Monday, 16 April 2012

HAck : Mapping your target Must Need Platform

Once you have your platform in good working order, you will need to know as much as possible about your target. In this chapter we look at "passive" ways to find information about the target. The target might be a company, a organization or a government. Where do you start your attack? This first step is gaining as much as possible information about the target - without them knowing that you are focussing your sniper scope on them. All these methods involve tools, web sites and programs that are used by the normal law abiding netizen.
Websites, MX records…DNS!
For the purpose of this document, let us assume that we want to attack CitiBank. (no hard feelings CitiBank). We begin by looking at the very obvious - www.citibank.com. You would be amazed by the amount one can learn from an official webpage. From the website we learn that Citibank has presence in many countries. Checking that Citibank have offices in Belgium we check the address of www.citibank.be and the Malaysian office www.citibank.com.my. The IP addresses are different - which means that each country' Citibank website is hosted inside the specific country. The website lists all the countries that Citibank operate in. We take the HTML source code, and try to find the websites in each country. Having a look around leaves us with 8 distinct countries. Maybe XXX.citybank.XXX is registered in the other countries? Doing a simple "host www.citibank.XXX" (scripted with all country codes and with .com and .co sub extensions of course) reveals that following sites:
www.citibank.as
www.citibank.at
www.citibank.be
www.citibank.ca
www.citibank.cc
www.citibank.ch
www.citibank.cl
www.citibank.co.at
www.citibank.co.cc
www.citibank.co.cx
www.citibank.co.dk
www.citibank.co.id
www.citibank.co.in
www.citibank.co.io
www.citibank.co.jp
www.citibank.co.ke
www.citibank.co.kr
www.citibank.co.nz
www.citibank.co.pl
www.citibank.co.pt
www.citibank.co.th
www.citibank.co.tv
www.citibank.co.tw
www.citibank.co.uk
www.citibank.co.vi
www.citibank.co.ws
www.citibank.com
www.citibank.com.ar
www.citibank.com.au
www.citibank.com.bh
www.citibank.com.bi
www.citibank.com.br

www.citibank.com.bs
www.citibank.com.co
www.citibank.com.ec
www.citibank.com.gt
www.citibank.com.gu
www.citibank.com.hk
www.citibank.com.ky
www.citibank.com.mo
www.citibank.com.mx
www.citibank.com.my
www.citibank.com.ph
www.citibank.com.pk
www.citibank.com.pl
www.citibank.com.pr
www.citibank.com.py
www.citibank.com.sg
www.citibank.com.tj
www.citibank.com.tr
www.citibank.com.tw
www.citibank.com.ws
www.citibank.cx
www.citibank.cz
www.citibank.de
www.citibank.es
www.citibank.fr
www.citibank.gr
www.citibank.hu
www.citibank.ie
www.citibank.io
www.citibank.it
www.citibank.lu
www.citibank.mc
www.citibank.mw
www.citibank.nl
www.citibank.nu
www.citibank.pl
www.citibank.ro
www.citibank.ru
www.citibank.tv
www.citibank.ws
www.citicorp.com
So much for websites - it is clear that many of these domains are used by cybersquatters - www.citibank.nu for example. We'll filter those. Also, most of above mentioned sites are simply aliases for www.citibank.com. These days most websites are hosted offsite. Mail exchangers are most of the time more closely coupled with the real network. Looking at the MX records for the domains (host -t mx citibank.XX) gives one a better idea of the IP numbers involved. Trying to do a zone transfer would also help a lot (host -l citibank.XXX). After some scripting it becomes clear which domains belongs to the real Citibank - all of these domain's MX records are pointing to the MX record for www.citibank.com, and their websites point to the official .com site. The theory that the MX records for the different branches are closer to the "satellite" network does not apply for Citibank it seems: (these are all MX records).
