Danny Ghazal
10/8/20
NTS330
Mike Vasquez
Recon
Step 1:
What is the name of the organization you chose? What do they do?
I chose Tesla. Tesla sells fully electric cars and has a space program as well.
What web server are they using (Apache, IIS, etc.)? What version is it?
There isn't enough information to confidently state whether they are or they aren't; the
curl command only gave very limited information.
The front end of the website is made with JavaScript. I went on the Tesla website and
used Inspect Element to check what the file extensions were. I'm assuming they are
probably using a different language for the backend; I tried looking for it but couldn't find
anything.
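The answer above notes that curl gave very limited information. The following is an added example (not part of this write-up) showing how to read what a `curl -sI https://target/` response head does and does not tell you about the web server: it pulls out the fingerprint-relevant headers and flags the common case where only a CDN/WAF is visible and the origin server and version stay hidden. The sample response is constructed for illustration and is not a real tesla.com capture; the header names are ones that commonly leak server or CDN details.

```python
"""Extract server-fingerprint clues from a raw HTTP response head.

Added example, not from the original write-up. SAMPLE_RESPONSE is a
constructed response; to use this on real output, pipe the text of
`curl -sI https://target/` into the script's stdin.
"""
from __future__ import annotations

import sys

# Header names that commonly leak server software, frameworks, or a fronting CDN/WAF.
FINGERPRINT_HEADERS = (
    "server", "x-powered-by", "via", "x-aspnet-version", "x-generator",
    "x-served-by", "x-cache", "cf-ray", "x-amz-cf-id", "x-varnish",
)

# Header values / names that indicate a CDN or WAF sits in front of the origin.
CDN_SERVER_MARKERS = ("cloudflare", "akamai", "cloudfront", "fastly", "varnish")
CDN_HEADER_MARKERS = ("cf-ray", "x-amz-cf-id", "x-served-by")

# Constructed sample: what a response head from a CDN-fronted site often looks like.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
server: cloudflare
cf-ray: 0123456789abcdef-SJC
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains
set-cookie: session=abc; Path=/; HttpOnly; Secure
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw response head into a map of lower-cased name -> values.

    Values are kept as a list because headers such as Set-Cookie repeat.
    The status line (HTTP/1.1 or HTTP/2 style) is skipped, and parsing stops
    at the first blank line, which is where a body would begin.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw: str) -> dict[str, str]:
    """Return the fingerprint-relevant headers present plus an 'assessment' entry.

    The assessment distinguishes four outcomes: a CDN/WAF is fronting the origin
    (so the Server header describes the edge, not the origin), no Server header at
    all, a product name with a version, or a product name with the version hidden.
    """
    headers = parse_headers(raw)
    found = {h: ", ".join(headers[h]) for h in FINGERPRINT_HEADERS if h in headers}
    server = found.get("server", "")
    fronted = any(m in server.lower() for m in CDN_SERVER_MARKERS) or any(
        h in found for h in CDN_HEADER_MARKERS
    )
    if fronted:
        found["assessment"] = "fronted by CDN/WAF; origin server and version not exposed"
    elif not server:
        found["assessment"] = "no Server header; version unknown"
    elif any(ch.isdigit() for ch in server):
        found["assessment"] = "server and version exposed"
    else:
        found["assessment"] = "server product exposed, version hidden"
    return found


if __name__ == "__main__":
    # Read a piped `curl -sI` capture if there is one, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for key, value in fingerprint(data).items():
        print(f"{key}: {value}")
```

A bare `server: cloudflare` plus a `cf-ray` header is exactly the "very limited information" case: it identifies the edge network, and the origin's software has to be inferred from other sources (for example, error pages, cookie naming, or hosts that are not behind the CDN) rather than from this response.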
Does it appear they are hosting any other services from their network ranges? (Do not scan network segments.)
Yes, it does appear that they have other services; there are tons of different network
segments listed on ip-netblocks.whoisxmlapi.com.
Using search engines I was able to find some information about the IP blocks that
Tesla owns. I tried finding other information about network infrastructure but couldn't
get much without performing scans.
Step 2:
Identify key employees. Get names, positions, salary, phone #, and e-mail addresses.
Additional:
noc@teslamotors.com
whoisrequest@markmonitor.com
admin@dnstinations.com
abusecomplaints@markmonitor.com
Phone Numbers:
1-(800)-745-9229
1-(415)-531-9336
44-(20)-3206-2220
1-(415)-531-9335
1-(208)-389-5770
1-(208)-389-5740
Additional Domains:
events.tesla.com
ir.tesla.com
mfa.tesla.com
apac-sso.tesla.com
secureguest.tesla.com
auth.tesla.com
beta-partners.tesla.com
cicerone.tesla.com
email.tesla.com
email1.tesla.com
emails.tesla.com
epcapi.tesla.com
Elon Musk is a part of SpaceX, The Boring Company, and SolarCity.
They all have a LinkedIn; I couldn't find any other professional social media sites these
people are linked to.
No
I used Google dorking to try and find passwords, PDFs, and .docx files.
Does your target company have any associations with other companies? E.g. partners.
Enumerate your target's domain name. Document all additional IP addresses that you
have discovered. (Add them to your current list.)
https://ipinfo.io/AS394161
Use theHarvester, available in your Kali Linux virtual machine, to search your company's
domain, e-mail, social media, etc.
I used theHarvester to scan the tesla.com domain and didn't receive any results.
help:
https://github.com/laramies/theHarvester
http://www.edge-security.com/theharvester.php
Create a visual map of your selected target's discovered systems. Identify network
address ranges, possible target systems and their purpose, routers, switches, etc. Is
this their DMZ?
https://ip-netblocks.whoisxmlapi.com/lookup-report/Jd95pO72pB
I used Maltego to get a layout of the web domain's infrastructure; this also provided
emails, alternate domains, social media, and IP blocks.
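Two of the questions above ("document all additional IP addresses" and the visual map of address ranges and system purposes) come down to the same check: which discovered hostnames resolve into the target's own netblocks, and which are hosted elsewhere (CDN, SaaS mail, a partner). The following is an added example, not part of this write-up, that performs that sorting offline. The hostnames are the ones listed under "Additional Domains"; the resolved addresses and the NETBLOCKS prefixes are constructed placeholders drawn from the RFC 5737 documentation ranges, not real Tesla data, and the purpose keywords are an assumed heuristic. Replace RESOLVED with real `dig` answers and NETBLOCKS with the prefixes from the ASN / netblock reports to use it on a real target.

```python
"""Sort discovered hostnames into the target's own ranges vs. external hosting,
and list addresses not yet on the documented IP list.

Added example, not from the original write-up. RESOLVED and NETBLOCKS are
CONSTRUCTED (RFC 5737 documentation addresses); PURPOSE_HINTS is an assumed
keyword heuristic for the "purpose" column of the visual map.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed: prefixes as you would copy them from an ASN / netblock report.
NETBLOCKS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed: hostname -> A records. Hostnames are from the write-up's list;
# the addresses are documentation ranges chosen to show each outcome.
RESOLVED = {
    "auth.tesla.com": ["192.0.2.10"],
    "mfa.tesla.com": ["192.0.2.11"],
    "apac-sso.tesla.com": ["198.51.100.20"],
    "secureguest.tesla.com": ["198.51.100.200"],        # outside the /25
    "email.tesla.com": ["203.0.113.5", "203.0.113.6"],  # third-party mail range
    "epcapi.tesla.com": ["192.0.2.40"],
    "beta-partners.tesla.com": ["192.0.2.50", "203.0.113.9"],  # split hosting
    "ir.tesla.com": [],                                 # did not resolve
}

# Assumed heuristic: substrings of the host label -> likely purpose. First match wins.
PURPOSE_HINTS = [
    (("sso", "auth", "mfa", "login"), "identity / authentication"),
    (("email", "mail", "smtp", "mx"), "mail"),
    (("api",), "API endpoint"),
    (("guest",), "guest / visitor portal"),
    (("partner",), "partner portal"),
    (("events",), "corporate web"),
]


def guess_purpose(hostname: str) -> str:
    """Map a hostname to a likely purpose using the label before the first dot."""
    label = hostname.split(".")[0].lower()
    for keys, purpose in PURPOSE_HINTS:
        if any(k in label for k in keys):
            return purpose
    return "unknown"


def in_scope(addr: str, nets: list[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> bool:
    """True if addr falls inside any of the target's netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def build_map(resolved: dict[str, list[str]], netblocks: list[str]) -> dict[str, list[tuple]]:
    """Bucket hosts as 'own-range', 'external', 'mixed' or 'unresolved'.

    Each bucket holds (hostname, addresses, purpose) tuples. 'mixed' means the
    name resolves both inside and outside the target's ranges, which usually
    indicates geo- or load-balanced hosting across providers.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    buckets: dict[str, list[tuple]] = defaultdict(list)
    for host, addrs in sorted(resolved.items()):
        if not addrs:
            bucket = "unresolved"
        else:
            flags = {in_scope(a, nets) for a in addrs}
            if len(flags) == 2:
                bucket = "mixed"
            elif True in flags:
                bucket = "own-range"
            else:
                bucket = "external"
        buckets[bucket].append((host, addrs, guess_purpose(host)))
    return dict(buckets)


def new_addresses(resolved: dict[str, list[str]], known: list[str]) -> list[str]:
    """Addresses seen in resolution that are not yet on the documented list."""
    seen = {a for addrs in resolved.values() for a in addrs}
    return sorted(seen - set(known), key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a)))


if __name__ == "__main__":
    for bucket, entries in build_map(RESOLVED, NETBLOCKS).items():
        print(f"[{bucket}]")
        for host, addrs, purpose in entries:
            print(f"  {host:28} {', '.join(addrs) or '-':32} {purpose}")
    print("new addresses:", new_addresses(RESOLVED, ["192.0.2.10"]))
```

Only the 'own-range' and 'mixed' hosts can be candidates for the target's DMZ; an 'external' host such as a mail name pointing at a provider's range belongs on the map as a third-party dependency, not as a target system, and is out of scope for any later scanning unless the engagement rules say otherwise.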
Step 3:
Using Recon-ng, perform a full recon on your target company. Document your results.
Did you find any additional useful or interesting info?
I ran the hackertarget module within recon-ng and was unable to find any new
information that wasn't available within Maltego.
https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide
Use at least the following modules. You will need to get API keys...
Shodan
recon/domains-hosts/shodan_hostname
https://developer.shodan.io/
Bing
https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx
help:
https://bitbucket.org/LaNMaSteR53/recon-ng
http://securenetworkmanagement.com/recon-ng-tutorial-part-1/
http://securenetworkmanagement.com/recon-ng-tutorial-part-2/
http://securenetworkmanagement.com/recon-ng-tutorial-part-3/
You need to research information that would be helpful for the social engineering phase of your penetration test.
Badges?
Vehicle passes?
Web Cams?
Digital dumpster diving.