The Role Of Non-Obvious Relationships In The Footprinting Process, presented at Blackhat Europe 2003

by Charl van der Walt and Christoff Breytenbach

Tags: Security Testing

Summary: During perimeter testing, the challenge is increasingly to find the one vulnerable server on a large network perimeter rather than to find a bug in one server. Many security companies spend huge amounts of time finding this bug; they search deep and not wide. With networks becoming more interconnected every day, many large companies don't even know how many networks or hosts are connected to them. The process of obtaining a proper footprint of a company is overlooked in many cases. Footprinting starts with obtaining a list of domains related to the company. The task of obtaining a list of domains related to a specific institution is tedious, as the relationship between the institution and its domains is not always obvious. Footprinting is not an exact science: a large number of domains (each of which translates to a piece of network or a path into a private network) are typically overlooked during a blind penetration test. The presentation is on footprinting large institutions, with a focus on an automated technique for finding the "hidden" relationships between domains and institutions.
A method has been developed that will automatically produce a list of related domains (given an initial "seed" domain), together with the relevant "vector lengths" to the source.
The code (source and binary) for the project will be released. A paper on the subject and method will be written and released with the tool.
The presentation will include a section on a methodology developed for further domain enumeration. The method allows a user to submit one domain name and a minimum number of keywords, and returns a list of domains that are also owned by the institution, over and above the list of related domains (which might not belong to the institution). The method is much more complex than a simple whois query; it makes use of the following modules:
Link extraction (both to and from) with dynamic weighting
Whois selective brute forcing expansion
Normalizing of data to represent relevance decay graphically
TLD expansion
MX record vetting (both true and non-false methods)
Web site splash page fingerprint vetting (for getting rid of template sites)
Charl van der Walt is a founding member of SensePost. He studied Computer Science at UNISA and Mathematics at the University of Heidelberg in Germany, and holds a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Standards Institution in London. Charl has a number of years' experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums such as SecurityFocus. Charl has a dog called Fish.
Christoff Breytenbach