Poking around someone else’s infrastructure

I recently had reason (and permission) to go digging in someone else’s backyard, and I thought a list of things to look at might be useful to someone else. This is just off the top of my head, so there’ll be a bunch of holes, but it works as a decent starting point for me. It doesn’t include anything overtly malicious, but do be careful (and of course I’m not in any way responsible for how you use the information in here). Have fun!

  • Google the shit out of them. No seriously, at least combine their name with a few things:
    • Emails and names
    • Blog
    • Forums
    • Reviews
    • Competitors
    • Alternatives
    • Engineering
    • Social Media
    • Google News
  • For any IPs
    • Reverse DNS (dig -x)
    • Whois
    • Find any other sites that are being hosted on the IP (try Censys, Shodan, DNSDumpster & crt.sh for a start, and search for it in Bing with an ip: prefix)
  • For any domains
    • Whois
    • Run it through Mozilla’s Observatory: https://observatory.mozilla.org/
    • Run it through the Wayback Machine
    • robtex.com to get tons of information about the domain and DNS
    • whatsmydns.net to see what DNS returns around the globe
    • Look at robots.txt/humans.txt and sitemap.xml
    • dig
      • MX
      • TXT (spf, dmarc etc)
      • A, AAAA, CNAME
      • NS
      • SOA
      • ANY (many resolvers and authoritative servers now refuse or minimise ANY answers, so don't be surprised if you get little or nothing back; the individual types above are the reliable route)
  • Find whatever subdomains you can (try here for a start)
  • Use the shit out of the browser's inspector (dev tools). You can look for:
    • Headers
    • JS includes (metrics, monitoring etc)
    • CDNs
    • Indications of a CMS
    • Other subdomains
    • Mobile readiness
    • Indications of build process, tooling, language and platform
    • Code comments
    • Console output
  • Other domains with similar owner info (registrant name or email, name servers, shared analytics IDs). This one's an inexact science, and it's seriously hampered by whois privacy
  • Port scan (see A Basic Nmap Scan). Be careful not to piss too many people off here, and don’t do it from your home machine.
  • traceroute
  • Decompile and/or strings any native apps
  • Monitor traffic from native apps or flash applets with wireshark and/or tcpdump (I prefer to use the former to process the output of the latter)
  • Look at the full source (headers included) of any email correspondence: the Received: chain tells you who handles their mail and often leaks internal hostnames or IPs
  • Run any TLS endpoints through SSL Test, and if the host uses SNI, also connect without a server name to see the default cert (it's often for a different site on the same box, and its SAN list is another source of hostnames)
  • Specifics:
    • Run wpscan on wordpress
  • Tools and links:
    • http://backtrack.offensive-security.com/index.php?title=Tools
    • https://github.com/makefu/dnsmap
    • https://github.com/jvehent/cipherscan
    • https://censys.io/
    • http://www.wolframalpha.com/
    • https://github.com/laramies/theHarvester
    • https://sshcheck.com/
    • sitemaps
    • spam RBLs
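As an added example (not from the original post), here's a small script that runs the dig checklist from the domains section against a domain and then grades whatever SPF and DMARC records it finds, since those two TXT records are the first thing worth reading. It assumes dig(1) is on PATH; the domain is whatever you pass in, and the record strings in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the dig checklist for a
# domain and grades its SPF/DMARC records. Assumes dig(1) is on PATH; the
# domain is whatever you pass as $1.
set -u

# Every record type from the checklist, plus _dmarc. ANY goes last: many
# resolvers now answer it with a minimal or HINFO response (RFC 8482),
# so treat an empty answer there as normal rather than as "nothing there".
dns_recon() {
    domain="$1"
    for type in SOA NS A AAAA CNAME MX TXT ANY; do
        printf '== %s %s ==\n' "$domain" "$type"
        dig +noall +answer "$domain" "$type"
    done
    printf '== _dmarc.%s TXT ==\n' "$domain"
    dig +noall +answer "_dmarc.$domain" TXT
}

# Reads TXT record strings on stdin (one per line, quotes removed) and
# prints a one-line SPF verdict. Pure text processing, so it works on
# dig output or on a constructed sample.
spf_verdict() {
    spf=$(grep '^v=spf1' | head -n 1)
    if [ -z "$spf" ]; then
        echo "no SPF record: nothing stops someone spoofing this domain"
        return 0
    fi
    # The qualifier on the final "all" mechanism is the whole policy.
    case "$spf" in
        *"+all"*|*" all"*) echo "SPF ends in +all: every sender passes, no real policy" ;;
        *"-all"*)          echo "SPF hard fail (-all)" ;;
        *"~all"*)          echo "SPF soft fail (~all): spoofed mail is flagged, not refused" ;;
        *"?all"*)          echo "SPF neutral (?all): no usable policy" ;;
        *)                 echo "SPF without an all mechanism: check the include: targets" ;;
    esac
}

# Same idea for DMARC: the p= tag decides whether SPF/DKIM failures
# are acted on at all.
dmarc_verdict() {
    rec=$(grep '^v=DMARC1' | head -n 1)
    if [ -z "$rec" ]; then
        echo "no DMARC record: SPF/DKIM failures are never enforced or reported"
        return 0
    fi
    # Split "v=DMARC1; p=reject; rua=..." on semicolons and pull p=.
    policy=$(printf '%s\n' "$rec" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    case "$policy" in
        reject)     echo "DMARC p=reject" ;;
        quarantine) echo "DMARC p=quarantine" ;;
        none|"")    echo "DMARC p=none: monitoring only, nothing gets rejected" ;;
        *)          echo "DMARC with unexpected policy: $policy" ;;
    esac
}

# Usage: sh recon-dns.sh example.com
if [ -n "${1:-}" ]; then
    dns_recon "$1"
    echo "== mail policy verdicts =="
    # +short prints each TXT record as quoted strings; a long record comes
    # back as several quoted chunks, which tr joins with a space (fine for
    # a verdict, not for a byte-exact copy of the record).
    dig +short "$1" TXT | tr -d '"' | spf_verdict
    dig +short "_dmarc.$1" TXT | tr -d '"' | dmarc_verdict
fi
```

The verdict functions deliberately read stdin rather than calling dig themselves, so you can also paste in TXT records you pulled from somewhere else (a passive DNS dump, an old Wayback copy of a zone) and grade those the same way.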
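A second added example (again not from the original post) covering two of the web-facing items above: the headers you'd otherwise read in the inspector or have Mozilla's Observatory grade, and the SNI default-cert check on the TLS endpoint. It assumes curl and openssl are installed (OpenSSL 1.1.1 or later for -noservername and x509 -ext); the host is whatever you pass in, and the header block in the comments is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Reports which security headers
# a site sets and which headers leak software versions, then compares the
# TLS certificate served with and without SNI. Assumes curl and openssl
# (1.1.1+); the host is whatever you pass as $1.
set -u

# Headers only, following redirects so we land on the real site. Note the
# output then contains every hop, so a header set only by the redirecting
# host still counts as present; pass the final URL if that matters.
fetch_headers() {
    curl -sS -I -L -A 'Mozilla/5.0 (recon)' "$1"
}

# Reads raw response headers on stdin and prints one line per finding:
# "missing:"/"present:" for each security header we care about, and
# "fingerprint:" for headers that leak software and version numbers.
# Everything is lower-cased first so header spelling doesn't matter.
header_report() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    for h in strict-transport-security content-security-policy \
             x-frame-options x-content-type-options referrer-policy; do
        if printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "present: $h"
        else
            echo "missing: $h"
        fi
    done
    printf '%s\n' "$hdrs" \
      | grep -E '^(server|x-powered-by|x-aspnet-version|x-generator|via):' \
      | sed 's/^/fingerprint: /'
}

# Subject and SAN list of the leaf certificate for one connection.
# Extra arguments are passed straight to s_client.
cert_names() {
    host="$1"; port="$2"; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Modern s_client sends SNI by default, so -noservername is what gets you
# the box's default cert. If it differs from the SNI one, its SAN list
# usually names the other sites sharing that IP.
tls_default_cert() {
    host="$1"; port="${2:-443}"
    echo "with SNI ($host):"
    cert_names "$host" "$port" -servername "$host"
    echo "without SNI:"
    cert_names "$host" "$port" -noservername
}

# Usage: sh recon-web.sh example.com
if [ -n "${1:-}" ]; then
    fetch_headers "https://$1/" | header_report
    tls_default_cert "$1"
fi
```

Like the DNS script, header_report reads stdin, so you can feed it a header block copied out of the inspector or Burp just as easily as live curl output.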