One of a company’s most important responsibilities is to know its network footprint. Many large corporations are compartmentalized, and different groups have different responsibilities that rarely overlap. It’s not uncommon for a company to have multiple class-C IP address ranges, along with third-party hosted websites, and not really realize they exist within the organization’s assets. Each business unit manages their part of the site or brand, and there is often very little collaboration across business units. And don’t even mention uniform security standards.
When the bad guys target a company, they do so from a holistic point of view. They enumerate company subsidiaries, find all the network ranges owned and hosted by the company and tailor attacks against the weakest links.
You might have an e-commerce site running on one IP which receives regular vulnerability scanning and PCI attention, but the surrounding IP range is never touched. Or, you might have IDS monitoring for your primary company website, but leave development and QA sites untouched and unmonitored.
Often, a network admin will believe an address range is not used and will not bother checking it, or will want more scrutiny paid to the primary site (which generates actual revenue). This tutorial will attempt to explain, and show, why this approach is often detrimental to the company and can lead to a network breach with loss of consumer trust in the brand. If you are doing your own testing, you should consider how this approach can help you. If you are hiring out the testing, this will give you some ammunition to help make sure they are doing the job right.
First, I’ll outline the project. Acme Company has requested a penetration test (pentest) of its Internet presence. Acme believes it owns two class-C (/24) networks and has a third-party hosted site used for its primary Web presence. It also has a subsidiary that runs autonomously on its own class-C network. The goal of the assessment is to document what Acme actually owns and to find vulnerabilities on any Acme-owned or Acme-branded IP address.
Discovery begins by looking up Acme company information. This includes browsing Acme’s site, looking for external links to subsidiaries, finding information on corporate affiliates, names and titles of board members, distributors, customers and third-party partners. We plug this information into Yahoo Finance, perform searches on Wikipedia and LinkedIn and scour through social media for any information that can build an attack profile. For our demonstration, let’s say we found the following companies associated with ACME:
Now that we have a mapping of companies, the second stage begins.
Enumeration of assets.
The “whois” utility queries the registries that hold domain registrations and IP address allocations. Searching the regional registry (ARIN, for the records shown here) for the organization name with a trailing wildcard returns every network block registered under a matching name. For Acme, the results look like this:
ACME (CO454834) VERIZON-LAN (NET-10-10-10-1) 10.10.10.1-10.10.10.255
ACME CORP ATT-NET (NET-192-168-1-1) 192.168.1.1-192.168.1.255
ACME BRANDS T-MOBILE-NET (NET-172-1-1-20) 172.1.1.20-...
ACME DEV SPRINT-NET (NET-172-20-20-20) 172.20.20.20-172.20.20.40
We repeat this process for every company name found earlier and build a list of the IP address ranges registered to each one. Compiling all of the associated addresses gives the tester the true extent of Acme’s IP address space. Once complete, we run “whois” queries against the company names without wildcards and with the .COM/.NET extensions to pull the domain registrations:
Domain Name: acmecorp.com
Registry Domain ID: 1729401_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.demys.com
Registrar URL: http://www.demys.com
Updated Date: 2014-05-07T08:05:01Z
Creation Date: 1995-07-03T04:00:00Z
Registrar Registration Expiration Date: 2015-07-02T04:00:00Z
Name Server: ns0.acmecorp.com
Name Server: ns1.acmecorp.com
Name Server: ns1.acmecorp.net
In this example, Acme Corp runs its own authoritative name servers rather than using the registrar’s or a hosting provider’s. The next command attempts a zone transfer (AXFR) against one of them, which, if allowed, returns the complete list of hosts and IP addresses in the zone.
dig @ns0.acmecorp.com acmecorp.com axfr
A successful zone transfer hands you the entire zone: every host name and address the server is authoritative for. It will usually be refused, since awareness of this misconfiguration is now widespread, but repeat the attempt against every name server listed in the whois record (here ns0.acmecorp.com, ns1.acmecorp.com and ns1.acmecorp.net), because secondary servers are often configured less carefully than the primary. A refusal is only a small speed bump and does not really impede our advancement.
Since the company hosts its own name servers, virtually all of its domains will be delegated to them, so the NS records in the TLD zone files tell us which domains those servers are authoritative for. The .COM and .NET zone files are available from Verisign, the registry operator for both, and can be obtained free of charge under a zone file access agreement if you request them.
With a copy of the .COM and .NET zone files, we search each file for Acme’s name servers and get a list of domains serviced by them. These files are written relative to the TLD ($ORIGIN COM.), so an in-zone name server may appear without its .COM suffix; match on the host label (NS0.ACMECORP) as well as the full name so those entries are not missed.
grep -i NS0.ACMECORP.COM com.zone | tee -a acme_com_results.txt
grep -i NS1.ACMECORP.NET net.zone | tee -a acme_net_results.txt
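The zone-file step above, as an added example that is not code from the original article: a small shell function that does the search with awk instead of a plain grep, so that case, trailing dots and names written relative to the file’s $ORIGIN are normalized before the name-server column is matched against a regex. The zone lines in sample_zone are a constructed sample in the layout of a TLD zone file, not real registry data, and every domain in it other than acmecorp.com is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original article): list every domain in a TLD
# zone file that is delegated to name servers matching a pattern.
#
# usage: domains_served_by <tld> <ns-regex>  < com.zone
#   <ns-regex> is an awk ERE matched against the name-server name after it has
#   been lower-cased and stripped of its trailing dot. In-zone servers may be
#   written relative to the $ORIGIN (NS0.ACMECORP rather than NS0.ACMECORP.COM),
#   so the pattern should allow the TLD suffix to be absent.
domains_served_by() {
    TLD="$1" NS_PATTERN="$2" awk '
        BEGIN { tld = tolower(ENVIRON["TLD"]); pat = ENVIRON["NS_PATTERN"] }
        # lower-case a name, drop a trailing dot and, for owner names,
        # qualify a relative label with the TLD
        function norm(n, qualify) {
            n = tolower(n)
            if (n ~ /\.$/) { sub(/\.$/, "", n); return n }
            return qualify ? (n "." tld) : n
        }
        /^\$/ || /^;/ || /^[[:space:]]*$/ { next }   # directives, comments, blanks
        {
            # owner [ttl] [class] NS target : find the NS token wherever it sits
            ns = 0
            for (i = 2; i < NF; i++) if (toupper($i) == "NS") { ns = i; break }
            if (ns == 0) next
            if (norm($(ns + 1), 0) ~ pat) print norm($1, 1)
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample in the layout of a TLD zone file; not real registry data.
sample_zone() {
    cat <<'EOF'
$ORIGIN COM.
$TTL 900
; delegations and glue (constructed)
ACMECORP NS NS0.ACMECORP.
ACMECORP NS NS1.ACMECORP.COM.
ACMECORP NS NS1.ACMECORP.NET.
NS0.ACMECORP A 10.10.10.5
NS1.ACMECORP A 10.10.10.6
SPACELEYSPROCKETS NS NS0.ACMECORP.
SPACELEYSPROCKETS NS NS1.ACMECORP.NET.
cogswellcogs NS ns1.acmecorp
EXAMPLE 172800 IN NS A.IANA-SERVERS.NET.
EOF
}

# The three name servers from the whois record, with the suffix optional.
# Prints: acmecorp.com, cogswellcogs.com, spaceleysprockets.com
sample_zone | domains_served_by com '^ns[01]\.acmecorp(\.com|\.net)?$'
```

Run it against the real file with `domains_served_by com '^ns[01]\.acmecorp(\.com|\.net)?$' < com.zone`; the same function works for net.zone with `net` as the first argument.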
Next, we resolve the discovered hostnames (ping is a convenient way to do it) and see whether they point at any additional IP ranges. Even when a host blocks ICMP and ping gets no reply, the address is still printed, because the name is resolved before any packet is sent; dig +short or host returns the same answer without sending a probe at all.
PING spaceleysprockets.net (10.150.150.10) 56(84) bytes of data.
As we can see from the example, spaceleysprockets.net lives in 10.150.150.0/24, another IP range to add to our list.
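The range check described above, as an added example that is not the article’s own code: once the discovered hostnames have been resolved, group the addresses into /24s and report only the ranges that are not already in the whois-derived list. The resolution results in sample_resolved are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges that nobody owns); the resolve_hosts helper shows how the real input would be produced with dig and is defined but not run here.

```shell
#!/bin/sh
# Added example (not from the original article): find address ranges that the
# discovered hostnames point at but that are not yet in the whois-derived list.
# Ranges are compared at /24 granularity, the unit the article works in.

# Real input is produced from a hostname list with dig (needs network; not run
# in this example): resolve_hosts < hostnames.txt > resolved.txt
resolve_hosts() {
    while read -r h; do
        printf '%s %s\n' "$h" "$(dig +short A "$h" | head -n 1)"
    done
}

# usage: unknown_slash24s "<space-separated known /24s>" < resolved.txt
# resolved.txt holds one "<hostname> <ipv4>" pair per line; names that did
# not resolve (nothing after the hostname) are skipped.
unknown_slash24s() {
    KNOWN="$1" awk '
        BEGIN {
            n = split(ENVIRON["KNOWN"], k, " ")
            for (i = 1; i <= n; i++) { sub("/24$", "", k[i]); known[k[i]] = 1 }
        }
        NF >= 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, o, ".")
            net = o[1] "." o[2] "." o[3] ".0"
            if (!(net in known)) hosts[net] = hosts[net] " " $1
        }
        END { for (net in hosts) print net "/24" hosts[net] }
    ' | LC_ALL=C sort
}

# Constructed resolution results; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not addresses anyone owns.
sample_resolved() {
    cat <<'EOF'
www.acmecorp.com 10.10.10.80
mail.acmecorp.com 10.10.10.25
qa.acmecorp.com 192.0.2.15
spaceleysprockets.net 10.150.150.10
www.spaceleysprockets.net 10.150.150.11
dev.acmecorp.com 198.51.100.7
parked.acmecorp.com
EOF
}

# Known ranges from the whois step; 172.20.20.20-40 is widened to its /24.
KNOWN_RANGES="10.10.10.0/24 192.168.1.0/24 172.20.20.0/24"
# Prints three new ranges: 10.150.150.0/24, 192.0.2.0/24 and 198.51.100.0/24,
# each followed by the hostnames that led to it.
sample_resolved | unknown_slash24s "$KNOWN_RANGES"
```

Each reported range is a candidate for the whois lookup again (who actually owns it, and is that owner Acme, a subsidiary, or a hosting provider?) before it goes onto the target list.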
Next, we use the script “subbrute” to brute-force subdomains of each discovered domain from a wordlist; this turns up virtual hosts and development, staging and administrative names that never show up in search results.
We repeat this process on all discovered hostnames.
Next we move on to “theharvester” to gather emails, subdomains, hosts, employee names, open ports and banners.
./theharvester.py -d acmecorp.com -l 500 -b all
[+] Emails found:
firstname.lastname@acmecorp.com
[+] Hosts found in search engines:
From this query, we learned that there is yet another IP range hosting “qa.acmecorp.com.” We also discovered the email address format Acme uses, which is exactly what a phishing campaign needs. We perform the same query on all subsidiaries and identified domains, and we continue building our network map.
If you are comfortable with the above tools, I would recommend moving to a more robust method of enumeration using Aquatone.
aquatone-discover --domain acmecorp.com
Aquatone can be loaded with API keys for the third-party sources it queries (Shodan and VirusTotal among them) and will then do much deeper dives on your discovery. Note that this command belongs to the original Ruby version of Aquatone; the later Go rewrite dropped the discovery features and instead reads a list of hosts from standard input, so pair it with a separate subdomain enumeration tool.
At this point, an actual company network map would be quite substantial and would contain the following:
- Company-owned and third-party hosted IP address ranges
- Subdomains and virtual hosts you can target for further attack
- E-mail addresses for potential phishing campaigns
For now, we will target the IP address ranges looking for open ports and enticing services. Up to this point, almost all of the enumeration has been passive: whois, zone files, search engines and social media are queried at third parties, so none of it would raise a red flag, trip an IDS or generate an alert at Acme, and from Acme’s perspective it has been completely anonymous. The one exception is the zone transfer attempt, which does hit Acme’s own name servers and may be logged there. From here on, we begin leaving a digital trail on the target’s systems. (Note: permission should be obtained from the hosting providers, and the ranges agreed with the client, before performing the next steps.)
Perform a port scan of each of the ranges. A recommended approach for a first pass is to limit the scan to a short list of ports and to assume every host drops ICMP echo requests, so that hosts are not silently skipped as “down”: nmap’s -Pn flag (spelled -PN in older releases) disables host discovery and scans every address in the list.
nmap -iL ipranges.txt -Pn -p 80,443,8443,8080,21,22,23,25,53,1723,3389 -oA acmecorp_results
The ports we target are the following:
80 – HTTP
443 – HTTPS
8080 – HTTP (alternate)
8443 – HTTPS (alternate)
21 – FTP
22 – SSH
23 – Telnet
25 – SMTP
53 – DNS
1723 – PPTP
3389 – RDP
A full port scan would be ideal, but for this first pass we assume that Acme (and its subsidiaries) have an IDS and basic network monitoring in place, and we don’t want to make so much noise that our source addresses get blocked. More often than not, by the time you reach this point, the address space you have identified is larger than the ranges Acme (or whichever company is the target) listed for testing. Stop and reconcile this with your point of contact before scanning the new ranges: addresses that are not in the agreed scope are not authorized targets, however strongly the whois records suggest they belong to the client.
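The first-pass scan above, as an added example that is not from the article: a reader for the greppable output nmap writes with -oA (acmecorp_results.gnmap) that keeps only the ports in state “open” per host, plus a helper that lists the hosts exposing a given port. The scan lines in sample_gnmap are a constructed sample in the .gnmap layout, not real scan results.

```shell
#!/bin/sh
# Added example (not from the original article): summarize the .gnmap file
# that nmap -oA writes, keeping only ports whose state is "open".
# Fields are tab separated; each Ports: entry reads
# port/state/proto/owner/service/rpc/version/

# usage: open_ports < acmecorp_results.gnmap
# prints: <ip> <hostname or -> <port>/<service>,...
open_ports() {
    awk -F'\t' '
        $1 ~ /^Host: / && $2 ~ /^Ports: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ \(.*$/, "", ip)
            name = ""
            if (match($1, /\(.*\)/)) name = substr($1, RSTART + 1, RLENGTH - 2)
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, p, ", ")
            out = ""
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") out = out (out == "" ? "" : ",") f[1] "/" f[5]
            }
            if (out != "") print ip, (name == "" ? "-" : name), out
        }'
}

# usage: hosts_with_port <port> < acmecorp_results.gnmap
# prints the IP of every host with that port open
hosts_with_port() {
    open_ports | awk -v want="$1" '{
        n = split($3, s, ",")
        for (i = 1; i <= n; i++) { split(s[i], f, "/"); if (f[1] == want) print $1 }
    }'
}

# Constructed sample in the .gnmap layout (tab separated, so built with printf).
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -iL ipranges.txt -Pn -p 80,443,8443,8080,21,22,23,25,53,1723,3389 -oA acmecorp_results'
    printf '%s\t%s\n'     'Host: 10.10.10.80 (www.acmecorp.com)' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.10.10.80 (www.acmecorp.com)' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///' 'Ignored State: filtered (8)'
    printf '%s\t%s\n'     'Host: 10.10.10.25 ()' 'Ports: 25/open/tcp//smtp///, 23/closed/tcp//telnet///, 3389/filtered/tcp//ms-wbt-server///'
    printf '%s\t%s\t%s\n' 'Host: 10.150.150.10 (spaceleysprockets.net)' 'Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///' 'Ignored State: closed (8)'
    printf '%s\n' '# Nmap done at Mon Jan  1 10:00:40 2024 -- 512 IP addresses (3 hosts up) scanned in 40.12 seconds'
}

# Per-host summary, then the hosts worth pointing a web scanner at.
sample_gnmap | open_ports
echo "--- hosts with 80 open ---"
sample_gnmap | hosts_with_port 80
```

Feed the real file in with `open_ports < acmecorp_results.gnmap`; the output of hosts_with_port 80 (and 443, 8080, 8443) is the list on which the virtual hosts and subdomains found earlier are tried.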
By now, we should have a good list of attractive targets: the hosts with open ports, together with the virtual hosts and subdomains found earlier on each address that serves a website. As I stated at the beginning, the primary hosts will usually be hardened and secure, but secondary or alternate hosts fly under the radar more often than not and probably have some (or more!) problems. Just remember, the entry point isn’t always the main company website, but one they forgot about, or didn’t even realize they had.
The above method has been extremely successful in the years I’ve pen-tested. If you have any suggestions, please post them in the comments.