Target discovery
Possible additional attack vectors
System enumeration and vulnerability discovery (without ever having to touch the customer network)
Search Engines
Company Websites
Archive.org
Public Corporate Information (if applicable)
Newsgroups/Listservs
Job Listings
Technical Support Forums
Financial and Business Articles
Blogs
Social Media
Company Websites
Epsilon Breach
May be less secure
Company Websites
Social Engineering
Web Assessment
Email ListServs
Resumes
Code Snippets
Technologies
Device Configurations
Company Data
Password Protected Documents
Blogs
Social Media
Social media sites all serve different purposes and support different kinds of interaction. Three popular sites can each be used to gather different types of information.
Competitive Intelligence
Company Financials
Potential Attack Vectors
Google search strategies have become something of an art form and can be very powerful for extracting information about customers.
Useful for identifying vulnerable servers, files with sensitive information, or login pages.
SearchDiggity Screenshot
General Purpose
Jobs
Foreign Search Engines
People Searches
Real Estate
Information to Target
File Analysis
(Screenshot callout) Right-click in box to add a local file
(Screenshot callout) Right-click in box again to extract metadata
Company Websites
3rd-party websites
Footprinting Methodology
Tracerouting
Gathering IP Addresses
Tracerouting
(Diagram callouts: firewalled network; ISP?)
Registration Records
Associated network range?
Organization name and address
Name, email address and phone number
Next Steps
DNS Enumeration
Ninja-Sec.com
TCP port 53 is used for zone transfers and for answers that do not fit in a 512-byte UDP message: the server returns a truncated reply with the TC bit set and the client retries the query over TCP (EDNS0 raises the UDP limit, but truncation and TCP fallback still apply).
This topic will focus on the areas that are important for penetration testers.
Name Server / Domain Host: servers that run the DNS services for an organization.
DNS Diagram
DNS Transaction
SPAM protection
Other netblocks
dig allows a bit more granularity when querying DNS records than the host command.
Example dig command:
General Methodology:
DNSSEC
Like many aspects of conducting time-limited pen tests, while there are potentially many activities that could be used to assess a customer's mail services, the tester will need to pare down the activities to what is manageable.
One effective technique is to discover email addresses through open source research, then verify them against the mail server and enumerate further users.
Successful validation