Danny Ghazal

10/8/20
NTS330
Mike Vasquez
Recon

Step 1:

What is the name of the organization you chose? What do they do?

I chose Tesla. Tesla sells fully electric cars and has a space program as well.

What operating systems do they use on their web server? Why?

Tesla uses a BigIP web server.

curl -s -I tesla.com | grep Server

What web server are they using (Apache, IIS, etc.)? What version is it?

Apache is the web server, but the version isn’t specified.
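
The Server-header check above, extended to a second banner header (X-Powered-By) and written as an audit a site owner could run against their own responses. This is an added example, not part of the original report; the function name banner_audit and both sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which response headers disclose server software.
# Input : raw response headers on stdin, as printed by `curl -s -I <host>`.
# Output: one line per disclosing header, "name|value|version" ("-" if none).
# Note  : a banner names whatever answered the request, which may be a proxy
#         or load balancer in front of the origin server.

banner_audit() {
  tr -d '\r' | awk '
    {
      i = index($0, ":")
      if (i == 0) next                        # status line or blank line
      name  = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
      value = substr($0, i + 1)
      sub(/^[ \t]+/, "", value)
      if (name != "server" && name != "x-powered-by") next
      # A version is a product token followed by /digits, e.g. Apache/2.4.41
      if (match(value, "/[0-9][0-9A-Za-z._-]*"))
        ver = substr(value, RSTART + 1, RLENGTH - 1)
      else
        ver = "-"
      printf "%s|%s|%s\n", name, value, ver
    }'
}

# Constructed sample: verbose banners that reveal product and version.
SAMPLE_VERBOSE='HTTP/1.1 200 OK
Date: Thu, 08 Oct 2020 12:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html'

# Constructed sample: product name only, no version token.
SAMPLE_TERSE='HTTP/1.1 301 Moved Permanently
Server: BigIP
Location: https://www.example.com/'

printf '%s\n' "$SAMPLE_VERBOSE" | banner_audit
printf '%s\n' "$SAMPLE_TERSE" | banner_audit
```

A "-" in the third column means the header names a product but carries no version, which is the situation the answer above describes.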

Does it appear they are hosting their own web server?

There isn’t enough information to confidently state whether they are or they aren’t; the
curl command only gave very limited information.

What programming languages are used on the site?

The front end of the website is made with JavaScript. I went on the Tesla website and
used inspect element to check what the file extensions were. I’m assuming they are
probably using a different language for the backend. I tried looking for it but couldn’t find
anything.

What are the networks in use by the organization? List Ranges?

whois -h whois.apnic.net Tesla


https://ip-netblocks.whoisxmlapi.com/lookup-report/Jd95pO72pB

Does it appear they are hosting any other services from their network ranges? (Do Not
Scan network segments)

Yes, it does appear that they have other services; there are tons of different network
segments listed on ip-netblocks.whoisxmlapi.com.

What type of information did you turn up using search engines?

Using search engines, I was able to find out some information about the IP blocks that
Tesla owns. I tried finding other information about network infrastructure but couldn’t
get much without performing scans.

Step 2:

Identify key employees. Get names, positions, salary, phone #, and e-mail addresses.

Mike Anderson/ mikeanderson@tesla.com

Yoni Ramon/ yoni@tesla.com

Gagan Sachdev/ gsachdev@tesla.com

Siddhartha Maddi/ simaddi@tesla.com

Haim Grosman/ hgrosman@tesla.com

Elon Musk/ elon@tesla.com

James Glenn/ jglenn@tesla.com

Axel Faltin/ afaltin@tesla.com

David Wuertele/ dwuertele@tesla.com

Justin James/ jjames@tesla.com


Sam Vilain/ svilain@tesla.com

Additional:

noc@teslamotors.com

whoisrequest@markmonitor.com

admin@dnstinations.com

abusecomplaints@markmonitor.com

Phone Numbers:

1-(800)-745-9229

1-(415)-531-9336

44-(20)-3206-2220

1-(415)-531-9335

1-(208)-389-5770

1-(208)-389-5740

Additional Domains:


Do they participate in any professional organizations?

Elon Musk is a part of SpaceX, The Boring Company, and SolarCity.

Do they participate in any professional social media sites?

They all have a LinkedIn. I couldn’t find any other professional social media sites these
people are linked to.

Is anyone looking for a job?

No

Can you locate interesting corporate documentation, passwords, etc...?

I used Google dorking to try to find passwords, PDFs, and docx files.

The commands used were allintitle:password inurl:tesla filetype:log/pdf/docx after:2019

Each search I tried came up with no results.

Does your target company have any associations with other companies? E.g. partners

● AGC Automotive: windshields.


● Brembo: brakes.
● Fisher Dynamics: power seats.
● Inteva Products: instrument panel.
● Modine Manufacturing Co.: battery chiller.
● Sika: acoustic dampers.
● Stabilus: liftgate gas spring.
● ZF Lenksysteme: power steering mechanism.

Tesla also has a partnership with LG because they produce batteries.

Enumerate your targets Domain Name. Document all additional IP addresses that you
have discovered. (Add them to your current list)

https://ipinfo.io/AS394161

Netblock            Description            Num IPs
199.120.48.0/24     Tesla Motors, Inc.     256
199.120.49.0/24     Tesla Motors, Inc.     256
199.120.50.0/24     Tesla Motors, Inc.     256
199.120.51.0/24     Tesla Motors, Inc.     256
199.66.10.0/24      Tesla, Inc.            256
199.66.11.0/24      Tesla, Inc.            256
199.66.9.0/24       Tesla, Inc.            256
205.234.11.0/24     Tesla                  256
209.133.79.0/24     Tesla, Inc.            256
213.19.141.0/24     CUSTOMER-LAN           256
213.244.145.0/24    CUSTOMER LAN           256
62.67.197.0/24      Customer LAN           256
8.21.14.0/24        Level 3 Parent, LLC    256
8.45.124.0/24       Level 3 Parent, LLC    256

Use theharvester, available in your Kali Linux virtual machine, to search your company's
domain, e-mail, social media, etc....

Save the email addresses into a text file.

Save the hosts into a text file.

I used theHarvester to scan the tesla.com domain and didn’t receive any results.

help:

https://github.com/laramies/theHarvester

http://www.edge-security.com/theharvester.php

Create a visual map of your selected target's discovered systems. Identify network
address ranges, possible target systems and their purpose, routers, switches, etc...... Is
this their DMZ?

https://ip-netblocks.whoisxmlapi.com/lookup-report/Jd95pO72pB
I used Maltego to get a layout of the web domain’s infrastructure; this also provided
emails, alternate domains, social media accounts, and IP blocks.

Document your advanced Google search strings and their results.

Step 3

Using Recon-NG, perform a full recon on your target company. Document your results.
Did you find any additional useful or interesting info?

I ran the hackertarget module within recon-ng and was unable to find any new
information that wasn’t available within Maltego.

https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide

Use at least the following modules. You will need to get API keys...

Shodan

recon/domains-hosts/shodan_hostname
https://developer.shodan.io/

Bing

https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx

help

https://bitbucket.org/LaNMaSteR53/recon-ng

http://securenetworkmanagement.com/recon-ng-tutorial-part-1/

http://securenetworkmanagement.com/recon-ng-tutorial-part-2/

http://securenetworkmanagement.com/recon-ng-tutorial-part-3/

You need to research information that would be helpful for the social engineering
phase of your penetration test.

Physical layout of the company.

Security doors, guards, cameras, etc.....

Badges?

Vehicle passes?

Web Cams?
Digital dumpster diving.

How does the typical employee dress? Dress code?

At the end of your paper answer the following questions:


1. Is there anything that you found particularly useful or juicy during your
second phase of your information gathering exercise?
2. What tools and web sites did you use during this lab exercise?
