Penetration Testing: Information Gathering

This document reports the findings of the information gathering phase of a penetration test against two organisations. The first organisation, which is UK based, is the political party currently running the UK government, the Conservative Party or Conservatives. The second organisation, which is based in the USA, is the political party currently controlling the lower chamber and executive of the US government, the Democratic Party or Democrats.

Conservatives.com

Item

Value(s)

Comment

Domain name1

conservatives.com

 

Registered to1

Statutory Masking Enabled

Domain registrant has purchased WHO IS protection and a proxy is listed instead of registrant.

Registrar1

Network Solutions, LLC

 https://www.networksolutions.com/

Registered on1

10/07/1996

25 years ago

Homepage1

https://www.conservatives.com/

 

Current IPv4 Hosts (A records)2

104.18.213.89

Since 16/04/2021 (7 months ago)

Based in California, USA

Registered to Cloudflare, Inc

104.17.146.63

Historical IPv4 Hosts (A records)2

104.18.122.219

14/01/2021 – 16/04/2021 (3 months) and 24/07/2020 – 07/01/2021 (6 months)

Registered to Cloudflare, Inc

104.18.121.219

76.223.27.102

07/01/2021 – 14/01/2021 (7 days) and 21/04/202020 – 24/07/2020 (3 months)

Registered to Amazon.com, Inc

Hostname: a20b9ee60132ef283.awsglobalaccelerator.com,

13.248.155.104

185.181.196.117

07/08/2018 – 21/04/2020

Registered to UKFAST.NET LIMITED

Current IPv6 Hosts (AAAA records)2

2606:4700::6811:923f

Since 16/04/2021 (7 months ago)

Based in California, USA

Registered to Cloudflare, Inc

2606:4700::6812:d559

Historical IPv6 Hosts (AAAA records)2

2606:4700::6812:7adb

24/07/2020 – 16/04/2021 (9 months)

2606:4700::6812:79db

2a02:21a8:0:3::2206:37eb

16/09/2018 – 24/07/2020 (2 years)

2A02:21A8:0:3::2206:37EB

80/18/2017 – 16/09/2018 (1 year)

Current name servers (NS records)2

GERARDO.NS.CLOUDFLARE.COM

Since 24/07/2020 (1 year ago)

Registered to Cloudflare, Inc.

KATE.NS.CLOUDFLARE.COM

Historical name servers (NS records)2

ns0.ukfast.net

24/05/2017 – 24/07/2020 (3 years)

Registered to UKFAST.NET LIMITED

ns1.ukfast.net

dns11.easydns.com

23/10/2013 – 24/05/2017 (4 years)

Registered to easyDNS Technologies Inc.

dns2.easydns.com

dns3.easydns.com

Current mail servers (MX records)2

cluster2.eu.messagelabs.com

Since 25/09/2009 (12 years ago)

Registered to Google LLC Messagelabs Limited

Historical mail servers (MX records)2

cluster2a.eu.messagelabs.com

01/09/2008 – 25/09/2009 (1 year)

Registered to Google LLC Messagelabs Limited

cluster2.eu.messagelabs.com

Open ports @ 104.18.213.89 and 104.17.146.63

(current IPv4 host)3

80 TCP

Cloudflare HTTP proxy

443 TCP

Cloudflare HTTPS proxy

8080 TCP

Cloudflare HTTP proxy

8443 TCP

Cloudflare HTTPS proxy

Open ports @ 104.18.121.219 and 104.18.121.219

(most recent historical IPv4 host)3

80 TCP

Cloudflare HTTP proxy

443 TCP

Cloudflare HTTPS proxy

8080 TCP

Cloudflare HTTP proxy

8443 TCP

Cloudflare HTTPS proxy

Open ports @ 76.223.27.102 and 13.248.155.104

(first historical non-Cloudflare host)3

80 TCP

OpenResty HTTP Web App Server

8080 TCP

OpenResty HTTPS Web App Server

Open ports @ 185.181.196.117

(second historical non-Cloudflare host)3

80 TCP

DDOSX HTTP

8080 TCP

DDOSX HTTPS

Filtered ports @  185.181.196.117

(second historical non-Cloudflare host)3

30 filtered ports, some running unknown services.

Recognised services: 53 (domain), 667 (disclose), 749 (kerberos-adm), 1069 (cognex-insight), 1108 (ratio-adp), 1137 (trim), 1154 (resacommunity), 1183 (llsurfup-http), 1594 (sixtrak), 1971 (netop-school), 3003 (cgms), 3737 (xpanel), 4449 (privatewire), 5801 (nvc-http-1), 7443 (oracleas-https), 8194 (sophos), 9666 (zoomcp), 9998 (distinct32)

 

Ports @ 2606:4700::6811:923f  and 2606:4700::6812:d559

(current IPv6 Host)3

No open ports

1000 filtered ports

Same result for all historical IPv6 hosts.

