This time I want to show you how to collect information about a target using tools in the BackTrack OS.
First, I use nmap to check how many ports are open, which services are running, and what OS it is using:
root@bt:~# nmap -sS -sV -O is2c-dojo.com

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-19 23:42 WIT
Nmap scan report for is2c-dojo.com (198.24.129.218)
Host is up (0.26s latency).
rDNS record for 198.24.129.218: gudeg.partnerit.us
Not shown: 929 filtered ports, 60 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      Pure-FTPd
22/tcp  open  ssh      OpenSSH 5.3 (protocol 2.0)
53/tcp  open  domain   MikroTik RouterOS named or OpenDNS Updater
80/tcp  open  http     Apache httpd 2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635)
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd
443/tcp open  http     Apache httpd 2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635)
465/tcp open  ssl/smtp Exim smtpd 4.80
587/tcp open  smtp     Exim smtpd 4.80
993/tcp open  ssl/imap Dovecot imapd
995/tcp open  ssl/pop3 Dovecot pop3d
Device type: general purpose|storage-misc|firewall|broadband router
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (90%), Linksys Linux 2.6.X (89%), IPCop Linux 2.6.X (89%), IPFire Linux 2.6.X (89%), Check Point embedded (85%), Cymphonix embedded (85%), Endian Linux 2.6.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:ipcop:linux:2.6 cpe:/o:ipfire:linux:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.4 cpe:/h:cymphonix:ex550 cpe:/o:endian:linux:2.6
Aggressive OS guesses: Linux 2.6.32 (90%), Linux 2.6.18 (89%), IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (89%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (89%), Linux 3.2.1 (89%), Linux 3.2 (88%), IPFire firewall 2.11 (Linux 2.6.32) (87%), Linux 3.1.9 (87%), Linux 2.6.35 (87%), Linux 3.5 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 19 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.36 seconds
root@bt:~#
Using that method I found 11 open ports, running Apache httpd 2.2.23 and many other services, and the OS is Linux 2.6.32.
After that I check the DNS using dnsenum:
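As an added example (not part of the original post), here is a small Python parser for the nmap port table shown above, re-typed as constructed sample input, that sorts the open ports into TLS-wrapped services and password-based services nmap saw without TLS, which is the first question a defender asks about such a scan of their own host. The PASSWORD_SERVICES list is a hypothetical policy choice for this example.

```python
import re

# Constructed sample: the page's nmap PORT table, re-typed as test input.
NMAP_OUTPUT = """\
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      Pure-FTPd
22/tcp  open  ssh      OpenSSH 5.3 (protocol 2.0)
53/tcp  open  domain   MikroTik RouterOS named or OpenDNS Updater
80/tcp  open  http     Apache httpd 2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips)
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd
443/tcp open  http     Apache httpd 2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips)
465/tcp open  ssl/smtp Exim smtpd 4.80
587/tcp open  smtp     Exim smtpd 4.80
993/tcp open  ssl/imap Dovecot imapd
995/tcp open  ssl/pop3 Dovecot pop3d
"""

# One row of nmap's normal-output port table: "<port>/<proto> <state> <service> [version]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Hypothetical policy list for this example: services that authenticate with
# a password and are cleartext unless TLS-wrapped or upgraded via STARTTLS.
PASSWORD_SERVICES = {"ftp", "pop3", "imap", "smtp"}

def parse_nmap_ports(text):
    """Return one dict per PORT-table row found in nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header and summary lines are skipped
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": (version or "").strip()})
    return rows

def review_exposure(rows):
    """Group open ports: TLS-wrapped (nmap prefix 'ssl/') versus password
    services seen without TLS; the latter still need a STARTTLS check."""
    report = {"open": 0, "tls_wrapped": [], "needs_tls_check": []}
    for r in rows:
        if r["state"] != "open":
            continue
        report["open"] += 1
        if r["service"].startswith("ssl/"):
            report["tls_wrapped"].append(r["port"])
        elif r["service"] in PASSWORD_SERVICES:
            report["needs_tls_check"].append(r["port"])
    return report
```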
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl --enum is2c-dojo.com
dnsenum.pl VERSION:1.2.2
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   is2c-dojo.com   -----

Host's addresses:
__________________

is2c-dojo.com    6164    IN    A    198.24.129.218

Name Servers:
______________

ns1.partnerit.us    6042    IN    A    198.24.129.218
ns2.partnerit.us    6042    IN    A    198.24.129.219
ns2.partnerit.us    6042    IN    A    198.24.129.219
ns1.partnerit.us    6042    IN    A    198.24.129.218

Mail (MX) Servers:
___________________

aspmx.l.google.com    110    IN    A    74.125.141.26

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for is2c-dojo.com on ns2.partnerit.us ...
AXFR record query failed: NOERROR
ns2.partnerit.us Bind Version: &9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5

Trying Zone Transfer for is2c-dojo.com on ns1.partnerit.us ...
AXFR record query failed: NOERROR
ns1.partnerit.us Bind Version: &9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5

Scraping is2c-dojo.com subdomains from Google:
_______________________________________________

 ---- Google search page: 1 ----

Google Results:
________________

  perhaps Google is blocking our queries.
  Check manually.

brute force file not specified, bay.
root@bt:/pentest/enumeration/dns/dnsenum#
Using that method I found that the A record is 198.24.129.218 and the name servers are:
ns1.partnerit.us 6042 IN A 198.24.129.218
ns2.partnerit.us 6042 IN A 198.24.129.219
ns2.partnerit.us 6042 IN A 198.24.129.219
ns1.partnerit.us 6042 IN A 198.24.129.218
I also found that the mail server is aspmx.l.google.com; it looks like the website is using Google Mail as its email provider.
Not satisfied with only those two tools, I then check the whois information using the whois tool in BackTrack:
root@bt:~# whois is2c-dojo.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: IS2C-DOJO.COM
Registrar: CV. JOGJACAMP
Whois Server: whois.resellercamp.com
Referral URL: http://www.resellercamp.com
Name Server: NS1.PARTNERIT.US
Status: clientTransferProhibited
Updated Date: 04-nov-2012
Creation Date: 14-jan-2012
Expiration Date: 14-jan-2013
>>> Last update of whois database: Wed, 19 Dec 2012 20:12:46 UTC <<<
Domain Name: IS2C-DOJO.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Creation Date: 14-Jan-2012
Expiration Date: 14-Jan-2013
Domain servers in listed order:
ns1.partnerit.us
ns2.partnerit.us
Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Status:LOCKED
Note: This Domain Name is currently Locked. In this status the domain
name cannot be transferred, hijacked, or modified. The Owner of this
domain name can easily change this status from their control panel.
This feature is provided as a security measure against fraudulent domain name hijacking.
Unfortunately I can't get any contact information, because of PrivacyProtect.
There are hundreds, maybe thousands, of tools out there that you can use for information gathering.
Try Harder..!!