citibank.at is a nickname for www.citibank.com
citibank.ca is a nickname for www.citibank.com
citibank.ch is a nickname for www.citibank.com
citibank.cl is a nickname for www.citibank.com
citibank.co.at is a nickname for www.citibank.com
citibank.co.kr is a nickname for www.citibank.com
citibank.co.nz is a nickname for www.citibank.com
citibank.co.vi is a nickname for www.citibank.com
citibank.com.br is a nickname for www.citibank.com
citibank.com.bs is a nickname for www.citibank.com
citibank.com.ec is a nickname for www.citibank.com
citibank.com.gt is a nickname for www.citibank.com
citibank.com.gu is a nickname for www.citibank.com
citibank.com.ky is a nickname for www.citibank.com
citibank.com.mo is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.pk is a nickname for www.citibank.com
citibank.com.pl is a nickname for www.citibank.com
citibank.com.pr is a nickname for www.citibank.com
citibank.com.py is a nickname for www.citibank.com
citibank.com.sg is a nickname for www.citibank.com
citibank.com.tr is a nickname for www.citibank.com
citibank.cz is a nickname for www.citibank.com
citibank.gr is a nickname for www.citibank.com
citibank.hu is a nickname for www.citibank.com
citibank.ie is a nickname for www.citibank.com
citibank.it is a nickname for www.citibank.com
citibank.lu is a nickname for www.citibank.com
citibank.mc is a nickname for www.citibank.com
citibank.mw is a nickname for www.citibank.com
citibank.nl is a nickname for www.citibank.com
citibank.pl is a nickname for www.citibank.com
citibank.ro is a nickname for www.citibank.com
What about the rest of the countries - are all of them cybersquatter related, or have our friends at Citibank slipped up somewhere? Let's remove above-mentioned countries from our list, and have a look those than remain. Close inspection of all the rest of the domains shows that cyber squatters (in all sizes and forms) have taken the following domains:
citibank.as
citibank.cc
citibank.co.cx
citibank.co.dk
citibank.co.ke
citibank.co.pl
citibank.co.pt
citibank.co.tv
citibank.co.ws
citibank.com.bh
citibank.com.bi
citibank.com.tj
citibank.com.ws
citibank.cx
citibank.io
citibank.nu
citibank.tv
How about the rest? We find the following hosts and services belonging to Citibank (most of this is done with scripting, manual labor, and cross checking):
www.citibank.be has address 195.75.113.39
citibank.be name server ns.citicorp.com
citibank.be name server ns2.citicorp.com
citibank.co.id mail is handled (pri=20) by egate.citicorp.com
citibank.co.in has address 203.197.24.163
www.citibank.co.jp has address 210.128.74.161
citibank.co.jp name server NS2.citidirect.citibank.co.jp
citibank.co.th mail is handled (pri=20) by egate.citibank.com
citibank.com.ar mail is handled (pri=20) by mailer2.prima.com.ar
www.citibank.com.au has address 203.35.150.146
citibank.com.au name server ns.citibank.com
citibank.com.au name server ns2.citibank.com
www.citibank.com.co has address 63.95.145.165
citibank.com.co name server CEDAR1.CITIBANK.COM
citibank.com.co name server CEDAR2.CITIBANK.COM
webp.citibank.com.sg has address 192.193.70.5
citibank.com.mx mail is handled (pri=10) by green.citibank.com.mx
citibank.com.ph mail is handled (pri=20) by egate.citicorp.com
citibank.com.tw name server dns.citibank.com.tw
dns.citibank.com.tw has address 203.66.185.3
www.citibank.com.tw has address 203.66.185.1
citibank.com.tw name server home1.citidirect.citibank.com.tw
citibank.ru has address 194.135.176.81
www.citibank.de has address 195.75.113.49
www.citibank.de has address 195.145.1.166
www.citibank.com has address 192.193.195.132
and the obvious official .com sites and MX records. But the real prize is German Citibank. In the checking scripts we also check if a DNS zone transfer was possible. In all of the domains tested a ZT was denied. All but Germany:
ehbtest.Citibank.DE has address 195.75.113.25
ehbweb.Citibank.DE has address 195.75.113.49
inter.Citibank.DE has address 193.96.156.103
localhost.Citibank.DE has address 127.0.0.1
www.Citibank.DE has address 195.145.1.166
www.Citibank.DE has address 195.75.113.49
ehbdns.Citibank.DE has address 195.145.1.166
public.Citibank.DE has address 193.96.156.104
From all of the above we can now begin to compile a list of IP numbers belonging to Citibank all over the world. We take the list, sort it, and remove any duplicates if there are any. The end result is:
148.242.127.200
192.193.195.132
192.193.195.194
192.193.195.195
192.193.195.210
192.193.196.210
192.193.70.5
192.193.77.166
193.96.156.103
193.96.156.104
194.135.176.81
195.145.1.166
195.75.113.10
195.75.113.11
195.75.113.25
195.75.113.39
195.75.113.49
200.42.0.133
203.197.24.163
203.35.150.146
203.66.185.1
203.66.185.20
203.66.185.3
210.128.74.161
63.95.145.165
Once we have these IP numbers we can go much further. We could see the netblocks these IP numbers belongs to - this might give us more IP numbers. Later these IP numbers could be fed to port scanners or the likes. Another technique is to do "reverse resolve scanning". Here one reverse resolves the subnet to see if there are other interesting DNS entries.
RIPE, ARIN, APNIC and friends
The WHOIS queries (via RIPE, ARIN,APNIC) show some interesting information. (By doing a query on "*citibank*", we find many more blocks that was not revealed in the host finding exercise!)
Citicorp Global Information Network (NETBLK-CITICORP-C)
Netblock: 192.193.0.0 - 192.193.255.0
inetnum: 195.145.1.144 - 195.145.1.255
netname: DA-CITIBANK
descr: Citibank Privatkunden AG, Germany
inetnum: 195.75.113.0 - 195.75.113.255
netname: DE-CITIBANK-NET
descr: Network of Citibank Privatkunden AG
inetnum 203.197.24.160 - 203.197.24.191
netname CITIBANKMUMBAI
descr Leased - CITIBANK MumbaOther blocks discovered with RIPE search:
i
inetnum: 193.32.128.0 - 193.32.159.255
netname: CITI-EMBA
descr: Citibank N.A.
