Re: Reconnaissance

From: jc (antihacker.jc@gmail.com)
Date: Thu Mar 06 2008 - 13:40:52 EST


While I'm not sure as to how you're defining recon, one method I've used
in the past, along with an iron-clad Get Out of Jail Free contract/def.
(exceptionally important in this instance), was utilizing a few of the
email verification services.

Note: Sure, you could spend all sorts of time coding yourself, but it sure
is a timesaver to use the services, and the independent oversight isn't
bad, either. They also provide pretty charts and certified time-stamping
for those that are impressed by that sort of thing.

By garnering some of the organization's email addys off of search engines,
a few specially crafted emails were sent out, which brought us a plethora
of information, especially as to platform and IP. We achieved better
information disclosures from those who posted to old-skool USENET...go
figure.

While the internal corp. network was locked down fairly tight, we could
ascertain a pretty good picture of the layout, especially as the messages
were passed between departments. The results also gave us a grouping of
previously unknown IPs to explore.

Key vulns. were exposed when corporate executives opened email on their
home machines, which gave us the IPs, which, when scanned, showed
holes...and with full exec buy-off on the mission, it was determined that
passwords, docs, and other juicy work-related tidbits on the
poorly-updated home machines could have been exploited, i.e., Keys to the
Castle.

-jc

On Mar 5, 2008, at 12:15 PM, JD Lampard wrote:

> I am interested in hearing about others' preferred
> sites for conducting reconnaissance. I know in part
> the sources will vary depending on the target. The
> vast majority of my targets are financial
> institutions. So, for example, I always hit a variety
> of banking association sites. But what others are
> valuable?
>
> Thanks,
> JD

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT