Mapping your target
Once you have your platform in good working order, you will need to know as much as possible about your target. In this chapter we look at "passive" ways to find information about the target. The target might be a company, an organization or a government. Where do you start your attack? This first step is gaining as much information as possible about the target - without them knowing that you are focussing your sniper scope on them. All these methods involve tools, web sites and programs that are used by the normal law-abiding netizen.
Websites, MX records…DNS!
For the purpose of this document, let us assume that we want to attack CitiBank. (no hard feelings CitiBank). We begin by looking at the very obvious - www.citibank.com. You would be amazed by the amount one can learn from an official webpage. From the website we learn that Citibank has a presence in many countries. To check that Citibank has offices in Belgium, we look up the address of www.citibank.be, and for the Malaysian office www.citibank.com.my. The IP addresses are different - which means that each country's Citibank website is hosted inside the specific country. The website lists all the countries that Citibank operates in. We take the HTML source code, and try to find the websites in each country. Having a look around leaves us with 8 distinct countries. Maybe XXX.citibank.XXX is registered in the other countries? Doing a simple "host www.citibank.XXX" (scripted with all country codes and with .com and .co sub extensions of course) reveals the following sites:
- 10 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
So much for websites - it is clear that many of these domains are used by cybersquatters - www.citibank.nu for example. We'll filter those. Also, most of the above-mentioned sites are simply aliases for www.citibank.com. These days most websites are hosted offsite. Mail exchangers are most of the time more closely coupled with the real network. Looking at the MX records for the domains (host -t mx citibank.XX) gives one a better idea of the IP numbers involved. Trying to do a zone transfer would also help a lot (host -l citibank.XXX). After some scripting it becomes clear which domains belong to the real Citibank - all of these domains' MX records point to the MX record for www.citibank.com, and their websites point to the official .com site. The theory that the MX records for the different branches are closer to the "satellite" network does not apply to Citibank, it seems (these are all MX records):
citibank.at is a nickname for www.citibank.com
citibank.ca is a nickname for www.citibank.com
citibank.ch is a nickname for www.citibank.com
citibank.cl is a nickname for www.citibank.com
citibank.co.at is a nickname for www.citibank.com
citibank.co.kr is a nickname for www.citibank.com
citibank.co.nz is a nickname for www.citibank.com
citibank.co.vi is a nickname for www.citibank.com
citibank.com.br is a nickname for www.citibank.com
citibank.com.bs is a nickname for www.citibank.com
citibank.com.ec is a nickname for www.citibank.com
citibank.com.gt is a nickname for www.citibank.com
citibank.com.gu is a nickname for www.citibank.com
citibank.com.ky is a nickname for www.citibank.com
citibank.com.mo is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.pk is a nickname for www.citibank.com
citibank.com.pl is a nickname for www.citibank.com
citibank.com.pr is a nickname for www.citibank.com
citibank.com.py is a nickname for www.citibank.com
citibank.com.sg is a nickname for www.citibank.com
citibank.com.tr is a nickname for www.citibank.com
citibank.cz is a nickname for www.citibank.com
citibank.gr is a nickname for www.citibank.com
citibank.hu is a nickname for www.citibank.com
citibank.ie is a nickname for www.citibank.com
citibank.it is a nickname for www.citibank.com
citibank.lu is a nickname for www.citibank.com
citibank.mc is a nickname for www.citibank.com
citibank.mw is a nickname for www.citibank.com
citibank.nl is a nickname for www.citibank.com
citibank.pl is a nickname for www.citibank.com
citibank.ro is a nickname for www.citibank.com
What about the rest of the countries - are all of them cybersquatter related, or have our friends at Citibank slipped up somewhere? Let's remove the above-mentioned countries from our list, and have a look at those that remain. Close inspection of all the rest of the domains shows that cybersquatters (in all sizes and forms) have taken the following domains:
How about the rest? We find the following hosts and services belonging to Citibank (most of this is done with scripting, manual labor, and cross checking):
www.citibank.be has address 195.75.113.39
citibank.be name server ns.citicorp.com
citibank.be name server ns2.citicorp.com
citibank.co.id mail is handled (pri=20) by egate.citicorp.com
citibank.co.in has address 203.197.24.163
www.citibank.co.jp has address 210.128.74.161
citibank.co.jp name server NS2.citidirect.citibank.co.jp
citibank.co.th mail is handled (pri=20) by egate.citibank.com
citibank.com.ar mail is handled (pri=20) by mailer2.prima.com.ar
www.citibank.com.au has address 203.35.150.146
citibank.com.au name server ns.citibank.com
citibank.com.au name server ns2.citibank.com
www.citibank.com.co has address 63.95.145.165
citibank.com.co name server CEDAR1.CITIBANK.COM
citibank.com.co name server CEDAR2.CITIBANK.COM
webp.citibank.com.sg has address 192.193.70.5
citibank.com.mx mail is handled (pri=10) by green.citibank.com.mx
citibank.com.ph mail is handled (pri=20) by egate.citicorp.com
citibank.com.tw name server dns.citibank.com.tw
dns.citibank.com.tw has address 203.66.185.3
www.citibank.com.tw has address 203.66.185.1
citibank.com.tw name server home1.citidirect.citibank.com.tw
citibank.ru has address 194.135.176.81
www.citibank.de has address 195.75.113.49
www.citibank.de has address 195.145.1.166
www.citibank.com has address 192.193.195.132
...plus the obvious official .com sites and MX records. But the real prize is German Citibank. In the checking scripts we also check whether a DNS zone transfer is possible. For all of the domains tested, the zone transfer (ZT) was denied. All but Germany:
ehbtest.Citibank.DE has address 195.75.113.25
ehbweb.Citibank.DE has address 195.75.113.49
inter.Citibank.DE has address 193.96.156.103
localhost.Citibank.DE has address 127.0.0.1
www.Citibank.DE has address 195.145.1.166
www.Citibank.DE has address 195.75.113.49
ehbdns.Citibank.DE has address 195.145.1.166
public.Citibank.DE has address 193.96.156.104
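Seen from the defending side, the exposure above (one zone out of many answering a transfer request) is visible in the name server's own logs. The following is an added example, not part of the original text: it separates transfer requests that were refused from those that were actually served to a client outside the list of known secondaries. The log lines are constructed and only modelled on BIND 9 wording, and `ALLOWED_SECONDARIES`, the addresses and the zone names are hypothetical.

```python
"""Review name-server logs for zone transfers requested by unexpected clients."""
import ipaddress
import re

# Constructed sample lines (not from the page), modelled on BIND 9 wording.
# The exact message format is an assumption; adapt the patterns to your server.
SAMPLE_LOG = """\
14-Mar-2024 10:15:32.101 client @0x7f1 192.0.2.53#40112 (example.de): transfer of 'example.de/IN': AXFR started (serial 2024031401)
14-Mar-2024 10:15:32.190 client @0x7f1 192.0.2.53#40112 (example.de): transfer of 'example.de/IN': AXFR ended
14-Mar-2024 11:02:07.555 client @0x7f2 198.51.100.23#51234 (example.de): zone transfer 'example.de/AXFR/IN' denied
14-Mar-2024 11:02:09.004 client @0x7f3 198.51.100.23#51240 (example.com): zone transfer 'example.com/AXFR/IN' denied
14-Mar-2024 11:05:44.310 client @0x7f4 203.0.113.77#33871 (example.de): transfer of 'example.de/IN': AXFR started (serial 2024031401)
14-Mar-2024 11:06:00.000 client @0x7f5 203.0.113.9#5353 (www.example.de): query: www.example.de IN A +
"""

# Hypothetical inventory: the only hosts that should ever pull a full zone.
ALLOWED_SECONDARIES = ["192.0.2.53"]

CLIENT = re.compile(r"client (?:@\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+")
SERVED = re.compile(r"transfer of '(?P<zone>[^'/]+)/IN': (?:AXFR|IXFR) started")
DENIED = re.compile(r"zone transfer '(?P<zone>[^'/]+)/(?:AXFR|IXFR)/IN' denied")


def review_transfers(log_text, allowed):
    """Return (client, zone, outcome) for each transfer request that came from
    a client outside `allowed`; outcome is 'served' or 'denied'."""
    allowed_nets = [ipaddress.ip_network(entry) for entry in allowed]
    findings = []
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        if not client:
            continue
        served = SERVED.search(line)
        denied = DENIED.search(line)
        match = served or denied
        if not match:
            continue  # ordinary query or unrelated message
        addr = ipaddress.ip_address(client.group("ip"))
        if any(addr in net for net in allowed_nets):
            continue  # an expected secondary doing its job
        outcome = "served" if served else "denied"
        findings.append((str(addr), match.group("zone"), outcome))
    return findings


def exposed_zones(findings):
    """Zones that were actually handed to an unexpected client."""
    return sorted({zone for _, zone, outcome in findings if outcome == "served"})


if __name__ == "__main__":
    results = review_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES)
    for client, zone, outcome in results:
        print(f"{outcome:7} {zone:12} requested by {client}")
    print("zones to lock down:", exposed_zones(results))
```

A "denied" finding means the transfer restriction held and someone is enumerating; a "served" finding means the zone's transfer restriction is missing or too wide and should be limited to the secondaries.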
From all of the above we can now begin to compile a list of IP numbers belonging to Citibank all over the world. We take the list, sort it, and remove any duplicates if there are any. The end result is:
Once we have these IP numbers we can go much further. We could see which netblocks these IP numbers belong to - this might give us more IP numbers. Later these IP numbers could be fed to port scanners or the like. Another technique is to do "reverse resolve scanning". Here one reverse resolves the subnet to see if there are other interesting DNS entries.
RIPE, ARIN, APNIC and friends
The WHOIS queries (via RIPE, ARIN, APNIC) show some interesting information. (By doing a query on "*citibank*", we find many more blocks that were not revealed in the host finding exercise!)
Citicorp Global Information Network (NETBLK-CITICORP-C)
Netblock: 192.193.0.0 - 192.193.255.0
inetnum: 195.145.1.144 - 195.145.1.255
netname: DA-CITIBANK
descr: Citibank Privatkunden AG, Germany
inetnum: 195.75.113.0 - 195.75.113.255
netname: DE-CITIBANK-NET
descr: Network of Citibank Privatkunden AG
inetnum 203.197.24.160 - 203.197.24.191
netname CITIBANKMUMBAI
descr Leased - CITIBANK Mumbai
Other blocks discovered with RIPE search:
inetnum: 193.32.128.0 - 193.32.159.255
netname: CITI-EMBA
descr: Citibank N.A.
inetnum: 194.41.64.0 - 194.41.95.255
netname: CITIBANK
descr: CITIBANK (SWITZERLAND)
inetnum: 194.50.218.0 - 194.50.218.255
netname: CITILAN
descr: CITIBANK PRAGUE
inetnum: 62.184.117.0 - 62.184.117.255
netname: GB-CITIBANKSAVINGS-NET
descr: Network of Citibank Savings
inetnum: 195.183.49.128 - 195.183.49.143
netname: GB-CITIBANKSAVINGS-NET2
descr: Network of Citibank Savings
inetnum: 194.69.69.160 - 194.69.69.167
netname: CITIBANK-ISP
descr: TRAX network
inetnum: 195.235.80.200 - 195.235.80.207
netname: CITIBANK
descr: VPN public addresses
inetnum: 194.108.183.32 - 194.108.183.47
netname: CITIBANK-CZ
descr: Citibank, a. s.
inetnum: 62.200.100.0 - 62.200.100.31
netname: DE-CITIBANK-NET4
descr: Network of Citibank Privatkunden ag
inetnum: 213.25.206.44 - 213.25.206.47
netname: CITIBANK
descr: Citibank Poland
inetnum: 213.61.189.96 - 213.61.189.127
netname: DE-COLT-CITIBANK
descr: Citibank AG
inetnum: 62.157.214.240 - 62.157.214.247
netname: DTS-NET
descr: DTS für Citibank Privatkunden
inetnum: 62.225.11.144 - 62.225.11.151
netname: CITIBANKAG-FRANKFURT-NET
descr: Citibank AG
The following blocks were discovered with ARIN search:
63.236.56.224 - 63.236.56.255
CITIBANK (NETBLK-QWEST-JSV-ECITI-PVT)
261 Madison Avenue 3rd Floor
New York, ny 10016
USA
208.58.129.224 - 208.58.129.239
CITIBANK (NETBLK-EROLS-CUST-5136)
666 5TH AVENUE 3RD FLOOR
NEWYORK, NY 10103
USA
199.228.157.0 - 199.228.159.0
CITIBANK
RUESSELSHEIM, DE
205.147.21.161 - 205.147.21.168
CitiBank (NETBLK-SLIMCAT)
12731 W. Jefferson
Los Angeles, CA 90066
USA
200.42.11.80 - 200.42.11.87
Citibank (NETBLK-PRIMA-BLK-177)
Prilidiano Pueyrredon 2989
Villa Adelina, Buenos Aires B1607ABC
AR
196.28.49.0 - 196.28.49.31
Citibank (NETBLK-PRTC-196-28-49-0)
Ave. Las Cumbres
Guaynabo, PR
US
208.44.107.32 - 208.44.107.63
Citibank (NETBLK-QWEST-208-44-107-32)
6700 Citicorp Drive
Tampa, FL 33619
US
216.233.22.128 - 216.233.22.135
Citibank (NETBLK-RNCI-52044)
909 3rd Ave (15th floor)
New York, NY 10022-4731
USA
208.46.142.160 - 208.46.142.175
Citibank (NETBLK-QWEST-208-46-142-160)
Vision Drive
Enfield, CT 06082
US
63.80.165.128 - 63.80.165.159
Citibank (NETBLK-UU-63-80-165-128)
1 Vision Dr.
Enfield, CT 06082
US
192.209.110.0 - 192.209.110.255
Citibank - Washington DC (NET-QUOTRON-LAN47)
1001 Pennsylvania Avenue
Washington, DC 20004
198.73.228.0 - 198.73.239.0
Citibank Canada - Various Subnets
192.132.9.0 - 192.132.9.255
Citibank NA (NET-CITI-UK-EIS)
Lewisham House
15 Molesworth St.
London
SE13 7EX
United Kingdom
192.209.111.0 - 192.209.111.0
Citibank NA (NET-CITIBANKPARK)
399 Park Ave.
NYC, NY 10043
216.233.56.184 - 216.233.56.191
Citibank/Dan White (NETBLK-RNCI-52043)
600 Columbus Ave
New York, NY 10024-1400
USA
216.233.123.104 - 216.233.123.111
Citibank/Frank Kovacs (NETBLK-RNCI-DSLACI68828)
2 Vreeland Ct
East Brunswick, NJ 08816-3886
USA
216.233.97.64 - 216.233.97.71
Citibank/Orobona (NETBLK-RNCI-DSLACI56122)
4 Eastern Pkwy
Farmingdale, NY 11735
US
216.233.56.176 - 216.233.56.183
Citibank/Sztabnik AND Residence (NETBLK-RNCI-5516954206)
3547 Carrollton Ave
Wantagh, NY 11793-2929
USA
208.138.110.0 - 208.138.110.255
CITICORP (NETBLK-CW-208-138-110)
399 Park Ave. 6th Floor
New York, NY 10043
US
208.132.249.0 - 208.132.249.31
CITICORP VENTURE CAPITAL (NETBLK-CW-208-132-249-0)
399 PARK AVENUE
NEW YORK, NY 10043
US
159.17.0.0 - 159.17.255.255
Citicorp (NET-CITICORP-COM)
55 Water St.
44 Floor, Zone 7
New York, NY 10043
192.209.120.0 - 192.209.120.255
Citicorp (NET-CITICORPNY)
153 E. 53rd St. 5th Fl.
NYC, NY 10022
169.160.0.0 - 169.195.0.0
Citicorp (NET-CITICORP-B-BLK)
1900 Campus Commons Drive
Reston, VA 22091
208.231.68.0 - 208.231.68.255
Citicorp (NETBLK-UU-208-231-68)
909 3rd Avenue
New York City, NY 10022
US
63.67.86.0 - 63.67.86.255
Citicorp (NETBLK-UU-63-67-86)
2 Penn's Way
New Castle, DE 19720
US
63.71.124.192 - 63.71.124.255
Citicorp (NETBLK-UU-63-71-124-192)
1 Vision Drive
Enfield, CT 06082
US
63.72.243.0 - 63.72.243.255
Citicorp (NETBLK-UU-63-72-243)
1751 Pinnacle Drive
McLean, VA 22102
US
192.246.55.0 - 192.246.55.255
Citicorp Crossmar (NET-CITINET)
4 Sylvan Way
Parsippany, NJ 07054
63.74.88.64 - 63.74.88.79
Citicorp (NETBLK-UU-63-74-88-64)
6700 Citicorp Drive
Tampa, FL 33617
US
192.148.191.0 - 192.148.191.255
Citicorp Global Distibutions Systems (NET-CITIGDS)
1400 Treat Blvd.
Walnut Creek, CA 94596
163.35.0.0 - 163.39.255.255
Citicorp Global Information Network (NETBLK-CITICORP-B)
1 Court Square, 40th Floor
Long Island City, NY 11120
161.75.0.0 - 161.75.255.255
Citicorp Japan (NET-CITICORP-JP)
Citicorp Center Tokyo
2-3-14 Higashi-Shinagawa
Shinagawa-ku, Tokyo 140
Japan
192.48.247.0 - 192.48.247.255
Citicorp North American Investment Bank (NET-CCNAIBFIR)
55 Water Street, 44th Floor
New York, NY 10043
The following was discovered with APNIC:
(note! APNIC does not allow you to scan for words!!)
inetnum 203.66.184.0-203.66.184.255
netname CT-NET
descr Citibank Taiwan
inetnum 203.66.185.0 - 203.66.185.255
netname CT-NET
63.95.145.165
The IP numbers that do not fall in the above-mentioned blocks seem to be on ISP-like netblocks (the Russian block is marked as Space Research though). ISP blocks are blocks of a network that the customer leases, but that are not specifically assigned to Citibank (in terms of AS numbers or netblocks).
We see that there are different size blocks - some are just a few IPs, others a single class C, and some several class Cs. Let us break the list of blocks down into two categories - Class C or sub class C on the one side, and Class C+ on the other. We are left with a table that looks like this:
Class C or sub Class C:
192.132.9.0-192.132.9.255
192.148.191.0-192.148.191.255
192.209.110.0-192.209.110.255
192.209.111.0-192.209.111.0
192.209.120.0-192.209.120.255
192.246.55.0-192.246.55.255
192.48.247.0-192.48.247.255
194.108.183.32-194.108.183.47
194.50.218.0-194.50.218.255
194.69.69.160-194.69.69.167
195.183.49.128-195.183.49.143
195.235.80.200-195.235.80.207
196.28.49.0-196.28.49.31
200.42.11.80-200.42.11.87
203.66.184.0-203.66.184.255
203.66.185.0-203.66.185.255
205.147.21.161-205.147.21.168
208.132.249.0-208.132.249.31
208.138.110.0-208.138.110.255
208.231.68.0-208.231.68.255
208.44.107.32-208.44.107.63
208.46.142.160-208.46.142.175
208.58.129.224-208.58.129.239
213.25.206.44-213.25.206.47
213.61.189.96-213.61.189.127
216.233.123.104-216.233.123.111
216.233.22.128-216.233.22.135
216.233.56.176-216.233.56.183
216.233.56.184-216.233.56.191
216.233.97.64-216.233.97.71
62.157.214.240-62.157.214.247
62.184.117.0-62.184.117.255
62.200.100.0-62.200.100.31
62.225.11.144-62.225.11.151
63.236.56.224-63.236.56.255
63.67.86.0-63.67.86.255
63.71.124.192-63.71.124.255
63.72.243.0-63.72.243.255
63.74.88.64-63.74.88.79
63.80.165.128-63.80.165.159
Class C +:
199.228.157.0-199.228.159.0
198.73.228.0-198.73.239.0
194.41.64.0-194.41.95.255
193.32.128.0-193.32.159.255
159.17.0.0-159.17.255.255
161.75.0.0-161.75.255.255
163.35.0.0-163.39.255.255
169.160.0.0-169.195.0.0
192.193.0.0-192.193.255.255
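The same bookkeeping is useful when auditing your own footprint: which registry records are class C or smaller, which are larger, and which public hosts sit outside every registered block (the "ISP-like" case above). The following is an added example, not the authors' script; the ranges and host addresses are copied from the listings on this page, and treating a multi-network range that ends in `.0` as running to the end of that /24 is an assumption about how those records were written.

```python
"""Classify WHOIS ranges by size and find observed hosts outside all of them."""
import ipaddress

# Ranges and host addresses copied from the listings on this page.
WHOIS_RANGES = [
    "192.193.0.0 - 192.193.255.0",
    "195.75.113.0 - 195.75.113.255",
    "203.197.24.160 - 203.197.24.191",
    "199.228.157.0 - 199.228.159.0",
    "205.147.21.161 - 205.147.21.168",
]
OBSERVED_HOSTS = [
    "192.193.70.5", "195.75.113.39", "203.197.24.163",
    "63.95.145.165", "194.135.176.81",
]

CLASS_C_SIZE = 256
SMALL, LARGE = "class C or smaller", "larger than class C"


def parse_range(text):
    """Parse 'a.b.c.d - e.f.g.h' (spaces optional) into (first, last)."""
    first, last = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if last < first:
        raise ValueError(f"range runs backwards: {text!r}")
    # Assumption: a range spanning several networks but ending at x.y.z.0
    # (e.g. 199.228.157.0 - 199.228.159.0) is meant to include that last /24.
    if last != first and int(last) & 0xFF == 0:
        last = ipaddress.IPv4Address(int(last) | 0xFF)
    return first, last


def to_cidrs(text):
    """Smallest list of CIDR prefixes that exactly covers the range."""
    first, last = parse_range(text)
    return list(ipaddress.summarize_address_range(first, last))


def size_class(text):
    first, last = parse_range(text)
    count = int(last) - int(first) + 1
    return SMALL if count <= CLASS_C_SIZE else LARGE


def split_by_size(ranges):
    """Build the two-column table used in the text."""
    table = {SMALL: [], LARGE: []}
    for text in ranges:
        table[size_class(text)].append(text)
    return table


def hosts_outside(hosts, ranges):
    """Hosts that fall in none of the registered ranges."""
    networks = [net for text in ranges for net in to_cidrs(text)]
    outside = []
    for host in hosts:
        addr = ipaddress.IPv4Address(host)
        if not any(addr in net for net in networks):
            outside.append(host)
    return outside


if __name__ == "__main__":
    for label, members in split_by_size(WHOIS_RANGES).items():
        print(label)
        for text in members:
            print("  ", text, "->", ", ".join(str(n) for n in to_cidrs(text)))
    print("outside registered blocks:", hosts_outside(OBSERVED_HOSTS, WHOIS_RANGES))
```

Note that a range that is not aligned on a prefix boundary, such as 205.147.21.161 - 205.147.21.168, needs four prefixes to be expressed exactly.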
Routed or not?
Given the sheer size of the Class C + netblocks, it would take forever to do a reverse scan or traceroute to all the blocks. The European and some of the American blocks seem very straightforward - most of them are only parts of a subnet. Why not find out which networks in the larger netblocks are routed on the Internet? How do we do this? Only the core routers on the Internet know which networks are routed. We can get access to these routers - very easily, and totally legally. Such a router is route1.saix.net. We simply telnet to this giant of a Cisco router, do a show ip route | include [start of large netblock] and capture the output. This core router contains over 40 000 routes. Having done this for the larger netblocks, we find the following:
199.228.157.0-199.228.159.0 None
198.73.228.0-198.73.239.0 None
194.41.64.0-194.41.95.255 None
193.32.128.0-193.32.159.255
193.32.161.0/24
193.32.254.0/24
193.32.208.0/23
193.32.192.0/20
193.32.176.0/20
159.17.0.0-159.17.255.255 None
161.75.0.0-161.75.255.255 None
163.35.0.0-163.39.255.255 None
169.160.0.0-169.195.0.0 None
192.193.0.0-192.193.255.255
192.193.183.0/24
192.193.192.0/24
192.193.73.0/24
192.193.182.0/24
192.193.208.0/24
192.193.193.0/24
192.193.74.0/24
192.193.194.0/24
192.193.211.0/24
192.193.75.0/24
192.193.180.0/24
192.193.210.0/24
192.193.195.0/24
192.193.196.0/24
192.193.77.0/24
192.193.201.0/24
192.193.172.0/24
192.193.188.0/24
192.193.187.0/24
192.193.186.0/24
192.193.70.0/24
192.193.184.0/24
192.193.71.0/24
Traceroute & world domination
The blocks not marked with a "none" are routed on the Internet today. Where are these plus the smaller blocks routed? Since a complete class C network is routed to the same place, we can traceroute to an arbitrary IP within the block. We proceed to do so, tracerouting to the next available IP in the block (e.g. for netblock 62.157.214.240 we would trace to 62.157.214.241) in each netblock. Looking at the last confirmed hop in the traceroute should tell us more about the location of the block. Most of the European blocks are clearly defined - but what about the larger blocks such as the 192.193.0.0 block and the 193.32.0.0 block? The information gained is very interesting:
62.157.214.240-62.157.214.247 Germany
62.184.117.0/24 Not routed
62.200.100.0-62.200.100.31 Germany
62.225.11.144-62.225.11.151 Germany
63.236.56.224-63.236.56.255 USA
63.67.86.0/24 USA
63.71.124.192-63.71.124.255 USA
63.72.243.0/24 USA
63.74.88.64-63.74.88.79 USA
63.80.165.128-63.80.165.159 USA
192.132.9.0/24 Not routed
192.148.191.0/24 Not routed
192.193.172.0/24 USA
192.193.180.0/24 USA
192.193.182.0/24 USA
192.193.183.0/24 USA
192.193.184.0/24 USA
192.193.186.0/24 USA
192.193.187.0/24 USA
192.193.188.0/24 USA
192.193.192.0/24 USA
192.193.193.0/24 USA
192.193.194.0/24 USA
192.193.195.0/24 USA
192.193.196.0/24 USA
192.193.201.0/24 USA
192.193.208.0/24 USA
192.193.210.0/24 USA
192.193.211.0/24 USA
192.193.70.0/24 Singapore
192.193.71.0/24 USA
192.193.73.0/24 Singapore
192.193.74.0/24 Philippines
192.193.75.0/24 Singapore
192.193.77.0/24 Japan
192.209.110.0/24 Not routed
192.209.111.0/24 Not routed
192.209.120.0/24 Not routed
192.246.55.0/24 Not routed
192.48.247.0/24 Not routed
193.32.128.0/24 Not routed
193.32.161.0/24 UK
193.32.176.0/20 UK
193.32.192.0/20 UK
193.32.208.0/23 UK
193.32.254.0/23 UK
194.108.183.32-194.108.183.47 Czech Republic
194.50.218.0/24 Not routed
194.69.69.160-194.69.69.167 Not routed
195.183.49.128-195.183.49.143 Not routed
195.235.80.200-195.235.80.207 UK
195.75.113.0/24 Germany
196.28.49.0-196.28.49.31 USA
200.42.11.80-200.42.11.87 Argentina
203.197.24.0/24 India
203.66.184.0/24 Taiwan
203.66.185.0/24 Taiwan
205.147.21.161-205.147.21.168 USA
208.132.249.0-208.132.249.31 USA
208.138.110.0/24 USA
208.231.68.0/24 USA
208.44.107.32-208.44.107.63 USA
208.46.142.160-208.46.142.175 USA
208.58.129.224-208.58.129.239 USA
213.25.206.44-213.25.206.47 Poland
213.61.189.96-213.61.189.127 Germany
216.233.123.104-216.233.123.111 USA
216.233.22.128-216.233.22.135 USA
216.233.56.176-216.233.56.183 USA
216.233.56.184-216.233.56.191 USA
216.233.97.64-216.233.97.71 USA
It is interesting to note that none of the 192.193 IP blocks are routed to Europe. Citibank has thus registered unique individual blocks for its Europe-based branches, and is routing some of the class Cs in its 192.193 class B to Asia. It seems that many of the Citibank websites are running on "ISP blocks". If the idea is to get to the core of Citibank these sites might not be worthwhile to attack, as we are not sure that there is any connection with back-ends (sure, we cannot be sure that the Citibank registered blocks are more interesting, but at least we know that Citibank is responsible for those blocks).
Taking all mentioned information into account, we can start to build a map of Citibank around the globe. This exercise is left for the reader :)).
To Be Continued…………
Once you have your platform in good working order, you will need to know as much as possible about your target. In this chapter we look at "passive" ways to find information about the target. The target might be a company, a organization or a government. Where do you start your attack? This first step is gaining as much as possible information about the target - without them knowing that you are focussing your sniper scope on them. All these methods involve tools, web sites and programs that are used by the normal law abiding netizen.
Websites, MX records…DNS!
For the purpose of this document, let us assume that we want to attack CitiBank. (no hard feelings CitiBank). We begin by looking at the very obvious - www.citibank.com. You would be amazed by the amount one can learn from an official webpage. From the website we learn that Citibank has presence in many countries. Checking that Citibank have offices in Belgium we check the address of www.citibank.be and the Malaysian office www.citibank.com.my. The IP addresses are different - which means that each country' Citibank website is hosted inside the specific country. The website lists all the countries that Citibank operate in. We take the HTML source code, and try to find the websites in each country. Having a look around leaves us with 8 distinct countries. Maybe XXX.citybank.XXX is registered in the other countries? Doing a simple "host www.citibank.XXX" (scripted with all country codes and with .com and .co sub extensions of course) reveals that following sites:
www.citibank.as
www.citibank.at
www.citibank.be
www.citibank.ca
www.citibank.cc
www.citibank.ch
www.citibank.cl
www.citibank.co.at
www.citibank.co.cc
www.citibank.co.cx
www.citibank.co.dk
www.citibank.co.id
www.citibank.co.in
www.citibank.co.io
www.citibank.co.jp
www.citibank.co.ke
www.citibank.co.kr
www.citibank.co.nz
www.citibank.co.pl
www.citibank.co.pt
www.citibank.co.th
www.citibank.co.tv
www.citibank.co.tw
www.citibank.co.uk
www.citibank.co.vi
www.citibank.co.ws
www.citibank.com
www.citibank.com.ar
www.citibank.com.au
www.citibank.com.bh
www.citibank.com.bi
www.citibank.com.br
- 10 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
www.citibank.com.bs
www.citibank.com.co
www.citibank.com.ec
www.citibank.com.gt
www.citibank.com.gu
www.citibank.com.hk
www.citibank.com.ky
www.citibank.com.mo
www.citibank.com.mx
www.citibank.com.my
www.citibank.com.ph
www.citibank.com.pk
www.citibank.com.pl
www.citibank.com.pr
www.citibank.com.py
www.citibank.com.sg
www.citibank.com.tj
www.citibank.com.tr
www.citibank.com.tw
www.citibank.com.ws
www.citibank.cx
www.citibank.cz
www.citibank.de
www.citibank.es
www.citibank.fr
www.citibank.gr
www.citibank.hu
www.citibank.ie
www.citibank.io
www.citibank.it
www.citibank.lu
www.citibank.mc
www.citibank.mw
www.citibank.nl
www.citibank.nu
www.citibank.pl
www.citibank.ro
www.citibank.ru
www.citibank.tv
www.citibank.ws
www.citicorp.com
So much for websites - it is clear that many of these domains are used by cybersquatters - www.citibank.nu for example. We'll filter those. Also, most of above mentioned sites are simply aliases for www.citibank.com. These days most websites are hosted offsite. Mail exchangers are most of the time more closely coupled with the real network. Looking at the MX records for the domains (host -t mx citibank.XX) gives one a better idea of the IP numbers involved. Trying to do a zone transfer would also help a lot (host -l citibank.XXX). After some scripting it becomes clear which domains belongs to the real Citibank - all of these domain's MX records are pointing to the MX record for www.citibank.com, and their websites point to the official .com site. The theory that the MX records for the different branches are closer to the "satellite" network does not apply for Citibank it seems: (these are all MX records).
citibank.at is a nickname for www.citibank.com
citibank.ca is a nickname for www.citibank.com
citibank.ch is a nickname for www.citibank.com
citibank.cl is a nickname for www.citibank.com
citibank.co.at is a nickname for www.citibank.com
citibank.co.kr is a nickname for www.citibank.com
citibank.co.nz is a nickname for www.citibank.com
citibank.co.vi is a nickname for www.citibank.com
citibank.com.br is a nickname for www.citibank.com
citibank.com.bs is a nickname for www.citibank.com
citibank.com.ec is a nickname for www.citibank.com
citibank.com.gt is a nickname for www.citibank.com
citibank.com.gu is a nickname for www.citibank.com
citibank.com.ky is a nickname for www.citibank.com
citibank.com.mo is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.pk is a nickname for www.citibank.com
citibank.com.pl is a nickname for www.citibank.com
citibank.com.pr is a nickname for www.citibank.com
citibank.com.py is a nickname for www.citibank.com
citibank.com.sg is a nickname for www.citibank.com
citibank.com.tr is a nickname for www.citibank.com
citibank.cz is a nickname for www.citibank.com
citibank.gr is a nickname for www.citibank.com
citibank.hu is a nickname for www.citibank.com
citibank.ie is a nickname for www.citibank.com
citibank.it is a nickname for www.citibank.com
citibank.lu is a nickname for www.citibank.com
citibank.mc is a nickname for www.citibank.com
citibank.mw is a nickname for www.citibank.com
citibank.nl is a nickname for www.citibank.com
citibank.pl is a nickname for www.citibank.com
citibank.ro is a nickname for www.citibank.com
- 11 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
What about the rest of the countries - are all of them cybersquatter related, or have our friends at Citibank slipped up somewhere? Let's remove above-mentioned countries from our list, and have a look those than remain. Close inspection of all the rest of the domains shows that cyber squatters (in all sizes and forms) have taken the following domains:
citibank.as
citibank.cc
citibank.co.cx
citibank.co.dk
citibank.co.ke
citibank.co.pl
citibank.co.pt
citibank.co.tv
citibank.co.ws
citibank.com.bh
citibank.com.bi
citibank.com.tj
citibank.com.ws
citibank.cx
citibank.io
citibank.nu
citibank.tv
How about the rest? We find the following hosts and services belonging to Citibank (most of this is done with scripting, manual labor, and cross checking):
www.citibank.be has address 195.75.113.39
citibank.be name server ns.citicorp.com
citibank.be name server ns2.citicorp.com
citibank.co.id mail is handled (pri=20) by egate.citicorp.com
citibank.co.in has address 203.197.24.163
www.citibank.co.jp has address 210.128.74.161
citibank.co.jp name server NS2.citidirect.citibank.co.jp
citibank.co.th mail is handled (pri=20) by egate.citibank.com
citibank.com.ar mail is handled (pri=20) by mailer2.prima.com.ar
www.citibank.com.au has address 203.35.150.146
citibank.com.au name server ns.citibank.com
citibank.com.au name server ns2.citibank.com
www.citibank.com.co has address 63.95.145.165
citibank.com.co name server CEDAR1.CITIBANK.COM
citibank.com.co name server CEDAR2.CITIBANK.COM
webp.citibank.com.sg has address 192.193.70.5
citibank.com.mx mail is handled (pri=10) by green.citibank.com.mx
citibank.com.ph mail is handled (pri=20) by egate.citicorp.com
citibank.com.tw name server dns.citibank.com.tw
dns.citibank.com.tw has address 203.66.185.3
www.citibank.com.tw has address 203.66.185.1
citibank.com.tw name server home1.citidirect.citibank.com.tw
citibank.ru has address 194.135.176.81
www.citibank.de has address 195.75.113.49
www.citibank.de has address 195.145.1.166
www.citibank.com has address 192.193.195.132
and the obvious official .com sites and MX records. But the real prize is German Citibank. In the checking scripts we also check if a DNS zone transfer was possible. In all of the domains tested a ZT was denied. All but Germany:
ehbtest.Citibank.DE has address 195.75.113.25
ehbweb.Citibank.DE has address 195.75.113.49
inter.Citibank.DE has address 193.96.156.103
localhost.Citibank.DE has address 127.0.0.1
www.Citibank.DE has address 195.145.1.166
www.Citibank.DE has address 195.75.113.49
ehbdns.Citibank.DE has address 195.145.1.166
public.Citibank.DE has address 193.96.156.104
- 12 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
From all of the above we can now begin to compile a list of IP numbers belonging to Citibank all over the world. We take the list, sort it, and remove any duplicates if there are any. The end result is:
148.242.127.200
192.193.195.132
192.193.195.194
192.193.195.195
192.193.195.210
192.193.196.210
192.193.70.5
192.193.77.166
193.96.156.103
193.96.156.104
194.135.176.81
195.145.1.166
195.75.113.10
195.75.113.11
195.75.113.25
195.75.113.39
195.75.113.49
200.42.0.133
203.197.24.163
203.35.150.146
203.66.185.1
203.66.185.20
203.66.185.3
210.128.74.161
63.95.145.165
Once we have these IP numbers we can go much further. We could see the netblocks these IP numbers belongs to - this might give us more IP numbers. Later these IP numbers could be fed to port scanners or the likes. Another technique is to do "reverse resolve scanning". Here one reverse resolves the subnet to see if there are other interesting DNS entries.
RIPE, ARIN, APNIC and friends
The WHOIS queries (via RIPE, ARIN,APNIC) show some interesting information. (By doing a query on "*citibank*", we find many more blocks that was not revealed in the host finding exercise!)
Citicorp Global Information Network (NETBLK-CITICORP-C)
Netblock: 192.193.0.0 - 192.193.255.0
inetnum: 195.145.1.144 - 195.145.1.255
netname: DA-CITIBANK
descr: Citibank Privatkunden AG, Germany
inetnum: 195.75.113.0 - 195.75.113.255
netname: DE-CITIBANK-NET
descr: Network of Citibank Privatkunden AG
inetnum 203.197.24.160 - 203.197.24.191
netname CITIBANKMUMBAI
descr Leased - CITIBANK Mumbai
Other blocks discovered with RIPE search:
inetnum: 193.32.128.0 - 193.32.159.255
netname: CITI-EMBA
descr: Citibank N.A.
inetnum: 194.41.64.0 - 194.41.95.255
netname: CITIBANK
descr: CITIBANK (SWITZERLAND)
inetnum: 194.50.218.0 - 194.50.218.255
netname: CITILAN
descr: CITIBANK PRAGUE
inetnum: 62.184.117.0 - 62.184.117.255
netname: GB-CITIBANKSAVINGS-NET
descr: Network of Citibank Savings
inetnum: 195.183.49.128 - 195.183.49.143
netname: GB-CITIBANKSAVINGS-NET2
descr: Network of Citibank Savings
inetnum: 194.69.69.160 - 194.69.69.167
netname: CITIBANK-ISP
descr: TRAX network
inetnum: 195.235.80.200 - 195.235.80.207
netname: CITIBANK
descr: VPN public addresses
inetnum: 194.108.183.32 - 194.108.183.47
netname: CITIBANK-CZ
descr: Citibank, a. s.
inetnum: 62.200.100.0 - 62.200.100.31
netname: DE-CITIBANK-NET4
descr: Network of Citibank Privatkunden ag
inetnum: 213.25.206.44 - 213.25.206.47
netname: CITIBANK
descr: Citibank Poland
inetnum: 213.61.189.96 - 213.61.189.127
netname: DE-COLT-CITIBANK
descr: Citibank AG
inetnum: 62.157.214.240 - 62.157.214.247
netname: DTS-NET
descr: DTS für Citibank Privatkunden
inetnum: 62.225.11.144 - 62.225.11.151
netname: CITIBANKAG-FRANKFURT-NET
descr: Citibank AG
The following blocks were discovered with ARIN search:
63.236.56.224 - 63.236.56.255
CITIBANK (NETBLK-QWEST-JSV-ECITI-PVT)
261 Madison Avenue 3rd Floor
New York, ny 10016
USA
208.58.129.224 - 208.58.129.239
CITIBANK (NETBLK-EROLS-CUST-5136)
666 5TH AVENUE 3RD FLOOR
NEWYORK, NY 10103
USA
199.228.157.0 - 199.228.159.0
CITIBANK
RUESSELSHEIM, DE
205.147.21.161 - 205.147.21.168
CitiBank (NETBLK-SLIMCAT)
12731 W. Jefferson
Los Angeles, CA 90066
USA
200.42.11.80 - 200.42.11.87
Citibank (NETBLK-PRIMA-BLK-177)
Prilidiano Pueyrredon 2989
Villa Adelina, Buenos Aires B1607ABC
AR
196.28.49.0 - 196.28.49.31
Citibank (NETBLK-PRTC-196-28-49-0)
Ave. Las Cumbres
Guaynabo, PR
US
208.44.107.32 - 208.44.107.63
Citibank (NETBLK-QWEST-208-44-107-32)
6700 Citicorp Drive
Tampa, FL 33619
US
216.233.22.128 - 216.233.22.135
Citibank (NETBLK-RNCI-52044)
909 3rd Ave (15th floor)
New York, NY 10022-4731
USA
208.46.142.160 - 208.46.142.175
Citibank (NETBLK-QWEST-208-46-142-160)
Vision Drive
Enfield, CT 06082
US
63.80.165.128 - 63.80.165.159
Citibank (NETBLK-UU-63-80-165-128)
1 Vision Dr.
Enfield, CT 06082
US
192.209.110.0 - 192.209.110.255
Citibank - Washington DC (NET-QUOTRON-LAN47)
1001 Pennsylvania Avenue
Washington, DC 20004
198.73.228.0 - 198.73.239.0
Citibank Canada - Various Subnets
192.132.9.0 - 192.132.9.255
Citibank NA (NET-CITI-UK-EIS)
Lewisham House
15 Molesworth St.
London
SE13 7EX
United Kingdom
192.209.111.0 - 192.209.111.0
Citibank NA (NET-CITIBANKPARK)
399 Park Ave.
NYC, NY 10043
216.233.56.184 - 216.233.56.191
Citibank/Dan White (NETBLK-RNCI-52043)
600 Columbus Ave
New York, NY 10024-1400
USA
216.233.123.104 - 216.233.123.111
Citibank/Frank Kovacs (NETBLK-RNCI-DSLACI68828)
2 Vreeland Ct
East Brunswick, NJ 08816-3886
USA
216.233.97.64 - 216.233.97.71
Citibank/Orobona (NETBLK-RNCI-DSLACI56122)
4 Eastern Pkwy
Farmingdale, NY 11735
US
216.233.56.176 - 216.233.56.183
Citibank/Sztabnik AND Residence (NETBLK-RNCI-5516954206)
3547 Carrollton Ave
Wantagh, NY 11793-2929
USA
208.138.110.0 - 208.138.110.255
CITICORP (NETBLK-CW-208-138-110)
399 Park Ave. 6th Floor
New York, NY 10043
US
208.132.249.0 - 208.132.249.31
CITICORP VENTURE CAPITAL (NETBLK-CW-208-132-249-0)
399 PARK AVENUE
NEW YORK, NY 10043
US
159.17.0.0 - 159.17.255.255
Citicorp (NET-CITICORP-COM)
55 Water St.
44 Floor, Zone 7
New York, NY 10043
192.209.120.0 - 192.209.120.255
Citicorp (NET-CITICORPNY)
153 E. 53rd St. 5th Fl.
NYC, NY 10022
169.160.0.0 - 169.195.0.0
Citicorp (NET-CITICORP-B-BLK)
1900 Campus Commons Drive
Reston, VA 22091
208.231.68.0 - 208.231.68.255
Citicorp (NETBLK-UU-208-231-68)
909 3rd Avenue
New York City, NY 10022
US
63.67.86.0 - 63.67.86.255
Citicorp (NETBLK-UU-63-67-86)
2 Penn's Way
New Castle, DE 19720
US
63.71.124.192 - 63.71.124.255
Citicorp (NETBLK-UU-63-71-124-192)
1 Vision Drive
Enfield, CT 06082
US
63.72.243.0 - 63.72.243.255
Citicorp (NETBLK-UU-63-72-243)
1751 Pinnacle Drive
McLean, VA 22102
US
192.246.55.0 - 192.246.55.255
Citicorp Crossmar (NET-CITINET)
4 Sylvan Way
Parsippany, NJ 07054
63.74.88.64 - 63.74.88.79
Citicorp (NETBLK-UU-63-74-88-64)
6700 Citicorp Drive
Tampa, FL 33617
US
192.148.191.0 - 192.148.191.255
Citicorp Global Distibutions Systems (NET-CITIGDS)
1400 Treat Blvd.
Walnut Creek, CA 94596
163.35.0.0 - 163.39.255.255
Citicorp Global Information Network (NETBLK-CITICORP-B)
1 Court Square, 40th Floor
Long Island City, NY 11120
161.75.0.0 - 161.75.255.255
Citicorp Japan (NET-CITICORP-JP)
Citicorp Center Tokyo
2-3-14 Higashi-Shinagawa
Shinagawa-ku, Tokyo 140
Japan
192.48.247.0 - 192.48.247.255
Citicorp North American Investment Bank (NET-CCNAIBFIR)
55 Water Street, 44th Floor
New York, NY 10043
The following was discovered with APNIC:
(note! APNIC does not allow you to scan for words!!)
inetnum 203.66.184.0-203.66.184.255
netname CT-NET
descr Citibank Taiwan
inetnum 203.66.185.0 - 203.66.185.255
netname CT-NET
63.95.145.165
The IP numbers that do not fall in the above-mentioned blocks seem to be on ISP-like netblocks (the Russian block is marked as Space Research, though). ISP blocks are blocks of a network that the customer leases, but that are not specifically assigned to Citibank (in terms of AS numbers or netblocks).
We see that the blocks differ in size - some are just a few IPs, others a single class C, and some several class Cs. Let us break the list of blocks down into two categories - Class C or sub class C on the one side, and Class C+ on the other. We are left with a table that looks like this:
Class C or sub Class C:
Class C +:
199.228.157.0-199.228.159.0
198.73.228.0-198.73.239.0
194.41.64.0-194.41.95.255
193.32.128.0-193.32.159.255
159.17.0.0-159.17.255.255
161.75.0.0-161.75.255.255
163.35.0.0-163.39.255.255
169.160.0.0-169.195.0.0
192.193.0.0-192.193.255.255
Routed or not?
Given the sheer size of the Class C+ netblocks, it would take forever to do a reverse scan or traceroute to all the blocks. The European and some of the American blocks seem very straightforward - most of them are only parts of a subnet. Why not find out which networks in the larger netblocks are routed on the Internet? How do we do this? Only the core routers on the Internet know which networks are routed. We can get access to these routers - very easily, and totally legally. Such a router is route1.saix.net. We simply telnet to this giant of a Cisco router, do a show ip route | include [start of large netblock] and capture the output. This core router contains over 40 000 routes. Having done this for the larger netblocks, we find the following:
199.228.157.0-199.228.159.0 None
198.73.228.0-198.73.239.0 None
194.41.64.0-194.41.95.255 None
193.32.128.0-193.32.159.255
193.32.161.0/24
193.32.254.0/24
193.32.208.0/23
193.32.192.0/20
193.32.176.0/20
159.17.0.0-159.17.255.255 None
161.75.0.0-161.75.255.255 None
163.35.0.0-163.39.255.255 None
169.160.0.0-169.195.0.0 None
192.193.0.0-192.193.255.255
192.193.183.0/24
192.193.192.0/24
192.193.73.0/24
192.193.182.0/24
192.193.208.0/24
192.193.193.0/24
192.193.74.0/24
192.193.194.0/24
192.193.211.0/24
192.193.75.0/24
192.193.180.0/24
192.193.210.0/24
192.193.195.0/24
192.193.196.0/24
192.193.77.0/24
192.193.201.0/24
192.193.172.0/24
192.193.188.0/24
192.193.187.0/24
192.193.186.0/24
192.193.70.0/24
192.193.184.0/24
192.193.71.0/24
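The size split and the routed-prefix check from the two passages above, as an added example (not code from the original paper) written for a team inventorying its own address space. It matches routes by address containment instead of the textual include filter, so routes that only share leading octets with a registered range are reported separately; the ranges, prefixes and function names are constructed for illustration.

```python
import ipaddress

def parse_range(text):
    """Parse a WHOIS-style 'start - end' range into two IPv4Address objects."""
    start, end = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if end < start:
        raise ValueError(f"range runs backwards: {text!r}")
    return start, end

def size_class(start, end):
    """The split used above: at most 256 addresses, or more than a class C."""
    count = int(end) - int(start) + 1
    return "class C or smaller" if count <= 256 else "larger than class C"

def audit(registered, routed):
    """Relate routed prefixes to registered ranges by address arithmetic."""
    prefixes = [ipaddress.ip_network(p) for p in routed]
    matched, report = set(), {}
    for text in registered:
        start, end = parse_range(text)
        # More-specific routes that lie wholly inside the registered range.
        inside = [n for n in prefixes
                  if start <= n.network_address and n.broadcast_address <= end]
        # Aggregates (for example a provider's) that cover the whole range.
        covering = [n for n in prefixes if n not in inside
                    and n.network_address <= start and end <= n.broadcast_address]
        matched.update(inside, covering)
        report[text] = {"class": size_class(start, end),
                        "inside": [str(n) for n in inside],
                        "covered_by": [str(n) for n in covering]}
    # Routes that belong to none of the registered ranges.
    unmatched = [str(n) for n in prefixes if n not in matched]
    return report, unmatched

# Constructed sample data (private address space), not taken from the page.
REGISTERED = ["10.32.128.0 - 10.32.159.255",   # larger than a class C
              "10.193.0.0 - 10.193.255.255",   # a whole class B
              "172.16.5.32 - 172.16.5.47"]     # part of a provider's subnet
ROUTED = ["10.32.161.0/24", "10.32.176.0/20",  # textually '10.32.' but outside the range
          "10.193.70.0/24", "10.193.192.0/24",
          "172.16.0.0/16"]                     # provider aggregate

if __name__ == "__main__":
    report, unmatched = audit(REGISTERED, ROUTED)
    for rng, info in report.items():
        print(rng, info)
    print("in no registered range:", unmatched)
```

A registered range with an empty "inside" list and no covering aggregate is unannounced space, and anything in the unmatched list needs its ownership confirmed from the registry record rather than from the shared prefix.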
Traceroute & world domination
The blocks not marked with a "none" are routed on the Internet today. Where are these plus the smaller blocks routed? Since a complete class C network is routed to the same place, we can traceroute to an arbitrary IP within the block. We proceed to do so, tracerouting to the next available IP in the block (e.g. for netblock 62.157.214.240 we would trace to 62.157.214.241) in each netblock. Looking at the last confirmed hop in the traceroute should tell us more about the location of the block. Most of the European blocks are clearly defined - but what about the larger blocks such as the 192.193.0.0 block and the 193.32.0.0 block? The information gained is very interesting:
62.157.214.240-62.157.214.247 Germany
62.184.117.0/24 Not routed
62.200.100.0-62.200.100.31 Germany
62.225.11.144-62.225.11.151 Germany
63.236.56.224-63.236.56.255 USA
63.67.86.0/24 USA
63.71.124.192-63.71.124.255 USA
63.72.243.0/24 USA
63.74.88.64-63.74.88.79 USA
63.80.165.128-63.80.165.159 USA
192.132.9.0/24 Not routed
192.148.191.0/24 Not routed
192.193.172.0/24 USA
192.193.180.0/24 USA
192.193.182.0/24 USA
192.193.183.0/24 USA
192.193.184.0/24 USA
192.193.186.0/24 USA
192.193.187.0/24 USA
192.193.188.0/24 USA
192.193.192.0/24 USA
192.193.193.0/24 USA
192.193.194.0/24 USA
192.193.195.0/24 USA
192.193.196.0/24 USA
192.193.201.0/24 USA
192.193.208.0/24 USA
192.193.210.0/24 USA
192.193.211.0/24 USA
192.193.70.0/24 Singapore
192.193.71.0/24 USA
192.193.73.0/24 Singapore
192.193.74.0/24 Philippines
192.193.75.0/24 Singapore
192.193.77.0/24 Japan
192.209.110.0/24 Not routed
192.209.111.0/24 Not routed
192.209.120.0/24 Not routed
192.246.55.0/24 Not routed
192.48.247.0/24 Not routed
193.32.128.0/24 Not routed
193.32.161.0/24 UK
193.32.176.0/20 UK
193.32.192.0/20 UK
193.32.208.0/23 UK
193.32.254.0/23 UK
194.108.183.32-194.108.183.47 Czech Republic
194.50.218.0/24 Not routed
194.69.69.160-194.69.69.167 Not routed
195.183.49.128-195.183.49.143 Not routed
195.235.80.200-195.235.80.207 UK
195.75.113.0/24 Germany
196.28.49.0-196.28.49.31 USA
200.42.11.80-200.42.11.87 Argentina
203.197.24.0/24 India
203.66.184.0/24 Taiwan
203.66.185.0/24 Taiwan
205.147.21.161-205.147.21.168 USA
208.132.249.0-208.132.249.31 USA
208.138.110.0/24 USA
208.231.68.0/24 USA
208.44.107.32-208.44.107.63 USA
208.46.142.160-208.46.142.175 USA
208.58.129.224-208.58.129.239 USA
213.25.206.44-213.25.206.47 Poland
213.61.189.96-213.61.189.127 Germany
216.233.123.104-216.233.123.111 USA
216.233.22.128-216.233.22.135 USA
216.233.56.176-216.233.56.183 USA
216.233.56.184-216.233.56.191 USA
216.233.97.64-216.233.97.71 USA
It is interesting to note that none of the 192.193 IP blocks are routed to Europe. Citibank has thus registered unique individual blocks for its Europe-based branches, and is routing some of the class Cs in its 192.193 class B to Asia. It seems that many of the Citibank websites are running on "ISP blocks". If the idea is to get to the core of Citibank these sites might not be worthwhile to attack, as we are not sure that there is any connection with back-ends (sure, we cannot be sure that the Citibank registered blocks are more interesting, but at least we know that Citibank is responsible for those blocks).
Taking all mentioned information into account, we can start to build a map of Citibank around the globe. This exercise is left for the reader :)).
To Be Continued…………