inetnum: 194.41.64.0 - 194.41.95.255
netname: CITIBANK
descr: CITIBANK (SWITZERLAND)
inetnum: 194.50.218.0 - 194.50.218.255
netname: CITILAN
descr: CITIBANK PRAGUE
inetnum: 62.184.117.0 - 62.184.117.255
netname: GB-CITIBANKSAVINGS-NET
descr: Network of Citibank Savings
inetnum: 195.183.49.128 - 195.183.49.143
netname: GB-CITIBANKSAVINGS-NET2
descr: Network of Citibank Savings
inetnum: 194.69.69.160 - 194.69.69.167
netname: CITIBANK-ISP
descr: TRAX network
inetnum: 195.235.80.200 - 195.235.80.207
netname: CITIBANK
descr: VPN public addresses
inetnum: 194.108.183.32 - 194.108.183.47
netname: CITIBANK-CZ
descr: Citibank, a. s.
inetnum: 62.200.100.0 - 62.200.100.31
netname: DE-CITIBANK-NET4
descr: Network of Citibank Privatk unden ago
inetnum: 213.25.206.44 - 213.25.206.47
netname: CITIBANK
descr: Citibank Poland
inetnum: 213.61.189.96 - 213.61.189.127
netname: DE-COLT-CITIBANK
descr: Citibank AG
inetnum: 62.157.214.240 - 62.157.214.247
netname: DTS-NET
descr: DTS für Citibank Privatkunden
inetnum: 62.225.11.144 - 62.225.11.151
netname: CITIBANKAG-FRANKFURT-NET
descr: Citibank AG
The following blocks were discovered with ARIN search:
63.236.56.224 - 63.236.56.255
CITIBANK (NETBLK-QWEST-JSV-ECITI-PVT)
261 Madison Avenue 3rd Floor
New York, ny 10016
USA
208.58.129.224 - 208.58.129.239
CITIBANK (NETBLK-EROLS-CUST-5136)
666 5TH AVENUE 3RD FLOOR
NEWYORK, NY 10103
USA
199.228.157.0 - 199.228.159.0
CITIBANK
RUESSELSHEIM, DE
205.147.21.161 - 205.147.21.168
CitiBank (NETBLK-SLIMCAT)
12731 W. Jefferson
Los Angeles, CA 90066
USA
200.42.11.80 - 200.42.11.87
Citibank (NETBLK-PRIMA-BLK-177)
Prilidiano Pueyrredon 2989
Villa Adelina, Buenos Aires B1607ABC
AR
196.28.49.0 - 196.28.49.31
Citibank (NETBLK-PRTC-196-28-49-0)
Ave. Las Cumbres
Guaynabo, PR
US
208.44.107.32 - 208.44.107.63
Citibank (NETBLK-QWEST-208-44-107-32)
6700 Citicorp Drive
Tampa, FL 33619
US
216.233.22.128 - 216.233.22.135
Citibank (NETBLK-RNCI-52044)
909 3rd Ave (15th floor)
New York, NY 10022-4731
USA
208.46.142.160 - 208.46.142.175
Citibank (NETBLK-QWEST-208-46-142-160)
Vision Drive
Enfield, CT 06082
US
63.80.165.128 - 63.80.165.159
Citibank (NETBLK-UU-63-80-165-128)
1 Vision Dr.
Enfield, CT 06082
US
192.209.110.0 - 192.209.110.255
Citibank - Washington DC (NET-QUOTRON-LAN47)
1001 Pennsylvania Avenue
Washington, DC 20004
198.73.228.0 - 198.73.239.0
Citibank Canada - Various Subnets
192.132.9.0 - 192.132.9.255
Citibank NA (NET-CITI-UK-EIS)
Lewisham House
15 Molesworth St.
London
SE13 7EX
United Kingdom
192.209.111.0 - 192.209.111.0
Citibank NA (NET-CITIBANKPARK)
399 Park Ave.
NYC, NY 10043
216.233.56.184 - 216.233.56.191
Citibank/Dan White (NETBLK-RNCI-52043)
600 Columbus Ave
New York, NY 10024-1400
USA
216.233.123.104 - 216.233.123.111
Citibank/Frank Kovacs (NETBLK-RNCI-DSLACI68828)
2 Vreeland Ct
East Brunswick, NJ 08816-3886
USA
216.233.97.64 - 216.233.97.71
Citibank/Orobona (NETBLK-RNCI-DSLACI56122)
4 Eastern Pkwy
Farmingdale, NY 11735
US
216.233.56.176 - 216.233.56.183
Citibank/Sztabnik AND Residence (NETBLK-RNCI-5516954206)
3547 Carrollton Ave
Wantagh, NY 11793-2929
USA
208.138.110.0 - 208.138.110.255
CITICORP (NETBLK-CW-208-138-110)
399 Park Ave. 6th Floor
New York, NY 10043
US
208.132.249.0 - 208.132.249.31
CITICORP VENTURE CAPITAL (NETBLK-CW-208-132-249-0)
399 PARK AVENUE
NEW YORK, NY 10043
US
159.17.0.0 - 159.17.255.255
Citicorp (NET-CITICORP-COM)
55 Water St.
44 Floor, Zone 7
New York, NY 10043
192.209.120.0 - 192.209.120.255
Citicorp (NET-CITICORPNY)
