Penetration Testing: Information Gathering
This document reports the findings of the information gathering phase of a penetration test against two organisations. The first organisation, which is UK-based, is the political party currently running the UK government, the Conservative Party or Conservatives. The second organisation, which is US-based, is the political party currently controlling the lower chamber and executive of the US government, the Democratic Party or Democrats.
Conservatives.com
| Item | Value(s) | Comment |
|---|---|---|
| Domain name¹ | conservatives.com | |
| Registered to¹ | Statutory Masking Enabled | Domain registrant has purchased WHOIS protection; a proxy is listed instead of the registrant. |
| Registrar¹ | Network Solutions, LLC | |
| Registered on¹ | 10/07/1996 | 25 years ago |
| Homepage¹ | | |
| Current IPv4 Hosts (A records)² | 104.18.213.89, 104.17.146.63 | Since 16/04/2021 (7 months ago). Based in California, USA. Registered to Cloudflare, Inc. |
| Historical IPv4 Hosts (A records)² | 104.18.122.219, 104.18.121.219 | 14/01/2021 – 16/04/2021 (3 months) and 24/07/2020 – 07/01/2021 (6 months). Registered to Cloudflare, Inc. |
| | 76.223.27.102, 13.248.155.104 | 07/01/2021 – 14/01/2021 (7 days) and 21/04/2020 – 24/07/2020 (3 months). Registered to Amazon.com, Inc. Hostname: a20b9ee60132ef283.awsglobalaccelerator.com |
| | 185.181.196.117 | 07/08/2018 – 21/04/2020. Registered to UKFAST.NET LIMITED |
| Current IPv6 Hosts (AAAA records)² | 2606:4700::6811:923f, 2606:4700::6812:d559 | Since 16/04/2021 (7 months ago). Based in California, USA. Registered to Cloudflare, Inc. |
| Historical IPv6 Hosts (AAAA records)² | 2606:4700::6812:7adb, 2606:4700::6812:79db | 24/07/2020 – 16/04/2021 (9 months) |
| | 2a02:21a8:0:3::2206:37eb | 16/09/2018 – 24/07/2020 (2 years) |
| | 2A02:21A8:0:3::2206:37EB | 80/18/2017 – 16/09/2018 (1 year) |
| Current name servers (NS records)² | GERARDO.NS.CLOUDFLARE.COM, KATE.NS.CLOUDFLARE.COM | Since 24/07/2020 (1 year ago). Registered to Cloudflare, Inc. |
| Historical name servers (NS records)² | ns0.ukfast.net, ns1.ukfast.net | 24/05/2017 – 24/07/2020 (3 years). Registered to UKFAST.NET LIMITED |
| | dns11.easydns.com, dns2.easydns.com, dns3.easydns.com | 23/10/2013 – 24/05/2017 (4 years). Registered to easyDNS Technologies Inc. |
| Current mail servers (MX records)² | cluster2.eu.messagelabs.com | Since 25/09/2009 (12 years ago). Registered to Google LLC Messagelabs Limited |
| Historical mail servers (MX records)² | cluster2a.eu.messagelabs.com, cluster2.eu.messagelabs.com | 01/09/2008 – 25/09/2009 (1 year). Registered to Google LLC Messagelabs Limited |
| Open ports @ 104.18.213.89 and 104.17.146.63 (current IPv4 hosts)³ | 80 TCP | Cloudflare HTTP proxy |
| | 443 TCP | Cloudflare HTTPS proxy |
| | 8080 TCP | Cloudflare HTTP proxy |
| | 8443 TCP | Cloudflare HTTPS proxy |
| Open ports @ 104.18.122.219 and 104.18.121.219 (most recent historical IPv4 hosts)³ | 80 TCP | Cloudflare HTTP proxy |
| | 443 TCP | Cloudflare HTTPS proxy |
| | 8080 TCP | Cloudflare HTTP proxy |
| | 8443 TCP | Cloudflare HTTPS proxy |
| Open ports @ 76.223.27.102 and 13.248.155.104 (first historical non-Cloudflare hosts)³ | 80 TCP | OpenResty HTTP web app server |
| | 8080 TCP | OpenResty HTTPS web app server |
