Learn Information Gathering By Example

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing ipublished will tell you how to 0wn someone, these docs will help you understand how you got 0wnd.
Post Reply
User avatar
Posts: 12
Joined: Wed Jul 06, 2005 9:12 am

Learn Information Gathering By Example

Post by Aelphaeis_Mangarae » Wed Aug 02, 2006 3:55 am

Information Gathering is usually the first done when Penetration testing.
It is indeed a very important part in Penetration testing, and no Penetration tester or Internet security enthusiast can be left with out the knowledge of not knowing how to successfully gather information on a target.
This white paper goes through the steps and tools you can use in order to successfully gather information on a target web server.

Source Code To DNS Brute:

Code: Select all

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib, "ws2_32")

//Coded By Aelphaeis Mangarae
//IRC: irc.efnet.org #d-u
//Email: adm1n1strat10n [AT] hotmail [DOT] com
//Xbox Live Gamer Tag: Aelphaeis
//Website: www.SecurZone.Org

/*Greetz To

htek, HackJoeSite, FRSilent, Read101, tomchu, nic`, BSoD, r0rkty, Nitrous,
SyS64738,  Trash-80, morning_wood, Astharot,  Fauley, Furax, PsAuX, SecurityWireless,
SysSpider,  Siegfried, fritz, darkt3ch,  Predator/ill skillz, Alchemist, BioHunter,
Digerati,  digital-flow, butthead, spiderlance, FishNET, W--, nrs, IBMWarpst, Nixus,
varu, z16bitseg,  PTP, felosi, Mega~biTe, wicked/aera, Palmeiro, Kadafiu, sNKenjoi,
tgo, melkor, mu-tiger, royal, Wex, ksv, GoTiT4FrE, CKD, Dr4g, Coldfisher, snx,
skiddieleet, ProwL,  drygol, kon, Iadnah, EwenG, belgther, sarkar112,
str0ke and Kenny & Blake from GSO.


typedef struct tagIPINFO
    u_char Ttl;                // Time To Live
    u_char Tos;                // Type Of Service
    u_char IPFlags;            // IP flags
    u_char OptSize;            // Size of options data
    u_char FAR *Options;    // Options data buffer

typedef struct tagICMPECHO
    u_long Source;            // Source address
    u_long Status;            // IP status
    u_long RTTime;            // Round trip time in milliseconds
    u_short DataSize;        // Reply data size
    u_short Reserved;        // Unknown
    void FAR *pData;        // Reply data buffer
    IPINFO    ipInfo;            // Reply options

// ICMP.DLL Export Function Pointers
HANDLE (WINAPI *pIcmpCreateFile)(VOID);
BOOL (WINAPI *pIcmpCloseHandle)(HANDLE);
DWORD (WINAPI *pIcmpSendEcho)

int main(int argc, char *argv[])


    //Checks if enough arguments as passed
    if (argc != 3)
        printf("DNS Brute - Coded by Aelphaeis Mangarae\n");
        printf("IRC: irc.efnet.org #d-u\n");
        printf("Email: adm1n1strat10n [AT] hotmail [DOT] com\n");
            printf("MSN Messenger: adm1n1strat10n [AT] hotmail [DOT] com\n");
            printf("Xbox Live Gamer Tag: Aelphaeis\n");
            printf("Website: www.SecurZone.Org\n");
        fprintf(stderr,"\nError: Incorrect Number Of Arguments Passed.\n");
        fprintf(stderr, "Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");
        return 0;

    WSADATA wsaData;            // WSADATA
    ICMPECHO icmpEcho;            // ICMP Echo reply buffer
    HANDLE hndlIcmp;            // LoadLibrary() handle to ICMP.DLL
    HANDLE hndlFile;            // Handle for IcmpCreateFile()
    LPHOSTENT pHost;            // Pointer to host entry structure
    struct in_addr iaDest;        // Internet address structure
    DWORD *dwAddress;            // IP Address
    IPINFO ipInfo;                // IP Options structure
    int nRet;                    // General use return code
    DWORD dwRet;                // DWORD return code
    int x;