153 E. 53rd St. 5th Fl.
NYC, NY 10022
169.160.0.0 - 169.195.0.0
Citicorp (NET-CITICORP-B-BLK)
1900 Campus Commons Drive
Reston, VA 22091
208.231.68.0 - 208.231.68.255
Citicorp (NETBLK-UU-208-231-68)
909 3rd Avenue
New York City, NY 10022
US
63.67.86.0 - 63.67.86.255
Citicorp (NETBLK-UU-63-67-86)
2 Penn's Way
New Castle, DE 19720
US
63.71.124.192 - 63.71.124.255
Citicorp (NETBLK-UU-63-71-124-192)
1 Vision Drive
Enfield, CT 06082
US
63.72.243.0 - 63.72.243.255
Citicorp (NETBLK-UU-63-72-243)
1751 Pinnacle Drive
McLean, VA 22102
US
192.246.55.0 - 192.246.55.255
Citicorp Crossmar (NET-CITINET)
4 Sylvan Way
Parsippany, NJ 07054
63.74.88.64 - 63.74.88.79
Citicorp (NETBLK-UU-63-74-88-64)
6700 Citicorp Drive
Tampa, FL 33617
US
192.148.191.0 - 192.148.191.255
Citicorp Global Distibutions Systems (NET-CITIGDS)
1400 Treat Blvd.
Walnut Creek, CA 94596
163.35.0.0 - 163.39.255.255
Citicorp Global Information Network (NETBLK-CITICORP-B)
1 Court Square, 40th Floor
Long Island City, NY 11120
161.75.0.0 - 161.75.255.255
Citicorp Japan (NET-CITICORP-JP)
Citicorp Center Tokyo
2-3-14 Higashi-Shinagawa
Shinagawa-ku, Tokyo 140
Japan
192.48.247.0 - 192.48.247.255
Citicorp North American Investment Bank (NET-CCNAIBFIR)
55 Water Street, 44th Floor
New York, NY 10043
The following was discovered with APNIC:
(note! APNIC does not allow you to scan for words!!)
inetnum 203.66.184.0-203.66.184.255
netname CT-NET
descr Citibank Taiwan
inetnum 203.66.185.0 - 203.66.185.255
netname CT-NET
63.95.145.165
The IP numbers that does not fall in above mentioned blocks seems to be on ISP-like netblocks (The Russian block is marked as Space Research though). ISP-blocks are blocks of a network that the customer lease, but that is not specifically assigned to Citibank (in terms of AS numbers or netblocks).
We see that there are different size blocks - some are just a few IPs and others a single class C and some several class Cs. Let us break the list of blocks down in two categories - Class C or sub class C on the one side, and Class C+ on the other. We are left with a table that looks like this:
Class C or sub Class C:
192.132.9.0-192.132.9.255
192.148.191.0-192.148.191.255
192.209.110.0-192.209.110.255
192.209.111.0-192.209.111.0
192.209.120.0-192.209.120.255
192.246.55.0-192.246.55.255
192.48.247.0-192.48.247.255
194.108.183.32-194.108.183.47
194.50.218.0-194.50.218.255
194.69.69.160-194.69.69.167
195.183.49.128-195.183.49.143
195.235.80.200-195.235.80.207
196.28.49.0-196.28.49.31
200.42.11.80-200.42.11.87
203.66.184.0-203.66.184.255
203.66.185.0-203.66.185.255
205.147.21.161-205.147.21.168
208.132.249.0-208.132.249.31
208.138.110.0-208.138.110.255
208.231.68.0-208.231.68.255
208.44.107.32-208.44.107.63
208.46.142.160-208.46.142.175
208.58.129.224-208.58.129.239
213.25.206.44-213.25.206.47
213.61.189.96-213.61.189.127
216.233.123.104-216.233.123.111
216.233.22.128-216.233.22.135
216.233.56.176-216.233.56.183
216.233.56.184-216.233.56.191
216.233.97.64-216.233.97.71
62.157.214.240-62.157.214.247
62.184.117.0-62.184.117.255
62.200.100.0-62.200.100.31
62.225.11.144-62.225.11.151
63.236.56.224-63.236.56.255
63.67.86.0-63.67.86.255
63.71.124.192-63.71.124.255
63.72.243.0-63.72.243.255
63.74.88.64-63.74.88.79
63.80.165.128-63.80.165.159
Class C +:
199.228.157.0-199.228.159.0
198.73.228.0-198.73.239.0
194.41.64.0-194.41.95.255
193.32.128.0-193.32.159.255
159.17.0.0-159.17.255.255
161.75.0.0-161.75.255.255
163.35.0.0-163.39.255.255
169.160.0.0-169.195.0.0
192.193.0.0-193.192.255.255
Routed or not?
