
Ape-Testing, LLC

Passive Reconnaissance of Petco P.3


2.11.2018

This Report was Prepared By:


Taco Lemur Security
Nicolas Bautista
Jaime Ibarra
Alyssa Evans
nicbauti@uat.edu
jaiibarr@uat.edu
alyevans@uat.edu
Table of Contents
Introduction
Overview
Recon-NG Results
PETCO Store Surveillance
University Wireless Reconnaissance
University Wireless Reconnaissance Images
WEP Crack
Tools/Websites Used

1|Page
Introduction
Taco Lemur Security was tasked with mapping PETCO’s network using Recon-NG, gathering
further information needed for social engineering, and performing wireless reconnaissance of the
University of Advancing Technology. The information required for the social engineering was
geared towards understanding the location where it would take place, in order to blend in and appear less suspicious.

Overview
Recon-NG was used, and its results were as expected based on all of our previous research. It was
interesting to discover how limited the physical security of a PETCO store is. The wireless reconnaissance
proved insightful, and the WEP crack was a success.

Recon-NG Results
GHDB (Google Hacking Database) Module
The GHDB options below were selected, but their queries could not be run against Google because
CAPTCHA challenges caused an error within the module.

Google_site_web Module

Metacrawler Module

Netcraft Module

Pgp_Search Module
This module turned up 5 Petco email accounts belonging to employees we were not aware of, or
were not tracking, last week.
The five email accounts are:
a) Joel Williams – joelw@petco.com (E-commerce Operations – Petco)
b) Dion Chee – dionc@petco.com (Senior Systems Architect – Petco)
c) Vinoth Shunmugavelu – 239839@petco.com (Siebel CRM Architect – Petco)
d) Paul Curry – paulcu@petco.com (Unknown Title)
e) Dustin Schueneman – dustins@petco.com (SQL Server Database Administrator – Petco)

Reverse_resolve Module
Conducting reverse lookups on entire netblocks proved successful in finding further Petco
hosts.
Below you can see resolve32.petco.com being resolved from 209.203.77.32. This hostname
gives little indication of its purpose; banner grabbing and Netcraft produce no results that would
show how it is being used.

The hostnames below, also found via reverse lookup, were not on our previous list either. That said,
smtp1.petco.com, smtp2.petco.com, smtpgate.petco.com, securewebdelivery.petco.com, and
dnr.petco.com did not provide any valuable intel through banner grabbing or a Netcraft search.
However, knowing that those hostnames exist can prove useful in a compromise or exfiltration
attempt.

Xssed Module
This module queries xssed.com to check whether the given site has a recorded cross-site scripting
vulnerability; it returned no vulnerabilities for Petco.

PETCO Store Surveillance
PETCO’s corporate headquarters is located in San Diego, California, so instead we performed
surveillance on one of their local stores. We found that there are no security guards and no
cameras, and the back door to the inventory area was fully open and unsupervised. No vehicle passes are
necessary, and since there are no cameras, dumpster diving is possible. Employees wear name
cards instead of badges. The uniform appears to be very casual: a name tag and an apron.
The store had three access points on the ceiling, all using WPA2-PSK.

University Wireless Reconnaissance


Relevant SSIDs
A. “DELL S500WI INTERACT” (Open)
B. “Scytale” (Open)
C. “heighliner” (WPA2)
D. (Hidden SSIDs)
Scytale IP Range
A. 172.17.0.0 /22
a. Broadcast: 172.17.3.255
b. First IP: 172.17.0.1
c. Last IP: 172.17.3.254
d. Gateway: 172.17.0.1
There are a total of 6 access points at UAT. They are scattered throughout the campus and
Founders Hall (the dorms). There is a lot of interference from student WiFi networks, as shown in
the images below. It is possible that some of the hidden SSIDs also belong to the university. We
were unable to identify the IP address range of the heighliner network because of its WPA2
encryption. UAT mainly uses ArubaNet access points, along with some Cisco access points.
The university’s Scytale WiFi is wide open and does not use any security whatsoever. However,
UAT does have an encrypted SSID named “heighliner” that is supposed to be solely for
professors/instructors. The “heighliner” SSID uses WPA2 (WPA+PSK WPA+AES-CCM). This
pre-shared-key setup would be better replaced with WPA2-Enterprise, where every user
authenticates with a username and a unique password instead of one static passphrase shared by
everyone.
Wardriving is the term for driving around scanning for wireless access points. The
right method is to pair a GPS device with the capturing tool, such as Kismet, so that each access
point is tied to a specific GPS coordinate. This lets the wardriver visually map where every
access point was seen. This matters when scanning a large area: you do not want to stop every
10 seconds to write down which access points showed up where.
There are many tools for detecting wireless networks, such as the built-in applications on our
Android phones and laptops. However, Kismet and NetStumbler are the two most common
tools used by penetration testers. Kismet is known for being more effective and less intrusive:
NetStumbler actively probes for access points, while Kismet does not. Kismet just sits back and
passively listens to everything it can hear.
When doing wireless recon at UAT, we saw Kismet pick up the BSSIDs of almost every access
point just by listening. It may be harder to extract BSSID information from other tools, such as
the applications built into mobile phones.
Every WiFi network has at least one SSID, but there may be multiple access points serving that
SSID; the only way to differentiate between them is by BSSID. A BSSID is essentially that access
point’s MAC address. This is valuable information because the first three octets of the MAC (the
OUI) will most likely reveal the manufacturer of the access point. Knowing the manufacturer makes
it simpler to look up known vulnerabilities for that model.
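The survey triage the wardriving, Kismet and BSSID paragraphs describe, as an added example that is not the report's own tooling: it groups the access points serving each SSID by BSSID, maps each BSSID to a vendor through a placeholder OUI table, keeps the GPS fix for plotting, and flags networks a defender should follow up on. All SSIDs, BSSIDs, coordinates and OUI entries are constructed for illustration.

```python
"""Wireless survey triage over Kismet-style scan rows (added example, not the
report's own tooling).  Groups the access points serving each SSID by BSSID,
maps each BSSID to a vendor via its OUI prefix, and flags configurations a
defender should follow up on.  Every row, BSSID, coordinate and OUI entry
below is constructed for illustration."""
from collections import defaultdict

# Constructed OUI table (first three octets -> vendor).  A real survey would
# load the full IEEE OUI registry; these entries are placeholders.
OUI_TABLE = {
    "00:0B:86": "Aruba Networks",
    "00:1A:2B": "Cisco Systems",
    "F0:9F:C2": "Ubiquiti",
}

# Constructed scan rows: (SSID, BSSID, encryption, latitude, longitude).
# An empty SSID stands for a hidden network.
SCAN_ROWS = [
    ("Scytale",    "00:0B:86:11:22:01", "Open",     33.4484, -112.0740),
    ("Scytale",    "00:0B:86:11:22:02", "Open",     33.4490, -112.0745),
    ("heighliner", "00:1A:2B:33:44:01", "WPA2-PSK", 33.4484, -112.0740),
    ("",           "F0:9F:C2:55:66:01", "WEP",      33.4491, -112.0738),
    ("DormNet",    "AA:BB:CC:77:88:01", "WPA2-PSK", 33.4500, -112.0750),
]

def vendor_for(bssid):
    """Look up the vendor from the OUI (first three octets of the BSSID)."""
    return OUI_TABLE.get(bssid.upper()[:8], "unknown")

def group_by_ssid(rows):
    """Return {ssid: [bssid, ...]}; hidden SSIDs are keyed as '<hidden>'."""
    groups = defaultdict(list)
    for ssid, bssid, *_ in rows:
        groups[ssid or "<hidden>"].append(bssid)
    return dict(groups)

def weak_networks(rows, staff_ssids=()):
    """Flag open or WEP networks, and staff SSIDs still on a shared PSK
    (WPA2-Enterprise/802.1X is the fix).  Each finding keeps the GPS fix so
    it can be plotted, as the wardriving workflow intends."""
    findings = []
    for ssid, bssid, enc, lat, lon in rows:
        if enc in ("Open", "WEP"):
            findings.append((bssid, ssid or "<hidden>", (lat, lon), f"{enc}: no protection"))
        elif ssid in staff_ssids and enc.endswith("PSK"):
            findings.append((bssid, ssid, (lat, lon), "staff SSID on shared PSK; use WPA2-Enterprise"))
    return findings
```

Calling `weak_networks(SCAN_ROWS, staff_ssids=("heighliner",))` flags both open Scytale radios, the hidden WEP network and the PSK-only staff SSID, while the student dorm network on WPA2-PSK is left alone.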
An FMS attack is a wireless attack used to recover the key from RC4-encrypted traffic; against
WEP it exploits weak initialization vectors in RC4’s key scheduling, using many captured packets.
FMS stands for Fluhrer, Mantin and Shamir.

University Wireless Reconnaissance Images

WEP Crack
WEP Key – 0B:4E:D3:F6:7C:C5:40:FE:98:36:BA:A6:52

It is important to note that cracking WEP was very simple. Fortunately, there are tools such as
aircrack-ng to help with the cracking process.

Tools/Websites Used
• Recon-NG
• Kismet
• aircrack-ng

