Local Tech Repair: Penetration Test Information Gathering

Tuesday, September 15, 2015

Penetration Test Information Gathering

After taking many classes on advanced penetration testing, I find that most of them are very basic when it comes to their subjects. So here are some resources to round out your penetration testing in more depth than the basics that most of these "Advanced" classes go through.

So we will be starting with information gathering/recon/competitive intelligence. All of these topics share the same concept and are legal or, at worst, a gray area to perform. At this stage we are not in any way attacking the target. This is where you will be spending the majority of your time.

A good standard to work from is the pentest standard that can be found here. The goal of information gathering is to learn everything you can about your target before starting any kind of attack at all.

Before we start gathering any information we will want to define the scope of what we are testing and looking at. At this point we will want to check which IP ranges we are looking at and what is actually in our scope. We want to be checking for things like content delivery networks, load balancers, IPSs, and really anything we can get our hands on. Enumerating the domain for subdomains, pages, job descriptions, and employee comments will all help us get information on the network, technologies, versions, attack targets, etc.

Some commonly used tools are Google, Bing (particularly ip:ipaddress), dnstools.com, passiverecon, halberd, and more. Depending on what you are looking for you will have different tools for it. Probably one of the largest tools for finding connections between pieces of information is Maltego. It will help gather and connect all the information you are collecting and build relationships between the pieces. The developers of Maltego have a list of 6 tutorials to get you going here. I would highly suggest learning Maltego and learning it well, especially if you have any social engineering to do (hint: you always do).

The key thing is keeping a central location where your team, or just you, can put the information together. Dradis is a large collaborative

After gathering some targets you can start mapping the actual systems you find that are in scope. Tools like nmap are commonly used. One key thing is to always export your data so that it can be imported into your database system: appending -oA to the end of your nmap command gives you the 3 major output formats, which can be imported into Metasploit and other tools. This will help you match services and targets against vulnerabilities you already have known-good exploits for, and it greatly speeds up the vulnerability assessment. Some things to learn are the different types of stealth scans and the advantages and disadvantages of each. Some IDS systems will have signatures for nmap scans, but most likely these are going to be lost in the noise, especially when done from the outside, because nmap scans are so common that it is hard to tell your scan from everyone else's. With that said it is still good to know these things, and a good article on the art of port scanning is here. Another nice thing about nmap is that you can script out these scans, so you do it once and have them set up and working for other engagements; more on that can be found here.

Another port scanner that is not nmap is Metasploit, which has its own auxiliary modules for scanning. A list of the different scanners and modules in Metasploit can be found here. For example, auxiliary/scanner/discovery/arp_sweep will let you do an ARP sweep to discover computers.

After discovery you move to threat modeling and determining what vulnerabilities may exist on the services and hosts discovered. Since most of this passes from the legal side into the gray area, only do this on services you own, as you may bring something down during a scan. Some popular tools for this are Nessus, OpenVAS, Nexpose, Nikto, and many more found here.
If you are using Nessus then I would highly suggest using it from within Metasploit so that you can easily import the results straight into the Metasploit database and quickly find vulnerabilities from those scans that you can then test to see if they are actually exploitable.

bing.com - ability to use ip: to check for shared hosting
google.com - ability to use Google dorks to check for common problems
passiverecon - general recon plugin to speed up recon
halberd - detects load balancing
dnstools - whois, IP ranges, detecting shared hosting, etc.
tracert - the ability to ping and traceroute from different continents rather than from your own IP
wafw00f - helps detect which web application firewall is in use
nmap - gold standard for network scanning
metasploit - gold standard for exploit launching
recon-ng - more information can be found here
Nessus - very common vulnerability scanner
openvas - free, open source vulnerability scanner you should be aware of
Nexpose - from the same creators as Metasploit, but for vulnerability scanning
Nikto - web vulnerability scanner

This is a quick overview of the information gathering that you will get in most of these "Advanced" classes. Still, these are the basics that you will need to know to actually do your job as a pentester.

Let me know what tricks, tips, and tools you prefer for information gathering during a pentest.

PS: search YouTube for examples on how to use each and you will find loads of resources.