Friday, 27 May 2011

Hacking Start: IP-Related Searches

That pretty well takes care of the domain-related searches, but what about IP-related
registrations? As explained earlier, IP-related issues are handled by the various RIRs
under ICANN’s ASO. Let’s see how we go about querying this information.
The WHOIS server at ICANN (IANA) does not currently act as an authoritative
registry for all the RIRs as it does for the TLDs, but each RIR does know which IP ranges
it manages. This allows us to simply pick any one of them to start our search. If we pick
the wrong one, it will tell us which one we need to go to.
Let’s say that while perusing your security logs (as I’m sure you do religiously,
right?), you run across an interesting entry with a source IP of 61.0.0.2. You start by
entering this IP into the WHOIS search at http://www.arin.net, which tells
you that this range of IPs is actually managed by APNIC. You then go to APNIC's site at http://www.apnic.net to continue your search. Here you find out that this
IP address is actually managed by the National Internet Backbone of India.
This process can be followed to trace back any IP address in the world to its owner,
or at least to a point of contact that may be willing to provide the remaining details. As
with anything else, cooperation is almost completely voluntary and will vary as you deal
with different companies and different governments. Always keep in mind that there are
many ways for an attacker to hide their true IP. For TCP connections the source address in
your logs is usually a real host, but rarely the attacker's own: it is far more likely a
compromised machine, an open proxy or an anonymizing relay, and for connectionless traffic
(UDP, ICMP) the source can be spoofed outright. So the IP that shows up in your logs may be
what we refer to as a laundered IP address, almost untraceable. The WHOIS record tells you
who is responsible for the address, not who was behind the keyboard.
We can also find out IP ranges and BGP autonomous system numbers that an
organization owns by searching the RIR WHOIS servers for the organization’s literal
name. For example, if we search for "Google" at http://www.arin.net, we see the IP
ranges that Google owns under its name as well as its AS number, AS15169. The AS number
is worth having because a WHOIS name search only shows address space registered under
the exact name you searched for. Every prefix the organization actually announces to the
Internet, including blocks registered to a subsidiary or allocated by a different RIR,
carries that AS as its origin in the global routing table, so a route-server or
looking-glass query for the ASN often turns up address space a name search would miss.
The administrative contact is an important piece of information because it may tell
you the name of the person responsible for the Internet connection or firewall. Our query
also returns voice and fax numbers. This information is an enormous help when you’re
performing a dial-in penetration review. Just fire up the war-dialers in the noted range,
and you’re off to a good start in identifying potential modem numbers. In addition, an
intruder will often pose as the administrative contact using social engineering on
unsuspecting users in an organization. An attacker will send spoofed e-mail messages
posing as the administrative contact to a gullible user. It is amazing how many users will
change their passwords to whatever you like, as long as it looks like the request is being
sent from a trusted technical support person.

The record creation and modification dates indicate how accurate the information is.
If the record was created five years ago but hasn’t been updated since, it is a good bet
some of the information (for example, administrative contact) may be out of date.
The last piece of information provides us with the authoritative DNS servers, which
are the sources of record for name lookups for that domain or IP. The first one listed is
conventionally the primary DNS server, with the rest secondary, tertiary, and so on, but
the order in a WHOIS record is not authoritative; the MNAME field of the zone's SOA record
names the real primary. We will need this information for our DNS interrogation.
Additionally, we can try to use the network range listed as a starting point for our
network query of the ARIN database.
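The two mechanical parts of this section, following a WHOIS referral from whichever RIR you started at to the one that actually holds the record, and then pulling the owner, administrative contact, phone and fax numbers, modification date and name servers out of that record, are easy to script. The following is an added example, not code from the original page or from any RIR; a live lookup uses WHOIS over TCP port 43, while the two replies embedded at the bottom are constructed (the contact details are fictitious) so the script also runs offline and so the staleness check has a fixed reference date:

```python
"""Follow RIR WHOIS referrals for an IP, then pull the owner, admin contact,
phone/fax numbers, record date and name servers out of the reply.
Added example, not code from the original page. Live lookups use TCP/43
(RFC 3912); the constructed replies at the bottom let it run offline."""
import re
import socket
from datetime import date

ARIN = "whois.arin.net"  # any RIR is a fine starting point; the wrong one refers you on

def whois_query(server, query, timeout=10):
    """One RFC 3912 exchange: send the query line, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

# ARIN: "ReferralServer: whois://whois.apnic.net"; IANA: "refer: whois.apnic.net".
# rwhois:// referrals are a different protocol/port and are not followed.
_REFERRAL = re.compile(r"^(?:ReferralServer|refer):\s*(?:(\w+)://)?([\w.-]+)", re.I | re.M)

def lookup_ip(ip, query=whois_query, start=ARIN, max_hops=4):
    """Return (authoritative server, servers visited, its reply), bounding the chain."""
    server, hops = start, [start]
    for _ in range(max_hops):
        text = query(server, ip)
        m = _REFERRAL.search(text)
        if not m or (m.group(1) or "whois").lower() != "whois" or m.group(2).lower() == server:
            return server, hops, text
        server = m.group(2).lower()
        hops.append(server)
    raise RuntimeError("referral chain exceeded %d hops: %s" % (max_hops, hops))

def parse_objects(text):
    """Split a reply into objects {key: [values]}: a blank line ends an object,
    '#'/'%' lines are comments. Covers RPSL (APNIC/RIPE) and ARIN's 'NetRange:' form."""
    objects, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                objects.append(cur)
            cur = {}
        elif line[0] not in "#%" and ":" in line:
            key, _, val = line.partition(":")
            cur.setdefault(key.strip().lower(), []).append(val.strip())
    return objects

STALE_AFTER_DAYS = 5 * 365  # the text's rule of thumb for a record nobody has touched

def summarize(objects, today):
    """Fields the text discusses; `today` is an ISO date so the staleness test is reproducible."""
    net = next(o for o in objects if "inetnum" in o or "netrange" in o)
    handle = (net.get("admin-c") or [None])[0]
    contact = next((o for o in objects if handle and handle in o.get("nic-hdl", [])), {})
    modified = (net.get("last-modified") or net.get("updated") or [None])[0]
    age = (date.fromisoformat(today) - date.fromisoformat(modified[:10])).days if modified else None
    return {
        "range": (net.get("inetnum") or net["netrange"])[0],
        "owner": (net.get("descr") or net.get("orgname") or ["?"])[0],
        "admin_contact": (contact.get("person") or [None])[0],
        "phones": contact.get("phone", []) + contact.get("fax-no", []),
        "name_servers": [ns for o in objects for ns in o.get("nserver", [])],
        "last_modified": modified,
        "possibly_stale": None if age is None else age > STALE_AFTER_DAYS,
    }

def trace(ip, query=whois_query, today=None):
    """End to end: referral chase, parse, summarize."""
    server, hops, text = lookup_ip(ip, query=query)
    summary = summarize(parse_objects(text), today or date.today().isoformat())
    return {"server": server, "hops": hops, **summary}

# Constructed replies standing in for the network; contact details are fictitious.
ARIN_REPLY = """\
# ARIN WHOIS data and services are subject to the Terms of Use

NetRange:       61.0.0.0 - 61.255.255.255
OrgName:        Asia Pacific Network Information Centre
ReferralServer: whois://whois.apnic.net
"""
APNIC_REPLY = """\
inetnum:        61.0.0.0 - 61.0.255.255
descr:          National Internet Backbone
country:        IN
admin-c:        EX123-AP
last-modified:  2008-09-04T06:54:38Z
source:         APNIC

person:         Example Admin
phone:          +91-11-0000-0000
fax-no:         +91-11-0000-0001
nic-hdl:        EX123-AP
source:         APNIC
"""
FAKE_REPLIES = {(ARIN, "61.0.0.2"): ARIN_REPLY, ("whois.apnic.net", "61.0.0.2"): APNIC_REPLY}

def fake_query(server, query):
    return FAKE_REPLIES[(server, query)]

if __name__ == "__main__":
    print(trace("61.0.0.2", query=fake_query, today="2011-05-27"))  # offline
    # print(trace("61.0.0.2"))  # live: same code against the real RIRs
```

Two design points matter in practice. The referral chase is bounded by `max_hops` and refuses `rwhois://` referrals, because a misconfigured or hostile server that refers you in a circle should not hang a script you run over thousands of log entries. And the summary keeps the record's own modification date next to the contact details, so the "is this contact still real" judgement the text describes is made on every lookup rather than forgotten once the phone number is in hand.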