| Open ports @ 185.181.196.117 (second historical non-Cloudflare host)³ | 80 TCP | DDOSX HTTP |
| | 8080 TCP | DDOSX HTTPS |
| Filtered ports @ 185.181.196.117 (second historical non-Cloudflare host)³ | 30 filtered ports, some running unknown services. Recognised services: 53 (domain), 667 (disclose), 749 (kerberos-adm), 1069 (cognex-insight), 1108 (ratio-adp), 1137 (trim), 1154 (resacommunity), 1183 (llsurfup-http), 1594 (sixtrak), 1971 (netop-school), 3003 (cgms), 3737 (xpanel), 4449 (privatewire), 5801 (nvc-http-1), 7443 (oracleas-https), 8194 (sophos), 9666 (zoomcp), 9998 (distinct32) | |
| Ports @ 2606:4700::6811:923f and 2606:4700::6812:d559 (current IPv6 hosts)³ | No open ports; 1000 filtered ports | Same result for all historical IPv6 hosts. |
| Ports @ cluster2.eu.messagelabs.com³ | 25 TCP | SMTP |
| Website Details (https://www.conservatives.com/)⁴ | Behind a Cloudflare reverse proxy/CDN | |
| | Running Varnish HTTP cache/accelerator | |
| | Any unsecured HTTP connection is rerouted to HTTPS | Via HTTP 301 and Strict-Transport-Security |
| | HTML5 | |
| | jQuery | |
| | Open Graph Protocol | |
| Noteworthy subdomains²⁻⁵ | vote.conservatives.com | Redirects via HTTP 301 to https://www.conservatives.com/. Hosted by AWS. Running OpenResty web server with Varnish proxy. |
| | res1.info.conservatives.com | Hosted by AWS. Ports 80 TCP (Apache HTTP, redirects to HTTPS) and 443 TCP (Apache HTTPS) open but stuck in a redirect loop. |
| | safepay.conservatives.com | Legacy payments page. Hostname 774447-Major2.conservativewebsites.org.uk (78.136.5.24). Ports 80 TCP (nginx HTTP, redirects to HTTPS) and 443 TCP (nginx HTTPS) open. Runs Drupal CMS. |
| | e.conservatives.com | Mailjet (www.mailjet.com) utility domain hosted at 35.241.186.140; ports 80 TCP (unknown HTTP) and 443 TCP (unknown HTTPS) open. |
| | url8202.membership.conservatives.com | Hosted at 167.89.123.124. Ports 80 TCP (nginx HTTP) and 443 TCP (nginx HTTPS) open but returning HTTP 404. o16789123x124.outbound-mail.sendgrid.net also points to this host. |
| | action.conservatives.com | Hosted at 3.69.136.55. Redirects to https://action.conservatives.com/vote. Port 80 TCP (http-proxy) redirects to HTTPS. Port 443 TCP (https-proxy) returns Bad Gateway. 3 unknown services, suspected to be associated with https://unbounce.com/ |
| | remote.conservatives.com | Hosted at 109.108.141.86 by UKFAST.NET LIMITED. Running Microsoft IIS/8.5 on Windows Vista Home Premium. Port 443 TCP open but requires authentication. Appears to be an RDWeb portal. |
Democrats.org
| Item | Value(s) | Comment |
|---|---|---|
| Domain name¹ | democrats.org | |
| Registered to¹ | CSC Corporate Domains, Inc. | Domain registrant has purchased WHOIS protection; a proxy is listed instead of the registrant. |
| Registrar¹ | CSC Corporate Domains, Inc. | |
| Registered on¹ | 26/06/1995 | 26 years ago |
| Homepage¹ | | |
| Current IPv4 Hosts (A records)² | 151.101.193.210, 151.101.129.210, 151.101.1.210, 151.101.65.210 | Since 26/07/2021 (4 months ago). Registered to Fastly. Based in California. |
| Historical IPv4 Hosts (A records)² | 192.0.66.2 | 26/09/2018 – 26/07/2021 (3 years). Registered to Automattic, Inc. |
| | \* | Between 16/03/2016 and 26/09/2018, A records were cycled through a different set of AWS hosts every 1–7 days. |
| | 208.69.4.141 | 14/09/2010 – 16/03/2016 (6 years). No longer up. |
