
Chapter 3

NSLookup

To get additional server information, we'll use Back|Track to leverage nslookup, a tool built into most operating systems, to find information about secmaniac.net. In the interactive session below we set the query type to MX so that nslookup returns the domain's mail exchanger records rather than its A records.

root@bt:~# nslookup
> set type=mx
> secmaniac.net
Server:         172.16.32.2
Address:        172.16.32.2#53

Non-authoritative answer:
secmaniac.net   mail exchanger = 10 mailstore1.secureserver.net.
secmaniac.net   mail exchanger = 0 smtp.secureserver.net.

We see in this listing that the mail servers are pointing to mailstore1.secureserver.net and smtp.secureserver.net (the number before each host is its preference value; the lowest, smtp.secureserver.net at 0, is tried first). Neither host lives under the target's own domain. Some quick research on these mail servers tells us that this website is hosted by a third party, which would not be within the scope of our penetration test.
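As an added example (not code from the book), here is how to turn an nslookup MX answer like the one above into a scope check: parse the mail exchanger lines, order them by preference, and flag every host whose registrable domain is not the target's. The answer text is a constructed copy of the listing; the "last two labels" domain heuristic is an assumption that does not handle multi-label public suffixes such as co.uk.

```python
"""Parse an interactive nslookup MX answer and flag mail servers hosted
outside the target's own domain (and therefore probably out of scope).

Added example, not from the book.  The answer below is a constructed copy
of the chapter's listing.
"""
import re

# Constructed sample: the nslookup MX answer shown in the chapter.
NSLOOKUP_MX_OUTPUT = """\
Server:         172.16.32.2
Address:        172.16.32.2#53

Non-authoritative answer:
secmaniac.net   mail exchanger = 10 mailstore1.secureserver.net.
secmaniac.net   mail exchanger = 0 smtp.secureserver.net.
"""

# owner  "mail exchanger = " preference  host (optionally with a trailing dot)
MX_LINE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+?)\.?$")


def parse_mx(output):
    """Return [(preference, host)] sorted so the preferred (lowest) MX comes first."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            _owner, pref, host = m.groups()
            records.append((int(pref), host.lower()))
    return sorted(records)


def registrable_domain(host):
    """Crude heuristic: the last two labels.  Assumption: no public suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def third_party_hosts(output, target_domain):
    """Hosts whose registrable domain differs from the target's.

    These belong to a third party and are out of scope unless the rules of
    engagement explicitly include them.
    """
    target = registrable_domain(target_domain.lower())
    return [host for _pref, host in parse_mx(output)
            if registrable_domain(host) != target]


if __name__ == "__main__":
    for pref, host in parse_mx(NSLOOKUP_MX_OUTPUT):
        print(f"{pref:>3}  {host}")
    print("third-party (out of scope):",
          third_party_hosts(NSLOOKUP_MX_OUTPUT, "secmaniac.net"))
```

Run it against a real answer by pasting nslookup's output into the string; anything it reports as third-party should be confirmed with the client before it is touched.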

At this point, we have gathered some valuable information that we might be able to use against the target later on. Ultimately, however, we have to resort to active information gathering techniques to determine the actual target IP, which is 75.118.185.142.

NOTE

Passive information gathering is an art that is not easily mastered in just a few pages of discussion. See the Penetration Testing Execution Standard (PTES; http://www.pentest-standard.org/) for a list of potential ways to perform additional passive intelligence gathering.

Active Information Gathering

In active information gathering, we interact directly with a system to learn more about it. We might, for example, scan the target for open ports, or probe it to determine which services are running. Each system or running service that we discover gives us another opportunity for exploitation. But beware: if you get careless during active information gathering, you might be nabbed by an intrusion detection system (IDS) or intrusion prevention system (IPS), not a good outcome for the covert penetration tester.

Port Scanning with Nmap

Having identified the target IP range with passive information gathering as well as the secmaniac.net target IP address, we can begin to scan for open ports on the target by port scanning, a process whereby we meticulously connect to ports on the remote host to identify those that are active. (Obviously, in a larger enterprise, we would have multiple IP ranges and things to attack instead of only one IP.)
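To show what "connecting to ports on the remote host" means at the socket level, here is an added example (not from the book, and not Nmap) of the simplest scan, a TCP connect scan: a full three-way handshake against each port, reporting the ones that accept. Because every probe completes a connection, this is also the noisiest kind of scan, which is exactly what the IDS/IPS warning above is about. So that it runs offline, the example opens its own throwaway listener on 127.0.0.1 and scans a small window of ports around it; the host, port window and timeout are assumptions for the demo.

```python
"""Minimal TCP connect scan against a local throwaway listener.

Added example, not from the book or from Nmap.  A connect scan completes the
handshake on every port it probes, so the target service (and any IDS/IPS
watching the wire) sees each attempt as a real connection.
"""
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that completed a TCP connect."""
    open_ports = []
    for port in ports:
        # One fresh socket per port.  connect_ex() returns 0 on success and an
        # errno (ECONNREFUSED, ETIMEDOUT, ...) otherwise, so closed and
        # filtered ports both simply fail to appear in the result.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def start_listener():
    """Bind a throwaway TCP listener on an ephemeral localhost port: our 'target'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        # Accept and immediately close, like a service that answers then hangs up.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break                   # listener was closed; exit the thread

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo_scan(window=5):
    """Scan the ports around the listener; returns (listener_port, open_ports)."""
    srv, port = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - window, port + window + 1))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo_scan()
    print(f"listener on 127.0.0.1:{port}; open ports found: {found}")
```

Against a real target you would replace the listener with the host from the passive phase and a port list, but note that Nmap's default SYN scan never completes the handshake, which is why it is both faster and less likely to be logged by the service than this connect loop.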

Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for