Search the Fine Web
Domain Name System (DNS)
A preliminary survey to gain information.
Finding as much information about the target as
possible before launching the first attack
Many computer attackers first investigate their
target using publicly available information. By
conducting determined, methodical
reconnaissance, attackers can determine how
best to mount their attacks successfully.
Finding a pretext (false reason) to obtain
privileged information or services.
Social engineering involves an attacker calling
employees at the target organization on the
phone and fooling them into revealing sensitive
If someone unknown to the user calls on the
phone looking to verify computer
configurations, passwords, or other sensitive
items, the user should not give out the
sensitive data, no matter how friendly or
urgent the request, without verifying the
An attacker with physical access to your
computer systems might find that a user
walked away from a machine while logged
in, giving them instant access to accounts and
Attackers might plant backdoors on your
Physical access to an Ethernet plug in the
Retrieving sensitive information from trash.
Attackers use dumpster diving to find discarded
paper, CDs, DVDs, floppy disks, tapes, and
hard drives containing sensitive data.
Paper and media shredders are the best
defence against dumpster diving.
Provide a separate trash for sensitive
Search the Fine Web (STFW)
Searching an organization’s own web site
Using search engines
Listen in at the virtual watering hole: USENET
Searching an Organization’s Own Web
Employees’ contact information and phone
Clues about the corporate culture and language.
Server and application platforms in use.
Using Search Engines
Conduct searches based on organization name,
product names, employee names.
Retrieve information about history, current
events, and future plans of the target organization.
Search for links to target organization via link
www.companyname.com in a search engine.
Listening in at the Virtual Watering
Posting of questions by employees to technical
Google newsgroup archive web search engine
Defenses against Web searches
An attempt to increase security by keeping
elements of a security strategy secret is known as
security by obscurity.
Security policy regarding posting of sensitive
information on web site, newsgroups, and
Contain information regarding assignment of
Internet addresses, domain names, and individual
Internet Corporation for Assigned Names and
Complete list of accredited registrars available at
InterNIC whois database available at
Whois database for organizations outside the
United States available at
www.allwhois.com/home.html web site.
Figure 5.2 List of accredited registrars on the InterNIC site
Figure 5.3 Using the InterNIC whois database to find the target’s registrar
Figure 5.4 Looking up a domain name at a particular registrar
Figure 5.5 Results of a registrar whois search
Figure 5.6 Searching for IP Address Assignments in ARIN
Defenses Against Whois
You must make sure that your registration data
is accurate so that the proper person can be
contacted without interruption if an incident
Make sure there is no extraneous information in
your registration records that could be used by
an attacker, such as account names for an
DNS is a hierarchical database distributed
around the world that stores a variety of
information, including IP addresses, domain
names, and mail server information.
Fig 5.8 Recursive search to resolve a domain name to IP address
Interrogating DNS Servers
So how does an attacker get DNS information?
First, the attacker needs to determine one or more
DNS servers for the target organization.
Using this DNS server information, an attacker
has a variety of tools to choose from for getting
Attackers typically attempt to perform a zone
Defenses from DNS-based
Make sure you aren't leaking additional
information through DNS.
Your domain names should not indicate any
machine's operating system type.
Do not include HINFO or TXT records.
Restrict zone transfers to secondary DNS only.
Configure firewall.
Internal users can resolve both internal and external names.
External users can only access external names.
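The DNS defenses listed above can be checked mechanically before a zone is published. The following is an added example, not taken from the source book or slides: a small audit that flags HINFO and TXT records and host names that hint at an operating system. The sample zone, the example.com names, and the OS_HINTS list are constructed assumptions.

```python
import re
import shlex

# Constructed sample zone (example.com and 192.0.2.0/24 are documentation values).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
@        IN NS   ns1.example.com.
@        IN MX   10 mail.example.com.
www      IN A    192.0.2.10
mail     IN A    192.0.2.25
win2k-fs IN A    192.0.2.40
build    IN HINFO "INTEL-386" "LINUX"
build    IN A    192.0.2.41
@        IN TXT  "contact ops room 4 ext 5512"
"""

# Assumed heuristic: label prefixes that give away an operating system.
OS_HINTS = ("win", "linux", "solaris", "sunos", "aix", "hpux", "freebsd", "openbsd")

def audit_zone(text):
    """Return (owner, rtype, reason) for records the defenses above say to avoid."""
    findings, owner = [], "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # naive: assumes no ';' inside quotes
        if not line.strip() or line.startswith("$"):
            continue
        fields = shlex.split(line)
        if not raw[0].isspace():              # indented lines inherit the last owner
            owner = fields.pop(0)
        # Skip the optional numeric TTL and the class to reach the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields:
            continue
        rtype = fields[0].upper()
        if rtype in ("HINFO", "TXT"):
            findings.append((owner, rtype, "record type discloses extra information"))
        elif rtype in ("A", "AAAA", "CNAME"):
            labels = re.split(r"[-_.]", owner.lower())
            if any(label.startswith(OS_HINTS) for label in labels):
                findings.append((owner, rtype, "host name hints at operating system"))
    return findings

if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:10} {rtype:6} {reason}")
```

Zones that publish mail policy such as SPF or DKIM need some TXT records, so treat TXT findings as items to review for content rather than as automatic deletions.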
The first set consists of completely integrated
client executables, such as Sam Spade, which
are run on an end user's machine and perform
recon queries on behalf of that user.
The second category includes Web-based
tools, accessed across the Internet using a Web
General Purpose Reconnaissance GUI
Client Tools for MS Windows
Web-based Reconnaissance Tools:
Research and Attack Portals
An attacker accesses these tools using a browser,
typing the target name or IP address into a Web
Counter Hack: A Step-by-Step Guide to
Computer Attacks and Effective Defenses by