Ports @ cluster2.eu.messagelabs.com3

25 TCP

SMTP

Website Details (https://www.conservatives.com/ ) 4

Behind a Cloudflare reverse proxy/CDN

 

Running Varnish HTTP cache/accelerator

 

Any unsecured HTTP connection rerouted to HTTPS

Via HTTP 301 and Strict-Transport-Security

HTML5

 

JQuery

https://jquery.com/

Open Graph Protocol

https://ogp.me/

Noteworthy subdomains2,3,4,5

vote.conservatives.com

Redirect via HTTP 301 to https://www.conservatives.com/. Hosted by AWS. Running OpenResty web server with Varnish proxy.

res1.info.conservatives.com

Hosted by AWS. Ports 80 TCP (apache HTTP redirects to HTTPS) and 443 TCP (apache HTTPS) open but stuck in redirect loop.

safepay.conservatives.com

Legacy payments page. Hostname 774447-Major2.conservativewebsites.org.uk (78.136.5.24). Ports 80 TCP (nginx HTTP redirects to HTTPS) and 443 (nginx HTTPS) open. Runs Drupal CMS.

e.conservatives.com

Mailjet (www.mailjet.com) utility domain hosted at 35.241.186.140, ports 80/tcp (unknown HTTP) and 443/tcp (unknown HTTPS) open.

url8202.membership.conservatives.com

Hosted at 167.89.123.124. Ports 80 TCP (nginx HTTP) and 443 (nginx HTTPS) open but returning HTTP 404. o16789123x124.outbound-mail.sendgrid.net also points to this host.

action.conservatives.com

Host at 3.69.136.55. Redirects to https://action.conservatives.com/vote. Port 80 TCP (http proxy) redirects to HTTP. Port 443 (https-proxy) returns bad gateway. 3 unknown services, suspected to be associated with https://unbounce.com/

remote.conservatives.com

Hosted at 109.108.141.86 by UKFAST.NET LIMITED. Running Microsoft IIS/8.5 on Windows Vista Home Premium. Port 443 open but requires authentication. Appears to be a RDWeb portal.

Democrats.org

Domain name1

democrats.org

 

Registered to1

CSC Corporate Domains, Inc.

Domain registrant has purchased WHO IS protection and a proxy is listed instead of registrant.

Registrar1

CSC Corporate Domains, Inc.

https://www.cscglobal.com/cscglobal/home/

Registered on1

26/06/1995

26 years old

Homepage1

https://democrats.org/

 

Current IPv4 Hosts (A records)2

151.101.193.210

Since 26/07/2021 (4 months ago)

Registered to Fastly

Based in California

151.101.129.210

151.101.1.210

151.101.65.210

Historical IPv4 Hosts (A records)2

192.0.66.2

26/09/2018 – 26/07/2021 (3 years)

Registered to Automattic, Inc

*

Between 16/03/2016 and 26/09/2018, A records were cycled through different set of AWS hosts every 1-7 days.

208.69.4.141

14/09/2020 – 16/03/2016 (6 years). No longer up.

208.69.4.10

01/09/2008 – 14/09/2010 (2 years). No longer up.

Current IPv6 Hosts (AAAA records)2

2a04:4e42:400::466

Since 26/07/2021 (4 months ago)

Registered to Fastly

Based in California

2a04:4e42:600::466

2a04:4e42::466

2a04:4e42:200::466

Current name servers (NS records)2

NS-1000.AWSDNS-61.NET

Since 13/03/2014 (8 years ago)

Registered to Amazon, Inc

NS-1273.AWSDNS-31.ORG

NS-1561.AWSDNS-03.CO.UK

NS-360.AWSDNS-45.COM

Historical name servers (NS records)2

ns1.democrats.org

01/09/2008 – 13/03/2014 (6 years)

Registered to Amazon, Inc

ns2.democrats.org

ns3.democrats.org

ns4.democrats.org

Current mail servers (MX records)2

aspmx3.googlemail.com

Since 24/04/2012 (10 years ago)

Registered to Google LLC

aspmx2.googlemail.com

aspmx.l.google.com

alt2.aspmx.l.google.com

alt1.aspmx.l.google.com

Historical mail servers (MX records)2

demmail2.democrats.org

11/05/2010 – 24/04/2012 (2 years).

