How much information about a target can you possibly get? Is there an invisible barrier that delimits when enough information is gathered? What about cross-checking results and looking for differences? Data retrieval results may vary, depending on the location source you're running for the analysis.
Let's answer these questions today, by running DMitry along with our own SurfaceBrowser™️ enterprise tool. We'll find out what happens when information is extracted from different sources so they can complement each other.
- What is DMitry?
- Testing DMitry
- Additional information for today's needs
- Final thoughts
What is DMitry?
While this small tool called DMitry is considered old code, it does have a few useful information gathering tricks up its sleeve. Check out these options:
As we see above, it can do the following tasks:
Perform an IP WHOIS check - placing a determined IP address and getting its owner information
Perform a WHOIS lookup on the domain name (this is self-explanatory)
Extract information about a target on the netcraft.com website
Utilize a subdomain finder to look upon different records available
Search the web for 'low-hanging fruit' information regarding email addresses, like the ones within WHOIS records or start of authority DNS records
Conduct port scanning and banner grabbing regarding discovered open ports
We're using the Kali Linux distribution to run this tool but you can download the source code here. Be aware that with the current version (1.3a), there's an issue regarding netcraft.com queries, which doesn't work due to the change of the URL that it points to for conducting hostname queries.
Aside from that, to emulate this inquiry you can access this link, and using this tool can look like the following example:
This check alone brings some additional information about our target in just one place. As we mentioned earlier this feature inside the tool is broken at the time of this writing.
WHOIS against IP addresses and hostnames
"Who-is" (as pronounced) is a protocol running on port TCP/43 that's used to query databases of ownership information regarding internet assets—such as domain names, autonomous systems, and internet protocol addresses block numbers.
Contrary to what one might think, IP addresses also have information regarding reverse pointer records about ownership and several other details (such as name servers), which could be obtained from WHOIS records.
While the truthfulness of this information depends on the owner of the IP range, we often find obsolete information that can be misleading. In some cases, however, it could also be treated as historical information that can be used for competitive advantage in case of a company's attack surface reduction endeavors (forgotten and vulnerable services come to mind).
DMitry, when used with the flag "-i", will query IP addresses to gather WHOIS information, and if you include a hostname it will solve the corresponding A record. After this, it will query the server and display information as shown:
When the "-w" flag is used, the execution is similar, but information regarding the specified domain name will be shown:
This will search the WHOIS record for the desired domain name and display its results to the screen.
An interesting feature included with this exploratory software is subdomain retrieval capability; it scraps the entire World Wide Web to search for possible hostnames within a certain specified registered name. This is possible by using the "-s" flag before the domain name:
For the sake of obtaining the most accurate information, we are going to double-check the subdomain surface and see what else we can find regarding this subdomain. This time, we'll do it by using our very own SurfaceBrowser™️.
Great! The resulting difference is outstanding… but why? Just to understand how DMitry works, we decided to look under the hood to check its source code. Specifically, we'll be looking at the subsearch.c file located inside the src folder:
You'll notice that these tools go to Google to get their information, as well as a website you might remember if you're old enough: Altavista. In case you're wondering what it looked like, we managed to find a historic picture from this long-gone Yahoo-powered search engine, and you can even see the similar URL search path in it:
While this speaks to the age of today's reviewed tool, it's a good example of C code to review and see how hard it was in the old days to gather useful information about a specific target.
"Old-school" TCP port scanning
DMitry implements its own port scanner, which differs greatly in speed and features if we compare it with some other tools for the task, like Masscan.
The scanning in this tool runs sequentially from port 1 to 150 only, and implements this by making a socket connection to each of them individually, and waiting for a service banner in case of success. In case of the existence of a service banner, it may or may not print it depending on whether the "-b" flag was used. Additionally, scanned-but-filtered ports can be displayed if the "-f" flag is placed. For both flags to work, the "-p" flag is mandatory.
Below is a screenshot of how a port scanning task looks with all flags featured:
So to find out more about how this scan is implemented, you can check the source code on the src/portscan.c file, the For() loop that goes across those 150 ports is highlighted:
If you're looking for a modern approach to this reconnaissance technique you may find our "Top 5 Open Port Checker Tools" list an interesting read.
Picking up emails
This hilarious technique achieves the "data mining" quest by querying both of the web search engines mentioned and bringing together their findings, as seen here:
Without any doubt, this tool provides a fun way to look at code for how to "make things work", especially if you intend to learn and write this kind of handy and clever software.
Security on information gathering remote tools
It's important to remember that security tools could also be affected by vulnerabilities and the attacker running the software (in this case ourselves, as an assessing team) could be deceived by a malformed WHOIS response.
Below we can see a report about a possible remote command execution attack, after conducting a WHOIS check against a server that could respond with a payload containing malicious code in it (intended to overflow the tool's capacity and run arbitrary code in our operating system):
We also included the corresponding CVE advisory regarding this stack-based overflow vulnerability. You can check that information in this link.
Regarding this, it's not unusual to find bugs in software but this is especially true for security tools. One might not expect to care too much about security in what might be considered "offensive" applications.
As a general rule of thumb, it's a wisely cautious measure to run this kind of code inside a secure environment (sandbox or disposable virtual machine) that will not disrupt any personal or corporate dataset.
Additional information for today's needs
So we reviewed today's tool. What else could we find about a target that could be useful without doing an in-depth analysis?
If you want or need to find extra information that could result in suspicious or even just interesting leads, there are two nice features you can find online. We'll showcase them by using SurfaceBrowser™️.
This might seem obvious but it's actually pretty handy. Sometimes there are multiple additional hostnames that can lead to a determined hostname, even if those names are outside the scope of a domain name (so you wouldn't find them in a simple subdomain search).
In the image below you'll find some domains and subdomains that are being redirected when queried to a related subdomain that we were looking for:
If we pinpoint one of them, we may find that the redirection actually happens, and while this may not seem significant, it actually widens our analysis surface a little more. By doing so, it also extends the size of your observed infrastructure's digital assets.
SSL certificate information
Secure sockets layer certificate information is frequently overlooked. While it goes beyond the scope of this article, it should be one of the most important things to look at from a social-engineering perspective.
Why? Because services that have expired certificates and are still used by people (customers, employees, or just yourself) are extremely easy to fake.
If users are accustomed to hitting the exempt button when they face a web application, they won't find it odd to hit it again. Particularly when they need to accept it again due to a man-in-the-middle attack.
Fast fact: This is especially common for system administrators, like when accessing the IPMI management interface you find that SSL certificates were created by an untrusted certificate authority and are installed within a secured isolated network, "any resemblance to reality is pure coincidence".
So, with a helpful glimpse at the number of certificates, corresponding domains or subdomains, you'll be able to expand the infrastructure map a little more in-depth.
Despite being small, DMitry was a very interesting information gathering tool when released, and may still complement up-to-date resources when checking for different ways to extract useful leads.
Under the hood, there are easy-to-read lines of code that show how the different features were implemented. They may even uncover bugs, making it a comfortable step to climb on your security learning stairway.