Intelligence Gathering

17

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: SECMANIAC.NET
      Created on: 03-Feb-10
      Expires on: 03-Feb-12
      Last Updated on: 03-Feb-10

Domain servers in listed order:

      NS57.DOMAINCONTROL.COM
      NS58.DOMAINCONTROL.COM

We learn at   that the Domain Name System (DNS) servers are hosted 

by 

DOMAINCONTROL.COM

, so this is a good example of systems that would 

not be included in a penetration test because we would have no authority to 
attack them. In most large organizations, the DNS servers are housed within 
the company and are viable attack vectors. Zone transfers and similar DNS 
attacks can often be used to learn more about a network from both the inside 
and outside. In this scenario, because 

DOMAINCONTROL.COM

 is not owned 

by 

secmaniac.net

, we should not attack these systems and will instead move on 

to a different attack vector.

Netcraft

Netcraft (

http://searchdns.netcraft.com/

) is a web-based tool that we can use to find 

the IP address of a server hosting a particular website, as shown in Figure 3-1.

Figure 3-1: Use Netcraft to find the IP address of the server hosting a particular website.

Having identified 

secmaniac.net

’s IP address as 75.118.185.142, we do 

another 

whois

 lookup on that IP address:

msf > 

whois 75.118.185.142

[*] exec: whois 75.118.185.142
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
                                  75.118.0.0 - 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
                                  75.118.184.0 - 75.118.191.255

We see from the 

whois

 lookup and a quick search that this IP 

(

WIDEOPENWEST

) appears to be a legitimate service provider. While 

the actual subnet range isn’t specifically registered to 

secmaniac.net

 or 

secmaniac.com

, we can tell that this site appears to be hosted inside the 

author’s home, because the IP block appears to be part of a residential 
range.