Penetration Testing: Information Gathering
This document reports the findings of the information gathering phase of a penetration test against two organisations. The first organisation, which is UK based, is the political party currently running the UK government, the Conservative Party or Conservatives. The second organisation, which is based in the USA, is the political party currently controlling the lower chamber and the executive of the US government, the Democratic Party or Democrats.
Conservatives.com
| Item | Value(s) | Comment |
| --- | --- | --- |
| Domain name¹ | conservatives.com | |
| Registered to¹ | Statutory Masking Enabled | Domain registrant has purchased WHOIS protection and a proxy is listed instead of the registrant. |
| Registrar¹ | Network Solutions, LLC | |
| Registered on¹ | 10/07/1996 | 25 years ago |
| Homepage¹ | | |
| Current IPv4 hosts (A records)² | 104.18.213.89, 104.17.146.63 | Since 16/04/2021 (7 months ago). Based in California, USA. Registered to Cloudflare, Inc. |
| Historical IPv4 hosts (A records)² | 104.18.122.219, 104.18.121.219 | 14/01/2021 – 16/04/2021 (3 months) and 24/07/2020 – 07/01/2021 (6 months). Registered to Cloudflare, Inc. |
| | 76.223.27.102, 13.248.155.104 | 07/01/2021 – 14/01/2021 (7 days) and 21/04/2020 – 24/07/2020 (3 months). Registered to Amazon.com, Inc. Hostname: a20b9ee60132ef283.awsglobalaccelerator.com |
| | 185.181.196.117 | 07/08/2018 – 21/04/2020. Registered to UKFAST.NET LIMITED |
| Current IPv6 hosts (AAAA records)² | 2606:4700::6811:923f, 2606:4700::6812:d559 | Since 16/04/2021 (7 months ago). Based in California, USA. Registered to Cloudflare, Inc. |
| Historical IPv6 hosts (AAAA records)² | 2606:4700::6812:7adb, 2606:4700::6812:79db | 24/07/2020 – 16/04/2021 (9 months) |
| | 2a02:21a8:0:3::2206:37eb | 16/09/2018 – 24/07/2020 (2 years) |
| | 2A02:21A8:0:3::2206:37EB | 80/18/2017 – 16/09/2018 (1 year) |
| Current name servers (NS records)² | GERARDO.NS.CLOUDFLARE.COM, KATE.NS.CLOUDFLARE.COM | Since 24/07/2020 (1 year ago). Registered to Cloudflare, Inc. |
| Historical name servers (NS records)² | ns0.ukfast.net, ns1.ukfast.net | 24/05/2017 – 24/07/2020 (3 years). Registered to UKFAST.NET LIMITED |
| | dns11.easydns.com, dns2.easydns.com, dns3.easydns.com | 23/10/2013 – 24/05/2017 (4 years). Registered to easyDNS Technologies Inc. |
| Current mail servers (MX records)² | cluster2.eu.messagelabs.com | Since 25/09/2009 (12 years ago). Registered to Google LLC / Messagelabs Limited |
| Historical mail servers (MX records)² | cluster2a.eu.messagelabs.com, cluster2.eu.messagelabs.com | 01/09/2008 – 25/09/2009 (1 year). Registered to Google LLC / Messagelabs Limited |
| Open ports @ 104.18.213.89 and 104.17.146.63 (current IPv4 hosts)³ | 80 TCP | Cloudflare HTTP proxy |
| | 443 TCP | Cloudflare HTTPS proxy |
| | 8080 TCP | Cloudflare HTTP proxy |
| | 8443 TCP | Cloudflare HTTPS proxy |
| Open ports @ 104.18.122.219 and 104.18.121.219 (most recent historical IPv4 hosts)³ | 80 TCP | Cloudflare HTTP proxy |
| | 443 TCP | Cloudflare HTTPS proxy |
| | 8080 TCP | Cloudflare HTTP proxy |
| | 8443 TCP | Cloudflare HTTPS proxy |
| Open ports @ 76.223.27.102 and 13.248.155.104 (first historical non-Cloudflare hosts)³ | 80 TCP | OpenResty HTTP web app server |
| | 8080 TCP | OpenResty HTTPS web app server |
| Open ports @ 185.181.196.117 (second historical non-Cloudflare host)³ | 80 TCP | DDOSX HTTP |
| | 8080 TCP | DDOSX HTTPS |
| Filtered ports @ 185.181.196.117 (second historical non-Cloudflare host)³ | 30 filtered ports, some running unknown services | Recognised services: 53 (domain), 667 (disclose), 749 (kerberos-adm), 1069 (cognex-insight), 1108 (ratio-adp), 1137 (trim), 1154 (resacommunity), 1183 (llsurfup-http), 1594 (sixtrak), 1971 (netop-school), 3003 (cgms), 3737 (xpanel), 4449 (privatewire), 5801 (nvc-http-1), 7443 (oracleas-https), 8194 (sophos), 9666 (zoomcp), 9998 (distinct32) |
| Ports @ 2606:4700::6811:923f and 2606:4700::6812:d559 (current IPv6 hosts)³ | No open ports, 1000 filtered ports | Same result for all historical IPv6 hosts. |
| Ports @ cluster2.eu.messagelabs.com³ | 25 TCP | SMTP |
| Website details (https://www.conservatives.com/)⁴ | Behind a Cloudflare reverse proxy/CDN | |
| | Running Varnish HTTP cache/accelerator | |
| | Any unsecured HTTP connection rerouted to HTTPS | Via HTTP 301 and Strict-Transport-Security |
| | HTML5 | |
| | jQuery | |
| | Open Graph Protocol | |
| Noteworthy subdomains²,³,⁴,⁵ | vote.conservatives.com | Redirect via HTTP 301 to https://www.conservatives.com/. Hosted by AWS. Running OpenResty web server with Varnish proxy. |
| | res1.info.conservatives.com | Hosted by AWS. Ports 80 TCP (Apache HTTP, redirects to HTTPS) and 443 TCP (Apache HTTPS) open but stuck in a redirect loop. |
| | safepay.conservatives.com | Legacy payments page. Hostname 774447-Major2.conservativewebsites.org.uk (78.136.5.24). Ports 80 TCP (nginx HTTP, redirects to HTTPS) and 443 TCP (nginx HTTPS) open. Runs Drupal CMS. |
| | e.conservatives.com | Mailjet (www.mailjet.com) utility domain hosted at 35.241.186.140; ports 80/tcp (unknown HTTP) and 443/tcp (unknown HTTPS) open. |
| | url8202.membership.conservatives.com | Hosted at 167.89.123.124. Ports 80 TCP (nginx HTTP) and 443 TCP (nginx HTTPS) open but returning HTTP 404. o16789123x124.outbound-mail.sendgrid.net also points to this host. |
| | action.conservatives.com | Hosted at 3.69.136.55. Redirects to https://action.conservatives.com/vote. Port 80 TCP (http-proxy) redirects to HTTP. Port 443 TCP (https-proxy) returns bad gateway. 3 unknown services, suspected to be associated with https://unbounce.com/. |
| | remote.conservatives.com | Hosted at 109.108.141.86 by UKFAST.NET LIMITED. Running Microsoft IIS/8.5 on Windows Vista Home Premium. Port 443 open but requires authentication. Appears to be an RDWeb portal. |
Democrats.org
| Item | Value(s) | Comment |
| --- | --- | --- |
| Domain name¹ | democrats.org | |
| Registered to¹ | CSC Corporate Domains, Inc. | Domain registrant has purchased WHOIS protection and a proxy is listed instead of the registrant. |
| Registrar¹ | CSC Corporate Domains, Inc. | |
| Registered on¹ | 26/06/1995 | 26 years old |
| Homepage¹ | | |
| Current IPv4 hosts (A records)² | 151.101.193.210, 151.101.129.210, 151.101.1.210, 151.101.65.210 | Since 26/07/2021 (4 months ago). Registered to Fastly. Based in California |
| Historical IPv4 hosts (A records)² | 192.0.66.2 | 26/09/2018 – 26/07/2021 (3 years). Registered to Automattic, Inc |
| | * | Between 16/03/2016 and 26/09/2018, A records were cycled through a different set of AWS hosts every 1-7 days. |
| | 208.69.4.141 | 14/09/2010 – 16/03/2016 (6 years). No longer up. |
| | 208.69.4.10 | 01/09/2008 – 14/09/2010 (2 years). No longer up. |
| Current IPv6 hosts (AAAA records)² | 2a04:4e42:400::466, 2a04:4e42:600::466, 2a04:4e42::466, 2a04:4e42:200::466 | Since 26/07/2021 (4 months ago). Registered to Fastly. Based in California |
| Current name servers (NS records)² | NS-1000.AWSDNS-61.NET, NS-1273.AWSDNS-31.ORG, NS-1561.AWSDNS-03.CO.UK, NS-360.AWSDNS-45.COM | Since 13/03/2014 (8 years ago). Registered to Amazon, Inc |
| Historical name servers (NS records)² | ns1.democrats.org, ns2.democrats.org, ns3.democrats.org, ns4.democrats.org | 01/09/2008 – 13/03/2014 (6 years). Registered to Amazon, Inc |
| Current mail servers (MX records)² | aspmx3.googlemail.com, aspmx2.googlemail.com, aspmx.l.google.com, alt2.aspmx.l.google.com, alt1.aspmx.l.google.com | Since 24/04/2012 (10 years ago). Registered to Google LLC |
| Historical mail servers (MX records)² | demmail2.democrats.org, demmail.democrats.org | 11/05/2010 – 24/04/2012 (2 years). No longer up |
| | demmail.democrats.org | 20/12/2009 – 11/05/2010 (5 months). No longer up |
| | pbmail.democrats.org, mailservices.democrats.org, mail-fallback.democrats.org | 09/04/2009 – 20/12/2009 (9 months). No longer up |
| | pbmail.democrats.org, mailservices.democrats.org, mail-fallback.democrats.org, mail1.democrats.org | 01/09/2008 – 09/04/2009 (7 months). No longer up |
| Open ports @ 151.101.193.210, 151.101.129.210, 151.101.1.210 and 151.101.65.210 (current IPv4 hosts)³ | 80 TCP | Fastly HTTP reverse proxy with Varnish cache |
| | 443 TCP | Fastly HTTPS reverse proxy with Varnish cache |
| Open ports @ 192.0.66.2 (most recent historical IPv4 host)³ | 80 TCP | Nginx HTTP server returning HTTP 404 |
| | 443 TCP | Nginx HTTPS server returning HTTP 404 |
| Open ports @ 54.230.19.62, 54.230.19.182, 54.230.19.174, 54.230.19.110 (most recent AWS hosts)³ | 80 TCP | Amazon CloudFront HTTP returning "ERROR: The request could not be satisfied" |
| | 443 TCP | Amazon CloudFront HTTPS returning "ERROR: The request could not be satisfied" |
| Ports @ 2a04:4e42:400::466, 2a04:4e42:600::466, 2a04:4e42::466 and 2a04:4e42:200::466 (current IPv6 hosts)³ | 1000 filtered ports | |
| Ports @ *.googlemail.com and *.google.com³ | 25 TCP | Google gsmtp |
| Website details (https://www.democrats.org/)⁴ | Behind Fastly CDN | |
| | Running Varnish HTTP cache/accelerator | |
| | Nginx web server/reverse proxy | |
| | HTTP redirects to HTTPS | Via HTTP 301, RedirectLocation header and Strict-Transport-Security header |
| | WordPress powered | https://wordpress.com/ |
| | HTML5 | |
| | jQuery | |
| | Open Graph Protocol | |
| Noteworthy subdomains²,³,⁴ | my.democrats.org | Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4928, 2606:4700::6810:4a28 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects to https://secure.actblue.com/donate/legacy-support-dems-19 |
| | finance.democrats.org | Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4a28, 2606:4700::6810:4928 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects to https://fundraising.democrats.org/onlineactions/7wu3xXimQU2efbX92liE6w2 |
| | store.democrats.org | Hosted at 23.227.38.74 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. SSL error on port 8080. Port 8443 shows an "IP address banned" message. Shopify-powered website (https://www.shopify.com/) |
| | live.democrats.org | Hosted at 198.185.159.144, 198.185.159.145, 198.49.23.144, 198.49.23.145 by Squarespace. Open ports: 80 TCP (HTTP Squarespace), 443 TCP (HTTPS Squarespace). HTTP redirects to HTTPS. |
| | events.democrats.org | Hosted at 104.17.31.62, 104.17.30.62, 2606:4700::6811:1e3e, 2606:4700::6811:1f3 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP and port 8080 redirect to HTTPS. WordPress-powered site with Open Graph and HTML5. Many email addresses could be scraped. |
| | everest.democrats.org | Hosted at 3.225.212.24, 3.229.105.215 by AWS. Open ports 80 TCP (Nginx HTTP), 443 TCP (Nginx HTTPS). Both HTTP and HTTPS redirect to https://www.validity.com/everest/250ok/ |
Tools
Five tools were used during this exercise. The superscript number in the Item column of the tables indicates which tool(s) were used to discover the information. The five tools, along with their numerical IDs, are listed below:
• 1: WHOIS lookup from the Domain Tools web application (https://whois.domaintools.com)
• 2: SecurityTrails domain information web application (https://securitytrails.com)
• 3: Nmap Linux tool (https://nmap.org/)
• 4: WhatWeb Linux tool (https://www.whatweb.net/)
• 5: Telnet Linux tool (https://linux.die.net/man/1/telnet)
WHOIS lookup is a tool from Domain Tools that enables users to query a variety of WHOIS databases about a domain name. The tool reveals information such as when the domain was registered and who its legal owner is. There is a premium version that costs $1000 a year and offers more features.
SecurityTrails is a security firm that offers a free domain lookup service. The service provides the current DNS configuration for a domain; however, its most useful feature is the ability to view historical DNS configurations (dating all the way back to 2008) and subdomains.
Nmap was originally a command-line Linux tool, but it has since been ported to most major operating systems and various GUIs have been developed for it. Nmap can scan hosts for open ports, detect which services are running on a host and guess which operating system is in use. Its functionality can be extended with various third-party scripts.
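The port tables above were built from Nmap results, so as an added example (not code from this report or from the Nmap project) the following Python parses Nmap's grepable output (-oG), keeps the open/filtered state the tables distinguish, and compares each host's open ports against an expected-exposure baseline so a defender can spot listeners that should not be there. The scan text, the hosts (documentation ranges) and the baseline are constructed for the example, not captured from any host in this report.

```python
import re
from dataclasses import dataclass

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed sample of nmap -oG output (fields are tab-separated "Key: value" pairs).
SAMPLE_OG = """# Nmap 7.92 scan initiated as: nmap -sV -oG - -p 80,443,8080,8443 198.51.100.10 203.0.113.7
Host: 198.51.100.10 ()\tStatus: Up
Host: 198.51.100.10 ()\tPorts: 80/open/tcp//http//cloudflare/, 443/open/tcp//ssl|https//cloudflare/, 8080/open/tcp//http-proxy//cloudflare/, 8443/filtered/tcp//https-alt///\tIgnored State: closed (0)
Host: 203.0.113.7 ()\tPorts: 443/open/tcp//ssl|https//Microsoft IIS httpd 8.5/\tIgnored State: filtered (999)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Expected exposure per host: a CDN-fronted web host should only answer on 80 and 443.
BASELINE = {"198.51.100.10": {(80, "tcp"), (443, "tcp")}}

@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_grepable(text):
    """Return {ip: [PortResult, ...]} from nmap -oG text; hosts with no Ports field map to []."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the trailing summary
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "Host: <ip> (<hostname>)"
        results.setdefault(ip, [])
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results[ip].append(PortResult(int(port), proto, state, service, version))
    return results

def unexpected_open_ports(results, baseline):
    """Open ports outside each host's allowed set; a host missing from the baseline has everything flagged."""
    findings = {}
    for ip, ports in results.items():
        allowed = baseline.get(ip, set())
        extra = [p for p in ports if p.state == "open" and (p.port, p.proto) not in allowed]
        if extra:
            findings[ip] = extra
    return findings
```

Filtered ports are parsed but never flagged, because only an open listener is exposure; widen the baseline rather than the parser when a new service is approved.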
WhatWeb is a cross-platform, Ruby-based website scanner that can be run as a command-line utility or as a web application. WhatWeb scans websites and aims to report which technologies they employ. It can provide information such as server type and version, web frameworks, content management systems (CMS), JavaScript libraries and much more.
Telnet is an archaic Unix tool originally designed to facilitate terminal sessions on remote machines. Today it can be used to interact directly with network protocols at a low level. Telnetting into a remote machine indicates whether a port is open and can be used to glean clues about what software is running, as well as to experiment with various commands.
Full Report: https://www.jbm.fyi/static/info_gathering.pdf