Uploaded byjekil
PDF, PPTX1,702 views

Names and virtual host discovery

This document discusses techniques for discovering hostnames and virtual hosts through DNS enumeration, service fingerprints, application layers, and passive methods. It lists tools that can be used for reconnaissance like DNSenum, DNSrecon, Maltego, Nmap, and TheHarvester. The document provides examples of hostname discovery through DNS records, SSL certificates, HTTP response banners, redirects, and public data sources.

Internet
Related topics:
Penetration-Testing

Embed presentation

Download as PDF, PPTX
Names and virtual host discovery Can you spot all names?
@jekil Cuckoo Sandbox (cuckoosandbox.org) Malwr (malwr.com) Secdocs (secdocs.org) Ghiro (getghiro.org) Hostmap
How many entry points?
Virtual hosting 21/tcp (FTP) 42.0.0.42 80/tcp (HTTP) default (42.0.0.42) ftp.antani.com corp.antani.com default (42.0.0.42) www.antani.com admin.antani.com
Check Enumeration process 42.0.0.42 DNS Query Vulnerability Brute force Public DB Info leaks IP list Name list
DNS names enumeration
DNS queries PTR (reverse lookup) NS (name server lookup) MX (mail server lookup) AXFR (zone transfer vuln) SRV (service location lookup) Many resource record types http://en.wikipedia.org/wiki/List_of_DNS_record_types
DNS names brute force Perform many A (AAAA) queries It takes a lot of time It could overload DNS servers You need a good wordlist Not stealth
Service fingerprints
Banner grabbing Services prone to host name leak Host names in response banner By default, by design $ nc 216.18.179.54 25! 220 barracuda.ord1.reflected.net ESMTP (e5fb20dbadbd8bd56b3600247242f162)
SSL/TLS
X.509 Certificate Services over SSL/TLS Some properties could expose host names or IP Example: Common Name (CN) $ openssl s_client -showcerts -connnect 151.22.70.92:443! ....! subject=/C=IT/ST=Venezia/L=Venezia/OU=IT/ O=SAVE S.P.A./CN=my.veniceairport.it
Application layer
Tough applications Host name leak in application/protocol Following HTTP redirects, crawling website Host names in application errors Virtual host names brute forcing at application layer Application host names could be missing in DNS
Passive enumeration
Public data Search engines (dorking) GPG key databases WHOIS DNS history sites Passive DNS Shodan Webarchive Internet census / scans Pick one...
Tools
Tools Bile suite Blacksheepwall DNSenum.pl DNSrecon Hostmap Fierce2 Maltego Metasploit Nmap Recon-ng Theharvester Txdns A pleteora of small scripts...
@jekil - http://jekil.sexy

More Related Content

PPT
Linux Commands
byUtkarsh Sengar
 
ODP
Rpm Introduction
byShrinivasan T
 
PDF
Doing Horrible Things with DNS - Web Directions South
byTom Croucher
 
PPTX
Awk primer and Bioawk
byHoffman Lab
 
PPT
Linux_commands
byRohit Kumar
 
PPTX
Streams for the Web
byDomenic Denicola
 
PPTX
RedisConf17 - Internet Archive - Preventing Cache Stampede with Redis and XFetch
byRedis Labs
 
PDF
Rustでパケットと戯れる
byShuyaMotouchi1
 
Linux Commands
byUtkarsh Sengar
 
Rpm Introduction
byShrinivasan T
 
Doing Horrible Things with DNS - Web Directions South
byTom Croucher
 
Awk primer and Bioawk
byHoffman Lab
 
Linux_commands
byRohit Kumar
 
Streams for the Web
byDomenic Denicola
 
RedisConf17 - Internet Archive - Preventing Cache Stampede with Redis and XFetch
byRedis Labs
 