| | 208.69.4.10 | 01/09/2008 – 14/09/2010 (2 years). No longer up. |
| Current IPv6 Hosts (AAAA records)² | 2a04:4e42:400::466, 2a04:4e42:600::466, 2a04:4e42::466, 2a04:4e42:200::466 | Since 26/07/2021 (4 months ago). Registered to Fastly. Based in California. |
| Current name servers (NS records)² | NS-1000.AWSDNS-61.NET, NS-1273.AWSDNS-31.ORG, NS-1561.AWSDNS-03.CO.UK, NS-360.AWSDNS-45.COM | Since 13/03/2014 (8 years ago). Registered to Amazon, Inc. |
| Historical name servers (NS records)² | ns1.democrats.org, ns2.democrats.org, ns3.democrats.org, ns4.democrats.org | 01/09/2008 – 13/03/2014 (6 years). Registered to Amazon, Inc. |
| Current mail servers (MX records)² | aspmx3.googlemail.com, aspmx2.googlemail.com, aspmx.l.google.com, alt2.aspmx.l.google.com, alt1.aspmx.l.google.com | Since 24/04/2012 (10 years ago). Registered to Google LLC |
| Historical mail servers (MX records)² | demmail2.democrats.org, demmail.democrats.org | 11/05/2010 – 24/04/2012 (2 years). No longer up. |
| | demmail.democrats.org | 20/12/2009 – 11/05/2010 (5 months). No longer up. |
| | pbmail.democrats.org, mailservices.democrats.org, mail-fallback.democrats.org | 09/04/2009 – 20/12/2009 (9 months). No longer up. |
| | pbmail.democrats.org, mailservices.democrats.org, mail-fallback.democrats.org, mail1.democrats.org | 01/09/2008 – 09/04/2009 (7 months). No longer up. |
| Open ports @ 151.101.193.210, 151.101.129.210, 151.101.1.210 and 151.101.65.210 (current IPv4 hosts)³ | 80 TCP | Fastly HTTP reverse proxy with Varnish cache |
| | 443 TCP | Fastly HTTPS reverse proxy with Varnish cache |
| Open ports @ 192.0.66.2 (most recent historical IPv4 host)³ | 80 TCP | Nginx HTTP server returning HTTP 404 |
| | 443 TCP | Nginx HTTPS server returning HTTP 404 |
| Open ports @ 54.230.19.62, 54.230.19.182, 54.230.19.174 and 54.230.19.110 (most recent AWS hosts)³ | 80 TCP | Amazon CloudFront HTTP returning “ERROR: The request could not be satisfied” |
| | 443 TCP | Amazon CloudFront HTTPS returning “ERROR: The request could not be satisfied” |
| Ports @ 2a04:4e42:400::466, 2a04:4e42:600::466, 2a04:4e42::466 and 2a04:4e42:200::466 (current IPv6 hosts)³ | 1000 filtered ports | |
| Ports @ \*.googlemail.com and \*.google.com³ | 25 TCP | Google gsmtp |
| Website Details (democrats.org)⁴ | Behind Fastly CDN | |
| | Running Varnish HTTP cache/accelerator | |
| | Nginx web server/reverse proxy | |
| | HTTP redirects to HTTPS | Via HTTP 301, RedirectLocation header and Strict-Transport-Security header |
| | WordPress powered | https://wordpress.com/ |
| | HTML5 | |
| | jQuery | |
| | Open Graph Protocol | |
| Noteworthy subdomains²⁻⁴ | my.democrats.org | Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4928, 2606:4700::6810:4a28 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy) and 443 TCP and 8443 TCP (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects to https://secure.actblue.com/donate/legacy-support-dems-19 |
| | finance.democrats.org | Hosted at 104.16.73.40, 104.16.74.40, 2606:4700::6810:4a28, 2606:4700::6810:4928 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy) and 443 TCP and 8443 TCP (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. HTTPS redirects to https://fundraising.democrats.org/onlineactions/7wu3xXimQU2efbX92liE6w2 |
