VAPT … Day 1

First day into my VAPT – Vulnerability Assessment and Penetration Testing (hacking, in short) – was a blunder. I had not told my mentor that I was going to start from the 15th of April. I forgot :D. Nor did I know his time of arrival at the office, so that I could reach just in time to talk to him and get the project details.

Anyways, reached xyz (the company for whom I work) at around 9:10 am. I contacted my mentor, Mr Danny Nagdev, just before reaching there. He asked me to come at 10, since he was in a meeting. Passed my time on Level 9, started my laptop, and began playing Burnout Paradise … believe me, it's a superb game, with all the stunts and races and what not … cool cars, great graphics … ok, later, back to the topic.

I was redirected to another office of xyz, after meeting Mr. Danny, where the security administrator used to work from. Finally, after having a chai with Mr. Namit Kasliwal, the Security Administrator of xyz, I got my project. I did have a choice of skipping office since that was the first day, but I started off with my job, due to 2 reasons: 1) no friends on the campus and 2) I am a workaholic.

The Project:
I was asked to hack into the xyz servers. Yo. That would be fun! Let's start off. The project was going to be a Black Box type, i.e. the company would provide me with no information; it's me who has to find out everything! Imagine, EVERYTHING!!!! Fine, let's go ahead.

Starting off with the Project:
The company people were good enough to provide me with an ethernet cable to connect to their internal network. Good, at least that would help me find some more information about them!

The only thing I knew about the company (other than its name, and the 2 people I met), was the website. After connecting to the local internet, I found the basic information:
– the subnet I was connected to (IP address and the subnet mask)
– the DNS used by the company
– the default gateway

After this, the logical step was to find out the final gateway of the company, i.e. the final server which connected xyz to the world, the Internet. So, for that, I did a traceroute to the google and orkut servers and went on from there. Traceroute gives you a list of all the hops on the way to the servers. Looking up (DNS lookup) each one of them, I came to know of the last internal IP address which would take all the requests of xyz to the Internet. Hence, found the NAT server!
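The hop-walking step above, as an added example that is not from the original post: it parses saved traceroute output (a constructed sample, with RFC 1918 addresses for the inside and documentation addresses standing in for public hops) and picks out the last internal hop before the first public one, which is the candidate NAT device. The per-hop DNS lookups the post mentions are left out so the script runs offline.

```python
import ipaddress
import re

# Constructed sample traceroute output (not from the original post): RFC 1918
# hops inside, then documentation addresses standing in for public hops.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (203.0.113.10), 30 hops max
 1  10.9.0.1 (10.9.0.1)  0.412 ms  0.398 ms  0.377 ms
 2  10.1.1.254 (10.1.1.254)  1.103 ms  1.089 ms  1.072 ms
 3  192.168.250.1 (192.168.250.1)  1.902 ms  1.880 ms  1.861 ms
 4  203.0.113.1 (203.0.113.1)  9.215 ms  9.198 ms  9.180 ms
 5  * * *
 6  198.51.100.17 (198.51.100.17)  21.004 ms  20.987 ms  20.970 ms
"""

# Only the RFC 1918 ranges count as "internal" here. Python's
# ip_address(...).is_private is deliberately not used, because it also
# flags the documentation ranges above as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_hops(output):
    """Return [(hop_number, ip_or_None), ...] from traceroute text.
    Hops that did not answer ("* * *") are kept with ip=None."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # header line ("traceroute to ...")
        ip_m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(2))
        hops.append((int(m.group(1)), ip_m.group(0) if ip_m else None))
    return hops

def find_nat_egress(output):
    """Return (hop, ip) of the last RFC 1918 hop seen before the first
    public hop, i.e. the likely NAT device, or None if there is none."""
    last_private = None
    for hop, ip in parse_hops(output):
        if ip is None:
            continue  # silent hop: no address to classify
        if is_rfc1918(ip):
            last_private = (hop, ip)
        else:
            return last_private  # first public hop reached
    return last_private
```

Feed it `traceroute www.example.com` output from a file and it reports the same hop the post found by hand; a silent hop (`* * *`) is skipped rather than breaking the walk.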

The next step which I took was on the Internet side. I queried the Whois database for information on the company's website. Finding a few fields which were unknown to me, I went on to look for details of the fields which are included in the Whois query answer. I found this wonderful site http://www.apnic.net/db/ref/attributes/attributes-inetnum.html which listed all the fields and their descriptions. Having queried the Whois database, I found a lot of details about the company, like the name of the contact person for the website, the address of the registrant, phone numbers, email addresses, and the most important, the DNS records!! I don't know why the whois database is open for all; well, good for people like me ;).

For the Whois query, I used http://www.samspade.org for the same. I haven’t tried finding how it queries the Whois database, but I did find out how to query the samspade whois database.
http://www.samspade.org/whois?query=;server=auto. This URL would take you to the Whois page of the IP/Domain.

Also, from the Whois query, I came to know that xyz hosted its website on a public domain, and it wasn't on their servers … wow … pretty intelligent!

Having found the DNS records from the Whois page, the next step was to find the subdomains and the other domains, if registered.

Since it was the first day, I didn't want to go into much of the details, and so used the tools on the page http://member.dnsstuff.com/pages/tools.php to get more information on the web server. Using the Whois wouldn't have made much of a difference, since all the whois queries would return the same answer!

Used all the tools available on that page to check what information I could get my hands on.

After all this, I sat surfing their website, looking for more information about the company; their products, services, addresses … anything, everything.

There is a pretty good add-on for Firefox, "Extract Links". It would extract all the links from the specified page and print them on a new tab, separating all the links and the domains. Through this, I found various sub domains of the company xyz. Pretty neat. I didn't have to use much of the DNS tools to get the sub domains 😉
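What the Extract Links add-on does, as an added example that is not from the original post: pull every link out of a page, resolve relative ones against the page URL, and split the hosts into subdomains of the company domain versus external hosts. The page and the domain `example.com` (standing in for xyz) are constructed here so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the original post); example.com stands in
# for the company domain "xyz".
SAMPLE_HTML = """
<html><body>
<a href="/products">Products</a>
<a href="https://careers.example.com/jobs">Careers</a>
<a href="http://mail.example.com/owa/">Webmail</a>
<a href="https://www.example.com/about">About</a>
<a href="https://cdn.partner-site.net/lib.js">CDN</a>
<img src="https://static.example.com/logo.png">
<a href="mailto:info@example.com">Contact</a>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects href/src attributes, resolving relative URLs against base_url."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(urljoin(self.base_url, value))

def extract_links(html, base_url):
    """Return all absolute link targets found in the page."""
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links

def hosts_by_domain(links, domain):
    """Split link hosts into (subdomains of `domain`, external hosts)."""
    internal, external = set(), set()
    for link in links:
        parts = urlsplit(link)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip mailto:, javascript:, fragments without a host
        host = parts.hostname.lower()
        if host == domain or host.endswith("." + domain):
            internal.add(host)
        else:
            external.add(host)
    return sorted(internal), sorted(external)
```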

There is one more add-on, External IP Address. This shows the public IP address which you are using to connect to the Internet. Through this, I got the IP address range which the company xyz uses! Simple, huh 😉

Lastly, having certain restrictions on surfing the web, I found the page http://www.torproject.org. I installed a client for this and started surfing without any problems! Yo! 😀

Cheers 🙂
