In this chapter, we will cover the following topics:
In this chapter, you will learn the skills necessary to gather information about your target environment. We will spend time trying to identify as much information as possible. The more information we can gather will provide us with more potential vectors for possible penetration in the environment as well as make those penetration attempts more successful. We will gather domain names, IP subnets, hosts, routing information, as well as other useful information. You will also learn how to keep track of this data, so we can refer to it in the future as we progress through our penetration testing environment.
We will explore the application KeepNote and how you can use it to capture the information we discover during our testing.
It will be very important for you to record all the information in detail, as this information will be useful in later chapters, as well as for the reports that you need to create for your customer. Kali actually provides some useful purpose-built tools for recording your information. Don't reinvent the wheel; if you have already used a note taking tool like Microsoft OneNote or EverNote, just stick to it. However, if you don't do this, Kali does provide a cross-platform, note-taking application called KeepNote that you can use if you don't have a preference. But always remember that, as a penetration tester, you are gathering information that can be used to do great harm to a customer, so remember security...
We will be using the maltego community edition (Maltego CE) for several more recipes. This chapter will take us through the initial setup of Maltego. Maltego is a tool designed for data mining and discovery. It will place the information in a knowledge graph that you can continue to build and pivot from to help discover and gather information. This information can then be leveraged to expand our attack surface.
Let's ensure the following pre-requisites:
In this recipe we will use Maltego CE to gather Internet Domain information. If we are mainly working an external, internet based, penetration test. This information will provide of plenty of valuable information regarding the public aspects of there network. This tool will start with a domain name and pivot out to several different aspects of publicly available domain information.
Let's ensure the following prerequisites:
We will now use Maltego to obtain the external host, the IP address, and some netblock information.
We want to continue from where we left off with the last section, so, if you are coming back to the book after a while, open your saved Maltego graph from the Gathering domain information recipe.
In this recipe we will use Maltego CE to gather a company's public IP information:
We will now use Maltego to obtain external routing information. External routing information can provide us with valuable information such as who their internet service providers are and how their traffic flows.
We want to continue from where we left off with the last section, so, if you are coming back to the book after a while, open your saved Maltego graph from the Gathering public IP information recipe.
We will use Maltego CE to gather BGP autonomous system information:
We will use zenmap to provide a graphical representation of our network. Zenmap is a graphical front end to nmap. Zenmap does have some advantages over nmap, especially when it comes to providing certain graphical outputs. We are going to use it to provide a visual look at our target network. By obtaining information about how the internal network is layed out we can use this information to spread attacks beyond just the local subnet.
Let's ensure the following prerequisites:
We next want to discover whether the target is using any cloud-based services. Based on the IP addresses we have found we can see if there are multiple different domain and host information associated with an individual IP Address which would indicate some form of cloud based service.
Cloud services come in several different forms and offerings. Cloud services originally started the as a service trend with Software as a Service (SaaS), such as Office 365 and Exchange 365 and a Platform as a Service (PaaS) like AWS and Azure. Today, many organizations rely on cloud-based systems. Sometimes, these systems are controlled, managed, and monitored as part of the data center infrastructure. At other times, this use is regarded as Shadow IT. Shadow IT refers to the services that are brought up outside the corporate IT environment and control....
There are various methods we can use to scan for hosts on internal or external networks. We will explore some of these in detail. We will use nmap for several examples in this section. TCP port scans are default within nmap as most of our well-known servers running using TCP. However, from a penetration standpoint, there are some very useful UDP ports that might be open that could provide us with attack vectors such as SNMP.
Let's ensure the following prerequisites:
We will continue to use some advanced functions of nmap to provide us with additional information about a particular host.
Let's ensure the following prerequisites:
We will now provide more targeted nmap scans against particular hosts to obtain further information about the ports and protocols that are open:
We will use wafw00f to identify whether there is a web application firewall between us and our target website.
Many organizations will use a Web Application Firewall (WAF) to protect websites from web-specific attack. Understanding that a security device sits between you and your target is extremely important. You will need to obfuscate and avoid detection. You will have to be more targeted and use special techniques to penetrate the website even with the WAF in place.
Let's ensure the following prerequisites:
We can use hosts that we identified through nmap as having open SNMP ports or services running, to try and gather more information.
The Simple Network Management Protocol (SNMP) is a protocol used to provide status and configuration for various devices including servers, workstations, network appliances, IoT devices, and other hosts. This protocol provides both a read-only and read-write functionality. Quite often, devices have been deployed with read-only available by default. Network administrators will often enable read-write access for management purposes. The default passwords for SNMP on many devices is public for a read-only access and private for a read-write access. There are three types of SNMPs. While version 1 has been mostly deprecated, version 2 is still quite common, and version 3 is gaining in use due to it's better...
© 2017 Packt Publishing Limited All Rights Reserved
