Advanced Penetration Testing for Highly-Secured Environments (Second Edition)

Introducing reconnaissance

Penetration testing is most effective when you have a good grasp of the environment being tested. Sometimes this information will be presented to you by the corporation that hired you; other times, you will need to go out and perform your reconnaissance to learn even the most trivial of items. In either case, make sure to have the scope clarified in the rules of engagement prior to conducting any work, including reconnaissance.

Many corporations are not aware of the types of data that can be found and used by attackers in the wild. A penetration tester will need to bring this information to light. You will be providing the business with real data that they can then act upon in accordance with their appetite for risk. The information that you will be able to find will vary from target to target, but will typically include items such as IP ranges, domain names, e-mail addresses, public financial data, organizational information, technologies used, job titles, phone numbers, and much more. Sometimes you may even be able to find confidential documents or private information that is readily available to the public via the Internet. It is possible to fully profile a corporation prior to sending a single packet to the organization's network.

The primary goal of the passive reconnaissance stage is to gather as much actionable data as possible while at the same time leaving few indicators that anyone has searched for the data.

Tip

Passive reconnaissance avoids direct contact with the target network.

The information gained will be used to recreate the types of systems that you expect to encounter while testing, to provide the details needed for effective social engineering attacks or physical breaches, and to identify external devices such as routers or switches that may still be using their default usernames and passwords. Odds are that in a highly secured environment things will not be quite that easy, but assumptions are not recommended when performing penetration testing: things that should be common sense are sometimes overlooked in complex network configurations that support thousands of users.

The types of reconnaissance we will be focused on include Open-Source Intelligence (OSINT) and footprinting. All of the sources we use will be freely available, but it is important to note that there are pay sites on the Internet that could be used as well:

  • OSINT: This consists of gathering, processing, and analyzing publicly available data and turning it into information that is actionable. Publicly available data sources include, but are not limited to, the following:
    • Public data from courthouses, tax forms, and so on
    • Search engines
    • Conferences
    • Academic sources
    • Blogs
    • Research reports
    • Metadata from pictures, executables, documents, and so on
  • Footprinting: This is used to non-intrusively enumerate the network environment. The results are used to locate possible vulnerabilities, and to provide information about the types of systems, software, and services that are running on the target network. The types of information that can be gained while performing non-intrusive footprinting include:
    • Name servers
    • IP ranges
    • Banners
    • Operating systems
    • Determining if IDS/IPS is used
    • Technologies used
    • Publicly available documents
    • Network device types

This wealth of information is extremely useful when conducting a penetration test.

Reconnaissance workflow

Reconnaissance is most effective when performed procedurally. There are three major stages that should be followed when performing your recon, each building on the validated output of the one before it.

As an example of how this workflow is to be used, let's pretend we are working on a penetration test involving a fictional company. This company has publicly available information regarding its externally facing routers.

  • Phase 1: We were able to validate that the IP ranges that we were given during the initial planning stage actually belong to our client.
  • Phase 2: Sifting through the data, we find that several routers are configured in a default state, and logon credentials have never been changed. We verify the information is accurate and move on to the next phase.
  • Phase 3: Based on the validated information gathered, we determine our best method of gaining a toe-hold on the network is to compromise the external routers and work our way in from there.

We demonstrated a simplified example of how this workflow can be used. In the real world, there will be many variables that will influence your decisions on which systems to target. The information you gather during the reconnaissance phase of your testing will be a determining factor in how successful and thorough your penetration test will be.
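Phase 1 above, together with the rules-of-engagement note at the start of the chapter, boils down to two checks that are worth automating before any packet is sent: is every address we found inside the authorised ranges, and are those ranges really registered to the client? The following Python script is an added example, not the book's code. It loads the authorised CIDR ranges from a hypothetical rules-of-engagement list, sorts discovered hosts into in-scope and out-of-scope, and confirms that a registry record for the range names the client as registrant. The RDAP record is a constructed, simplified stand-in for what a regional registry's RDAP service returns; 203.0.113.0/24, 2001:db8:10::/48, 198.51.100.7 and Example Corp are documentation values, not a real client.

```python
"""Scope checks for reconnaissance targets (added example; not from the book).

Two things a tester confirms before touching anything:
  1. every address found during recon lies inside the CIDR ranges the
     rules of engagement authorise
  2. those ranges are really registered to the client, using the registry's
     RDAP record for the range
A constructed, simplified RDAP record is embedded so the script runs offline;
a live one would come from e.g. https://rdap.arin.net/registry/ip/<address>.
"""
import ipaddress
import json

# Hypothetical rules of engagement: the only ranges the client authorised.
ROE_SCOPE = ["203.0.113.0/24", "2001:db8:10::/48"]

# Constructed RDAP-style 'ip network' object for the IPv4 range.
RDAP_RECORD = json.dumps({
    "objectClassName": "ip network",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-CORP-NET",
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Corp"],
        ]],
    }],
})


def load_scope(cidrs):
    """Parse authorised ranges. strict=True rejects entries such as
    203.0.113.5/24, whose host bits would otherwise be silently masked off
    and could widen (or misstate) the agreed scope."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_scope(host, scope):
    """True only if host falls inside at least one authorised range."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in scope)


def partition_targets(hosts, scope):
    """Split discovered hosts into (in_scope, out_of_scope) lists."""
    inside, outside = [], []
    for h in hosts:
        (inside if in_scope(h, scope) else outside).append(h)
    return inside, outside


def registrant_name(record):
    """Return the registrant entity's formatted name ('fn') from an RDAP
    record, or None if there is no registrant."""
    for ent in record.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                return prop[3]
    return None


def validate_range(cidr, rdap_json, expected_org):
    """Check that the registry record covers the whole CIDR and that the
    registrant is the organisation that hired us."""
    record = json.loads(rdap_json)
    net = ipaddress.ip_network(cidr, strict=True)
    start = ipaddress.ip_address(record["startAddress"])
    end = ipaddress.ip_address(record["endAddress"])
    # Version check first so IPv4/IPv6 are never compared (that raises).
    covered = (net.version == start.version
               and start <= net[0] and net[-1] <= end)
    owner = registrant_name(record)
    return {
        "covered": covered,
        "owner": owner,
        "owner_matches": (owner is not None
                          and owner.casefold() == expected_org.casefold()),
    }


if __name__ == "__main__":
    scope = load_scope(ROE_SCOPE)
    # Constructed hosts "discovered" during recon; 198.51.100.7 sits in a
    # neighbouring range and must not be touched.
    found = ["203.0.113.10", "203.0.113.254", "198.51.100.7", "2001:db8:10::1"]
    inside, outside = partition_targets(found, scope)
    print("in scope    :", inside)
    print("OUT of scope:", outside)
    print(validate_range("203.0.113.0/24", RDAP_RECORD, "Example Corp"))
```

Anything that lands in the out-of-scope list goes back to the client for a written scope change, not into the target list; a registry record whose registrant does not match the client is the same conversation, since a range the client believes is theirs may be a provider's or a former tenant's.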