No longer up

demmail.democrats.org

demmail.democrats.org

20/12/2009 – 11/05/2010 (5 months). No longer up

pbmail.democrats.org

09/04/2009 – 20/12/2009 (9 months)

No longer up

mailservices.democrats.org

mail-fallback.democrats.org

pbmail.democrats.org

01/09/2008 – 09/04/2009 (7 months)

No longer up

mailservices.democrats.org

mail-fallback.democrats.org

mail1.democrats.org

Open ports @  151.101.193.210, 151.101.129.210, 151.101.1.210 and 151.101.65.210

(current IPv4 hosts)3

80 TCP

Fastly HTTP reverse proxy with Varnish cache

443 TCP

Fastly HTTPS reverse proxy with Varnish cache

Open ports @ 192.0.66.2

(most recent historical IPv4 hosts)3

80 TCP

Nginx HTTP server returning HTTP 404

443 TCP

Nginx HTTPS server returning HTTP 404

Open ports @ 54.230.19.62, 54.230.19.182, 54.230.19.174, 54.230.19.110

(most recent AWS hosts)3

80 TCP

Amazon CloudFront HTTP returning “ERROR: The request could not be satisfied”

443 TCP

Amazon CloudFront HTTPS returning “ERROR: The request could not be satisfied”

Ports @  2a04:4e42:400::466, 2a04:4e42:600::466, 2a04:4e42::466 and 2a04:4e42:200::466

(current IPv6 hosts)3

1000 filtered ports

 

Ports @ *.googlemail.com and *.google.com3

25 TCP

Google gsmtp

Website Details (https://www.conservatives.com/ ) 4

Behind Fastly CDN

 

Running Varnish HTTP cache/accelerator

 

Nginx web server/reverse proxy

 

HTTP redirects to HTTPS

Via HTTP 301, RedirectLocation header and Strict-Transport-Security header

Wordpress powered

https://wordpress.com/

HTML5

 

JQuery

https://jquery.com/

Open Graph Protocol

https://ogp.me/

Noteworthy subdomains2,3,4

my.democrats.org

Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4928, 2606:4700::6810:4a28 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects to https://secure.actblue.com/donate/legacy-support-dems-19

finance.democrats.org

Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4a28, 2606:4700::6810:4928 by Cloudflare, Inc.  Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects  to  https://fundraising.democrats.org/onlineactions/7wu3xXimQU2efbX92liE6w2

store.democrats.org

Hosted at 23.227.38.74 by Cloudflare, Inc.  Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. SSL error on port 8080. Port 8443 shows an “IP address banned” message. Shopify powered website (https://www.shopify.com/)

live.democrats.org

Hosted at 198.185.159.144, 198.185.159.145, 198.49.23.144, 198.49.23.145 by SquareSpace. Open ports: 80 TCP (HTTP Squarespace), 443 TCP (HTTPS Squarespace). HTTP redirecs to HTTPS.

events.democrats.org

Hosted at 104.17.31.62, 104.17.30.62, 2606:4700::6811:1e3e, 2606:4700::6811:1f3 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy), 443 and 8443 (Cloudflare HTTPS proxy) open. HTTP and port 8080 redirect to HTTPS. Wordpress powered site with OpenGraph and HTML5. Many email addresses could be scraped.

everest.democrats.org

Hosted at 3.225.212.24, 3.229.105.215 by AWS. Open ports 80 TCP (Nginx HTTP), 443 TCP (Ngninx HTTPS). Both HTTP and HTTPS redirect to https://www.validity.com/everest/250ok/

Tools

5 tools were used during this exercise. The superscript number in the item column of the tables indicates which tools were used to discover the information. The five tools, along with their numerical IDs are listed below:

1 WHOIS lookup from Domain Tools web application (https://whois.domaintools.com)

2 SecurityTrails domain information web application (https://securitytrails.com)

3 Nmap Linux tool (https://nmap.org/)

4 WhatWeb Linux tool (https://www.whatweb.net/)

5 Telnet Linux tool (https://linux.die.net/man/1/telnet)

WHOIS lookup is a tool from Domain Tools the enables users to query a variety of WHOIS databases regarding a domain name. The tool enables users to find information such as when the domain was registered and the legal owner of the domain. There is a premium version that costs $1000 a year and offers more features.

SecurityTrails are a security firm that offer a free domain lookup service. The service is capable of providing the current DNS configuration for the domain, however it’s most useful feature is the ability to view historical DNS configurations (dating all the way back to 2008) and subdomains.

Nmap was originally a command line Linux tool, however it has now been ported to most major operating systems and various GUIs have been developed for it. Nmap can be used to scan hosts for open ports, detect which services are running on a host and guess what operating system is being used. It’s functionality can be extended with various 3rd party scripts.

WhatWeb is cross-platform ruby based website scanner that can be run as a command line utility or as a web application. WhatWeb scans websites and aims to report which technologies they are employing. It can provide information such as server type and version, web frameworks, Content Management Systems (CMS), JavaScript libraries and many more.

Telnet is an archaic Unix tool originally designed to facilitate terminal sessions on remote machines. Today it can be used to interact directly with network protocols at a low level. Telnetting into remote machines indicates if a port is open and can be used to glean clues about what software is running as well as experimenting with various commands.

Full Report: https://www.jbm.fyi/static/info_gathering.pdf