18
Chapter 3
NSLookup
To get additional server information, we'll use Back|Track to leverage nslookup, a tool built into most operating systems, to find information about secmaniac.net. Here we ask specifically for the domain's MX (mail exchanger) records.
root@bt:~# nslookup
> set type=mx
> secmaniac.net
Server: 172.16.32.2
Address: 172.16.32.2#53
Non-authoritative answer:
secmaniac.net mail exchanger = 10 mailstore1.secureserver.net.
secmaniac.net mail exchanger = 0 smtp.secureserver.net.
We see in this listing that the domain's mail exchangers are mailstore1.secureserver.net and smtp.secureserver.net; the lower preference value (0) marks smtp.secureserver.net as the primary. Note that the answer is marked non-authoritative: it came from the cache of our local resolver (172.16.32.2), not from the domain's own name servers. Some quick research on these mail servers tells us that mail for this domain is hosted by a third party, which would not be within the scope of our penetration test.
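The scoping decision above (which MX hosts belong to the target and which to a third party) is easy to get wrong by eye when a domain has many records, so here is a small parser for the nslookup output format shown in the listing. This is an added example, not code from the book or from Back|Track; the sample output is a constructed copy of the session above, and the "same registrable domain" rule used to decide scope is an assumption for illustration (a real engagement would check the rules of engagement and a public-suffix list).

```python
"""Parse `nslookup -type=mx` style output, rank the mail hosts, flag scope.

Added example, not from the book. SAMPLE_OUTPUT is a constructed copy of the
nslookup session in the text. The scope rule (a host is in scope only if it
sits under the target's registrable domain) is an assumption for illustration.
"""
import re
from typing import List, NamedTuple


class MXRecord(NamedTuple):
    preference: int   # lower value = tried first by sending MTAs
    host: str
    in_scope: bool


# Constructed sample mirroring the nslookup session in the text.
SAMPLE_OUTPUT = """\
Server: 172.16.32.2
Address: 172.16.32.2#53
Non-authoritative answer:
secmaniac.net mail exchanger = 10 mailstore1.secureserver.net.
secmaniac.net mail exchanger = 0 smtp.secureserver.net.
"""

MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+mail exchanger\s*=\s*(?P<pref>\d+)\s+(?P<host>\S+)$"
)


def registrable_domain(name: str) -> str:
    """Crude 'last two labels' rule (assumption; not a public-suffix lookup)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_authoritative(output: str) -> bool:
    """False when the resolver answered from cache rather than the zone's NS."""
    return "Non-authoritative answer:" not in output


def parse_mx(output: str, target: str) -> List[MXRecord]:
    """Extract MX records from nslookup output, sorted by preference.

    Each record is flagged in_scope when the mail host shares the target's
    registrable domain; anything else is third-party hosting.
    """
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if not m:
            continue
        host = m.group("host").rstrip(".").lower()
        in_scope = registrable_domain(host) == registrable_domain(target)
        records.append(MXRecord(int(m.group("pref")), host, in_scope))
    return sorted(records, key=lambda r: (r.preference, r.host))


def primary_mx(records: List[MXRecord]) -> str:
    """Host with the lowest preference value; the one most mail is sent to."""
    return records[0].host if records else ""


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_OUTPUT, "secmaniac.net")
    print("authoritative answer:", is_authoritative(SAMPLE_OUTPUT))
    for r in recs:
        print(f"{r.preference:>3} {r.host:<35} {'IN SCOPE' if r.in_scope else 'third party'}")
    print("primary MX:", primary_mx(recs))
```

Run against the sample, both hosts come back flagged as third party and smtp.secureserver.net is reported as primary; because the answer was non-authoritative, a careful tester would repeat the query against one of the domain's NS records before relying on it.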
At this point, we have gathered some valuable information that we might be able to use against the target later on. Ultimately, however, we have to resort to active information gathering techniques to determine the actual target IP, which is 75.118.185.142.
NOTE
Passive information gathering is an art that is not easily mastered in just a few pages of discussion. See the Penetration Testing Execution Standard (PTES; http://www.pentest-standard.org/) for a list of potential ways to perform additional passive intelligence gathering.
Active Information Gathering
In active information gathering, we interact directly with a system to learn more about it. We might, for example, conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation. But beware: If you get careless while active information gathering, you might be nabbed by an intrusion detection system (IDS) or intrusion prevention system (IPS)—not a good outcome for the covert penetration tester.
Port Scanning with Nmap
Having identified the target IP range with passive information gathering as well as the secmaniac.net target IP address, we can begin to scan for open ports on the target by port scanning, a process whereby we meticulously connect to ports on the remote host to identify those that are active. (Obviously, in a larger enterprise, we would have multiple IP ranges and things to attack instead of only one IP.)
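The two preceding passages describe what a port scan actually does (complete a connection to each port and note which ones answer) and why doing it carelessly gets you noticed by an IDS/IPS. The following added example, which is not code from the book and not part of Nmap, implements the simplest version, a TCP connect() scan, with an optional per-probe delay and randomized port order as the most basic form of pacing. So that it can be run offline, it scans only 127.0.0.1 against listeners it creates itself; the helper names and the loopback target are assumptions for the demonstration.

```python
"""Minimal TCP connect() port scanner with a self-hosted target.

Added example, not from the book or Nmap. A connect() scan completes the
three-way handshake with every port it probes, so each hit reaches the
service and its logs; this is the scan an IDS/IPS sees most easily.
Everything here runs against 127.0.0.1 on listeners the script starts
itself (assumption for offline use); no real host is touched.
"""
import random
import socket
import threading
import time
from typing import Iterable, List


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                 delay: float = 0.0, shuffle: bool = False) -> List[int]:
    """Return the sorted list of ports on host that accept a TCP connection.

    delay and shuffle are the crudest evasion knobs: a burst of sequential
    connects is exactly the pattern a signature-based IDS matches first.
    """
    port_list = list(ports)
    if shuffle:
        random.shuffle(port_list)
    open_ports = []
    for port in port_list:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, else an errno
            # (e.g. ECONNREFUSED for a closed port, timeout for a filtered one)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
        if delay:
            time.sleep(delay)
    return sorted(open_ports)


def start_listener(host: str = "127.0.0.1") -> int:
    """Start a throwaway TCP service on an ephemeral port; return the port.

    Stands in for a real target service so the scanner can be exercised
    offline. Each accepted connection is closed immediately.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host: str = "127.0.0.1") -> int:
    """Return a port number that is currently closed (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    live = start_listener()       # plays the role of a listening service
    dead = free_port()            # a port with nothing behind it
    found = connect_scan("127.0.0.1", [dead, live], delay=0.1, shuffle=True)
    print(f"listening on {live}, nothing on {dead}; scan reports open: {found}")
```

Because the scan finishes the handshake, the listener's accept() fires for every open port it touches, which is why the text warns about being nabbed: a real service logs the connection, and an IDS sees a stream of SYNs from one source walking the port range. Nmap's default SYN scan avoids completing the handshake, and its timing templates do far more than the delay knob here, but the underlying idea is the same.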
Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for