{"id":25,"date":"2021-02-25T16:24:34","date_gmt":"2021-02-25T16:24:34","guid":{"rendered":"https:\/\/cas.cybercop-training.ch\/?page_id=25"},"modified":"2021-05-31T14:22:00","modified_gmt":"2021-05-31T14:22:00","slug":"osint-passive-reconnaissance","status":"publish","type":"page","link":"https:\/\/cas.cybercop-training.ch\/index.php\/osint-passive-reconnaissance\/","title":{"rendered":"OSINT: Passive Reconnaissance"},"content":{"rendered":"<h2>1. Task description<\/h2>\n<p>After you&#8217;ve learned some techniques of <code>Passive Fingerprinting<\/code>, your task is to write a report of your findings against the <code>target<\/code> <a href=\"https:\/\/www.compass-security.com\">https:\/\/www.compass-security.com<\/a>. Please note that you may only use passive techniques and must not scan or actively penetrate the target, their products and services. Your report should include the methodology you&#8217;ve used and the following information:<\/p>\n<ul>\n<li>\n<p>list of hostnames and IP addresses of Compass Security<\/p>\n<\/li>\n<li>\n<p>list of domains owned by Compass Security<\/p>\n<\/li>\n<li>\n<p>list of providers and their ASN (BGP)<\/p>\n<\/li>\n<\/ul>\n<p>Bonus:<\/p>\n<ul>\n<li>\n<p>mail addresses used by the company Compass Security<\/p>\n<\/li>\n<\/ul>\n<h2>2. 
Methodology and Results<\/h2>\n<p>First I&#8217;ll use <code>dig<\/code> to find the IP addresses, name servers and mail servers of the domains <a href=\"https:\/\/compass-security.com\">https:\/\/compass-security.com<\/a> and <a href=\"https:\/\/compass-security.ch\">https:\/\/compass-security.ch<\/a><\/p>\n<blockquote>\n<p>dig compass-security.ch +short<\/p>\n<\/blockquote>\n<p><b>80.74.140.119<\/b><\/p>\n<blockquote>\n<p>dig compass-security.com +short<\/p>\n<\/blockquote>\n<p><b>80.74.140.133<\/b><\/p>\n<blockquote>\n<p>dig compass-security.ch -t ns +short<\/p>\n<\/blockquote>\n<p><b>ns2.compass-security.com<\/b><br \/>\n<b>ns1.compass-security.com<\/b><\/p>\n<blockquote>\n<p>dig compass-security.com -t ns +short<\/p>\n<\/blockquote>\n<p><b>ns2.compass-security.com<\/b><br \/>\n<b>ns1.compass-security.com<\/b><\/p>\n<blockquote>\n<p>dig compass-security.ch -t mx +short<\/p>\n<\/blockquote>\n<p><b>mx2.compass-security.com<\/b><br \/>\n<b>mx1.compass-security.ch<\/b><\/p>\n<blockquote>\n<p>dig +short +answer ns1.compass-security.com<\/p>\n<\/blockquote>\n<p><b>193.135.215.40<\/b><\/p>\n<blockquote>\n<p>dig +short +answer ns2.compass-security.com<\/p>\n<\/blockquote>\n<p><b>80.74.140.181<\/b><\/p>\n<blockquote>\n<p>dig +short +answer mx1.compass-security.com<\/p>\n<\/blockquote>\n<p><b>193.135.215.41<\/b><\/p>\n<blockquote>\n<p>dig +short +answer mx2.compass-security.com<\/p>\n<\/blockquote>\n<p><b>62.2.85.154<\/b><\/p>\n<h2>2.1 List of hostnames and IP addresses of Compass Security<\/h2>\n<ol>\n<li>compass-security.ch &#8211;&gt; 80.74.140.119<\/li>\n<li>compass-security.com &#8211;&gt; 80.74.140.133<\/li>\n<li>ns1.compass-security.com &#8211;&gt; 193.135.215.40<\/li>\n<li>ns2.compass-security.com &#8211;&gt; 80.74.140.181<\/li>\n<li>mx1.compass-security.com &#8211;&gt; 193.135.215.41<\/li>\n<li>mx2.compass-security.com &#8211;&gt; 62.2.85.154<\/li>\n<\/ol>\n<p>To get a list of domains owned by Compass Security I installed the tool reconspider from the 
following GitHub source:<br \/>\n<a href=\"https:\/\/github.com\/bhavsec\/reconspider\">https:\/\/github.com\/bhavsec\/reconspider<\/a><\/p>\n<p>As I&#8217;ve learned in previous exercises, I&#8217;ll create a virtual Python environment for that:<br \/>\n<img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/02\/recon_spider1.png\" alt=\"\" \/><br \/>\nAfter entering the URL compass-security.ch I get a new menu and select the ReverseIP module:<br \/>\n<img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/02\/recon_spider2.png\" alt=\"\" \/><\/p>\n<h2>2.2 List of Domains owned by Compass-Security<\/h2>\n<p>Reconspider gives me the following list of domains back. Note that a reverse IP lookup returns every domain hosted on the same address, so the list can also contain domains of the hosting provider or of other customers sharing that address:<\/p>\n<blockquote>\n<ul>\n<li>badger.ch<\/li>\n<li>challenges.hacking-lab.com<\/li>\n<li>compass-cyber-defense.com<\/li>\n<li>compass-security-cyber-defense.com<\/li>\n<li>compass-security.at<\/li>\n<li>compass-security.berlin<\/li>\n<li>compass-security.ch<\/li>\n<li>compass-security.co.uk<\/li>\n<li>compass-security.de<\/li>\n<li>compass-security.eu<\/li>\n<li>compass-security.fr<\/li>\n<li>compass-security.gmbh<\/li>\n<li>compass-security.info<\/li>\n<li>compass-security.it<\/li>\n<li>compass-security.li<\/li>\n<li>compass-security.net<\/li>\n<li>compass-security.org<\/li>\n<li>compass-security.sg<\/li>\n<li>compass-security.swiss<\/li>\n<li>compass-security.us<\/li>\n<li>crl.compass-security.com<\/li>\n<li>cscd.ch<\/li>\n<li>csnc.at<\/li>\n<li>csnc.ch<\/li>\n<li>csnc.de<\/li>\n<li>cyber-defense.ch<\/li>\n<li>cyber-tycoons.com<\/li>\n<li>cyber-tycoons.org<\/li>\n<li>eucsc.hacking-lab.com<\/li>\n<li>filebox-solution.de<\/li>\n<li>fileboxsolution.ch<\/li>\n<li>fileboxsolution.com<\/li>\n<li>hacking-lab-ctf.com<\/li>\n<li>media.compass-security.com<\/li>\n<li>media.hacking-lab.com<\/li>\n<li>penetrationtest.ch<\/li>\n<li>security-competence.ch<\/li>\n<li>securitycompetence.ch<\/li>\n<li>sicherheitstest.ch<\/li>\n<li>tiger
-team.ch<\/li>\n<li>tigerteam.ch<\/li>\n<li>urb80-74-140-119.ch-meta.net<\/li>\n<\/ul>\n<\/blockquote>\n<h2>2.3 Further DNS enumeration<\/h2>\n<p>Further DNS enumeration can be done via Certificate Transparency logs (<a href=\"https:\/\/cert.sh\">https:\/\/cert.sh<\/a>)<br \/>\n<img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/02\/cert_sh1.png\" alt=\"\" \/><\/p>\n<p>I copy the results and put them into CyberChef with the modules <code>Extract domains<\/code> and <code>unique<\/code>. This gives me the following list of domains:<\/p>\n<blockquote>\n<p>secure.compass-security.com<br \/>\nwww.digicert.com<br \/>\npbx.compass-security.com<br \/>\nanalytics.compass-security.com<br \/>\nmedia.compass-security.com<br \/>\nfeedback.compass-security.com<br \/>\ncrl.compass-security.com<br \/>\ndeli.compass-security.com<br \/>\nosiris.compass-security.com<br \/>\ncompass-security.com<br \/>\nwww.compass-security.com<br \/>\nblog.compass-security.com<br \/>\nres.compass-security.com<br \/>\nfb.compass-security.com<br \/>\ndfir.compass-security.com<br \/>\napps.compass-security.com<br \/>\nmx1.compass-security.com<br \/>\nmx2.compass-security.com<br \/>\nmimir.compass-security.com<br \/>\nopenshift.compass-security.com<br \/>\napps.openshift.compass-security.com<br \/>\ngit.openshift.compass-security.com<br \/>\ngrobi.compass-security.com<br \/>\nwodan.compass-security.com<br \/>\nosiris2.compass-security.com<\/p>\n<\/blockquote>\n<h2>2.4 Identify providers and their ASN (BGP)<\/h2>\n<blockquote>\n<p>\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net &#8218;80.74.140.133&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS21069<br \/>\ndescr: ASN-METANET METANET AG, CH<br \/>\n&gt;<br \/>\n\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net 
&#8218;80.74.140.119&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS21069<br \/>\ndescr: ASN-METANET METANET AG, CH<br \/>\n&gt;<br \/>\n\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net &#8218;80.74.140.181&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS21069<br \/>\ndescr: ASN-METANET METANET AG, CH<br \/>\n&gt;<br \/>\n\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net &#8218;193.135.215.40&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS3303<br \/>\ndescr: SWISSCOM Swisscom (Schweiz) AG, CH<br \/>\n&gt;<br \/>\n\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net &#8218;193.135.215.41&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS3303<br \/>\ndescr: SWISSCOM Swisscom (Schweiz) AG, CH<br \/>\n&gt;<br \/>\n\u256d\u2500 ~\/Desktop\/Exercise3\/OSINT \u2714<br \/>\n\u2570\u2500 whois -h riswhois.ripe.net &#8218;62.2.85.154&#8216; | egrep -i &quot;origin|desc&quot;<br \/>\n% IPv4 or IPv6 address to origin prefix match<br \/>\norigin: AS6830<br \/>\ndescr: LibertyGlobal Liberty Global B.V., AT<br \/>\norigin: AS6830<br \/>\ndescr: LibertyGlobal Liberty Global B.V., AT<\/p>\n<\/blockquote>\n<p>In summary, the two web servers and ns2 are announced by METANET AG (AS21069), ns1 and mx1 by Swisscom (AS3303), and mx2 by Liberty Global (AS6830).<\/p>\n<h2>2.5 Search for mail addresses used by the company Compass Security<\/h2>\n<p>I&#8217;ve tried the search engine <a href=\"https:\/\/hunter.io\">https:\/\/hunter.io<\/a> for that. Before you can search you have to register, and you can&#8217;t unlock all results. 
For an attacker this can be interesting, as it reveals potential usernames and email addresses.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/02\/hunter1.png\" alt=\"\" \/><\/p>\n<blockquote>\n<p>jan-tilo.kirchhoff@compass-security.com<br \/>\npatrick.vananti@compass-security.com<br \/>\nivan.buetler@compass-security.com<br \/>\ncyrill.brunschwiler@compass-security.com<br \/>\nsylvain.heiniger@compass-security.com<br \/>\nalessandro.zala@compass-security.com<br \/>\nstephan.sekula@compass-security.com<br \/>\nnicolas.heiniger@compass-security.com<br \/>\ndaniel.schenker@compass-security.com<br \/>\nkarin.bamert@compass-security.com<\/p>\n<\/blockquote>\n<p>PDF Report:<br \/>\n<a href=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/02\/OSINT1.pdf\" class=\"mtli_attachment mtli_pdf\" title=\"OSINT#1\">OSINT#1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. Task description After you&#8217;ve learned some techniques of Passive Fingerprinting your task is to write a report of your findings against the target https:\/\/www.compass-security.com. Please note that you only use passive techniques and do not scan or actively penetrate the target, their products and services. 
Your report should include the methodology you&#8217;ve used and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-25","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/25","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/comments?post=25"}],"version-history":[{"count":9,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/25\/revisions"}],"predecessor-version":[{"id":1340,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/25\/revisions\/1340"}],"wp:attachment":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/media?parent=25"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}