4:50 PM -- The world of network security has a few regular tools in its arsenal. Probably the most famous is nmap (network mapper), which was designed to help find out what's on a network and what ports are open. There are other competitive products out there, like unicornscan, that attempt to perform their tests much faster, and also with a lot more noise. But is that really where an attacker starts?
When an attacker looks at a network, the first thing he does is find out the IP address ranges for the network. That's not as simple as it sounds and is a mostly overlooked part of penetration testing. The very first thing that most attackers do is a whois or nslookup to find the IP addresses of the target. The whois lookup might give IP ranges, but more often than not it won't, and even if it does it's rarely complete.
I spent my holiday weekend building a lookup tool in PERL called Fierce to solve exactly this problem. It takes a combined list of common company names, and iterates though them -- things like "www" and "intranet" as well as more esoteric things like "vantive" and "peoplesoft" that very well may have external interfaces. Using this technique you can often find mis-configured DNS entries that will allow the attacker to locate internal IP addresses. Pretty nasty.
But that's not all: Once a target is located in an IP range it will scan the subnet looking for other targets nearby with the same search criteria. In this way you can uncover hundreds or thousands of targets on most large Websites, instead of the dozen or so you might by doing by hand.
Additionally the attacker can uncover non-contiguous blocks of IP addresses. Lots of times you'll see companies that outsource certain parts of their Websites, or use a different hosting provider for certain things. Since it does forward and reverse lookups, Fierce can locate a lot more than your traditional scan might.
Using a simple technique like forward and reverse lookups might sound trivial. But given that most companies don't do much to protect their DNS servers, and aren't smart about using non-obvious names as well as disclosing internal addresses, Fierce is a powerful domain reconnaissance tool. Data collected from Fierce makes an attacker's job far easier as they can feed the results into nmap or unicornscan to get even better results.
Lesson learned? Make sure your DNS records aren't leaking too much information about your company.