The final part of this chapter looks at domain ownership and how to find who owns a specific domain. This is something that an attacker might want to establish and something an owner might want to disguise. There is a variety of ways that someone can identify the IP address, the type of web server, and the web server’s location. Let’s begin with the structure of the Internet.
The Internet began back in 1969, and what was then just a small collection of networks has evolved into the Internet we know today. The Internet Society governs the Internet. This nonprofit group was established in 1992 to control the policies and procedures that define how the Internet functions. One of these control authorities is the Internet Assigned Numbers Authority (IANA).
IANA is responsible for preserving the central coordinating functions of the global Internet for the public good. IANA also globally manages domain names and addresses. IANA works closely with the Internet Engineering Task Force (IETF) on specific Request for Comments (RFCs) and high-level protocols such as IP.
IANA is one place that can serve as a good starting point to find out more information about domain ownership. Figure 3-11 shows the IANA home page. To find out more information about domain ownership, start with the generic top-level domains link. This is where you can find more WHOIS information.
IN THE LAB
The risk here is that individuals may obtain names, phone numbers, or other information about domain ownership that you would rather not provide. You can mitigate these risks by using a domain registration proxy. This allows you to mask the true owner’s identity. In the lab, you want to look at your own organization’s information to see what is revealed and explore how domain proxies work. A good place to start is at http://domainsbyproxy.com. Both sites can provide more information about how this process works.
Figure 3-11 IANA home page.
WHOIS
WHOIS databases are tools that enable you to query the information an organization entered when they registered their domain. WHOIS can typically be queried by either domain name or by IP. All the information found on the IANA site is searched by domain address. When reviewing the WHOIS database in a lab scenario, you should be looking for information exposure.
Internet Corporation for Assigned Names and Numbers (ICANN) regulations require all domain holders to submit WHOIS information. The information available includes the registrant, admin, billing, and technical contact information. A non-security-minded person will probably place far too much information in the WHOIS records, superfluous information that can be used by a potential attacker. However, on the opposite side of the spectrum, a security-savvy individual may script a very well-spoofed entry that might actually mislead or distract an attacker.
Let’s look at what is required to obtain a WHOIS record using IANA as our starting point. The target of investigation in this example is the SMU.edu domain:
1. Begin by proceeding to the top-level domain page at the IANA site. At this point, you will see a list of the various top-level domains, including the following:
The .aero domain
The .asia domain
The .biz domain
The .cat domain
The .com domain
The .coop domain
The .info domain
The .jobs domain
The .mobi domain
The .museum domain
The .name domain
The .net domain
The .org domain
The .pro domain
The .tel domain
The .travel domain
The .gov domain
The .edu domain
The .mil domain
The .int domain
Notice that after each domain listing, an entity is identified that accredits or registers organizations that use that particular domain extension. For example, the .edu domains are registered through Educause.
2. Proceed to Educause.edu and click on their WHOIS link. Figure 3-12 shows the returned page.
3. Now enter SMU.edu and press Enter. What’s returned should look similar to what is shown in Figure 3-13. From the data returned, notice that the first field is about the registrant. In this example, you can see it is Southern Methodist University. The second field is the administrative contact. The administrative contact for this domain is Bruce Meikle.
The fourth field is the technical contact; here again, you can see Bruce Meikle’s name. Typically, it’s a good idea to place a title in both of those contact-name fields and not use a real name. Remember that attackers are looking for information to exploit.
Figure 3-12 IANA Top Level Domains.
Figure 3-13 IANA Domain Details.
NOTE As long as you have even one human in your organization, your organization is at risk of social engineering information-gathering attempts. Because it’s impossible to completely eliminate this threat, you want to limit to the fullest extent possible the availability of sensitive information that a social engineer might exploit to your eventual grief.
Although some of this information might not seem especially useful, consider its value to a social engineer. Names can be used for social engineering.
Email addresses can be used for spoofing, as can the discovery of any naming scheme. Even phone numbers can be useful to identify possible ranges for wardialing. The final field contains DNS information. In this example, you can see the domain name and IP address for several of SMU’s DNS servers. Make sure to review your own organization’s DNS records and adjust accordingly.
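The review described in this section, as an added example that is not code from the book: a small Python script that fetches a WHOIS record over the RFC 3912 protocol (TCP port 43) and then audits the text for the exposures discussed above (personal names in the contact fields, e-mail addresses, phone numbers, and DNS server IPs). The record layout (an unindented "Heading:" line followed by indented values), the "+country number" phone format, and every value in SAMPLE_RECORD are assumptions and placeholders; the lookup function is provided for use against your own domain and is not called here.

```python
import re
import socket
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d.\- ]{7,}\d")        # assumes +<country><number> form
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def whois_query(server, query, timeout=10):  # RFC 3912: TCP/43, send query + CRLF, read to EOF
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_sections(text):
    # Group indented lines under the preceding unindented "Heading:" line (assumed layout).
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections

def audit_exposure(text):
    # Collect what a social engineer could lift from the record; first line of a contact
    # section is taken as the contact name, which should be a title rather than a person.
    sections = parse_sections(text)
    names = {h: v[0] for h, v in sections.items() if h.endswith("Contact") and v}
    return {
        "contact_names": names,
        "single_point_of_contact": len(set(names.values())) == 1 and len(names) > 1,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted(set(PHONE_RE.findall(text))),
        "dns_ips": IPV4_RE.findall(text),
    }

# Constructed sample record in the assumed layout; every value is a placeholder.
SAMPLE_RECORD = """\
Registrant:
    Example University
Administrative Contact:
    Jane Doe
    jane.doe@example-university.edu
    +1.5555550100
Technical Contact:
    Jane Doe
    jane.doe@example-university.edu
Name Servers:
    NS1.EXAMPLE-UNIVERSITY.EDU  192.0.2.10
"""
```

Running audit_exposure on your own record shows at a glance whether a real person's name appears in both contact fields and which phone numbers, mailboxes and name-server addresses are published.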