
You're reading from  The Ultimate Kali Linux Book - Second Edition

Product type: Book
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801818933
Edition: 2nd Edition
Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Chapter 5: Exploring Active Information Gathering

The more information that's known about a target, the better prepared penetration testers are to simulate real-world cyberattacks with a higher chance of compromising the organization's assets. While passive information gathering techniques are very cool and awesome, we need to dig even deeper to gather specific information about the target, though this is not always made publicly available.

Active information gathering can be used to provide very useful results during the reconnaissance phase of a penetration test. With this active approach, the penetration tester makes direct contact with the actual target to gather specific details that Open Source Intelligence (OSINT) is unable to provide. Using active information gathering techniques, the penetration tester can create a very detailed profile of the target, gathering information such as the type of operating system, architecture, web applications, and even running...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Understanding active reconnaissance

Active information gathering uses a direct approach to engage the target; it involves making an actual connection between your attacker machine and the target network and systems. By performing active information gathering, you can gather specific and detailed data such as live hosts, running services and application versions, network file shares, and user account information.

Before launching any type of network-based attack, it's important to determine whether there are live systems on the network and that your target is online as well. Imagine launching an attack toward a specific system, only to realize the target is offline. Hence, it doesn't make sense to target an offline device as it would be unresponsive and risk detection.

Tip

Performing active information gathering does pose a risk of being detected.

Systems administrators and even cybersecurity professionals implement various techniques and security controls to...
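One way the detection that the Tip warns about works in practice, as an added example that is not from the book: a Python routine that parses constructed firewall log lines and flags a source that touches many distinct ports on a single host. The log format, the sample addresses and both thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the book): 10.0.0.5 probes
# many ports on one host; 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2022-02-01T10:00:01 DENY src=10.0.0.5 dst=10.0.0.20 dport=21 proto=tcp
2022-02-01T10:00:01 DENY src=10.0.0.5 dst=10.0.0.20 dport=22 proto=tcp
2022-02-01T10:00:01 ALLOW src=10.0.0.5 dst=10.0.0.20 dport=80 proto=tcp
2022-02-01T10:00:02 DENY src=10.0.0.5 dst=10.0.0.20 dport=135 proto=tcp
2022-02-01T10:00:02 DENY src=10.0.0.5 dst=10.0.0.20 dport=139 proto=tcp
2022-02-01T10:00:02 DENY src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp
2022-02-01T10:00:03 DENY src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2022-02-01T10:00:03 DENY src=10.0.0.5 dst=10.0.0.20 dport=3389 proto=tcp
2022-02-01T10:00:05 ALLOW src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp
2022-02-01T10:00:06 ALLOW src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect_port_scans(text, port_threshold=5, min_denied=3):
    """Flag (src, dst) pairs that touched at least port_threshold distinct
    destination ports with at least min_denied denied attempts. Both
    thresholds are assumed starting values to tune per environment."""
    ports, denied = defaultdict(set), defaultdict(int)
    for rec in parse_lines(text):
        key = (rec["src"], rec["dst"])
        ports[key].add(int(rec["dport"]))
        if rec["action"] == "DENY":
            denied[key] += 1
    return [{"src": s, "dst": d, "distinct_ports": len(p), "denied": denied[(s, d)]}
            for (s, d), p in ports.items()
            if len(p) >= port_threshold and denied[(s, d)] >= min_denied]

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible scan: {a['src']} -> {a['dst']} "
              f"({a['distinct_ports']} ports, {a['denied']} denied)")
```

A real deployment would window the counts by time and whitelist known scanners such as the vulnerability scanner the organization runs itself.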

Exploring Google hacking strategies

The concept of Google hacking, sometimes referred to as Google dorking, is not the process of hacking into Google's network infrastructure or systems, but rather using advanced search parameters within the Google search engine to filter specific results. Many organizations don't always pay close attention to which systems and resources they are exposing on the internet. Google is a very powerful search engine that crawls/indexes everything on the internet and filters most malicious websites. Since Google indexes everything, the search engine can automatically discover the hidden online directories, resources, and login portals of many organizations.

Important Note

Using Google hacking techniques is not illegal but there's a very fine line that you shouldn't cross; otherwise, you'll be in legal trouble. We can use Google hacking techniques to discover hidden and sensitive locations on the internet, but if you use such...

Exploring DNS reconnaissance

The DNS is an application layer protocol that allows a system such as a computer to resolve a hostname to an IP address. While there are so many devices on a network, especially on the internet, remembering the IP address of each web server is quite challenging. Using DNS, a system administrator can configure each device with both an IP address and a hostname. Using a hostname is a lot easier to remember, such as www.packtpub.com or www.google.com. However, do you know the IP addresses of the servers that are hosting those websites for Packt and Google? You probably don't, and that's OK because around the world on the internet, there is a hierarchy of special servers that contain the records of public hostnames and their IP addresses. These are known as DNS servers.

A DNS server is like a traditional telephone directory, with a list of people and their telephone numbers. On a DNS server, you can find records of the hostnames of people, as...

Enumerating subdomains

Every day, search engines such as Bing, Google, and Yahoo frequently learn and index new and existing websites to improve their search results. If you search for a company's website, you are likely to discover the main domain name, such as example.com. A lot of organizations create subdomains for various reasons, but as an aspiring penetration tester, discovering all the possible subdomains of a target organization can lead to sensitive locations and resources, such as login portals and sensitive corporate directories, which may contain confidential files and resources.

Working with DNSmap

DNSmap works a bit differently from the tools we looked at in the previous sections. DNSmap attempts to enumerate the subdomains of an organization's domain name by querying a built-in wordlist on Kali Linux. Once a subdomain has been found, DNSmap will also attempt to resolve the IP address automatically.

To get started using DNSmap, please use the following...

Profiling websites using EyeWitness

After discovering the subdomains of a target domain, it's important to check each one to determine which subdomain leads to a login portal or a sensitive directory of the organization. However, there may be a lot of subdomains to check manually, and this process can be very time-consuming. As an aspiring penetration tester, you can be strategic and use a tool such as EyeWitness, which allows you to automate the process of checking each subdomain within a file and taking a screenshot of them.

To get started using EyeWitness, please use the following instructions:

  1. On Kali Linux, open the Terminal area and use the following command to create an offline copy of EyeWitness:
    kali@kali:~$ git clone https://github.com/FortyNorthSecurity/EyeWitness
  2. Next, use the following commands to install EyeWitness on your Kali Linux system:
    kali@kali:~$ cd EyeWitness/Python/setup 
    kali@kali:~/EyeWitness/Python/setup$ sudo ./setup.sh
  3. Next, use the cd...

Exploring active scanning techniques

As an upcoming ethical hacker and penetration tester, you must understand how to leverage the power of various scanning techniques and tools to efficiently discover the host systems on your target network. Many organizations focus on securing their perimeter network and sometimes do not apply equal focus to securing their internal network. Quite often, you will discover that over 90% of a cyberattack or threat usually originates from the inside network. Even so, many organizations assume that an attacker will launch their attack from the internet, where it will be blocked by their network-based firewall.

The following diagram shows a simplified overview of a typical deployment of a firewall:

Figure 5.31 – Network-based firewall

As shown in the preceding diagram, the network-based firewall will filter traffic between networks such as the internal corporate network and the internet. However, threat actors are continuously...

Enumerating common network services

During the scanning phase, you discover host systems and identify any open service ports on an organization's network. In this section, you will learn how to use Metasploit to enumerate common network services.

Scanning using Metasploit

Metasploit is an exploitation development framework that allows cybersecurity professionals to exploit security vulnerabilities. Metasploit can also create custom payloads using the MSFVenom module, establish Command and Control (C2) operations, and perform post-exploitation techniques.

To start scanning using Metasploit, please use the following instructions:

  1. On Kali Linux, open the Terminal area and use the following commands to start the Metasploit framework:
    kali@kali:~$ sudo msfconsole
  2. Next, let's use the search command to filter for a list of port scanner modules within Metasploit:
    msf6 > search portscan

    As shown in the following screenshot, Metasploit provided a list of modules...

Performing user enumeration through noisy authentication controls

Enumeration allows both ethical hackers and penetration testers to gather specific information from their target systems, such as user accounts, system information, network connections, running processes, and more. Using the information that's been collected from enumeration allows a penetration tester to perform techniques to compromise the target.

As many organizations are using cloud-based email solutions such as Office 365 and Google Workspace for their employees, they are also synchronizing their Active Directory user database with the email services of their preferred cloud-based email provider. This means that an employee's login username is the same as the username portion of their email address.

To gain a better understanding of this, let's take a look at the following global login page for Office 365 users:

Figure 5.55 – Office 365 login page

As shown in...

Finding data leaks in the cloud

Over the past few years, cloud computing has become one of the fastest-growing trends in the IT industry. Cloud computing allows companies to migrate and utilize computing resources within a cloud provider's data center. Cloud computing providers have a pay-as-you-go model, which means that you only pay for the resources you use. Some cloud providers allow pay-per-minute schemes, while others use a pay-per-hour structure.

There are some very well-known cloud providers within the industry:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud

A common service that cloud providers usually offer to customers is a storage facility. The AWS storage facility is known as Simple Storage Service (S3). Whenever a customer enables the S3 service, a bucket is created. A bucket is a storage unit within the AWS platform where the customer can add or remove files. In Microsoft Azure, the file storage facility is known as Azure Files...

Summary

Having completed this chapter, you have gained some very awesome skills as an aspiring ethical hacker and penetration tester. You have learned how to use various strategies with popular tools to perform active reconnaissance on a target. You also learned how to perform DNS enumeration, discover subdomains, profile multiple websites using automation, discover live systems on a network, and enumerate services and data leaks in the cloud.

I hope this chapter has been informative for you and is helpful in your journey as an aspiring penetration tester, learning how to simulate real-world cyberattacks to discover security vulnerabilities and perform exploitation using Kali Linux. In the next chapter, Chapter 6, Performing Vulnerability Assessments, we will focus on how to use various vulnerability scanners to perform a security assessment of hosts on an organization's network.

Further reading

To learn more about what was covered in this chapter, take a look at the following resources:
