In this lesson I'll talk about intelligence gathering. Intelligence gathering is an important aspect of proactive security because it helps you understand your own systems, and it helps you understand other people's systems if you're looking at, say, a penetration test from an external entity as well. So when looking at proactive security, you have to understand that threats are inevitable and your own systems could be a threat. So how do you discover these threats? Well, we're going to look at some tools in this lesson that will help you understand how to start building intelligence on your own systems or on some other systems. Now, I caution you to please only do this on your own systems. For some of these tools I'll tell you whether or not you can use them on our website, because it won't do anything. But for most of these, please don't use the information that you gain for other purposes, because you probably don't have authorization, which violates the law in most states and most countries.

So let's start with a very simple query. I'm going to look up an address here: nslookup uccs.edu. Now, nslookup stands for name server lookup, and it works both in Linux and in Windows. I'm on Windows right now, even though it looks like Linux; I have Linux built into Windows 10. nslookup looks for name server information, so I'm asking my name server, which defaults to whatever DNS entry your DHCP address gets. It's going to ask your default name server what this name is. Now, I could also ask a different name server. So if I wanted to ask Google, for example... Okay, you'll notice that they come back; here's the name server, Google's resolver is 8.8.8.8, and it says here are the name servers. They're in a little bit different order, but still the same name servers. So let's say that I wanted to look up a different piece of information, like our mail servers, for example. I could type in nslookup -type=mx, for mail exchange, and uccs.edu.
So this comes back with where we're pointing our mail servers right now, and that's Office 365's email servers. So let's switch over to Linux real quick. Okay, we're going to do the same thing, but we're going to use a program called dig. dig is a little bit more powerful, so we want to look at dig uccs.edu. It's going to give me a little bit more information. There are also a bunch of other queries that we can make with dig that give us a lot more information. Now, nslookup will not let us do zone transfers. What a zone transfer does is gain all the information from a name server and show you the output. If you don't have zone transfers enabled, then you can't do it. So we're going to try a zone transfer on uccs.edu (I do not recommend you doing this): AXFR, and we get "Transfer failed." Which is good, because if it did allow us to do a zone transfer, that's one way to say, hey, you've got a big threat here; they're scraping all the information, all the names, from the name server.

Okay, let's look at another source real quick. We're going to look at Google. Google has an amazing amount of information because it's crawling the Internet all the time. If I just go to Google and I start looking around, okay, if I look up uccs.edu, I'm going to see University of Colorado, Colorado Springs. I'm going to see a bunch of information. Well, what if I want more information? Let's say I want to look at documents from... or a docx, okay? These are all the documents that I can download from uccs.edu. So we can do other things which produce a lot more information. We can use Google to find passwords, we can find compromised information, and we've used it before to find servers that had been compromised. But Offensive Security's Exploit Database actually gives you a nice tool called the Google Hacking Database that allows you to look for specific Google searches, okay? So let's see here, here we go, let's look at a Cuckoo sandbox.
Cuckoo Sandbox is a malware analysis tool that you can run on campus. So I'm going to say intitle:"cuckoo sandbox" "failed_reporting", let's see, uccs.edu. It shouldn't find anything, because our Cuckoo sandboxes aren't public. Okay, so this is good. Now, if you were an organization and you had that information publicly available, it's going to show you that. So we can use this form of what's called Google dorking, D-O-R-K, to supplement our intelligence gathering. Okay, here's "find unpassworded Epson printers." Or, let's see, here we go, "Surftown HTTP servers, security breach logs." There's a whole lot that we can look at with our own systems. But you need to remember that you need to append your website address onto the end, such as uccs.edu. If you look for information like this, please don't use it; again, are you authorized to do it? Probably not, more than likely not.

Okay, let's move on to the next tool here. We're going to look at Shodan. Shodan is another search engine that basically combines Google dorking with actual active scanning. So Shodan is going to show a bunch of information on vulnerable websites. I have an account here; you can type in very few bits of information for free, but I do have a full account. And let's say that I wanted to type in uccs.edu, okay? It's going to give me information that it has crawled. Now, this is specific information that is looking for vulnerabilities, or intelligence gathering for security. So if I typed in uccs.edu, I'm going to find 128.198.1.103, 100, 104, 101. These are mail servers, and it's reporting different information for email. Now, you can use this to find other things too. I'm just going to briefly type in the word password, and you'll see how many it comes up with: 1,891,306, which is not good. A lot of these are web servers that are not secured.
So if I actually were to click one of these, which I'm not going to do because I'm not authorized to do so, it would probably log me into whatever web server was running. But it is a very powerful tool to help you understand what information you may have on your network.

So in conclusion, there's a whole bunch of intelligence gathering features or tools that we have at our disposal. If you're trying to be proactive about security, you need to look at all of them as a whole, start doing intelligence gathering, and know where the information is. Shodan's one, Google is one, even your name servers. If you looked at our ARIN registry, for example, arin.com, that's going to bring up the registry for uccs.edu, and you'll recognize me as the administrative contact for the website, or for the domain uccs.edu. So look at all the information that you're putting out there, and hopefully you glean some information that might be useful for you.
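The DNS side of this lesson (the nslookup MX query and the dig AXFR attempt that came back "Transfer failed."), as an added example that is not part of the lecture: a Python client on the standard library alone that builds the same queries nslookup and dig send, parses the answers including compressed names, and classifies a name server's AXFR response. The zone and name server are whatever the reader passes on the command line (your own systems only, as the lecture says); SAMPLE_MX is a constructed example.com answer for offline use, not captured traffic, and dnsrecon.py is just the assumed file name.

```python
"""Stdlib-only DNS client: builds the queries nslookup/dig send (MX, NS, AXFR), parses
answers (incl. name compression) and checks AXFR. Added example for this lesson, not course code."""
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Header + one question. RD set for normal lookups; AXFR goes to an authoritative
    server, so recursion is not requested."""
    flags = 0x0000 if qtype == "AXFR" else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the suffix
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if jumped else off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:  # a hostile server could make the pointers loop forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg):
    """Return (rcode name, [(owner, rtype, rdata as text), ...]) from the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE.get(flags & 0xF, str(flags & 0xF))
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE["MX"]:  # 16-bit preference, then the exchange's name
            text = "%d %s" % (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"]):
            text = decode_name(msg, off)[0]
        else:
            text = msg[off:off + rdlen].hex()
        records.append((owner, rtype, text))
        off += rdlen
    return rcode, records

def query_udp(name, qtype, server, timeout=3.0):
    """The exchange behind `nslookup -type=mx name server`: one UDP datagram each way."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def check_axfr(zone, server, timeout=5.0):
    """The exchange behind `dig @server zone AXFR`: TCP with a 2-byte length prefix. A
    hardened server answers REFUSED (dig: 'Transfer failed.'); NOERROR + records = exposed."""
    q = build_query(zone, "AXFR")
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        f = s.makefile("rb")
        hdr = f.read(2)
        if len(hdr) < 2:
            return "closed"
        data = f.read(struct.unpack("!H", hdr)[0])
    rcode, records = parse_response(data)  # the first message is enough to classify
    if rcode != "NOERROR":
        return "refused (%s)" % rcode
    return "ALLOWED: %d records in the first message, zone is exposed" % len(records)

# Constructed sample (not captured traffic): MX answer for example.com with a compressed exchange name.
SAMPLE_MX = (bytes.fromhex("123481800001000100000000") + b"\x07example\x03com\x00\x00\x0f\x00\x01"
             + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09\x00\x0a\x04mail\xc0\x0c")

if __name__ == "__main__":  # live: python dnsrecon.py <zone> <nameserver-ip>; no args: offline demo
    if len(sys.argv) == 3:
        print("MX:", query_udp(sys.argv[1], "MX", sys.argv[2]), "AXFR:", check_axfr(sys.argv[1], sys.argv[2]))
    else:
        print(parse_response(SAMPLE_MX))
```

Run it only against a zone and name server you are authorized to test. A `refused (REFUSED)` result is the outcome the lecture shows for uccs.edu; an `ALLOWED` line means the server hands its whole zone to anyone who asks, which is exactly the threat the lecture describes. A full AXFR can span several TCP messages; the check reads only the first because that is enough to classify, and the pointer-hop limit in decode_name is there because a hostile server can send a response whose compression pointers loop.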