| | store.democrats.org | Hosted at 23.227.38.74 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy) and 443 TCP and 8443 TCP (Cloudflare HTTPS proxy) open. HTTP redirects to HTTPS. SSL error on port 8080. Port 8443 shows an “IP address banned” message. Shopify powered website (https://www.shopify.com/) |
| | live.democrats.org | Hosted at 198.185.159.144, 198.185.159.145, 198.49.23.144, 198.49.23.145 by Squarespace. Open ports: 80 TCP (Squarespace HTTP), 443 TCP (Squarespace HTTPS). HTTP redirects to HTTPS. |
| | events.democrats.org | Hosted at 104.17.31.62, 104.17.30.62, 2606:4700::6811:1e3e, 2606:4700::6811:1f3 by Cloudflare, Inc. Ports 80 TCP and 8080 TCP (Cloudflare HTTP proxy) and 443 TCP and 8443 TCP (Cloudflare HTTPS proxy) open. HTTP and port 8080 redirect to HTTPS. WordPress powered site with Open Graph and HTML5. Many email addresses could be scraped. |
| | everest.democrats.org | Hosted at 3.225.212.24, 3.229.105.215 by AWS. Open ports: 80 TCP (Nginx HTTP), 443 TCP (Nginx HTTPS). Both HTTP and HTTPS redirect to https://www.validity.com/everest/250ok/ |
Tools
Five tools were used during this exercise. The superscript number in the Item column of the tables indicates which tools were used to discover the information. The five tools, along with their numerical IDs, are listed below:
• 1: WHOIS lookup from the DomainTools web application (https://whois.domaintools.com)
• 2: SecurityTrails domain information web application (https://securitytrails.com)
• 3: Nmap Linux tool (https://nmap.org/)
• 4: WhatWeb Linux tool (https://www.whatweb.net/)
• 5: Telnet Linux tool (https://linux.die.net/man/1/telnet)
WHOIS lookup is a tool from DomainTools that enables users to query a variety of WHOIS databases regarding a domain name. The tool enables users to find information such as when the domain was registered and the legal owner of the domain. There is a premium version that costs $1000 a year and offers more features.
SecurityTrails is a security firm that offers a free domain lookup service. The service can provide the current DNS configuration for a domain; however, its most useful feature is the ability to view historical DNS configurations (dating back to 2008) and subdomains.
Nmap was originally a command-line Linux tool, but it has since been ported to most major operating systems and various GUIs have been developed for it. Nmap can be used to scan hosts for open ports, detect which services are running on a host and guess which operating system is in use. Its functionality can be extended with third-party scripts through the Nmap Scripting Engine (NSE).
WhatWeb is a cross-platform, Ruby-based website scanner that can be run as a command-line utility or as a web application. WhatWeb scans websites and aims to report which technologies they employ. It can provide information such as server type and version, web frameworks, content management systems (CMS), JavaScript libraries and much more.
Telnet is an archaic Unix tool originally designed to provide terminal sessions on remote machines. Today it can be used to interact directly with network protocols at a low level. Telnetting to a remote machine shows whether a port is open, and the banner and responses can be used to glean clues about what software is running, as well as to experiment with various protocol commands.
Full Report: https://www.jbm.fyi/static/info_gathering.pdf