You're reading from The Ultimate Kali Linux Book - Third Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835085806
Edition: 3rd Edition

Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Summary

During this chapter, you have learned how to apply various Google hacking techniques to perform advanced search and filtering to identify sensitive directories and exposed resources on the internet. In addition, you have gained the hands-on skills needed to perform domain reconnaissance to collect and analyze DNS records, perform zone transfers, and identify sub-domains of a target. Furthermore, you have learned how to leverage specialized internet search engines to identify exposed assets of companies around the world, and gained a better understanding of how OSINT helps ethical hackers and penetration testers to develop a profile of their targets. I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path towards becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry with confidence and make...

Understanding active information

Using active reconnaissance techniques enables ethical hackers and penetration testers to use a more direct approach when engaging the target. For instance, many active reconnaissance techniques involve establishing a logical network connection between your attacker machines, such as Kali Linux, and the targeted systems over the network. With active reconnaissance, you can send specially crafted probes to collect specific details, for example, by doing the following:

  • Determining how many live hosts are on a network
  • Determining whether the targeted system is online
  • Identifying open port numbers and running services
  • Profiling the operating system on the targeted machine
  • Identifying whether the targeted system has any network shares

Therefore, before launching any type of network-based attack, it’s important to determine whether there are live systems on the network and whether the target is online. Imagine...

Profiling websites using EyeWitness

What do you do after discovering additional sub-domains of a targeted organization on the internet? A common and obvious practice would be to visit each sub-domain to determine whether it leads to a vulnerable web application or system that can be exploited to gain a foothold in the targeted organization’s network.

However, manually visiting each sub-domain can be quite time-consuming if you need to visit 100+ sub-domains for a targeted organization. As an aspiring ethical hacker and penetration tester, using a tool such as EyeWitness enables you to automate the process of checking and capturing a screenshot of each sub-domain. EyeWitness also has the capability of analyzing the response headers from HTTP messages and identifying default credentials in known login pages on a web application.

To get started using EyeWitness, please use the following instructions:

  1. Power on the Kali Linux virtual machine, open the Terminal...

Exploring active scanning techniques

As an aspiring ethical hacker and penetration tester, it’s essential to develop a solid understanding of how to leverage active scanning techniques to efficiently discover and profile targeted systems on an organization’s network. Unlike passive reconnaissance, active reconnaissance focuses on sending special probes directly to a targeted system to retrieve specific information that isn’t available from OSINT data sources. In addition, active scanning helps us gather accurate, current information about the target, whereas some OSINT data sources may hold outdated information.

Many organizations focus on securing their perimeter network and sometimes do not apply equal focus on securing their internal network (of the cyberattacks I’ve encountered in my career, 90% usually originate from inside the network). Due to this, many organizations think the attacker will launch their attack from the...

Using scanning evasion techniques

Whenever a packet is sent from one device to another, the source and destination IP addresses are included within the header of the packet. This is the default behavior of the TCP/IP networking model; all addressing information must be included within every packet before it is placed on the network. When performing a scan as an ethical hacker and penetration tester, we try to remain undetected in order to determine whether the security team of the targeted organization is capable of detecting the simulated cyberattack.

During a real cyberattack, if an organization is unable to detect suspicious activities and security incidents on their network and systems, the threat actor can simply achieve their objectives without obstructions. However, if an organization can detect suspicious activities as soon as they occur, the security team can take action quickly to contain and stop the threat while safeguarding their organization’s assets...
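The two points above, that every packet carries its source and destination addresses in its header and that a security team benefits from spotting scan activity as soon as it starts, can be shown together from the defender's side. The following is an added example, not code from the book or from any tool it covers: it builds a handful of constructed IPv4/TCP packets (no real capture, checksums left at zero), parses the addresses and ports straight out of the headers, and then flags any source that sends SYNs to an unusually large number of distinct ports on one host. The threshold of 10 ports is an assumed tuning value, not a figure from the text.

```python
import struct
from collections import defaultdict

SYN = 0x02
ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags=SYN):
    """Construct a minimal IPv4 header + TCP header (no options, no payload).

    Sample data only: checksums are zero and no packet is ever sent.
    """
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto(6=TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Pull the addressing information out of the headers.

    Returns None for anything that is not a well-formed IPv4/TCP packet.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                     # not TCP, or TCP header truncated
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]               # TCP flags byte
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def detect_port_scans(packets, threshold=10):
    """Flag (src, dst) pairs whose SYN-only probes touch >= threshold distinct ports.

    Returns a dict mapping each flagged pair to the sorted list of ports probed.
    """
    ports = defaultdict(set)
    for pkt in packets:
        info = parse_ipv4_tcp(pkt)
        if info is None:
            continue
        # A SYN without ACK is a new connection attempt; that is what a scanner sends.
        if info["flags"] & SYN and not info["flags"] & ACK:
            ports[(info["src"], info["dst"])].add(info["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def build_sample_traffic():
    """Constructed traffic: one host probing 15 ports, one host using only HTTPS."""
    pkts = [build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40000 + p, p) for p in range(1, 16)]
    pkts += [build_ipv4_tcp("10.0.0.7", "10.0.0.20", 51000 + i, 443) for i in range(5)]
    return pkts


if __name__ == "__main__":
    for pair, probed in detect_port_scans(build_sample_traffic()).items():
        print(f"possible scan from {pair[0]} against {pair[1]}: {len(probed)} ports {probed}")
```

Because the addresses are read directly from the IP header, the same parser works on any captured frame once the link-layer header is stripped; a real deployment would also bound the counting to a time window so that a slow scan spread over hours is not lost in the aggregate.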

Enumerating network services

While scanning, you will notice that there are common network services running on the targeted systems. Collecting more information on these network services can help you further identify shared network resources such as shared directories, printers, and file shares on the system.

Sometimes, these network services are misconfigured and enable a threat actor to gain unauthorized access to sensitive data stored on servers and other systems within an organization. By performing enumeration on the network services running on a targeted system, we’ll be able to identify user accounts, network shares, and password policies, and profile the target’s operating system. Using the information collected during enumeration helps us to better understand which security vulnerabilities exist and how to improve our plan of attack on the target.

Over the next few subsections, you will learn how to enumerate common network services such as SMB, the Simple...

Discovering data leaks in the cloud

Over the past decade, cloud computing has become one of the fastest-growing trends in the IT industry. Cloud computing allows companies to migrate and utilize computing resources within a cloud provider’s data center. Cloud computing providers have a pay-as-you-go model, which means that you only pay for the resources you use. Some cloud providers allow pay-per-minute models, while others use a pay-per-hour structure.

The following are popular cloud computing service providers and the storage services provided by them:

  • Amazon Web Services (AWS): The AWS storage facility is known as Simple Storage Service (S3). Whenever a customer enables the S3 service, a bucket is created. A bucket is a storage unit within the AWS platform where the customer can add or remove files.
  • Microsoft Azure: In Microsoft Azure, the file storage facility is known as Azure Files.
  • Google Cloud Platform: On Google Cloud, the storage facility...

Summary

In this chapter, you have gained hands-on skills as an aspiring ethical hacker and penetration tester to perform active scanning techniques to identify open ports, running services, and operating systems on targeted systems. In addition, you have learned how to use common evasion techniques during scanning to reduce your threat level. Furthermore, you have discovered how to enumerate common network services and leverage the information to improve a cyberattack.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry with confidence and make a significant impact. In the next chapter, Performing Vulnerability Assessments, you will learn how to set up and work with popular vulnerability management tools.

Further reading

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
