Intelligence Gathering
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECMANIAC.NET
Created on: 03-Feb-10
Expires on: 03-Feb-12
Last Updated on: 03-Feb-10
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
We learn that the Domain Name System (DNS) servers are hosted by DOMAINCONTROL.COM, so this is a good example of systems that would not be included in a penetration test because we would have no authority to attack them. In most large organizations, the DNS servers are housed within the company and are viable attack vectors. Zone transfers and similar DNS attacks can often be used to learn more about a network from both the inside and the outside. In this scenario, because DOMAINCONTROL.COM is not owned by secmaniac.net, we should not attack these systems and will instead move on to a different attack vector.
Netcraft
Netcraft (http://searchdns.netcraft.com/) is a web-based tool that we can use to find the IP address of a server hosting a particular website, as shown in Figure 3-1.
Figure 3-1: Use Netcraft to find the IP address of the server hosting a particular website.
Having identified secmaniac.net's IP address as 75.118.185.142, we do another whois lookup on that IP address:
msf > whois 75.118.185.142
[*] exec: whois 75.118.185.142
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
75.118.0.0 - 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
75.118.184.0 - 75.118.191.255
We see from the whois lookup and a quick search that this IP (WIDEOPENWEST) appears to belong to a legitimate service provider. While the actual subnet range isn't specifically registered to secmaniac.net or secmaniac.com, we can tell that this site appears to be hosted inside the author's home, because the IP block appears to be part of a residential range.
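As an added example (not code from the book or from Metasploit), the following Python script turns the two whois listings shown above into the scoping decisions this section makes by hand: it pulls the nameservers out of the registrar record and flags which of them live under the target's own domain (and so could be in scope), and it finds the most specific network allocation containing the web server's address. The two listings are embedded verbatim from this page; the function names and the two-label parent-domain rule are assumptions of this example, and a real registrar or RIR record may use different field labels.

```python
import ipaddress
import re

# Registrar whois output for the target domain, copied from this page.
DOMAIN_WHOIS = """\
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECMANIAC.NET
Created on: 03-Feb-10
Expires on: 03-Feb-12
Last Updated on: 03-Feb-10
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
"""

# IP whois output for the web server's address, copied from this page.
IP_WHOIS = """\
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
75.118.0.0 - 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
75.118.184.0 - 75.118.191.255
"""


def parse_nameservers(text):
    """Return the hostnames listed after 'Domain servers in listed order:'."""
    servers = []
    collecting = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("domain servers in listed order"):
            collecting = True
            continue
        if collecting:
            if not line:
                break
            servers.append(line.lower())
    return servers


def parent_domain(hostname):
    """Reduce a hostname to its last two labels (assumed registrable parent),
    e.g. ns57.domaincontrol.com -> domaincontrol.com."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_nameservers(text, target_domain):
    """Map each nameserver to True if it sits under the target's own domain
    (a candidate for scope), or False if it belongs to a third party."""
    target = parent_domain(target_domain)
    return {ns: parent_domain(ns) == target for ns in parse_nameservers(text)}


# A line of the form "75.118.0.0 - 75.118.255.255".
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def parse_net_ranges(text):
    """Pair each organisation line with the address range that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    ranges = []
    for i, line in enumerate(lines):
        m = RANGE_RE.match(line)
        if m and i > 0:
            ranges.append((lines[i - 1], m.group(1), m.group(2)))
    return ranges


def smallest_allocation(text, ip):
    """Return (org, first, last) for the most specific range containing ip,
    or None if no listed range contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for org, first, last in parse_net_ranges(text):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo <= addr <= hi:
            size = int(hi) - int(lo)
            if best is None or size < best[0]:
                best = (size, org, first, last)
    return None if best is None else best[1:]


if __name__ == "__main__":
    for ns, in_scope in classify_nameservers(DOMAIN_WHOIS, "secmaniac.net").items():
        print(f"{ns}: {'candidate for scope' if in_scope else 'third party, out of scope'}")
    print(smallest_allocation(IP_WHOIS, "75.118.185.142"))
```

Run against the page's listings, both nameservers come back as third-party (they resolve to domaincontrol.com, not secmaniac.net), and the address falls in the smaller WIDEOPENWEST OHIO block rather than the parent /16, which is the allocation to cite when documenting why the host is treated as residential rather than corporate space.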