Given the sheer size of the Class C + netblocks, it would take forever to do a reverse scan or traceroute to all the blocks. The European and some of the American blocks seems very straight forward - most of them are only parts of a subnet. Why not find out which networks in the larger netblocks are routed on the Internet? How do we do this? Only the core routers on the Internet know which networks are routed. We can get access to these routers - very easily, and totally legally. Such a router is route1.saix.net. We simply telnet to this giant of a Cisco router, do a show ip route | include [start of large netblock] and capture the output. This core router contains over 40 000 routes. Having done this for the larger netblocks, we find the following:
199.228.157.0-199.228.159.0 None
198.73.228.0-198.73.239.0 None
194.41.64.0-194.41.95.255 None
193.32.128.0-193.32.159.255
193.32.161.0/24
193.32.254.0/24
193.32.208.0/23
193.32.192.0/20
193.32.176.0/20
159.17.0.0-159.17.255.255 None
161.75.0.0-161.75.255.255 None
163.35.0.0-163.39.255.255 None
169.160.0.0-169.195.0.0 None 192.193.0.0-192.193.255.255
192.193.183.0/24
192.193.192.0/24
192.193.73.0/24
192.193.182.0/24
192.193.208.0/24
192.193.193.0/24
192.193.74.0/24
192.193.194.0/24
192.193.211.0/24
192.193.75.0/24
192.193.180.0/24
192.193.210.0/24
192.193.195.0/24
192.193.196.0/24
192.193.77.0/24
192.193.201.0/24
192.193.172.0/24
192.193.188.0/24
192.193.187.0/24
192.193.186.0/24
192.193.70.0/24
192.193.184.0/24
192.193.71.0/24
Traceroute & world domination
The blocks not marked with a "none" are routed on the Internet today. Where are these plus the smaller blocks routed? Since a complete class C network is routed to the same place, we can traceroute to a arbitrary IP within the block. We proceed to do so, tracerouting to the next available IP in the block (e.g. for netblock 62.157.214.240 we would trace to 62.157.214.241) in each netblock. Looking at the last confirmed hop in the traceroute should tell us more about the location of the block. Most of the European blocks are clearly defined - but what about the larger blocks such as the 192.193.0.0 block and the 193.32.0.0 block? The information gained is very interesting:
62.157.214.240-62.157.214.247 Germany
62.184.117.0/24 Not routed
62.200.100.0-62.200.100.31 Germany
62.225.11.144-62.225.11.151 Germany
63.236.56.224-63.236.56.255 USA
63.67.86.0/24 USA
63.71.124.192-63.71.124.255 USA
63.72.243.0/24 USA
63.74.88.64-63.74.88.79 USA
63.80.165.128-63.80.165.159 USA
192.132.9.0/24 Not routed
192.148.191.0/24 Not routed
192.193.172.0/24 USA
192.193.180.0/24 USA
192.193.182.0/24 USA
192.193.183.0/24 USA
192.193.184.0/24 USA
192.193.186.0/24 USA
192.193.187.0/24 USA
192.193.188.0/24 USA
192.193.192.0/24 USA
192.193.193.0/24 USA
192.193.194.0/24 USA
192.193.195.0/24 USA
192.193.196.0/24 USA
192.193.201.0/24 USA
192.193.208/24 USA
192.193.210.0/24 USA
192.193.211.0/24 USA
192.193.70.0/24 Singapore
192.193.71.0/24 USA
192.193.73.0/24 Singapore
192.193.74.0/24 Philippines
192.193.75.0/24 Singapore
192.193.77.0/24 Japan
192.209.110.0/24 Not routed
192.209.111.0/24 Not routed
192.209.120.0/24 Not routed
192.246.55.0/24 Not routed
192.48.247.0/24 Not routed
193.32.128.0/24 Not routed
193.32.161.0/24 UK
193.32.176.0/20 UK
193.32.192.0/20 UK
193.32.208.0/23 UK
193.32.254.0/23 UK
194.108.183.32-194.108.183.47 Czech Republic
194.50.218.0/24 Not routed
194.69.69.160-194.69.69.167 Not routed
195.183.49.128-195.183.49.143 Not routed
195.235.80.200-195.235.80.207 UK
195.75.113.0/24 Germany
196.28.49.0-196.28.49.31 USA
200.42.11.80-200.42.11.87 Argentina
203.197.24.0/24 India
203.66.184.0/24 Taiwan
203.66.185.0/24 Taiwan
205.147.21.161-205.147.21.168 USA
208.132.249.0-208.132.249.31 USA
208.138.110.0/24 USA
208.231.68.0/24 USA
208.44.107.32-208.44.107.63 USA
208.46.142.160-208.46.142.175 USA
208.58.129.224-208.58.129.239 USA
213.25.206.44-213.25.206.47 Poland
213.61.189.96-213.61.189.127 Germany
216.233.123.104-216.233.123.111 USA
216.233.22.128-216.233.22.135 USA
216.233.56.176-216.233.56.183 USA
216.233.56.184-216.233.56.191 USA
216.233.97.64-216.233.97.71 USA
It is interesting to note that none of the 192.193 IP blocks are routed to Europe. Citibank has thus registered unique individual blocks for Europe based branches, and are routing some of its 192.193 class B class Cs to Asia. It seems that many of the Citibank websites are running on "ISP blocks". If the idea is to get to the core of Citibank these sites might not be worthwhile to attack, as we are not sure that there is any connection with back-ends (sure, we cannot be sure that the Citibank registered blocks are more interesting, but at least we know that Citibank is responsible for those blocks).
