
Simple Searches

Introduction

The first stage of our reconnaissance process is to start gathering notes on the structure of the target. In particular we would like to know:

  • Who are they?
  • What do they do?
  • What else are they linked to?
  • Are there any specific people identified?

Simple Searching with Google [1]

A search engine and public websites can give us a lot of information, depending on the target. However, the size of the organisation being targeted will affect the results.

For example, a small, local business may not have a large enough web presence for this information to be present. On the other hand, information on the structure of a large multinational (Microsoft, say) may highlight some key players, such as the CEO, but intermediate management may not be so easy to find.

Note

For these examples I will be making use of Google. Other search engines are available, and can be used in this task.

Example: Using Google to find out about Nmap

Nmap (the network mapper) is an excellent tool for the active reconnaissance phase. It allows you to discover a network's infrastructure and the services running on it, and to perform vulnerability assessment. We will look at Nmap later, but first let's see what information we can discover about it passively.

First we want to perform a simple Google search on our target.

Google Search for Nmap

So without even clicking a link what have we learnt?

  • The preview of the Wikipedia page gives us:
    • A description of what Nmap is
    • The creator's name: Gordon Lyon (Fyodor)
    • Recent release information
    • Related applications

Looking at the Wikipedia page itself can also give us lots of interesting information, including:

  • What Nmap is coded in (could give clues for exploits)
  • Yet more related applications (which may well come up over the next week):
    • Kali / Backtrack
    • Metasploit
    • Nessus / OpenVAS etc.

Let's go a bit further down the rabbit hole and search for the creator. We have a couple of options for search terms here: either Gordon Lyon or Fyodor Vaskovich.

Google Search for Gordon Lyon

This time we get a lot more information:

  • Other Sites he runs:
    • Insecure.org, Nmap.org, Seclists.org, SecTools.org
  • Social Media
    • Twitter, Facebook
  • Interviews on other sites that may give some insight into him.

These secondary sites may also give us a lot of information, and as they are third party they do meet the criteria for passive reconnaissance: we are not directly interacting with any of Gordon's own sites.

We can also search under Gordon's pseudonym, Fyodor Vaskovich. This yields yet more information, some of it confirming what we had discovered before, but it also gives some new links to social media profiles under the pseudonym.

Example: What about an organisation?

Let's repeat the example with Coventry University.

Google Search for CU

Again there is a huge amount of information presented to us.

  • Main web page
  • Social media feed
  • Link to LinkedIn (which may be useful for finding staff)
  • Key executive staff

However, we do hit a bit of a problem with a larger organisation, as opposed to the smaller one-man band that is Nmap. While there is much more data, the information content is lower. Using a simple search we have no real access to staff members, or to details of the technology used.

This means we will need to be much more structured in the way we search for information, or make use of other forms of passive and active reconnaissance.

Looking on Alexa.com

Alexa is a service offered by Amazon that is aimed at search engine optimisation. Unfortunately, they want us to sign up to get all the interesting information. But you can still do a "free search", by using the "Search top sites" bar towards the bottom of the homepage.

Alexa Free Search

Looking at the Alexa profile for Nmap.org, we can see information on the top referrers to the site (Google), where its traffic comes from, and related sites.

Digging Deeper: Browsing other Sites

There is a huge amount of information out there, for example:

  • Looking for people related to an organisation on LinkedIn and Facebook can be useful for gathering staff profiles.
  • Looking for these users on technical help forums (such as Stack Overflow or the Microsoft Developer Network) can give some insight into the services and software they run.

For example, in this Server Fault page we learn the web server version, the PHP version, and that the user wants to do something that may lead to an RFI-style attack. If we had previously identified them as part of an organisation, this would help shape the attack vectors we look for.

Similarly, this post on MSDN gives us some indication of a potential flaw in this user's security.

  • Finding personal blogs may help you prepare a phishing attack.

  • Looking through GitHub (or other public version control systems) for repositories with information on code that an organisation uses, or possibly username and password information.
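The two kinds of leak described above (a forum post that names the web server and PHP versions, and a repository that carries username and password information) can both be found by pattern matching over public text. The following scanner is an added example, not code from the original page; the sample text is constructed to resemble a help-forum post with a pasted config fragment, and the product list and credential key names are illustrative rather than exhaustive. Run it over your own organisation's public posts and repositories to find what a passive searcher would see.

```python
"""Scan public text (a forum post, a README, a pasted config) for leaked
technology versions and credential-looking lines.  Added example with a
constructed sample; the patterns are illustrative, not a full secret scanner."""
import re

# Constructed sample: a help-forum post with a config fragment pasted in.
SAMPLE_TEXT = """\
Hi all, I'm running Apache/2.4.41 with PHP 7.4.3 on Ubuntu and want to
include a file from a URL the user supplies via ?page=...
Here is the bit of config I use:
db_user = "webapp"
db_password = "hunter2"
api_key: AKIAEXAMPLEKEY0000
"""

# "Apache/2.4.41", "PHP 7.4.3", "nginx/1.18.0", "OpenSSL 1.1.1" ...
VERSION_RE = re.compile(
    r"\b(Apache|nginx|PHP|IIS|OpenSSL|MySQL|Ubuntu)[/ ]v?(\d+(?:\.\d+)+)\b",
    re.IGNORECASE,
)

# A line whose key contains pass/password/secret/api_key/token, followed by
# ':' or '=' and a value (optionally quoted).
CREDENTIAL_RE = re.compile(
    r"(?im)^\s*(\w*(?:pass(?:word)?|secret|api_key|token)\w*)\s*[:=]\s*[\"']?([^\"'\s]+)"
)


def find_versions(text):
    """Return (product, version) pairs with the product name lower-cased."""
    return [(m.group(1).lower(), m.group(2)) for m in VERSION_RE.finditer(text)]


def mask(value):
    """Keep the first and last character so a finding is recognisable in a
    report without repeating the secret itself."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def find_credentials(text):
    """Return (key name, masked value) for lines that look like credentials.
    db_user is deliberately not reported: a username alone is not a secret."""
    return [(m.group(1), mask(m.group(2))) for m in CREDENTIAL_RE.finditer(text)]


if __name__ == "__main__":
    print("versions   :", find_versions(SAMPLE_TEXT))
    print("credentials:", find_credentials(SAMPLE_TEXT))
```

The version list tells you which product/version pairs a searcher could feed into a vulnerability database; the credential list is masked so the report itself does not become another leak.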

However, while it can be useful to manually trawl this information, some form of automation (or a more structured form of searching) will help you get the data you need on your target more efficiently. We will cover some automated tools, and advanced searching, in later sections.

Discovering something about the network structure

We can also use a search engine to start to discover some of the structure of our target site, by detecting sub-domains associated with the target. Each of these sub-domains may represent a different service, and may leak some information about how the target's servers are configured and the services available.

For example, Coventry University has (amongst others) the following sub-domains:

  • www.coventry.ac.uk: the main website associated with the organisation
  • cumoodle.coventry.ac.uk: sub-domain hosting the on-line learning platform
  • blogs.coventry.ac.uk: student blogs
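Two things from this topic go together when you work through a list of search-result URLs: which hosts are sub-domains of the target (the structure discussed above), and which are third-party sites that can be read without touching the target's own infrastructure (the passive-reconnaissance criterion from the Gordon Lyon example). The script below is an added example, not code from the original page; the URL list is constructed to look like a results page for Coventry University and includes a lookalike host to show why a naive string match is not enough.

```python
"""Split URLs from a search-result page into the target's own sub-domains
(visiting them means interacting with the target) and third-party hosts
(readable passively).  Added example; the URL list is constructed."""
from urllib.parse import urlparse

# Constructed sample: the kind of URLs a search for an organisation returns.
SAMPLE_URLS = [
    "https://www.coventry.ac.uk/",
    "https://cumoodle.coventry.ac.uk/login/index.php",
    "http://blogs.coventry.ac.uk/student/2019/",
    "https://www.linkedin.com/school/coventry-university/",
    "https://en.wikipedia.org/wiki/Coventry_University",
    "https://evil-coventry.ac.uk.example.com/",   # lookalike: NOT the target
    "https://WWW.Coventry.AC.UK/about",            # same host, different case
    "mailto:someone@coventry.ac.uk",               # no host component
]


def host_of(url):
    """Lower-cased hostname of a URL, or None if the URL has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def is_target_host(host, target):
    """True if host is the target domain itself or a sub-domain of it.
    Matching on '.' + target rejects lookalikes such as target.example.com,
    which a plain substring test would accept."""
    return host == target or host.endswith("." + target)


def split_urls(urls, target):
    """Return (sorted target sub-domains, sorted third-party hosts).
    The first set is the target's visible structure; fetching anything there
    is direct interaction, so it belongs to the active phase.  The second set
    can be browsed without the target seeing a request from us."""
    own, third = set(), set()
    for url in urls:
        host = host_of(url)
        if host is None:
            continue
        if is_target_host(host, target):
            own.add(host)
        else:
            third.add(host)
    return sorted(own), sorted(third)


if __name__ == "__main__":
    own, third = split_urls(SAMPLE_URLS, "coventry.ac.uk")
    print("target sub-domains:", own)
    print("third-party hosts :", third)
```

Feed it a real list of result URLs (copied from the search page, so no request reaches the target) and the first list is the sub-domain inventory the section describes; for a defender, it is also a quick check of which of your own hosts are already indexed.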

We will take a closer look at how some advanced search-fu can help here when we discuss Google hacking later.

Summary

In this topic we have looked at using simple web searches to gather general information about our target. Depending on the organisation we are looking at, this phase may yield differing amounts of useful information.

This searching phase should be iterative: each new piece of information we discover can be used in further searches. We saw this with the Nmap example, first focusing on the project, then using the information we discovered to find out about its author.

Task

Use the web search tools to discover information about Coventry University. What kind of information does Google show about the organisation? What about Alexa?

Discuss your findings on Aula.


  [1] Other search engines are available. [2]

  [2] Not Bing, though.