Rustでパケットと戯れる
byShuyaMotouchi1
 

What's hot

PPT
101 3.2 process text streams using filters
byAcácio Oliveira
 
PPT
101 3.2 process text streams using filters
byAcácio Oliveira
 
PDF
Unix Basics Commands
bySameeran Jenna
 
PPTX
Tendências e Evoluções em Armazemamento de Dados
byJefferson Alcantara
 
PDF
Unix Commands
byDr.Ravi
 
PPT
Alta vista indexing and search engine
bydaomucun
 
PPTX
Large scale nlp using python's nltk on azure
bycloudbeatsch
 
KEY
Redis, Resque & Friends
byChristopher Spring
 
PPT
3.2 process text streams using filters
byAcácio Oliveira
 
PPTX
Garbage Collection in .NET
byYuriy Shapovalov
 
KEY
Mercurial
byguest4ea435
 
PDF
Fun with Ruby and Redis
byjavier ramirez
 
PDF
Natural Language Toolkit (NLTK), Basics
byPrakash Pimpale
 
PDF
Redis - for duplicate detection on real time stream
byCodemotion
 
PDF
Node Interactive Debugging Node.js In Production
byYunong Xiao
 
PPTX
Linux basics
byBhaskarNeeluru
 
PPTX
Basic unix
byRaghu nath
 
PDF
PyCon Russian 2015 - Dive into full text search with python.
byAndrii Soldatenko
 
PDF
Serializing Ruby Objects in Redis
byBrian Kaney
 
DOCX
Linux midterm quiz
byAndrew Ibrahim
 
101 3.2 process text streams using filters
byAcácio Oliveira
 
101 3.2 process text streams using filters
byAcácio Oliveira
 
Unix Basics Commands
bySameeran Jenna
 
Tendências e Evoluções em Armazemamento de Dados
byJefferson Alcantara
 
Unix Commands
byDr.Ravi
 
Alta vista indexing and search engine
bydaomucun
 
Large scale nlp using python's nltk on azure
bycloudbeatsch
 
Redis, Resque & Friends
byChristopher Spring
 
3.2 process text streams using filters
byAcácio Oliveira
 
Garbage Collection in .NET
byYuriy Shapovalov
 
Mercurial
byguest4ea435
 
Fun with Ruby and Redis
byjavier ramirez
 
Natural Language Toolkit (NLTK), Basics
byPrakash Pimpale
 
Redis - for duplicate detection on real time stream
byCodemotion
 
Node Interactive Debugging Node.js In Production
byYunong Xiao
 
Linux basics
byBhaskarNeeluru
 
Basic unix
byRaghu nath
 
PyCon Russian 2015 - Dive into full text search with python.
byAndrii Soldatenko
 
Serializing Ruby Objects in Redis
byBrian Kaney
 
Linux midterm quiz
byAndrew Ibrahim
 

Similar to Names and virtual host discovery

PPTX
DNS for Developers - NDC Oslo 2016
byMaarten Balliauw
 
PDF
Internet Host Name
byadil raja
 
PDF
What You Need to Know - Domain Name System (DNS)
byWes Morgan
 
DOCX
Linux basics andng hosti
byPatruni Chidananda Sastry
 
PPTX
DNS for Developers - ConFoo Montreal
byMaarten Balliauw
 
PDF
Presentation on Domain Name System
byChinmay Joshi
 
PPT
DNS – Domain Name Service
byJohnny Fortune
 
PPT
Domain Name Server
byvipulvaid
 
PPT
DNS
byviditsir
 
PDF
alfonsin web
byFran Alfonsin
 
PDF
Bh eu 05-kaminsky
byDan Kaminsky
 
PDF
Bh eu 05-kaminsky
byDan Kaminsky
 
PDF
Internet Domains
byadil raja
 
PPT
10 - Domain Name System.ppt
byssuserf7cd2b
 
PPTX
Dns
byhoangdinhhanh88
 
DNS for Developers - NDC Oslo 2016
byMaarten Balliauw
 
Internet Host Name
byadil raja
 
What You Need to Know - Domain Name System (DNS)
byWes Morgan
 
Linux basics andng hosti
byPatruni Chidananda Sastry
 
DNS for Developers - ConFoo Montreal
byMaarten Balliauw
 
Presentation on Domain Name System
byChinmay Joshi
 
DNS – Domain Name Service
byJohnny Fortune
 
Domain Name Server
byvipulvaid
 
DNS
byviditsir
 
alfonsin web
byFran Alfonsin
 
Bh eu 05-kaminsky
byDan Kaminsky
 
Bh eu 05-kaminsky
byDan Kaminsky
 
Internet Domains
byadil raja
 
10 - Domain Name System.ppt
byssuserf7cd2b
 
Dns
byhoangdinhhanh88
 

More from jekil

PDF
Cuckoo Sandbox: Automated malware analysis
byjekil
 
ODP
Android Introduzione All Architettura Programmazione Sicurezza Serate A Tema ...
byjekil
 
PDF
Client Side Security Settordici Lugts
byjekil
 
PDF
Android: Introduzione all'architettura, alla programmazione e alla sicurezza
byjekil
 
