During the Information Gathering phase of a pentest, we are interested in finding the various sub-domains of our target domain. In the past few tutorials we queried DNS servers using zone transfer requests, or tried to retrieve entries using dictionary and brute-force attacks. Another technique for finding sub-domains is to query Google and check whether it found any sub-domains during its web mining of the target. Goorecon can do this. Goorecon was written by Carlos (Darkoperator) Perez.
I did have to fix Goorecon in Backtrack 4, and I will be fixing the package today as well, but if you have an issue with the email part not working you will need this fix, which was posted by Steve Goldsby on his blog.
Here is the excerpt of the fix from his blog:
Goorecon recently broke when querying for email addresses (e.g. ruby goorecon.rb -e icsinc.com). Sometime between when goorecon was written and now, Google changed their formatting of responses for email addresses from:
emailaddress@
icsinc.com to emailaddress@icsinc.com
The easy fix is to change the following line in goorecon.rb
response.scan(/[\w.-]+@#{target}/o) { |t|
to
response.scan(/[\w.-]+@<[^>]+>#{target}/o) { |t|
This will keep the code flexible enough so that if Google ever changes the highlighting tag (formerly but now ) to some other HTML tag, goorecon will still correctly draw out email addresses.
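To see why the one-line change matters, here is an added example (not Goorecon's code and not from Steve's post) that runs the original regex and the patched regex over a constructed response fragment, plus a hardened variant of my own that makes the tag optional and escapes the target's dots; TARGET and SAMPLE_HTML are constructed inputs.

```ruby
# Added example, not Goorecon's own code: it reproduces the email-parsing
# failure described in the post on a constructed response fragment and shows
# what each regex matches. TARGET and SAMPLE_HTML are constructed.
TARGET = 'icsinc.com'

# Constructed fragment: one address with the domain wrapped in a highlighting
# tag (the change that broke Goorecon), one with no tag, and two off-target
# addresses, one of which shares the target's prefix.
SAMPLE_HTML = <<~HTML
  <p>Contact alice.smith@<em>icsinc.com</em> for details.</p>
  <p>Or bob@icsinc.com if the domain is not highlighted.</p>
  <p>Unrelated: carol@example.org and dave@icsinc.com.au</p>
HTML

# Regex from the original goorecon.rb line: the domain must follow '@'
# directly, so a highlighting tag between them hides the address. The post's
# line uses /o; it is dropped here so the target can vary between calls.
def original_emails(response, target)
  response.scan(/[\w.-]+@#{target}/).uniq
end

# Regex from the posted fix: one HTML tag is required between '@' and the
# domain. The tag is part of the match, so it is stripped before returning.
def patched_emails(response, target)
  response.scan(/[\w.-]+@<[^>]+>#{target}/).map { |m| m.gsub(/<[^>]+>/, '') }.uniq
end

# Hardened variant (my addition, not from the post): the tag is optional, the
# target's dots are escaped so '.' cannot match any character, and a lookahead
# stops 'icsinc.com' from matching inside 'icsinc.com.au'.
def hardened_emails(response, target)
  pattern = /[\w.-]+@(?:<[^>]+>)?#{Regexp.escape(target)}(?![\w.-])/i
  response.scan(pattern).map { |m| m.gsub(/<[^>]+>/, '') }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts "original: #{original_emails(SAMPLE_HTML, TARGET).inspect}"
  puts "patched:  #{patched_emails(SAMPLE_HTML, TARGET).inspect}"
  puts "hardened: #{hardened_emails(SAMPLE_HTML, TARGET).inspect}"
end
```

Running it shows the original regex missing the highlighted address (and picking up the .au false positive), the patched regex finding only addresses that carry a tag, and the hardened one finding both genuine addresses.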
The syntax of Goorecon is very simple. Let's have a look at the options:
root@666:/pentest/enumeration/goorecon# ./goorecon.rb
Goorecon .01
By Carlos Perez
Email: carlos_perez@darkoperator.com
This is a simple tool writen for subdomain enumeration and email gathering
during authorized penetration test engaments using Google.
USAGE:
ruby goorecon.rb <type> <target>
TYPES:
-s Subdomoin Enumeration
-e Email gathering
As you can see, there are really only two options: one is to look for sub-domains and the other is to look for emails.
Here is an example of using the tool to gather sub-domains (the output is one line per result, in the form hostname,IP):
root@666:/pentest/enumeration/goorecon# ./goorecon.rb -s cnn.com
And here is an example of using Goorecon to grab email addresses:
root@666:/pentest/enumeration/goorecon# ./goorecon.rb -e louisville.edu
Goorecon is a great script to use alongside the other tools we have written about, to make sure you have found all of your target's sub-domains, thus increasing the attack surface and the chances of a successful penetration test.