Taking all mentioned information into account, we can start to build a map of Citibank around the globe. This exercise is left for the reader :)).
Reverse DNS entries
As promised, the next step would be reverse resolve scanning some nets. By doing this we could possibly see interesting reverse DNS names that might give away information about the host. We proceed to reverse scan all the mentioned blocks, as well as the corresponding class C block of the IPs that does not fall in above mentioned blocks (the ISP-like blocks). Extracts of the reverse scan looks like this:
1.195.193.192.IN-ADDR.ARPA domain name pointer global1.citicorp.com
2.195.193.192.IN-ADDR.ARPA domain name pointer global2.citicorp.com
3.195.193.192.IN-ADDR.ARPA domain name pointer global3.citicorp.com
4.195.193.192.IN-ADDR.ARPA domain name pointer global4.citicorp.com
119.195.193.192.IN-ADDR.ARPA domain name pointer arrow1.citicorp.com
119.195.193.192.IN-ADDR.ARPA domain name pointer arrow1-a.citicorp.com
120.195.193.192.IN-ADDR.ARPA domain name pointer global120.citicorp.com
150.195.193.192.IN-ADDR.ARPA domain name pointer fw-a-pri.ems.citicorp.com
151.195.193.192.IN-ADDR.ARPA domain name pointer fw-b-pri.ems.citicorp.com
192.195.193.192.IN-ADDR.ARPA domain name pointer egate3.citicorp.com
194.195.193.192.IN-ADDR.ARPA domain name pointer egate.citicorp.com
232.195.193.192.IN-ADDR.ARPA domain name pointer iss-pix11.citicorp.com
233.195.193.192.IN-ADDR.ARPA domain name pointer iss-pix12.citicorp.com
234.195.193.192.IN-ADDR.ARPA domain name pointer nr1.citicorp.com
121.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb1.pbg.citicorp.com
122.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb1b.pbg.citicorp.com
123.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb3a.pbg.citicorp.com
231.196.193.192.IN-ADDR.ARPA domain name pointer iss2.citicorp.com
232.196.193.192.IN-ADDR.ARPA domain name pointer iss-pix21.citicorp.com
233.196.193.192.IN-ADDR.ARPA domain name pointer iss-pix22.citicorp.com
190.74.128.210.IN-ADDR.ARPA domain name pointer telto-gw.dentsu.co.jp
190.74.128.210.IN-ADDR.ARPA domain name pointer citibank-gw.dentsu.co.jp
192.74.128.210.IN-ADDR.ARPA domain name pointer webby-gcom-net.dentsu.co.jp
10.38.193.192.IN-ADDR.ARPA domain name pointer pbgproxy1a.pbg.citicorp.com
11.38.193.192.IN-ADDR.ARPA domain name pointer pbgproxy1b.pbg.citicorp.com
12.38.193.192.IN-ADDR.ARPA domain name pointer pbggd1a.pbg.citicorp.com
53.73.193.192.IN-ADDR.ARPA domain name pointer www.citicommerce.com
Most of the non-192.193 block does not resolve to anything. Some of the 192.193 reverse DNS names tells us about the technology used. There are PIX firewalls (nr-pix21.citicorp.com_), possible ISS scanners or IDS systems (iss2.citicorp.com) and proxy servers (cd-proxy.citicorp.com). We also see that there are other Citibank-related domains - citicorp.com, citicorpmortgage.com, citimarkets.com, citiaccess.com and citicommerce.com. It can clearly be seen that most of the IP numbers reverse resolves to the citicorp.com domain. There are sub-domains within the Citicorp domain - ems.citicorp.com, pki.citicorp.com, pbg.citicorp.com and edc.citicorp.com.
How do we get reverse entries for hosts? Well – there is two ways. Just as you can do a Zone Transfer for a domain, you can do a Zone transfer for a netblock. Really. Check this out:
#host -l 74.128.210.in-addr.arpa
74.128.210.in-addr.arpa name server www.inter.co.jp
74.128.210.in-addr.arpa name server ns1.iij.ad.jp
126.74.128.210.in-addr.arpa domain name pointer cabinet-gw.dentsu.co.jp
128.74.128.210.in-addr.arpa domain name pointer telto-net.dentsu.co.jp
etc. etc.
And just as some Zone Transferes are denied on some domains, some ZTs are also denied on netblocks. This does not keep us from getting the actual reverse DNS entry. If we start at getting the reverse DNS entry for 210.128.74.1 and end at 210.128.74.255 (one IP at a time), we still have the complete block. See the script reversescan.pl at the end of the chapter for how to do it nicely.
Summary
To attack a target you must know where the target is. On numerous occasions we have seen that attacking the front door is of no use. Rather attack a branch or subsidiary and attack the main network from there. If a recipe exists for mapping a network from the Internet it would involve some or all of the following steps:
• Find out what "presence" the target has on the Internet. This include looking at web server-, mail exchanger and NS server IP addresses. If a zone transfer can be done it is a bonus. Also look for similar domains (in our case it included checks for all country extensions(with .com and .co appended) and the domain citicorp.com) It might involve looking at web page content, looking for partners and affiliates. Its mainly mapping known DNS names to IP address space.
