Monday, June 27, 2011

Google Enumeration

Here we are going to do some zone transfer and Google enumeration. We found a DNS server that allows zone transfers, so we can see all the hosts a domain has. We can run a port scan on these hosts or use the information we obtain for a social engineering attack. On BackTrack 2 there is a Python script for email enumeration using Google. I posted a link to the code below. Once we get a list of emails we can do a Google search on them to find out what they have registered their accounts for.


Zone transfer
host -t ns victim.com
victim.com name server ns2.**telecom.net.
victim.com name server ns1.**telecom.net

host -l victim.com ns1.**telecom.net
Using domain server:
Name: ns1.**telecom.net
Address: **.136.95.2#53
Aliases:

victim.com name server ns1.**telecom.net.
victim.com name server ns2.**telecom.net.
victim.com has address **.6.150.207
afw.victim.com has address **.132.59.39
asgshare.victim.com has address **.132.59.42
bilbo.victim.com has address **.132.59.38
cbportal.victim.com has address **.195.**.136
demo.victim.com has address **.132.59.41
dev.victim.com has address **.132.59.62
docusign.victim.com has address **.132.59.62
docusigndemo.victim.com has address **.132.59.36
dots.victim.com has address **.132.59.44
dou.victim.com has address **.132.59.49
douinfo.victim.com has address **.132.59.43
eclipse.victim.com has address **.233.172.157
stage.eclipse.victim.com has address **.89.226.67
www.eclipse.victim.com has address **.233.172.157
eclipserebound.victim.com has address **.233.172.156
files.victim.com has address **.6.150.207
ftp.victim.com has address **.132.59.38
test.ftp.victim.com has address **.132.59.38
imagenet.victim.com has address **.6.150.207
kwclnt.victim.com has address **.132.59.62
kwportal.victim.com has address **.195.**.130
kwremote.victim.com has address **.195.**.137
lists.victim.com has address **.23.51.19
localhost.victim.com has address 127.0.0.1
mail.victim.com has address **.17.147.38
mcwebview.victim.com has address **.132.59.40
pahportal.victim.com has address **.195.**.135
palms.victim.com has address **.132.59.45
partners.victim.com has address **.23.52.2
phportal.victim.com has address **.195.**.133
remaxportal.victim.com has address **.195.**.134
remaxremote.victim.com has address **.195.**.134
support.victim.com has address **.132.59.38
tam.victim.com has address **.132.59.47
testdrive.victim.com has address **.132.59.48
tssrv.victim.com has address **.195.**.131
vision.victim.com has address **.132.59.50
waldo.victim.com has address **.132.59.37
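As an added example (not from the original post or from BackTrack), a small defender-side audit in Python that parses `host -l` output like the listing above into an inventory, groups names by address and flags records the zone owner should review; the sample lines, names and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format `host -l` prints (names and addresses made up for this example).
SAMPLE_AXFR_OUTPUT = """\
victim.com name server ns1.example-telecom.net.
victim.com name server ns2.example-telecom.net.
victim.com has address 203.0.113.207
dev.victim.com has address 203.0.113.62
docusign.victim.com has address 203.0.113.62
ftp.victim.com has address 203.0.113.38
test.ftp.victim.com has address 203.0.113.38
support.victim.com has address 203.0.113.38
localhost.victim.com has address 127.0.0.1
mail.victim.com has address 198.51.100.38
"""

A_RECORD = re.compile(r"^(?P<name>\S+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
NS_RECORD = re.compile(r"^(?P<zone>\S+) name server (?P<ns>\S+)$")
# Labels that usually mark non-production systems a public zone should not advertise.
RISKY_LABELS = {"dev", "test", "stage", "staging", "demo", "uat"}

def parse_axfr(text):
    """Return (name_servers, {hostname: ip}) from `host -l` style output; other lines are ignored."""
    name_servers, hosts = [], {}
    for line in text.splitlines():
        line = line.strip()
        ns = NS_RECORD.match(line)
        if ns:
            name_servers.append(ns.group("ns").rstrip("."))
            continue
        a = A_RECORD.match(line)
        if a:
            hosts[a.group("name").rstrip(".")] = a.group("ip")
    return name_servers, hosts

def audit_zone(hosts):
    """Group hosts by address and flag records a zone owner should review."""
    by_ip = defaultdict(list)
    for name, ip in hosts.items():
        by_ip[ip].append(name)
    findings = []
    for name, ip in hosts.items():
        if ip.startswith("127."):
            findings.append((name, "resolves to loopback: stale or misleading record"))
        if set(name.split(".")) & RISKY_LABELS:
            findings.append((name, "non-production label exposed in the public zone"))
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}  # one host, many roles
    return {"by_ip": dict(by_ip), "shared": shared, "findings": findings}
```

Run `parse_axfr` on the saved output of `host -l yourdomain yourns` to see exactly what an anonymous zone transfer hands out, then restrict AXFR to the secondaries that need it.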

Email Harvesting
Here is the Python script I used.
https://docs.google.com/document/d/1-AaKJBaIXP3uzynaTm3kpUhX3ysV8DbFz2r1r1lAR7U/edit?hl=en_US&authkey=CL217ccH
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Google Web & Group Results:
+++++++++++++++++++++++++++++++++++++++++++++++++++++

marketing@victim.com
jbotti@victim.com
JFrankel@victim.com
tfranceski@victim.com

So, a little Google search on the email addresses to see what's up with these guys.
Example
JFrankel has a post on blackberry.com about not receiving emails through BlackBerry Enterprise Server. The post is old, but the concept stays the same: this can lead to social engineering by calling, saying you're from BlackBerry support, and asking network topology questions.

We can also do some SMTP enumeration or send him a message on the blackberry.com forum; I think someone would be more prone to open a forum private message link as opposed to an email. The link can lead somewhere we can do some cross-site scripting, enable a back door, really anything.

We see the domain has a hosted email server, due to the IP being in a completely different range. Do an ARIN lookup:
**.252.96.3
NS ns-east.xxxxx.net

**.153.156.3
NS ns-west.xxxx.net

**.17.147.38 PTR mail.xxxxxxxxx.com
