Pentest-Tools.com Blog

Security testing from the cloud

Network Fingerprinting Using Online Tools

In this post we show how to perform effective fingerprinting (reconnaissance) of a target network using online tools. Consider the following scenario: we must perform an external, black-box penetration test against a client company, and the only initial information we receive is the company name. The first phase of the test must be information gathering and footprinting of the client's external network. Let's see how this can be done with a set of tools that are available online.

To have a practical example, let's suppose we are hired to do an external penetration test against Facebook, Inc. We chose this company because it has a bug bounty program and is open to security researchers who ethically search for vulnerabilities in its systems.

Since we have no information about the company's network, our first objective is to find all possible entry points, meaning all external IP addresses and their associated DNS names.

Note: in this scenario we do not take client-side attacks into consideration (they may well be a more effective attack approach), since our scope is limited to network-only attacks.

1. Finding domain names of the Company

We start by manually searching public sources (e.g. Google, Bing) for domain names belonging to the target company (Facebook). Of course, facebook.com is the company's main domain, and a simple Whois Lookup on this name gives the response below (snipped):

Domain Name:                      facebook.com
Registrar WHOIS Server:           whois.markmonitor.com
Registrar URL:                    http://www.markmonitor.com
Updated Date:                     2013-06-06T04:00:37-0700
Creation Date:                    2010-04-01T11:56:37-0700
Registrar Registration Exp Date:  2020-03-29T21:00:00-0700
Registrar:                        MarkMonitor, Inc.
Registrar Abuse Contact Email:    compliance@markmonitor.com
Registrar Abuse Contact Phone:    +1.2083895740
Registry Registrant ID:
Registrant Name:                  Domain Administrator
Registrant Organization:          Facebook, Inc.
Registrant Street:                1601 Willow Road,
Registrant City:                  Menlo Park
Registrant State/Province:        CA
Registrant Postal Code:           94025
Registrant Country:               US
Registrant Phone:                 +1.6505434800
Registrant Phone Ext:
Registrant Fax:                   +1.6505434800
Registrant Fax Ext:
Registrant Email:                 domain@fb.com

This tells us that a representative of Facebook (the registrant) went to MarkMonitor (the registrar) and registered the domain name facebook.com in April 2010. We can also see the official address of the company, a contact phone number and the email address domain@fb.com, which suggests that fb.com is another domain belonging to Facebook. A similar Whois Lookup confirms that this is indeed a second domain name belonging to the target company.

2. Finding subdomains and network ranges

To expand our search and map the company's perimeter as completely as possible, we now look for subdomains of the main domains found so far. These subdomains will probably point to different IP addresses, which in turn reveal the network ranges belonging to Facebook.

For this we use the Find Subdomains tool, which implements three different methods for finding subdomains:

    • Attempt DNS zone transfers
    • Brute-force DNS names (wordlist-based)
    • Query public search engines

Running the tool on the facebook.com domain yields 109 unique subdomain names:

Subdomain IP address Netname (whois) Country (whois)
el-gr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
es-la.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
tl-ph.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
act.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
es.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
developers.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
zh-cn.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
cs-cz.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fi-fi.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
code.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
tr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
th-th.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
dns.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fr-fr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
vi-vn.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
csf.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
x.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ca-es.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
bc.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ar-ar.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
es-es.fbjs.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ja-jp.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
id-id.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
static.ak.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
sk-sk.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nic.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
w.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
blog.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
et-ee.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nb-no.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.hs.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
rdg.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www2.facebook.com 31.13.81.121 IE-FACEBOOK-20110418 IE
ads.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fa-ir.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ro-ro.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
zh-tw.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.k.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
touch.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
hu-hu.fr-fr.vi-vn.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.zh-cn.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fb-lt.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ru-ru.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nsa.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
pt-br.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
pt-pt.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
abc.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
he-il.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ko-kr.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
postmaster.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ww.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
bg-bg.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ed.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
pacific.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
about.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
da-dk.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
sv-se.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
en-gb.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nova.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
vi-vn.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
de-de.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nl-nl.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
upload.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ko-kr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
apps.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
zh-hk.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ar-ar.vn-ni.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
v4help.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
national.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
mbasic.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
it-it.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ro-ro.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
nl.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
zh-cn.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
wwww.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
c.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
tr-tr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
register.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
fr-ca.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
es-es.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
iphone.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
m.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
hr-hr.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
it.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
bs-ba.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ms-my.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
secure.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
pixel.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
sr-rs.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.cz.connect.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
pl-pl.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
badge.facebook.com 31.13.81.113 IE-FACEBOOK-20110418 IE
ns2.facebook.com 69.171.255.12 TFBNET3 US
ns1.facebook.com 69.171.239.12 TFBNET3 US
intern.facebook.com 10.82.0.4 PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED US
ntp.facebook.com 10.170.0.4 PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED US
lists.facebook.com 10.8.151.47 PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED US
o.facebook.com 173.252.101.49 FACEBOOK-INC US
fr-fr.o.facebook.com 173.252.101.49 FACEBOOK-INC US
www.o.o.o.o.facebook.com 173.252.101.49 FACEBOOK-INC US
www.prod.facebook.com 173.252.79.22 FACEBOOK-INC US
0.facebook.com 173.252.101.49 FACEBOOK-INC US
d.facebook.com 173.252.103.44 FACEBOOK-INC US
vi-vn.o.facebook.com 173.252.101.49 FACEBOOK-INC US
h.facebook.com 173.252.100.26 FACEBOOK-INC US
ns3.facebook.com 66.220.151.20 TFBNET3 US
beta.facebook.com 66.220.152.10 TFBNET3 US

Running the Find Subdomains tool on the other domain name, fb.com, yields another 9 subdomain names with their IP addresses:

Subdomain IP address Netname (whois) Country (whois)
accounts.fb.com 173.252.71.139 FACEBOOK-INC US
files.fb.com 173.252.71.133 FACEBOOK-INC US
vsp.fb.com 173.252.71.136 FACEBOOK-INC US
docs.fb.com 173.252.71.139 FACEBOOK-INC US
search.fb.com 173.252.71.139 FACEBOOK-INC US
investor.fb.com 2.20.113.254 AKAMAI-PA EU
newsroom.fb.com 2.20.113.254 AKAMAI-PA EU
s.fb.com 31.13.81.113 IE-FACEBOOK-20110418 IE
www.fb.com 31.13.81.113 IE-FACEBOOK-20110418 IE

So far we have discovered a set of IP ranges owned by our target company. There is a good probability that compromising one of the systems in these ranges could lead to the compromise of other internal systems, and from there of the company's internal network. Of course, this is a hypothetical scenario: we did not attempt any real attack against the company's systems.

We also found that Facebook's public DNS servers can be used to resolve internal names to internal IP addresses (this has been reported to Facebook, and it is accepted functionality for them). A potential attacker therefore also knows some internal IP addresses and ranges from the company's network:

    • intern.facebook.com -> 10.82.0.4
    • ntp.facebook.com    -> 10.170.0.4
    • lists.facebook.com  -> 10.8.151.47

So the external network ranges we have identified so far as belonging to our target company are listed below:

NetRange                          CIDR               NetName                OrgName
31.13.64.0 - 31.13.127.255        31.13.64.0/18      IE-FACEBOOK-20110418   Facebook Ireland Ltd
69.171.224.0 - 69.171.255.255     69.171.224.0/19    TFBNET3                Facebook, Inc.
66.220.144.0 - 66.220.159.255     66.220.144.0/20    TFBNET3                Facebook, Inc.
173.252.64.0 - 173.252.127.255    173.252.64.0/18    FACEBOOK-INC           Facebook, Inc.
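The two checks this section performs by hand (which public names land in which owned netblock, and which names resolve to RFC 1918 addresses that should never be answered by a public resolver) are easy to automate once the subdomain results are exported. The Python script below is an added example written for this post, not code from Pentest-Tools.com or from the Find Subdomains tool; it runs on a constructed subset of the results shown above and on the four netblocks from the table, using only the standard library, so it needs no network access.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the Find Subdomains results shown in the post.
SUBDOMAIN_RESULTS = [
    ("www.facebook.com", "31.13.81.113"),
    ("www2.facebook.com", "31.13.81.121"),
    ("ns1.facebook.com", "69.171.239.12"),
    ("ns2.facebook.com", "69.171.255.12"),
    ("ns3.facebook.com", "66.220.151.20"),
    ("beta.facebook.com", "66.220.152.10"),
    ("intern.facebook.com", "10.82.0.4"),
    ("ntp.facebook.com", "10.170.0.4"),
    ("lists.facebook.com", "10.8.151.47"),
    ("o.facebook.com", "173.252.101.49"),
    ("www.prod.facebook.com", "173.252.79.22"),
    ("investor.fb.com", "2.20.113.254"),
]

# Netblocks the post attributes to the target via whois (section 2 table).
OWNED_RANGES = {
    "31.13.64.0/18": "IE-FACEBOOK-20110418",
    "69.171.224.0/19": "TFBNET3",
    "66.220.144.0/20": "TFBNET3",
    "173.252.64.0/18": "FACEBOOK-INC",
}


def find_private_leaks(results):
    """Return (name, ip) pairs where a public DNS name resolves to a
    non-routable address (RFC 1918, loopback, link-local).  Each hit is an
    internal hostname/address that an outsider learned for free."""
    leaks = []
    for name, ip in results:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append((name, ip))
    return leaks


def group_by_range(results, owned_ranges):
    """Map each owned netname to the names resolving into it.  Non-routable
    answers go under 'non-routable'; public answers outside every owned block
    go under 'unattributed' (CDN, hosting provider, or a block still unknown)."""
    nets = {ipaddress.ip_network(c): n for c, n in owned_ranges.items()}
    groups = defaultdict(list)
    for name, ip in results:
        addr = ipaddress.ip_address(ip)
        if not addr.is_global:
            groups["non-routable"].append(name)
            continue
        for net, netname in nets.items():
            if addr in net:
                groups[netname].append(name)
                break
        else:
            groups["unattributed"].append(name)
    return dict(groups)


def summarize_ranges(results):
    """Collapse the public IPs seen into the /24s that cover them: a cheap
    first cut before confirming each block's real size and owner with whois."""
    blocks = set()
    for _, ip in results:
        addr = ipaddress.ip_address(ip)
        if addr.is_global:
            blocks.add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return [str(b) for b in sorted(blocks)]


if __name__ == "__main__":
    for name, ip in find_private_leaks(SUBDOMAIN_RESULTS):
        print(f"internal address exposed in public DNS: {name} -> {ip}")
    for netname, names in group_by_range(SUBDOMAIN_RESULTS, OWNED_RANGES).items():
        print(f"{netname}: {', '.join(names)}")
    print("candidate /24s:", ", ".join(summarize_ranges(SUBDOMAIN_RESULTS)))
```

From the defender's side, `find_private_leaks` is the function worth running over your own external zones: anything it returns is a record that belongs on an internal-only view (split-horizon DNS), because it hands out part of the internal addressing plan to anyone who asks.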

3. Finding live hosts

Knowing some of the company's network ranges, we can start searching for live hosts, which are effectively the entry points into the company's perimeter.

We do this with the Ping Sweep tool, which uses nmap to do host discovery on a given network range. The tool does not scan for open ports; it only determines whether each host is up. For this example we scan just a small portion of the company's network ranges, 173.252.71.0/24, to see what the results look like:

Nmap scan report for 173.252.71.65
Host is up (0.20s latency).
Nmap scan report for 173.252.71.66
Host is up (0.20s latency).
Nmap scan report for 173.252.71.67
Host is up (0.19s latency).
Nmap scan report for 173.252.71.76
Host is up (0.19s latency).
Nmap scan report for 173.252.71.77
Host is up (0.19s latency).
Nmap scan report for files.fb.com (173.252.71.133)
Host is up (0.19s latency).
Nmap scan report for sftp.fb.com (173.252.71.134)
Host is up (0.21s latency).
Nmap scan report for vip-vsp.fb.com (173.252.71.136)
Host is up (0.19s latency).
Nmap scan report for vip-sentry-fb.com (173.252.71.137)
Host is up (0.20s latency).
Nmap scan report for tdocs.fb.com (173.252.71.138)
Host is up (0.19s latency).
Nmap scan report for pdocs.fb.com (173.252.71.139)
Host is up (0.21s latency).
Nmap scan report for tv.fb.com (173.252.71.147)
Host is up (0.20s latency).
Nmap scan report for mailwest.thefacebook.com (173.252.71.148)
Host is up (0.20s latency).
Nmap scan report for www.facebooksuppliers.com (173.252.71.149)
Host is up (0.19s latency).
Nmap scan report for www.facebooksupplierstest.com (173.252.71.150)
Host is up (0.20s latency).
Nmap scan report for prn-isupplydevvip01.thefacebook.com (173.252.71.151)
Host is up (0.19s latency).
Nmap scan report for prn-ztlanding01.fb.com (173.252.71.153)
Host is up (0.20s latency).
Nmap scan report for prn-zlanding01.fb.com (173.252.71.154)
Host is up (0.20s latency).
Nmap scan report for prn-wlc.corp.tfbnw.net (173.252.71.155)
Host is up (0.19s latency).
Nmap scan report for mirror.facebook.net (173.252.71.156)
Host is up (0.20s latency).
Nmap scan report for irc1.tfbnw.net (173.252.71.157)
Host is up (0.19s latency).
Nmap scan report for vpn01.prn1.thefacebook.com (173.252.71.158)
Host is up (0.20s latency).
Nmap scan report for vpntest01.prn1.thefacebook.com (173.252.71.159)
Host is up (0.20s latency).
Nmap scan report for prn-ppt004.thefacebook.com (173.252.71.161)
Host is up (0.21s latency).
Nmap scan report for remoteassist.thefacebook.com (173.252.71.162)
Host is up (0.19s latency).
Nmap scan report for osbdevext.thefacebook.com (173.252.71.163)
Host is up (0.20s latency).
Nmap scan report for osbtestext.thefacebook.com (173.252.71.164)
Host is up (0.19s latency).
Nmap scan report for osbprdext.thefacebook.com (173.252.71.165)
Host is up (0.20s latency).
Nmap scan report for prn-crs-dev.thefacebook.com (173.252.71.166)
Host is up (0.20s latency).
Nmap scan report for prn-crs-prd.thefacebook.com (173.252.71.167)
Host is up (0.19s latency).
Nmap scan report for vip-prn-zappman.thefacebook.com (173.252.71.168)
Host is up (0.19s latency).
Nmap scan report for prn-asavpn01.thefacebook.com (173.252.71.183)
Host is up (0.19s latency).
Nmap scan report for prn-savpn01.thefacebook.com (173.252.71.184)
Host is up (0.19s latency).
Nmap scan report for prn-riskIQ01.thefacebook.com (173.252.71.185)
Host is up (0.20s latency).
Nmap scan report for sundance.fb.com (173.252.71.186)
Host is up (0.20s latency).
Nmap scan report for prn-wlc2.corp.tfbnw.net (173.252.71.191)
Host is up (0.19s latency).
Nmap scan report for fs.sales.fb.com (173.252.71.193)
Host is up (0.20s latency).
Nmap scan report for vendoor.thefacebook.com (173.252.71.194)
Host is up (0.19s latency).
Nmap scan report for m-nexus.thefacebook.com (173.252.71.195)
Host is up (0.20s latency).
Nmap scan report for 173.252.71.196
Host is up (0.20s latency).
Nmap scan report for appstore.fb.com (173.252.71.198)
Host is up (0.20s latency).
Nmap scan report for 173.252.71.199
Host is up (0.20s latency).
Nmap scan report for prn-plm-prd-ext.thefacebook.com (173.252.71.208)
Host is up (0.20s latency).
Nmap scan report for audienceinsightsprototype.fb.com (173.252.71.209)
Host is up (0.19s latency).
Nmap scan report for fs.fb.com (173.252.71.211)
Host is up (0.20s latency).
Nmap scan report for review.buffy.fb.com (173.252.71.212)
Host is up (0.20s latency).
Nmap scan report for prn-scomlogw01.thefacebook.com (173.252.71.213)
Host is up (0.19s latency).
Nmap scan report for test-54993.thefacebook.com (173.252.71.214)
Host is up (0.19s latency).
Nmap scan report for m-audience.fb.com (173.252.71.215)
Host is up (0.19s latency).
Nmap scan report for 173.252.71.217
Host is up (0.20s latency).
Nmap scan report for 173.252.71.218
Host is up (0.19s latency).
Nmap scan report for gompk.com (173.252.71.219)
Host is up (0.21s latency).
Nmap scan report for prn1-cmdf-dc1-wlra5-6.corp.tfbnw.net (173.252.71.220)
Host is up (0.20s latency).
Nmap scan report for prn1-cmdf-dc1-wlra7-8.corp.tfbnw.net (173.252.71.221)
Host is up (0.19s latency).
Nmap scan report for irc1-test.tfbnw.net (173.252.71.222)
Host is up (0.20s latency).

By doing reverse DNS lookups on the live hosts we found, we also discovered additional domain names belonging to Facebook:

    • tfbnw.net
    • gompk.com
    • thefacebook.com
    • facebook.net
    • facebooksuppliers.com
    • facebooksupplierstest.com

At this point, the fingerprinting process can be expanded by running Ping Sweeps on the company's other network ranges. The new domain names can also be fed back into the Find Subdomains tool, Ping Sweep run again on the newly found network ranges, and so on. However, we consider the results above sufficient for the purpose of this post.
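Pulling the new apex domains out of a long Ping Sweep listing by eye is error-prone, and the loop described above (new domains back into Find Subdomains, new ranges back into Ping Sweep) needs that list in machine-readable form. The Python script below is an added example, not part of the post or of the Ping Sweep tool: it parses a constructed excerpt of the nmap host-discovery lines shown above and returns the registrable domains seen in reverse DNS that were not already known. The two-label `registrable_domain` heuristic is an assumption that holds for the .com/.net names on this page but not for multi-label public suffixes such as .co.uk.

```python
import re

# Constructed sample: a handful of lines in the format the Ping Sweep tool
# (nmap host discovery) printed in the post.
PING_SWEEP_OUTPUT = """\
Nmap scan report for 173.252.71.65
Host is up (0.20s latency).
Nmap scan report for files.fb.com (173.252.71.133)
Host is up (0.19s latency).
Nmap scan report for prn-wlc.corp.tfbnw.net (173.252.71.155)
Host is up (0.19s latency).
Nmap scan report for mirror.facebook.net (173.252.71.156)
Host is up (0.20s latency).
Nmap scan report for vpn01.prn1.thefacebook.com (173.252.71.158)
Host is up (0.20s latency).
Nmap scan report for www.facebooksuppliers.com (173.252.71.149)
Host is up (0.19s latency).
Nmap scan report for gompk.com (173.252.71.219)
Host is up (0.21s latency).
Nmap scan report for 173.252.71.199
Host is up (0.20s latency).
"""

# "Nmap scan report for <rdns> (<ip>)" when reverse DNS resolved, otherwise
# "Nmap scan report for <ip>".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+))$"
)


def parse_live_hosts(text):
    """Return [(ip, rdns_name_or_None)] for every host nmap reported as up."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            current = (m.group("ip") or m.group("bare"), m.group("name"))
            continue
        if line.startswith("Host is up") and current:
            hosts.append(current)
            current = None
    return hosts


def registrable_domain(hostname):
    """Heuristic (assumption): the last two labels are the apex domain.
    Use a public-suffix list instead when ccTLD-style names are in scope."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def discovered_domains(hosts, known=()):
    """Apex domains seen in reverse DNS that are not already in the known set;
    these are the candidates to feed back into subdomain enumeration."""
    found = {registrable_domain(name) for _, name in hosts if name}
    return sorted(found - set(known))


if __name__ == "__main__":
    live = parse_live_hosts(PING_SWEEP_OUTPUT)
    print(f"{len(live)} live hosts, {sum(1 for _, n in live if n)} with reverse DNS")
    for domain in discovered_domains(live, known=["facebook.com", "fb.com"]):
        print("new apex domain:", domain)
```

For an asset-inventory owner the same parser answers the inverse question: every reverse-DNS name that resolves into your space but is not in your asset register is either a forgotten host or a PTR record that should be cleaned up.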

4. Discovering open ports and running services

To see what services are running on the live hosts, we must do a port scan and service identification. This can be done with the TCP Port Scan and UDP Port Scan tools, which are web interfaces for the well-known nmap tool.

For instance, running a TCP scan on IP 173.252.71.156 (mirror.facebook.net) for ports 1-1024 gives the following results:

Nmap scan report for mirror.facebook.net (173.252.71.156)
Host is up (0.19s latency).
Not shown: 1021 filtered ports
PORT      STATE    SERVICE    VERSION
21/tcp    open     ftp        vsftpd 2.0.8 or later
80/tcp    open     http       Apache httpd 2.2.15
873/tcp   open     rsync      (protocol version 30)
Device type: load balancer
Running (JUST GUESSING): F5 Networks embedded (87%)
Aggressive OS guesses: F5 BIG-IP 3650 Local Traffic Manager load balancer (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.86 ms bb0-vlan50-th1.59-bdp.TeenTelecom.net (86.107.58.33)
2 1.86 ms 172.16.0.177
3 2.86 ms interlink-routers.use.TeenTelecom.net (172.16.0.165)
4 4.87 ms bb3-v505-cb.nxdt.TeenTelecom.net (193.138.193.69)
5 16.87 ms 81.183.0.117
6 33.87 ms ae1.br02.fra1.tfbnw.net (80.81.195.40)
7 31.88 ms ae2.bb01.fra2.tfbnw.net (31.13.27.207)
8 54.88 ms ae7.bb01.lhr2.tfbnw.net (74.119.76.11)
9 120.84 ms ae38.bb02.iad1.tfbnw.net (31.13.29.255)
10 202.84 ms ae11.bb02.prn1.tfbnw.net (204.15.20.90)
11 203.62 ms ae1.dr06.prn1.tfbnw.net (204.15.20.105)
12 182.62 ms ae10.dr06.prn1.tfbnw.net (173.252.64.31)
13 ... 15
16 195.60 ms mirror.facebook.net (173.252.71.156)

We can see the services running on the server and their versions. Furthermore, when trying to identify the remote operating system, nmap's OS detection indicated (at 87% confidence, flagged as "JUST GUESSING") that an F5 BIG-IP load balancer sits in front of the actual server.

The traceroute output also shows a number of hop addresses (the tfbnw.net hops) in IP ranges other than the ones previously identified. These also belong to Facebook, as confirmed by the Whois Lookup tool:

    • 31.13.24.0 - 31.13.31.255    (Facebook Ireland Ltd)
    • 74.119.76.0 - 74.119.79.255  (Facebook, Inc)
    • 204.15.20.0 - 204.15.23.255  (Facebook, Inc)
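The step this section performs manually, reading the traceroute, spotting hop addresses that are not in any known netblock and sending them to whois, is worth scripting once more than one host is scanned. The Python script below is an added example (not the post's own code and not part of the TCP Port Scan tool) that parses a constructed excerpt of the nmap -sV and traceroute output shown above, lists the open ports with their service banners, and returns the public hop addresses that fall outside the four netblocks from the section 2 table. Those addresses are exactly the whois follow-up candidates; some will turn out to be transit providers rather than the target, which is why the script reports them as candidates rather than attributing them.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the TCP Port Scan (nmap -sV) output above.
PORT_SCAN_OUTPUT = """\
Nmap scan report for mirror.facebook.net (173.252.71.156)
Host is up (0.19s latency).
Not shown: 1021 filtered ports
PORT      STATE    SERVICE    VERSION
21/tcp    open     ftp        vsftpd 2.0.8 or later
80/tcp    open     http       Apache httpd 2.2.15
873/tcp   open     rsync      (protocol version 30)
Device type: load balancer
Network Distance: 16 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.86 ms bb0-vlan50-th1.59-bdp.TeenTelecom.net (86.107.58.33)
2 1.86 ms 172.16.0.177
6 33.87 ms ae1.br02.fra1.tfbnw.net (80.81.195.40)
7 31.88 ms ae2.bb01.fra2.tfbnw.net (31.13.27.207)
8 54.88 ms ae7.bb01.lhr2.tfbnw.net (74.119.76.11)
10 202.84 ms ae11.bb02.prn1.tfbnw.net (204.15.20.90)
12 182.62 ms ae10.dr06.prn1.tfbnw.net (173.252.64.31)
13 ... 15
16 195.60 ms mirror.facebook.net (173.252.71.156)
"""

# Netblocks already attributed to the target in section 2.
KNOWN_RANGES = ["31.13.64.0/18", "69.171.224.0/19", "66.220.144.0/20", "173.252.64.0/18"]

# "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "<hop> <rtt> ms <name> (<ip>)"  or  "<hop> <rtt> ms <ip>"; "13 ... 15" rows do not match.
HOP_RE = re.compile(r"^(\d+)\s+[\d.]+ ms\s+(?:\S+ \()?([\d.]+)\)?$")


def parse_open_ports(text):
    """Return [(port, proto, service, version)] for rows whose state is 'open'."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4), m.group(5).strip()))
    return ports


def parse_hops(text):
    """Return [(hop_number, ip)] from the TRACEROUTE table, skipping gaps."""
    return [(int(m.group(1)), m.group(2))
            for m in (HOP_RE.match(l) for l in text.splitlines()) if m]


def hops_outside_known(hops, known_cidrs):
    """Public hop addresses outside every known netblock, in path order.
    Private hops (e.g. the scanner's own ISP infrastructure) are ignored."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    out = []
    for _, ip in hops:
        addr = ipaddress.ip_address(ip)
        if addr.is_global and not any(addr in n for n in nets):
            out.append(ip)
    return out


if __name__ == "__main__":
    for port, proto, service, version in parse_open_ports(PORT_SCAN_OUTPUT):
        print(f"{port}/{proto} {service}: {version}")
    for ip in hops_outside_known(parse_hops(PORT_SCAN_OUTPUT), KNOWN_RANGES):
        print("whois candidate from traceroute:", ip)
```

On this excerpt the candidates are the two transit hops near the scanner plus the three tfbnw.net addresses; only the latter three resolve to Facebook in whois, matching the three ranges listed above, so the list is an input to attribution, not the attribution itself.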

5. Conclusions

In this post we showed how to do network fingerprinting and intelligence gathering using a set of online tools.

Footprinting the target network is essential for a successful penetration test as it offers an extended view of the target’s internet facing systems. We managed to obtain information about the network ranges owned by our target company, domain names, live hosts and running services.

After the network discovery phase, the penetration test continues with vulnerability identification and exploitation, but that is outside the scope of this post.