• Reverse DNS scanning will tell you if the blocks the target it is contains more equipment that belongs to the target. The reverse names could also give you an indication of the function and type of equipment.
• Finding more IP addresses - this can be done by looking if the target owns the netblock were the mail exchanger/web server/name server is located. It could also include looking at the Registries (APNIC,RIPE and ARIN) for additional netblocks and searches where possible.
• Tracerouting to IP addresses within the block to find the actual location of the endpoints. This helps you to get an idea which blocks bound together and are physically located in the same spot.
• Look at routing tables on core routers. Find out which parts of the netblocks are routed - it makes no sense to attack IP numbers that is not routed over the Internet.
The tools used in this section are actually quite simple. They are the Unix "host" command, "traceroute", and a combination of PERL, AWK, and standard Unix shell scripting. I also used some websites that might be worth visiting:
• APNIC http://www.apnic.net (Asian pacific)
• RIPE http://www.ripe.net/cgi-bin/WHOIS (Euopean)
• ARIN http://www.arin.net/WHOIS/index.html (American)
For completeness sake I put the (really not well written) shell and PERL scripts here. They are all very simple...:
Reversescanner.pl:
(the input for this script is a IP range e.g. 160.124.19.0-160.124.19.100. Output is sent to STDOUT so >& it...)
#!/usr/bin/perl
# Usage: perl reversecanner.pl 160.124.19.0-160.124.19.100
$|=1;
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
@ip2=split(/\./,@een[$#een]);
for ($a=@ip1[0]; $a<1+@ip2[0]; $a++) {
for ($b=@ip1[1]; $b<1+@ip2[1]; $b++) {
for ($c=@ip1[2]; $c<1+@ip2[2]; $c++) {
for ($d=@ip1[3]; $d<1+@ip2[3]; $d++) {
print "$a.$b.$c.$d : ";
system "host $a.$b.$c.$d";
}}}}
Tracerouter.pl:
Input is a network or subnet e.g. 160.124.19.10. Output is to STDOUT so >& it. It takes the next IP in the specified input block and trace to it. (the script also provides for the a.b.c.d-w.x.y.z input format as the reversescanner)
#!/usr/bin/perl
# Usage: perl tracerouter.pl 160.124.21.92
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
my $string;
$string=@ip1[0].".".@ip1[1].".".@ip1[2].".".(1+@ip1[3]);
system "traceroute -m 50 $string";
Domain_info.sh:
All the domains you want to investigate should be in a file called "domains". Output is appended to file called "all". Change as you wish...:)
#!/usr/local/bin/tcsh
foreach a (`cat domains`)
echo " " >> all
echo ====Domain: $a >> all
echo --Zone transfer: >> all
host -l $a >> all
echo --Webserver: >> all
host www.$a >> all
echo --Nameservers: >> all
host -t ns $a >> all
echo --Mailservers: >> all
host -t mx $a >> all
continue
end
Get_routes.pl:
This perl script logs into core router route1.saix.net and displays to STDOUT the routing tables that matches any given net. Input field is the route search term (makes use of the Net::Telnet module that can be found on CPAN).
#!/usr/local/bin/perl
#Usage: perl get_routes.pl 192.193
use Net::Telnet ();
$t = new Net::Telnet (Timeout => 25,Prompt=>'/\>/');
$t->open("route1.saix.net");
$soeker=@ARGV[0];
$t->waitfor('/>/');
@return=$t->cmd("terminal length 0");
@return=$t->cmd("show ip route | include $soeker");
print "@return\n";
The rest of the results were compiled using these tools in scripts or piping output to other ad hoc scripts, but this is not worth listing here.
Added later: hey! I wrote a script that does a lot of these things for you automatically. It uses a nifty tool called “The Geektools proxy”, written by a very friendly chap named Robb Ballard <robb@centergate.com> . Before you try this, ask Robb if you may have the PERL code to the script – he is generally a cool dude, and without it you miss a lot of functionality. Oh BTW, it also uses Lynx for site crawling. Hereby the code (its really lots of glue code – so bear with me):
#!/usr/bin/perl
use Socket;
$domain=@ARGV[0];
$nameserver="196.4.160.2";
sub qprint
{
open(db,">>$domain.report") || die "Couldnt open quickwrite\n";
print db @_;
close (db);
}
open (IN,"@ARGV[1]") || die "Couldnt open brute force DNS names file\n";
while (<IN>){
chomp;
@tries[$i]=$_;
$i++;
}
qprint "==Report begin\n";
###############################first get the www record
@results=`host -w www.$domain $nameserver`;
if ($#results<1) {qprint "No WWW records\n";}
else
{
foreach $line (@results) {
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$www=@quick[1]; chomp $www;
qprint "Webserver have address $www\n";
}
}
}
$counter=0;
##################################### MX records
$counter=0; @mxdb=();
@results=`host -w -t mx $domain $nameserver`;
if ($#results<1) {qprint "No MX records\n";}
else {
foreach $line (@results) {
@quick=split(/by /,$line);
@pre=split(/pri=/,$line);
@pre1=split(/\)/,@pre[1]);
$mx=@quick[1];
chomp $mx;
if (length($mx)>0) {
@resolve=`host -w $mx $nameserver`;
foreach $line2 (@resolve) {
chomp $line2;
if ($line2 =~ /has address/) {
@quicker=split(/has address/,$line2);
}
}
$mxip=@quicker[1];
$mxip=~s/ //g;
chomp $mxip;
@ip[$counter]=$mxip;
qprint "MX record priority @pre1[0] : $mxip\n";
$counter++;
}
}
}
#Check Zonetransfer
@results=`host -w -l $domain`;
if ($#results<2) {
qprint "==Could not do ZT - going to do brute force\n";
#########################################Brute force
foreach $try (@tries){
@response=`host $try.$domain`;
foreach $line (@response){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
}
######################################## normal ZT
else {
qprint "==Zone Transfer\n";
foreach $line (@results){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
###################################### PART II ###############Now we want to check the class Cs
# we have names in @name and ips in @ip
@sip=sort @ip;
@sname=sort @name;
###################################class Cs & uniq:
qprint "\n";
foreach $line (@sip){
if (!($line =~ /127.0.0.1/)){
@splitter=split(/\./,$line);
$classc=@splitter[0].".".@splitter[1].".".@splitter[2];
$justc{$classc}++;
}
}
$counter=0;
@sclassc=sort (keys (%justc));
foreach $line (@sclassc){
@class[$counter]=$line;
qprint "ClassC with $justc{$line} : $line\n";
$counter++;
}
foreach $line (@sname){
$justnames{$line}=1;
}
$counter=0;
@namesl=sort (keys (%justnames));
foreach $line (@namesl){
@nam[$counter]=$line;
qprint "names: $line\n";
$counter++;
}
######################### do some whois - GEEKTOOLS
foreach $subnet (@class){
qprint "==Geektools whois of block $subnet:\n";
@response=`perl whois.pl $subnet`;
qprint @response;
}
################################reversescans
#first try quick way
foreach $subnet (@class){
@splitter=split(/\./,$subnet);
$classr=@splitter[2].".".@splitter[1].".".@splitter[0].".in-addr.arpa";
@results=`host -l $classr`;
if ($#results<1) {
qprint "==No reverse entry for block $subnet - have go manual\n";
for ($d=1; $d<255; $d++) {
@response=`host $subnet.$d`;
foreach $line (@response){
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
else
{
qprint "==Reverse lookup for block $subnet permitted\n";
foreach $line (@results) {
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
################################### ping sweeps
foreach $subnet (@class){
qprint "\n==Nmap pingsweep of subnet $subnet\n\n";
@results=`nmap -sP -PI $subnet.1-255`;
qprint @results;
}
#system "rm *.dat";
#############################search the webpage
qprint "\n==Doing WWW harvest\n";
@dummy=`lynx -accept_all_cookies -crawl -traversal http://www.$domain`;
qprint "http://www.$domain\n";
@response = `cat ./reject.dat`;
foreach $line (@response){
chomp $line;
if ($line =~ /http/){
@splitter=split(/\//,$line);
$uniql{@splitter[2]}++;
}
if ($line =~ /mailto/){
@splitter=split(/:/,$line);
$uniqm{@splitter[1]}++;
}
}
foreach $links (keys (%uniql)){
qprint "External link $uniql{$links} : $links\n";
}
foreach $links (keys (%uniqm)){
qprint "External email $uniqm{$links} : $links\n";
}
The file “common” looks like this (its used for guessing common DNS names within a domain(its not really in 3 columns, I just save some trees. )
www
ftp
ns
mail
3com
aix
apache
back
bastion
bind
border
bsd
business
chains
cisco
content
corporate
cvp
debian
dns
domino
dominoserver
download
e-bus
e-business
e-mail
e-safe
email
esafe
external
extranet
firebox
firewall
freebsd
front
ftp
fw
fw-
fwe
fwi
gate
gatekeeper
gateway
gauntlet
group
help
hop
hp
hp-ux
hpjet
hpux
http
https
hub
ibm
ids
info
inside
internal
internet
intranet
ipchains
ipfw
irix
jet
list
lotus
lotusdomino
lotusnotes
lotusserver
mail
mailfeed
mailgate
mailgateway
mailgroup
mailhost
maillist
mailmarshall
mailpop
mailrelay
mandrake
mimesweeper
ms
msproxy
mx
nameserver
news
newsdesk
newsfeed
newsgroup
newsroom
newsserver
nntp
notes
noteserver
notesserver
ns
nt
openbsd
outside
pix
pop
pop3
pophost
popmail
popserver
print
printer
printspool
private
proxy
proxyserver
public
qpop
raptor
read
redcreek
redhat
route
router
router
scanner
screen
screening
secure
seek
slackware
smail
smap
smtp
smtpgateway
smtpgw
sniffer
snort
solaris
sonic
spool
squid
sun
sunos
suse
switch
transfer
trend
trendmicro
unseen
vlan
wall
web
webmail
webserver
webswitch
win2000
win2k
win31
win95
win98
winnt
write
ww
www
xfer

No comments:

Post a Comment

LinkWithin

Related Posts Plugin for WordPress, Blogger...

Popular Posts