Introduction
Taco Lemur Security Team was tasked with mapping PETCO’s network using Recon-NG, gaining
more information necessary to social engineer, and performing wireless reconnaissance on the
University of Advancing Technology. The information required for the social engineering was
geared towards understanding the location where it would occur, in order to best fit in and seem less suspicious.
Overview
Recon-NG was used and the results were as expected based on all of our previous research. It was
interesting to discover the limited security of a PETCO store. The wireless reconnaissance
proved to be insightful, and the WEP cracking was a success.
Recon-NG Results
GHDB (Google Hacking Database) Module
The GHDB options below were selected, but Google was unable to parse them because
captchas were producing an error within the module.
Google_site_web Module
Metacrawler Module
Netcraft Module
Pgp_Search Module
This module returned 5 Petco email accounts belonging to employees we weren’t aware of or
weren’t tracking last week.
The five email accounts are:
a) Joel Williams – joelw@petco.com (E-commerce Operations – Petco)
b) Dion Chee – dionc@petco.com (Senior Systems Architect – Petco)
c) Vinoth Shunmugavelu – 239839@petco.com (Siebel CRM Architect – Petco)
d) Paul Curry – paulcu@petco.com (Unknown Title)
e) Dustin Schueneman – dustins@petco.com (SQL Server Database Administrator – Petco)
Reverse_resolve Module
Conducting a reverse lookup on entire netblocks proved to be successful in finding further Petco
hosts.
Below you can see resolve32.petco.com being resolved from 209.203.77.32. This host name
doesn’t give much explanation. Banner grabbing and Netcraft don’t produce any results to
indicate this hostname is being used.
The below host names found via reverse lookup were also not on our previous list. Regardless,
smtp1.petco.com, smtp2.petco.com, smtpgate.petco.com, securewebdelivery.petco.com, and
dnr.petco.com didn’t provide any valuable intel through banner grabbing or Netcraft search.
However, knowing those host names exist can prove to be useful in a compromise or exfiltration
attempt.
Xssed Module
This module queries xssed.com to identify whether the given site is vulnerable to cross-site scripting,
but it didn’t return any vulnerabilities.
PETCO Store Surveillance
PETCO’s Corporate Headquarters is located in San Diego, California, so instead, we performed
surveillance on one of their local stores. We discovered that there are no security guards, no
cameras, and the back door to inventory was fully open and unsupervised. No vehicle passes are
necessary and, since there are no cameras, dumpster diving is possible. Employees wear name
cards instead of badges. The uniform appears to be very casual, with a name tag and an apron.
PETCO had three access points on the ceiling that utilized WPA2-PSK.
WEP Crack
WEP Key – 0B:4E:D3:F6:7C:C5:40:FE:98:36:BA:A6:52
It’s important to note that the cracking of WEP was very simple. Fortunately, there are tools out
there, such as aircrack-ng, to help you with the process of cracking.
Tools/Websites Used
Recon-NG
Kismet
aircrack-ng