This obviously becomes a concern when the customer is required to define the scope of, say, an external penetration test: these ‘forgotten’ hosts are not included in the scope and therefore never get tested.
If this rings a bell, or if it is something you take for granted, the following tips may prove useful when confirming your external presence on the internet.
Step 1 - Determine your hosts and networks
If you aren’t sure which hosts your corporation owns, here are a few helpful tips that you can use (and that a potential attacker may use too):
Find your ASN – download the MaxMind GeoIP ASN database from http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip and search it for the company name. Once we have the AS number we can query the RADb routing registry with ‘whois’, supplying the AS number, to list the network prefixes it announces, e.g. whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+"
Find IP allocations – the regional internet registries publish the IP allocations for their region; the script below queries ARIN (whois.arin.net) for allocations carrying the company name.
Find domain names – search for domains containing the query string (in this case the company name) and ending in .com, e.g. whois "company*" -h whois.crsnic.net
Find websites – a search engine query such as site:company.com will return a list of hits within the company.com domain. To narrow down the search we can use the ‘-site’ directive to remove the already discovered or accounted-for hosts and keep refining the result set, for example: site:company.com -site:www.company.com -site:dev.company.com
And so on, until no more websites are discovered. We can then run nslookup over the list of websites discovered to find their IP addresses, and then a whois query on each IP to get the network block and other information.
There are services and tools out there that will charge you for this, but my advice would be to see how far you get using the free resources above before handing over any money. It is also worth noting that some of the information will not be in the public domain, in which case go back to the first pointer and “follow the money”, i.e. what do you pay for?
The following simple script performs some of the queries above. You could make it as complicated as you want by querying other registrars, but it should give you the idea:
#!/bin/bash
# Script to attempt to find IPs and networks belonging to a company.
# Usage: ./script.sh <Company Name> <DNS names file>
#
ARGS=2
CORP=$1
LIST=$2
RED=$'\033[0;31m'
NC=$'\033[0m' # No Color
IFS=$'\n'
######################################
if [ $# -ne "$ARGS" ]; then
    printf 'Usage: %s <Company Name> <DNS names file>\n' "$(basename "$0")"
    echo "Attempts to find IPs and domains belonging to a company."
    echo "Also supply a list of possible host names for DNS checks."
    exit 0
fi

echo ""
printf '%s\n' "${RED}Attempting to find the ASN Number for the company $CORP${NC}"
# The download is a zip archive, not a gzip stream, so it must be unzipped
# (funzip extracts the first member from stdin). The CSV's third column is
# '"AS12345 Company Name"'. MaxMind has since retired this legacy download,
# so substitute a current ASN-to-name dataset if the URL no longer serves.
asn_array=( $(curl -s http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip | funzip | cut -d"," -f3 | sed 's/"//g' | sort -u | grep -i "$CORP") )
asn_array_length=${#asn_array[@]}   # number of elements, not their contents
echo "Number of ASNs = $asn_array_length"
if [ "$asn_array_length" -eq 0 ]; then
    echo ""
    echo "Company $CORP does not have an ASN number"
else
    echo ""
    for asn in "${asn_array[@]}"; do
        echo "${asn}"
    done
fi
echo ""

if [ "$asn_array_length" -ne 0 ]; then
    echo ""
    printf '%s\n' "${RED}Finding Networks belonging to $CORP's ASNs:${NC}"
    for i in "${asn_array[@]}"; do
        asn_no=$(echo "${i}" | cut -d" " -f1)   # e.g. AS12345
        # RADb returns every route object whose origin is this ASN; pull out the prefixes.
        networks=( $(whois -h whois.radb.net -- "-i origin ${asn_no}" | grep -Eo "([0-9.]+){4}/[0-9]+") )
        for network in "${networks[@]}"; do   # print every prefix, not just the first
            echo "$network belongs to ${asn_no}"
        done
    done
fi
echo ""

printf '%s\n' "${RED}Attempting to find other domains with $CORP in name:${NC}"
whois "$CORP*" -H -h whois.crsnic.net
echo ""

printf '%s\n' "${RED}Attempting to find IPs allocated to $CORP from arin.net:${NC}"
whois "$CORP*" -H -h whois.arin.net
echo ""

printf '%s\n' "${RED}Attempting to find hosts belonging to $CORP.com domain:${NC}"
# Query the zone's primary name server (first field of the SOA record) directly.
NS=$(dig +short SOA "$CORP.com" | cut -d' ' -f1)
while read -r server; do
    [ -z "$server" ] && continue
    host "$server.$CORP.com" "$NS" | grep 'has address \| is an alias'
done < "$LIST"
Step 2 – Next Steps
Having gathered as much information as possible from research and reconnaissance, the next steps should involve ping sweeping, port scanning, vulnerability scanning and penetration testing the hosts discovered, to ensure your entire external network infrastructure is secure. This whole process should be repeated on a regular basis so that you can be confident that all the hosts you are responsible for are tested and remain secure.
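The commands above leave you with raw whois and host output; the point of the exercise is to compare what they turn up with the scope the customer actually wrote down. The following Python script is an added example, not part of the original post or its script. It parses constructed sample output in the shape of the RADb route listing and the host lookups from Step 1 (Python is used here because its ipaddress module does the prefix membership checks) and reports which discovered hosts fall inside the agreed scope, which sit in a block the company’s ASN announces but that was left out of scope (the ‘forgotten’ hosts), and which sit in blocks not accounted for at all. All hostnames, prefixes and the AS number are made-up sample values.

```python
"""Reconcile discovered hosts against announced network blocks and the agreed test scope.

Added example, not from the original post. The inputs are constructed samples
in the shape of the post's commands: a RADb 'whois -- "-i origin ASxxxx"'
listing, 'host <name> <ns>' lookups, and the scope from the test agreement.
"""
import ipaddress
import re

# Stricter than the post's ([0-9.]+){4}/[0-9]+: four dotted octets plus a
# prefix length, so stray numbers elsewhere in the whois text are not matched.
CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")
HOST_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$", re.M)
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$", re.M)

# Constructed sample of what RADb returns for a (made-up) origin AS64500.
SAMPLE_RADB = """\
route:      203.0.113.0/24
descr:      Example Corp main block
origin:     AS64500
source:     RADB

route:      198.51.100.128/25
descr:      Example Corp DMZ
origin:     AS64500
source:     RADB
"""

# Constructed sample of 'host' output for a few guessed hostnames.
SAMPLE_HOST = """\
www.example.com has address 203.0.113.10
mail.example.com has address 203.0.113.25
dev.example.com has address 198.51.100.140
legacy.example.com has address 192.0.2.77
cdn.example.com is an alias for www.example.com.
"""

# Constructed sample of the scope the customer wrote into the test agreement.
SAMPLE_SCOPE = ["203.0.113.0/24"]


def extract_prefixes(radb_text):
    """Return the unique route prefixes in a RADb listing as IPv4Network objects."""
    found = {ipaddress.ip_network(m, strict=False) for m in CIDR_RE.findall(radb_text)}
    return sorted(found)


def parse_host_output(host_text):
    """Map hostname -> IPv4Address from 'has address' lines; an alias takes the
    address of its target when the target appears in the same output."""
    addrs = {name: ipaddress.ip_address(ip) for name, ip in HOST_RE.findall(host_text)}
    for alias, target in ALIAS_RE.findall(host_text):
        if target in addrs:
            addrs[alias] = addrs[target]
    return addrs


def reconcile(hosts, owned_prefixes, scope):
    """Classify each discovered host against the scope and the announced blocks.

    Returns (in_scope, owned_not_in_scope, unknown_network) as sorted name lists.
    owned_not_in_scope is the 'forgotten host' case: the address lies in a block
    the company's ASN announces, yet the block was left out of the test scope.
    """
    scope_nets = [ipaddress.ip_network(s) for s in scope]
    in_scope, forgotten, unknown = [], [], []
    for name, ip in hosts.items():
        if any(ip in net for net in scope_nets):
            in_scope.append(name)
        elif any(ip in net for net in owned_prefixes):
            forgotten.append(name)
        else:
            unknown.append(name)
    return sorted(in_scope), sorted(forgotten), sorted(unknown)


def run_sample():
    """Run the reconciliation over the constructed samples."""
    prefixes = extract_prefixes(SAMPLE_RADB)
    hosts = parse_host_output(SAMPLE_HOST)
    return reconcile(hosts, prefixes, SAMPLE_SCOPE)


if __name__ == "__main__":
    in_scope, forgotten, unknown = run_sample()
    print("In scope:             ", in_scope)
    print("Owned but not in scope:", forgotten)
    print("Outside known blocks:  ", unknown)
```

To use it on real data, save the output of the RADb and host steps to files and pass their contents in place of the constructed strings. A non-empty ‘owned but not in scope’ list is exactly the situation the opening paragraph warns about and should go back to whoever signed off the scope before testing starts; an ‘outside known blocks’ entry means either a third-party host (for example a hosted service) or a network allocation the reconnaissance has not yet found.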
If you'd like to discuss your security posture and see how we can help you on your journey to a more secure network, please feel free to contact us! We provide a number of cybersecurity related services: PCI compliance, P2PE, PIN, web security solutions, pen testing and threat detection, to name just a few!