The other thing that may also be valuable here is DNS zone transfers. Whois is the registration database that says abc.com is registered by, and is owned by, and is managed by, and that's public information. Anybody can get that just by going out to the whois website, or any of the websites that give access to the whois database, putting in a simple query, and getting the information back. It's free of charge. It doesn't cost anything. You're not breaking any laws. All that information is publicly available worldwide for any company anywhere in the world. But a DNS zone transfer is a different story. It's not that it's not publicly available, and it's not that you may or may not be able to get the information. You're not breaking any laws by trying to get it. But if an administrator, a DNS admin, is smart, they have locked down the capability for zone transfers on the system they are managing, or whoever's in charge at the ISP, if they're using hosted DNS, has locked down their DNS zone so that transfers are only available to authorized DNS servers.

So the idea with the DNS zone transfer is that we pretend, or at least we attempt to pretend, we spoof being a DNS server, by using a tool called nslookup. There are other tools we can use, but nslookup is one that will often work. When you load or use nslookup on a system, you open it from a command prompt. You type in nslookup, the program loads, and then you have access to its command shell. In the shell we can set our IP address and specify that we are a DNS server. It's a simple command string to do. When we've done that, we can then issue a command that will list the domain, list the individual records in a domain, in a zone, a namespace, and we can target the server that's what we call authoritative, the one that's in charge of that registration. Again, all just using some simple commands at a command line inside the tool.
By doing that, if the system is not set correctly, if it will talk to strangers in effect, we can actually transfer that zone information and get a copy of all the name registration records. The A records, or host records; the PTR records, the pointer or reverse lookup records, if they exist; the MX records, the mail server records; the CNAME records, the alias records; the SOA, the start of authority record; the NS records, plural usually, the name server records, other DNS servers that are used and/or are authoritative in the system, or are getting copies of the zone and sharing it. By mapping out all this information, we've been given, in effect, the names and the IP addresses of every machine of importance inside of the domain. I don't have to go probe behind the firewall to figure that out. I've got a map. Oh, you want to go and talk to the domain controller? I've got that right here. Oh, you want to see our web servers? Yep, I've got those. They're listed right here. They're over there. All you've got to do is go to this IP. You'll be able to find that. I've got all that information already. This is a huge, huge win for us during a penetration test. We can get this information because it gives us an advantage. It tells us the names of the machines, tells us the internal IP range, or if there are external IPs associated with them because they're being proxied or published out from behind a system. We'll have the aliases and things of that nature. We'll know what all that is. We can now use that information once we get past the gateway, the border devices, to go specifically and target that machine, because we already know where it is. We know what it's called. And we know how to find it. So if we can transfer the zone information, this is going to be pretty big for us. Now, normally zone transfers are blocked these days anyway. They're blocked by default, depending on the nature of the DNS system you use, and with the default settings of the server that should be the case.
But it wasn't always. Back several years ago, in the earlier days of networking, we didn't realize the DNS zone transfer information could be a potential big win for a hacker and a liability for us from a security standpoint. Not every operating system, not every DNS service, would block zone transfers by default. As a matter of fact, we used to allow that by default at certain points in time. This has obviously changed. We've become smarter about this. But there are still systems that, for whatever reason, either have not changed that behavior or have not figured out it's a bad idea, and they allow unrestricted zone transfers. We do allow zone transfers, but traditionally we allow them only to specified servers by default. And if you allow unrestricted zone transfers, somebody may be able to come in and take that information. Keep that in mind. That's just another example of the ways in which we may, through reconnaissance and network mapping in phase two, actually gather very useful information.

Network mapping allows us to go in and, as I said, paint the picture, find out what all the little pings on the map are, and put a name and an IP address with them. Obviously a DNS zone transfer would be a great way to figure that out. We may be able to use services and systems that do this. There are programs, network view and a variety of different programs. The Winds has a really good one that you can go out and use that will effectively go out and scan and ping every machine in a range, and then come back and tell you what's there. You could then graphically represent that or create a plot. There are different ways to do that. Ultra port scanner, Angry IP Scanner. All these different programs will effectively do this. Network mapping techniques allow us to go in and use a variety of connection methodologies or scans. Some are noisy, some are quiet, some are stealthy, some are obvious. It just depends on the nature of the scan we want to use.
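The defensive side of what the lecture describes is making sure the zone only ever goes to the secondaries that are supposed to get it, and noticing when someone else asks. Below is an added Python example, not from the lecture or from any DNS vendor, that audits server log lines for zone transfers. The log lines are constructed to resemble the shape of BIND 9's transfer and security messages (exact wording differs between versions), and the allow-list, zone and IP addresses are made-up placeholders from the RFC 5737 documentation ranges.

```python
"""Flag DNS zone-transfer (AXFR) activity from hosts that are not authorized secondaries.

Added example, not from the lecture. The log lines are constructed in the shape of
BIND 9's transfer and security messages (exact wording varies by version); the
allow-list and all addresses are made-up placeholders from RFC 5737 ranges.
"""
import ipaddress
import re

# Hypothetical allow-list: the only secondaries that should ever pull each zone.
AUTHORIZED_SECONDARIES = {
    "example.com": {"198.51.100.10", "198.51.100.11"},
}

# Constructed sample lines: one legitimate transfer, one denied attempt, and one
# transfer the server wrongly served to a stranger.
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.111 xfer-out: info: client @0x7f3a1c0b5e10 198.51.100.10#53210 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:01:02.300 xfer-out: info: client @0x7f3a1c0b5e10 198.51.100.10#53210 (example.com): transfer of 'example.com/IN': AXFR ended
12-Mar-2024 10:07:44.812 security: error: client @0x7f3a1c0b6a20 203.0.113.5#41002 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 10:09:10.004 xfer-out: info: client @0x7f3a1c0b7b30 203.0.113.77#40111 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:09:10.250 xfer-out: info: client @0x7f3a1c0b7b30 203.0.113.77#40111 (example.com): transfer of 'example.com/IN': AXFR ended
"""

# Shape matched: client [@0xHANDLE] IP#PORT (ZONE): MESSAGE
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): (?P<msg>.*)$"
)


def classify_line(line, allowlist):
    """Return a finding dict for one log line, or None if it is not transfer-related."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip = str(ipaddress.ip_address(m.group("ip")))  # normalise v4/v6 spelling
    zone = m.group("zone").lower()
    msg = m.group("msg")
    authorized = ip in allowlist.get(zone, set())
    if "AXFR started" in msg:
        # The server actually served the zone. If the client is not an
        # authorized secondary, allow-transfer is too permissive and the
        # whole name-to-address map has just been handed out.
        finding = "authorized_transfer" if authorized else "UNAUTHORIZED_TRANSFER"
        return {"ip": ip, "zone": zone, "finding": finding}
    if "zone transfer" in msg and "denied" in msg:
        # Correctly refused, but still worth knowing someone is mapping the domain.
        return {"ip": ip, "zone": zone, "finding": "denied_attempt"}
    return None


def audit_transfer_log(log_text, allowlist=AUTHORIZED_SECONDARIES):
    """Scan a log blob and return every transfer event that needs a human's attention."""
    findings = []
    for line in log_text.splitlines():
        f = classify_line(line, allowlist)
        if f and f["finding"] != "authorized_transfer":
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_transfer_log(SAMPLE_LOG):
        print(f"{f['finding']:22} {f['zone']:15} from {f['ip']}")
```

An `UNAUTHORIZED_TRANSFER` finding means the configuration, not the attacker, is the problem: on BIND the control is the zone's `allow-transfer` statement, which should list only the real secondaries (ideally keyed with TSIG) rather than `any`; a `denied_attempt` is the server doing its job and is simply a reconnaissance signal worth correlating with other scanning from the same address.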
Something as simple as I mentioned is a ping, where we send out a ping packet and we get back the ping information from the system. Are you there, one dot two dot three dot four? If it is, we get back four replies in sequence very quickly. Yes I am, yes I am, yes I am, yes I am. And then we know that machine is there, answering on that IP range or that IP address. So an ICMP echo request will allow us very quickly and authoritatively to validate whether a machine is online. But we have evidence of ping traffic, we know what it is, and we track it. If you do it from outside the firewall, the gateway devices may be designed specifically to block inbound ping traffic, because we know the only reason you're outside the network trying to ping in is because you want to locate something. If you want to locate something and you're not already in the network and you don't know where it is, chances are good you don't need to see it. So we're probably not going to let you get that response back out. We're going to block that. We're going to effectively absorb your ping request at the gateway and prevent it from coming back out of the network. And as a result of that, we're not going to allow inbound ping traffic from outside; at least, the smart network security administrator would do that. So that may or may not work. But remember, if it's a white box test we're on the inside of the network, we already know the machines are there, but we may use a ping request just to validate connectivity. We should be able to do that from inside the network, because chances are good we're not blocking ping traffic once we're inside. So that may or may not work. More often than not it doesn't work from outside. But we want to keep that in mind and be aware of that. A TCP connect scan is a noisy scan. It's a full three-way handshake.
The TCP three-way handshake involves the idea of setting up a connection, effectively synchronizing a conversation, starting it off, agreeing that both parties are going to talk, and then how that is going to happen. That is what we call the TCP three-way handshake. So it starts with what we call a SYN request. SYN is short for synchronize, S-Y-N. The sender will send the recipient that we want to target a connection with a SYN packet to set up and synchronize. That's part one of the handshake. The recipient has to acknowledge the SYN, the synchronization request, and then send their own SYN, their own synchronization request, back to complete the circuit going the other way.
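To make the difference between a ping sweep and a noisy TCP connect scan concrete from the monitoring side, here is an added Python example that is not from the lecture. It reconstructs the full three-way handshake, the SYN, the SYN/ACK the lecture describes, and the client's closing ACK that completes it, from constructed packet summaries, and flags a source that either pings many distinct hosts or completes handshakes to many distinct ports within a short window. The record format, the addresses, the thresholds and the window are all assumptions chosen for the example.

```python
"""Spot a ping sweep and a noisy TCP connect scan in packet summaries.

Added example, not from the lecture. Records are constructed tuples of
(time_s, src, dst, proto, detail): for "tcp" detail is (server_port, flags)
with flags "S", "SA" or "A"; for "icmp" detail is the message type name.
Thresholds, window and addresses are arbitrary choices for the demo.
"""
from collections import defaultdict

SWEEP_HOSTS = 8    # distinct hosts pinged by one source within WINDOW_S
SCAN_PORTS = 10    # distinct (server, port) fully connected by one source within WINDOW_S
WINDOW_S = 5.0


def handshake_completions(records):
    """Reconstruct TCP three-way handshakes: SYN -> SYN/ACK -> ACK.

    Returns (time_of_ack, client, server, port) for every flow in which all
    three steps were seen, i.e. a full connect rather than a half-open probe.
    """
    state = {}   # (client, server, port) -> last handshake step reached
    done = []
    for t, src, dst, proto, detail in records:
        if proto != "tcp":
            continue
        port, flags = detail
        if flags == "S":                 # step 1: client -> server SYN
            state[(src, dst, port)] = 1
        elif flags == "SA":              # step 2: server -> client SYN/ACK
            key = (dst, src, port)       # flow is keyed by the client side
            if state.get(key) == 1:
                state[key] = 2
        elif flags == "A":               # step 3: client -> server ACK
            key = (src, dst, port)
            if state.get(key) == 2:
                state[key] = 3
                done.append((t, src, dst, port))
    return done


def _distinct_in_window(events, threshold):
    """True if some WINDOW_S-second span holds >= threshold distinct targets."""
    events = sorted(events, key=lambda e: e[0])
    for i, (t0, _) in enumerate(events):
        targets = {tgt for t, tgt in events[i:] if t - t0 <= WINDOW_S}
        if len(targets) >= threshold:
            return True
    return False


def detect_recon(records):
    """Return [(finding, source_ip), ...] for ping sweeps and connect scans."""
    findings = []
    # ICMP echo requests: one source touching many distinct hosts quickly.
    echo = defaultdict(list)
    for t, src, dst, proto, detail in records:
        if proto == "icmp" and detail == "echo-request":
            echo[src].append((t, dst))
    for src, events in echo.items():
        if _distinct_in_window(events, SWEEP_HOSTS):
            findings.append(("ping_sweep", src))
    # Completed handshakes: one client fully connecting to many ports quickly.
    conns = defaultdict(list)
    for t, client, server, port in handshake_completions(records):
        conns[client].append((t, (server, port)))
    for src, events in conns.items():
        if _distinct_in_window(events, SCAN_PORTS):
            findings.append(("tcp_connect_scan", src))
    return findings


def _sample_records():
    """Constructed traffic: one scanner (203.0.113.9) and one benign host (10.0.0.20)."""
    recs = []
    for i in range(1, 13):   # sweep: pings 10.0.0.1 .. 10.0.0.12 in about a second
        recs.append((0.1 * i, "203.0.113.9", f"10.0.0.{i}", "icmp", "echo-request"))
        recs.append((0.1 * i + 0.01, f"10.0.0.{i}", "203.0.113.9", "icmp", "echo-reply"))
    ports = [21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389]
    for n, port in enumerate(ports):   # connect scan: full handshake on 12 ports
        t = 2.0 + 0.1 * n
        recs.append((t, "203.0.113.9", "10.0.0.5", "tcp", (port, "S")))
        recs.append((t + 0.01, "10.0.0.5", "203.0.113.9", "tcp", (port, "SA")))
        recs.append((t + 0.02, "203.0.113.9", "10.0.0.5", "tcp", (port, "A")))
    recs.append((5.0, "10.0.0.20", "10.0.0.1", "icmp", "echo-request"))   # benign
    recs.append((5.1, "10.0.0.20", "10.0.0.2", "icmp", "echo-request"))
    recs.append((5.2, "10.0.0.20", "10.0.0.5", "tcp", (443, "S")))
    recs.append((5.21, "10.0.0.5", "10.0.0.20", "tcp", (443, "SA")))
    recs.append((5.22, "10.0.0.20", "10.0.0.5", "tcp", (443, "A")))
    return recs


SAMPLE_RECORDS = _sample_records()

if __name__ == "__main__":
    for finding, src in detect_recon(SAMPLE_RECORDS):
        print(f"{finding:17} from {src}")
```

The handshake tracker is the part worth keeping: a half-open probe never reaches step 3, so counting only completed flows is what makes a connect scan stand out as the noisy, fully logged activity the lecture calls it, while the ICMP counter catches the sweep whether or not the gateway answered. Thresholds this low would be tuned against real baseline traffic before use.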