Chapter 4. Intelligence Gathering

Actionable information is the key to success when performing a penetration test. The amount of public data that is available on the Internet is staggering, and sifting through it all to find useful information can be a daunting task. Luckily, there are tools available that assist in gathering and sorting through this wealth of knowledge. In this chapter, we will review some of these tools and focus on how to use the information to ensure your penetration tests are efficient, focused, and effective. Key topics covered include:

  • What is reconnaissance and why do we need it?
  • Reconnaissance types
  • Using DNS to quickly identify potential targets
  • Using search engine data
  • Using metadata to your advantage

    Tip

    Throughout this chapter, we will use the domain names example.com, example.org, and example.net, which are owned and maintained by IANA. Do not use these for practice purposes.

    These domain names are used as a representation of a domain that you own and/or have permission to use as a target for your testing. Ideally, you would set up a segmented and controlled virtual lab with DNS servers that allows you to test all of these commands at your leisure. For this, refer to the Packt book Building Virtual Pentesting Labs for Advanced Penetration Testing.

Introducing reconnaissance

Penetration testing is most effective when you have a good grasp of the environment being tested. Sometimes this information will be presented to you by the corporation that hired you; other times, you will need to go out and perform your reconnaissance to learn even the most trivial of items. In either case, make sure to have the scope clarified in the rules of engagement prior to conducting any work, including reconnaissance.

Many corporations are not aware of the types of data that can be found and used by attackers in the wild. A penetration tester will need to bring this information to light. You will be providing the business with real data that they can then act upon in accordance with their appetite for risk. The information that you will be able to find will vary from target to target, but will typically include items such as IP ranges, domain names, e-mail addresses, public financial data, organizational information, technologies used, job titles, phone numbers, and much more. Sometimes you may even be able to find confidential documents or private information that is readily available to the public via the Internet. It is possible to fully profile a corporation prior to sending a single packet to the organization's network.

The primary goal of the passive reconnaissance stage is to gather as much actionable data as possible while leaving as few indicators as possible that anyone has been searching for it.

    Tip

    Passive reconnaissance avoids direct contact with the target network. Querying third-party sources such as search engines, public registries, and cached copies of pages is passive; anything that sends packets to systems the target operates, including its own authoritative DNS servers, is active and may be logged.

The information gained will be used to recreate the types of systems that you expect to encounter while testing, provide the information necessary to perform effective social engineering attacks or physical breaches, and determine if there are external devices such as routers or switches that still use the default usernames and passwords. Odds are that in a highly secured environment things will not be quite that easy, but making assumptions is not recommended when performing penetration testing. Things that should be common sense are sometimes overlooked when dealing with complex network configurations that support thousands of users.

The types of reconnaissance we will focus on are Open-Source Intelligence (OSINT) and footprinting. All of the sources we use will be freely available, but it is worth noting that there are paid services on the Internet that could be used as well:

  • OSINT: This consists of gathering, processing, and analyzing publicly available data and turning it into information that is actionable. Publicly available data sources include, but are not limited to, the following:
    • Public records from courthouses, tax filings, and so on
    • Search engines
    • Conferences
    • Academic sources
    • Blogs
    • Research reports
    • Metadata from pictures, executables, documents, and so on
  • Footprinting: This is used to non-intrusively enumerate the network environment. The results are used to locate possible vulnerabilities, and to provide information about the types of systems, software, and services that are running on the target network. The types of information that can be gained while performing non-intrusive footprinting include:
    • Name servers
    • IP ranges
    • Banners
    • Operating systems
    • Whether an IDS/IPS is in use
    • Technologies used
    • Publicly available documents
    • Network device types

This wealth of information is extremely useful when conducting a penetration test.

Reconnaissance workflow

Reconnaissance is most effective when performed methodically. There are three major stages that should be followed when performing your recon, shown in the workflow figure below:

[Figure: Reconnaissance workflow]

As an example of how this workflow is to be used, let's pretend we are working on a penetration test involving a fictional company. This company has publicly available information regarding its externally facing routers.

  • Phase 1: We were able to validate that the IP ranges that we were given during the initial planning stage actually belong to our client.
  • Phase 2: Sifting through the data, we find that several routers are configured in a default state, and logon credentials have never been changed. We verify the information is accurate and move on to the next phase.
  • Phase 3: Based on the validated information gathered, we determine that our best method of gaining a foothold on the network is to compromise the external routers and work our way in from there.

We demonstrated a simplified example of how this workflow can be used. In the real world, there will be many variables that will influence your decisions on which systems to target. The information you gather during the reconnaissance phase of your testing will be a determining factor in how successful and thorough your penetration test will be.
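Phase 1 of the workflow above, confirming that the ranges handed over in the rules of engagement are actually registered to the client, is worth automating before a single packet is sent. The following is an added example and not code from the book: it takes the scoped ranges and a netblock registry and classifies each range as confirmed, foreign, unregistered, or straddling more than one registration. The registry (NETBLOCK_REGISTRY) is a constructed stand-in for what WHOIS/RDAP lookups against the regional registry would return, and it uses only IANA documentation address ranges; the organization names and the function names are assumptions for illustration.

```python
"""Phase 1 scope validation: confirm that every IP range in the rules of
engagement is registered to the client before any traffic is sent.
Added example, not from the book.  The registry below is constructed to
stand in for RDAP/WHOIS results and uses IANA documentation ranges only."""
import ipaddress

# Constructed netblock registration data (assumption: in a real engagement
# this is populated from RDAP/WHOIS queries against the RIR).
NETBLOCK_REGISTRY = [
    {"cidr": "198.51.100.0/24",  "org": "Example Corp"},
    {"cidr": "203.0.113.0/25",   "org": "Example Corp"},
    {"cidr": "203.0.113.128/25", "org": "Unrelated Hosting Ltd"},
    {"cidr": "192.0.2.0/24",     "org": "Example Corp (legacy)"},
]


def validate_scope(scoped_ranges, registry, client_org):
    """Classify each scoped range against the registry.

    Returns a dict mapping the range string to one of:
      "confirmed"    - wholly inside a netblock registered to client_org
      "foreign"      - wholly inside a netblock registered to someone else
      "unregistered" - no netblock in the registry covers it
      "straddles"    - overlaps more than one registration and must be
                       split and re-checked before it is accepted
    The org comparison is exact after case/whitespace normalisation, so a
    near-miss such as "Example Corp (legacy)" is reported as foreign for a
    human to decide on, rather than silently accepted.
    """
    blocks = [(ipaddress.ip_network(e["cidr"]), e["org"]) for e in registry]
    want = client_org.strip().lower()
    report = {}
    for rng in scoped_ranges:
        net = ipaddress.ip_network(rng, strict=False)
        covering = [(blk, org) for blk, org in blocks if net.subnet_of(blk)]
        if covering:
            # The smallest covering block is the most specific registration.
            _, org = min(covering, key=lambda t: t[0].num_addresses)
            report[rng] = "confirmed" if org.strip().lower() == want else "foreign"
        elif any(net.overlaps(blk) for blk, _ in blocks):
            report[rng] = "straddles"
        else:
            report[rng] = "unregistered"
    return report


def confirmed_ranges(report):
    """Only ranges marked 'confirmed' may proceed to phase 2."""
    return sorted(r for r, status in report.items() if status == "confirmed")


if __name__ == "__main__":
    # Constructed scope list as it might appear in a rules-of-engagement document.
    scope = ["198.51.100.0/24", "203.0.113.0/24", "203.0.113.64/26",
             "192.0.2.0/24", "203.0.113.200/29", "100.64.0.0/24"]
    result = validate_scope(scope, NETBLOCK_REGISTRY, "Example Corp")
    for rng, status in result.items():
        print(f"{rng:20} {status}")
    print("proceed with:", confirmed_ranges(result))
```

The "straddles" case is the one that most often slips through manual review: a client supplies a /24 but only holds the lower /25, and the upper half belongs to a neighbouring tenant who never agreed to be tested. Anything not marked confirmed goes back to the client for clarification before phase 2 begins.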