PDF
Security by example
byjekil
 
PDF
Sviluppo web con Ruby on Rails
byjekil
 
PDF
XPath Injection
byjekil
 
ODP
Web Application Insecurity Uncensored
byjekil
 
ODP
Web Application Insecurity L D2007
byjekil
 
PDF
Anonimato In Rete Summer Of Linux2007
byjekil
 
PDF
Linux Nelle Aziende Summer Of Linux 2007
byjekil
 
ODP
Linux Nelle Aziende Installfest2007
byjekil
 
ODP
Sicurezza Informatica Nelle Aziende Installfest2007
byjekil
 
PDF
Introduzione all'analisi forense
byjekil
 
PDF
MySQL
byjekil
 
PDF
MySQL 5
byjekil
 
ODP
Intrusion Detection Systems
byjekil
 
ODP
La sicurezza informatica nello studio legale
byjekil
 
Cuckoo Sandbox: Automated malware analysis
byjekil
 
Android Introduzione All Architettura Programmazione Sicurezza Serate A Tema ...
byjekil
 
Client Side Security Settordici Lugts
byjekil
 
Android: Introduzione all'architettura, alla programmazione e alla sicurezza
byjekil
 
Security by example
byjekil
 
Sviluppo web con Ruby on Rails
byjekil
 
XPath Injection
byjekil
 
Web Application Insecurity Uncensored
byjekil
 
Web Application Insecurity L D2007
byjekil
 
Anonimato In Rete Summer Of Linux2007
byjekil
 
Linux Nelle Aziende Summer Of Linux 2007
byjekil
 
Linux Nelle Aziende Installfest2007
byjekil
 
Sicurezza Informatica Nelle Aziende Installfest2007
byjekil
 
Introduzione all'analisi forense
byjekil
 
MySQL
byjekil
 
MySQL 5
byjekil
 
Intrusion Detection Systems
byjekil
 
La sicurezza informatica nello studio legale
byjekil
 

Recently uploaded

PPTX
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
PDF
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 
PPTX
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
PDF
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
PDF
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
PDF
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 

Names and virtual host discovery

  • 1.
    Names and virtualhost discovery Can you spot all names?
  • 2.
    @jekil Cuckoo Sandbox(cuckoosandbox.org) Malwr (malwr.com) Secdocs (secdocs.org) Ghiro (getghiro.org) Hostmap
  • 3.
  • 4.
    Virtual hosting 21/tcp(FTP) 42.0.0.42 80/tcp (HTTP) default (42.0.0.42) ftp.antani.com corp.antani.com default (42.0.0.42) www.antani.com admin.antani.com
  • 5.
    Check Enumeration process 42.0.0.42 DNS Query Vulnerability Brute force Public DB Info leaks IP list Name list
  • 6.
  • 7.
    DNS queries PTR(reverse lookup) NS (name server lookup) MX (mail server lookup) AXFR (zone transfer vuln) SRV (service location lookup) Many resource record types http://en.wikipedia.org/wiki/List_of_DNS_record_types
  • 8.
    DNS names bruteforce Perform many A (AAAA) queries It takes a lot of time It could overload DNS servers You need a good wordlist Not stealth
  • 9.
  • 10.
    Banner grabbing Servicesprone to host name leak Host names in response banner By default, by design $ nc 216.18.179.54 25! 220 barracuda.ord1.reflected.net ESMTP (e5fb20dbadbd8bd56b3600247242f162)
  • 11.
  • 12.
    X.509 Certificate Servicesover SSL/TLS Some properties could expose host names or IP Example: Common Name (CN) $ openssl s_client -showcerts -connnect 151.22.70.92:443! ....! subject=/C=IT/ST=Venezia/L=Venezia/OU=IT/ O=SAVE S.P.A./CN=my.veniceairport.it
  • 13.
  • 14.
    Tough applications Hostname leak in application/protocol Following HTTP redirects, crawling website Host names in application errors Virtual host names brute forcing at application layer Application host names could be missing in DNS
  • 15.
  • 16.
    Public data Searchengines (dorking) GPG key databases WHOIS DNS history sites Passive DNS Shodan Webarchive Internet census / scans Pick one...
  • 17.
  • 18.
    Tools Bile suite Blacksheepwall DNSenum.pl DNSrecon Hostmap Fierce2 Maltego Metasploit Nmap Recon-ng Theharvester Txdns A pleteora of small scripts...
  • 20.