ThE hARvESTER: DISCOvERING AND LEvERAGING E-MAIL ADDRESSES
5. select “theHarvester” (note, tools are listed in alphabetical order).
You can also open a terminal window and navigate to the Harvester directory by issuing the following command:
regardless of whether you have downloaded the Harvester or used the ver- sion installed in Backtrack, we will use it to collect additional information about our target. Be sure you are in theHarvester folder and run the following command:
./theHarvester.py –d syngress.com –l 10 –b google
this command will search for e-mails, subdomains, and hosts that belong to syngress.com. figure 2.3 shows our results.
Before discussing the results of our tool, let us examine the command a little closer. “./theHarvester.py” is used to invoke the tool. A lowercase “–d” is used to specify the target domain. A lowercase “–l” (that is an l not a 1) is used to limit the number of results returned to us. in this case, the tool was instructed to return only 10 results. the “–b“ is used to specify what public repository we want to search. we can choose among google, Bing, PgP, or linkedin—for this example, we chose to search using google.
now that you fully understand the command that was run, let us take a look at the results.
As you can see, the Harvester was effective in locating at least two e-mail addresses that could be of value to us. Please note, the e-mail addresses in the screenshot have been circled and obfuscated. the Harvester was also successful
If you are using an operating system other than Backtrack, you can download the tool directly from Edge Security at: http://www.edge-security.com. Once you have got it downloaded, you can unpack the downloaded tar file by running the following command in a terminal:
tar xf theHarvester
Please note the capital “H” that is used when untarring the code. Linux is case sensitive, so the operating system sees a difference between “theHarvester” and “theharvester.” You will need to pay attention to the executable to determine if you should use a capital or lowercase “h.” If the cases do not match exactly, you will typically get a message saying “no such file or directory.” This is a good indication that you have mistyped the name of the file.
in finding at least two additional subdomains. Both “booksite.syngress.com” and “ebook__www.syngress.com” need to be fully recon’d. we simply add these new domains to our target list and begin the reconnaissance process again. step 1 of reconnaissance is very cyclical because in-depth reconnaissance often leads to the discovery of new targets, which, in turn, leads to additional recon- naissance. As a result, the amount of time to complete this phase will vary from several hours to several weeks. remember, a determined malicious hacker understands not only the power of good reconnaissance but also that of a nearly limitless amount of time. As an aspiring penetration tester, you should devote as much time as possible to practicing and conducting information gathering.
A very simple but effective means for collecting additional information about our target is whois. the whois service allows us to access specific information about our target including the iP addresses or host names of the company’s domain name systems (dns) servers and contact information usually con- taining an address and phone number.
whois is built into the linux operating system. the simplest way to use this service is to open a terminal and enter the following command:
whois target_domain fIGURE 2.3
for example, to find out information about syngress, we would issue the fol- lowing command: “whois syngress.com.” figure 2.4 shows a partial output from the result of this tool.
it is important to record all the information and pay special attention to the dns servers. if the dns servers are listed by name only, as shown in figure 2.4, we will use the Host command to translate those names into iP addresses. we will discuss the host command in the next section. You can also use a web browser to search whois. By navigating to http://www.whois.net, you can search for your target in the “wHois lookup” box as shown in figure 2.5. Again it is important to closely review the information you are presented with. sometimes, the output will not provide many details. we can often access these additional details by querying the specific whois server listed in the out- put of our original search. figure 2.6 shows an example of this.
Partial Output from a Whois Query.
we can conduct a further whois search by following the link provided in the “referral Url:” field. You may have to search the webpage for a link to their whois service. By using safename’s whois service, we can extract a significantly larger amount of information as shown here:
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.[whois.safenames.net]
Safenames Whois Server Version 2.0 Domain Name: SYNGRESS.COM
Organisation Name: Elsevier Ltd Contact Name: Domain Manager Address Line 1: The Boulevard
Address Line 2: Langford Lane, Kidlington City/Town: Oxfordshire State/Province: Zip/Postcode: OX5 1GB Country: UK Telephone: 44 (18658) 43830 Fax: 44 (18658) 53333 Email: firstname.lastname@example.org [ADMIN]
Organisation Name: Safenames Ltd
Contact Name: International Domain Administrator Address Line 1: PO Box 5085
Address Line 2:
City/Town: Milton Keynes MLO State/Province: Bucks Zip/Postcode: MK6 3ZE Country: UK Telephone: 44 (19082) 00022 Fax: 44 (19083) 25192 Email: email@example.com fIGURE 2.6
Organisation Name: International Domain Tech Contact Name: International Domain Tech Address Line 1: PO Box 5085
Address Line 2:
City/Town: Milton Keynes MLO State/Province: Bucks Zip/Postcode: MK6 3ZE Country: UK Telephone: 44 (19082) 00022 Fax: 44 (19083) 25192 Email: firstname.lastname@example.org
Another great source of information is netcraft. You can visit their site at http://news.netcraft.com. start by searching for your target in the “what’s that site running?” textbox as shown in figure 2.7.
netcraft will return any websites it is aware of that contain your search words. in our example we are presented with three sites: syngress.com, www.syngress. com, and booksite.syngress.com. if any of these sites have escaped our previous searches, it is important to add them to our potential target list. the returned results page will allow us to click on a “site report.” Viewing the site report should provide us with some valuable information as shown in figure 2.8. As you can see, the site report provides us with some great information about our target including the iP address and os of the web server as well as the dns server. once again all this information should be cataloged and recorded.
oftentimes, our reconnaissance efforts will result in host names rather than iP addresses. when this occurs, we can use the “host” tool to perform a transla- tion for us. the host tool is built into Backtrack. we can access it by opening a terminal and typing:
root@bt~# host target_hostname
in our previous searches, we uncovered a dns server with the host name “ns1. dreamhost.com.” to translate this into an iP address, we would enter the fol- lowing command in a terminal:
figure 2.9 shows the result of this tool.
the host command can also be used in reverse. it can be used to translate iP addresses into host names. to perform this task, simply enter:
root@bt~# host IP address
Using the “-a” switch will provide you with verbose output and possibly reveal additional information about your target. it is well worth your time to review the “host” documentation and help files. You can do so by issuing the “man host” command in a terminal window. this help file will allow you to become familiar with the various options that can be used to provide additional func- tionality to the “host” tool.