We're happy to release a couple of simple transforms via the TDS that assist with the foot printing / enumeration of infrastructure. These are:
- NetblockToNetblocks
- NetblockToIPs
- WebsitetoDNSName
- NStoDNSName
- MXtoDNSName
- enumerateHostNamesNumerically
Examples
How is this interesting at all (because frankly, on the surface it looks pretty boring) ? Let's look at examples. Let's assume we are are foot printing a domain called eop.gov (if you missed that class - EOP is the Executive Office of the President - which, network wise, is a lot more interesting than whitehouse.gov). We run the 'Find common DNS name' transform on this, and end up with a graph like this:
Clearly ns1 is a good candidate to be enumerated numerically. And so we shall:
The transform will ask us for some transform settings:
And ends up producing a graph looking like so:
With a couple of more transforms, a little re-arrangements and manual linking we get:
The resultant DNS entries (at the bottom of the screen shot, and produced by looking at reverse DNS within those netblocks) also looks yummy for numerical enum, so we'll run them too (but perhaps from 0 to 99 with one digit padding). You end up with graph looking like this:
In the end we'll take all of the DNS names, copy them to a new graph and resolve them to IP addresses. This gives us:
For the next step we'll use one of the other new transforms. We'll take the two blocks, and enum them to individual IP address entities. Why? You'll soon see. But first, this is what it should look like:
The blue dots are the IP addresses. The 'hands' sticking out at the sides are IP addresses that were discovered from two transforms, resolving the DNS names, and the enum. Sonowwhat? Now, we'll put every IP address into a search engine and see if there is any results. EH? Well, when anyone browses the 'net the site that they browse probably records the IP address in a log...and sometimes, just sometimes...those logs get index by a search engine. So - we end up with a graph that gives us a list of websites that were visited by that IP address. You might think it does that happen a lot - but you'll be surprised. Hereby the resultant graph:
The blue dots are IP addresses, the pink ones are websites where that IP address was found. This is the edge weighted view, so the larger the sphere, the more IP addresses pointed there. Of course, IP addresses don't just end up in logs that gets indexed. This closeup shows you why:
In fact, the more interesting sites are the ones that are only visited once or twice. We can also weed out the false positives (sorry Rob, in this case that's you) by searching our graph for words like 'usage stats' and the likes. The results then start looking a lot better - here is a small portion of the graph:
In the detail view we can see when and what were visited:
If you missed the point of this whole mission - it was to see if we can figure out to which web sites the people in the Whitehouse browsed to..
Anyhow - this was just a *brief* idea of where you can go with these transforms. On their own they are boring and bland, but when used with others they sparkle.
OK, initially I thought "brief" and then I ended up spending 45 minutes on it (most of the time copy and pasting the graphs, cropping them and struggling with this web interface blog editor).
Also, before I forget, and your reward for reading all of this - the seed for these transforms can be found here:
- https://cetas.paterva.com/TDS/runner/showseed/Infrastructure
Crisp out,
RT
