Actionable information is the key to success when performing a penetration test. The amount of public data that is available on the Internet is staggering, and sifting through it all to find useful information can be a daunting task. Luckily, there are tools available that assist in gathering and sorting through this wealth of knowledge. In this chapter, we will be reviewing some of these tools and focus on how to use the information to ensure your penetration tests are efficient, focused, and effective. Key topics covered include:
Throughout this chapter, we will use the domain names example.com, example.org, and example.net, which are owned and maintained by IANA. Do not use these for practice purposes.
These domain names are used as a representation of a domain that you own and/or have permission to use as a target for your testing. Ideally, you would set up a segmented and controlled virtual lab with DNS servers that allows you to test all of these commands at your leisure. For this, refer to the Packt book Building Virtual Pentesting Labs for Advanced Penetration Testing.
Penetration testing is most effective when you have a good grasp of the environment being tested. Sometimes this information will be presented to you by the corporation that hired you; other times, you will need to go out and perform your reconnaissance to learn even the most trivial of items. In either case, make sure to have the scope clarified in the rules of engagement prior to conducting any work, including reconnaissance.
Many corporations are not aware of the types of data that can be found and used by attackers in the wild. A penetration tester will need to bring this information to light. You will be providing the business with real data that they can then act upon in accordance with their appetite for risk. The information that you will be able to find will vary from target to target, but will typically include items such as IP ranges, domain names, e-mail addresses, public financial data, organizational information, technologies used, job titles, phone numbers, and much more. Sometimes you may even be able to find confidential documents or private information that is readily available to the public via the Internet. It is possible to fully profile a corporation prior to sending a single packet to the organization's network.
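To make the kind of profile just described concrete, here is an added example (not code from the book) that aggregates findings from a handful of constructed "public" documents: a job posting, a press release, and a DNS TXT record. The sample text, the source names, and the keyword list are all made up for illustration. It extracts e-mail addresses, hostnames, phone numbers, IP ranges, and technology mentions, records which source each item came from, and then filters the hostnames down to those under the apex domain named in the rules of engagement, so that third-party infrastructure is not mistaken for an in-scope target.

```python
import re
from collections import defaultdict

# Constructed sample "public" documents (not real data) of the kind a
# tester collects during passive reconnaissance: a job posting, a press
# release and a DNS TXT (SPF) record. Keys are the source names.
SAMPLE_DOCUMENTS = {
    "job_posting": (
        "Example Corp is hiring a Senior SysAdmin. Must know Cisco IOS, "
        "Microsoft Exchange 2016 and Apache Tomcat. Apply to jobs@example.com "
        "or call +1-555-010-0100."
    ),
    "press_release": (
        "Contact: press@example.com, 555-010-0199. Our partner portal "
        "lives at portal.example.com and the VPN gateway at vpn.example.com."
    ),
    "dns_txt": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
}

# Extraction patterns. The host pattern is deliberately narrow (lower-case
# labels, a few TLDs) so that ordinary prose is not mistaken for hostnames.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|org|net)\b")
PHONE_RE = re.compile(r"\+?1?-?\d{3}-\d{3}-\d{4}")
CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")
TECH_KEYWORDS = ("Cisco IOS", "Microsoft Exchange", "Apache Tomcat")  # illustrative list


def extract_technologies(text):
    """Return product names mentioned literally, plus inferences from SPF."""
    found = [kw for kw in TECH_KEYWORDS if kw in text]
    # An SPF include pointing at Microsoft's mail infrastructure reveals the
    # mail provider without ever sending a packet to the target's network.
    if text.startswith("v=spf1") and "outlook.com" in text:
        found.append("Microsoft 365 mail hosting (inferred from SPF)")
    return found


def build_profile(documents):
    """Aggregate findings into category -> value -> sorted list of sources."""
    profile = defaultdict(lambda: defaultdict(set))
    extractors = {
        "emails": EMAIL_RE.findall,
        "hosts": HOST_RE.findall,
        "phones": PHONE_RE.findall,
        "ip_ranges": CIDR_RE.findall,
        "technologies": extract_technologies,
    }
    for source, text in documents.items():
        for category, extractor in extractors.items():
            for value in extractor(text):
                profile[category][value].add(source)
    # Freeze into plain dicts/lists so the result is easy to serialise.
    return {
        category: {value: sorted(sources) for value, sources in values.items()}
        for category, values in profile.items()
    }


def in_scope_hosts(profile, apex):
    """Keep only hosts under the apex domain named in the rules of engagement."""
    hosts = profile.get("hosts", {})
    return sorted(h for h in hosts if h == apex or h.endswith("." + apex))


if __name__ == "__main__":
    result = build_profile(SAMPLE_DOCUMENTS)
    for category, values in result.items():
        print(category)
        for value, sources in sorted(values.items()):
            print(f"  {value}  <- {', '.join(sources)}")
    print("in scope:", in_scope_hosts(result, "example.com"))
```

Recording the source of every item matters when you hand the results to the client: a finding they can trace back to their own job posting or DNS record is one they can act on. Note that spf.protection.outlook.com is correctly dropped by the scope filter, since it belongs to the mail provider and not to the organization being tested.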
The primary goal of the passive reconnaissance stage is to gather as much actionable data as possible while at the same time leaving few indicators that anyone has searched for the data.
The information gained will be used to recreate the types of systems that you expect to encounter while testing, provide the information necessary to perform effective social engineering attacks or physical breaches, and determine if there are external devices such as routers or switches that still use the default usernames and passwords. Odds are that in a highly secured environment things will not be quite that easy, but making assumptions is not recommended when performing penetration testing. Things that should be common sense are sometimes overlooked when dealing with complex network configurations that support thousands of users.
The types of reconnaissance we will be focused on include Open-Source Intelligence (OSINT) and footprinting. All of the sources we use will be freely available, but it is important to note that there are pay sites on the Internet that could be used as well:
This wealth of information is extremely useful when conducting a penetration test.
Reconnaissance is most effective when performed procedurally. There are three major stages that should be followed when performing your recon:
As an example of how this workflow is to be used, let's pretend we are working on a penetration test involving a fictional company. This company has publicly available information regarding its externally facing routers.
We demonstrated a simplified example of how this workflow can be used. In the real world, there will be many variables that will influence your decisions on which systems to target. The information you gather during the reconnaissance phase of your testing will be a determining factor in how successful and thorough your penetration test will be.