    // Dynamically load the ICMP.DLL
    hndlIcmp = LoadLibrary("ICMP.DLL");
    if (hndlIcmp == NULL)
        fprintf(stderr,"\nCould not load ICMP.DLL\n");
        return 0;
    // Retrieve ICMP function pointers
    pIcmpCreateFile = (HANDLE (WINAPI *)(void))
    pIcmpCloseHandle = (BOOL (WINAPI *)(HANDLE))
    pIcmpSendEcho = (DWORD (WINAPI *)
    // Check all the function pointers
    if (pIcmpCreateFile == NULL        ||
        pIcmpCloseHandle == NULL    ||
        pIcmpSendEcho == NULL)
        fprintf(stderr,"\nError getting ICMP proc address\n");
        return 0;

    FILE *inputDNS;
    int count = 0;
    char buffer[32];
    char *domain;
    char *path;
    char *n;

    printf("DNS Brute - Coded by Aelphaeis Mangarae\n");
    printf("IRC: irc.efnet.org #d-u\n");
    printf("Email: adm1n1strat10n [AT] hotmail [DOT] com\n");
          printf("MSN Messenger: adm1n1strat10n [AT] hotmail [DOT] com\n");
        printf("Xbox Live Gamer Tag: Aelphaeis\n");
    printf("Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");

        //Checks to see if the length of the domain is no more than 32 characters.
        //We wouldn't want a Buffer Overflow would we?
        //And yes I know your thinking "Who the hell is going to exploit dns brute?"
        if (strlen(argv[1]) > 32)
         printf("Error: Domain passed is longer than 32 characters\n");
        domain = argv[1];
        path = argv[2];

    //Opens file for reading
    inputDNS = fopen(path, "r");
    if ( inputDNS == NULL)
    printf("Error Opening File.\n");

    //Reads from file
    //This is also a piece of secure code.
        //The app doesn't read in anymore than the size of the buffer per line.
       while (fgets(buffer, sizeof(buffer), inputDNS) )

    //Used to make sure fgets doesn't input a new line character
    if ((n = strchr(buffer, '\n')) != NULL)
        *n = '\0';

    //Joins the two strings together
    strncat(buffer, domain, strlen(domain));
    printf("%s", buffer);

    // Init WinSock
    nRet = WSAStartup(0x0101, &wsaData );
    if (nRet)
        fprintf(stderr,"\nWSAStartup() error: %d\n", nRet);
        return 0;
    // Check WinSock version
    if (0x0101 != wsaData.wVersion)
        fprintf(stderr,"\nWinSock version 1.1 not supported\n");
        return 0;

    // Lookup destination
    // Use inet_addr() to determine if we're dealing with a name
    // or an address
    iaDest.s_addr = inet_addr(buffer);
    if (iaDest.s_addr == INADDR_NONE)
        pHost = gethostbyname(buffer);
        pHost = gethostbyaddr((const char *)&iaDest,
                        sizeof(struct in_addr), AF_INET);
    if (pHost == NULL)
        fprintf(stderr, "\n%s not found\n", argv[1]);
        goto here;
        //We jump back up to where we were before
        //if the host we tried doesn't exist.

    // Tell the user what we're doing
    printf("\nPinging %s [%s]", pHost->h_name,

    // Copy the IP address
    dwAddress = (DWORD *)(*pHost->h_addr_list);

    // Get an ICMP echo request handle
    hndlFile = pIcmpCreateFile();
    for (x = 0; x < 4; x++)
        // Set some reasonable default values
        ipInfo.Ttl = 255;
        ipInfo.Tos = 0;
        ipInfo.IPFlags = 0;
        ipInfo.OptSize = 0;
        ipInfo.Options = NULL;
        //icmpEcho.ipInfo.Ttl = 256;
        // Reqest an ICMP echo
        dwRet = pIcmpSendEcho(
            hndlFile,        // Handle from IcmpCreateFile()
            *dwAddress,        // Destination IP address
            NULL,            // Pointer to buffer to send
            0,                // Size of buffer in bytes
            &ipInfo,        // Request options
            &icmpEcho,        // Reply buffer
            sizeof(struct tagICMPECHO),
            5000);            // Time to wait in milliseconds
        // Print the results
        iaDest.s_addr = icmpEcho.Source;
        printf("\nReply from %s  Time=%ldms  TTL=%d",

        if (icmpEcho.Status)
            printf("\nError: icmpEcho.Status=%ld",

    // Close the echo request file handle


    return 0;


Post Reply