Lesson 3 : Footprinting and Gathering Intelligence
Bitbucket
Allows inline comments and a secured workflow; free for small teams, fee-based for larger groups.
Extending Your Reach
An organization's primary website for public consumption is not the only website that might help you gather background information about the organization. In addition to testing the main site, the team may be tasked to examine the target's partners, consultants, and contractors' sites.
While searching the social media profiles of a target organization, the team reads a series of Facebook posts by a network administrator. The employee is dissatisfied with their colleagues and complains that they have a lax attitude toward securing and monitoring the network. How could the team use this information?
Answers will vary. The team can focus on finding the weaknesses that may exist due to the negligent employees.
When searching for basic information on a target, such as the details on the leadership of an organization, what is one option you can use?
Answers will vary. To find some basic information on a target, the team can try the "about us" page of a company website.
Personally Identifiable Information (PII)
Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).
Security Vulns found in repositories
Developers who post code may have put private files into their repositories that are then copied into the public storage area, where the files can be searched.
Code can include information such as hostnames, IP addresses, database servers, and service configurations, which can be used to craft an attack.
Code can include the names and information of employees, which can be used in a spear phishing attack or credential theft.
Code can be modified, which can lead to an infrastructure attack or shut down systems or applications.
Developers post screenshots or comments that can contain useful intelligence.
Developers add specific information to their code, such as usernames and passwords, as shown in the following code block (a scrape-target configuration fragment with embedded credentials and certificate verification disabled):
    basic_auth:
      username: bluedog
      password: orangetigerkittens
    scheme: https
    tls_config:
      insecure_skip_verify: true
When searching 515support.com's webpage, the team checks the robots.txt file. To make sure the web crawlers don't index the wp-admin directory, what should be added to the file?
Disallow: /wp-admin/
GitHub
Enables teams to work together regardless of their location; free to basic users, with reasonable costs for teams and enterprise users.
subject alternative name (SAN)
Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
Stapling
In the standard approach to determining the validity of a certificate, the burden rests on the client, who must check with the OCSP server to confirm the validity of the certificate. Stapling reverses this burden, so the web server must validate the certificate. With certificate stapling, when a client begins a web server transaction, the following process occurs:
1. The web server goes to the OCSP server to check the validity of the certificate.
2. The web server then sends the validated certificate (with the OCSP response attached) to the client.
Metagoofil
Information gathering/harvesting tool for extracting metadata from public documents; uses Python scripting to locate metadata within different document types such as pdf, doc, xls, ppt, odp, ods, docx, xlsx, and pptx.
SourceForge
Is free to everyone, and features discussion forums and issue tracking.
Your team is tasked with preparing a social engineering attack on the target. One of the team members suggests they research commonalities between the target and a sister organization. What tool do you feel would be a good choice to aggregate and graph this type of information?
Maltego is the best choice for this exercise, as when searching, the results of query are placed in graphs and then links are established between each node. This will enable the team to analyze how the target and the sister organization are connected.
CloudForge
Offers bug and issue tracking, discussion forums, and document management. You can get a free trial for 30 days, after which there is a nominal fee.
open-source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
Digital certificates used in SSL/TLS communications are another public resource that can aid in the PenTest process. What two resources can the team use to discover more information on the company?
The team can search for information on the target's certificate using an online SSL checker along with the Certificate Transparency (CT) framework.
You have heard that there might be a leadership change in the target's infrastructure. You are fairly sure that there was a press release in the past week about the change, but there is no longer a trace of the story. What can you try in order to locate this information?
The team could start with searching cached pages, and then try a search using the Wayback Machine.
Your team is tasked with gathering metadata from various documents to locate any sensitive information, such as Excel spreadsheets containing salary data on the employees. What tools can they use?
The team could use either Metagoofil or FOCA to gather metadata from various documents.
Your team is tasked with evaluating the source code for 515web.net. They know that the organization is using a source-code repository. How should you proceed?
The team should check source-code repository sites such as GitHub, Bitbucket, CloudForge, and SourceForge. Once there, they should examine the code to see if the developers have added sensitive information to their code, such as usernames and passwords, or other information that can be used to frame an attack.
Once the team has gathered the intel on the target, you'll want to determine the best plan of attack when preparing the attack phase of the PenTest. List some of the guidelines that will help your team be better prepared.
Use gathered technology information to identify potential vulnerabilities and consider ways to weaponize them in future phases.
Focus on findings that are actionable and relevant.
Determine how public IP addresses map to resources like web servers that you can later target.
Leverage information from third-party sites to learn more about an organization and its people and consider ways the information can be used in a social engineering test.
Document your findings for future reference.
forced browsing
Used to identify unlinked URLs or IPs from a website to gain access to unprotected resources.
Certificate Details
Vulnerability scanners can gather and validate certificate information to see if there are any issues. Knowing what certificates are in use, and whether they are expired or otherwise problematic, can be useful to a penetration tester. Discovering out-of-date certificates often points to other administrative or support issues that can be exploited; see also subject alternative name (SAN).
Using DNS is common during the footprinting and reconnaissance phase of the PenTest. What protocol can be used to search for organizational information?
When an entity registers a domain name, the registrant will need to provide information, such as organizational and key contact details. The team can use the whois protocol to search for these details.
The team leader has tasked your group to test the target's physical security. The target has a main building, loading docks, a parking garage, and a warehouse. Which OSINT could provide the team with valuable intel?
When planning a physical PenTest, the team can use Shodan to attempt to locate the feed of a security camera outside the target's facilities. If successful, the team can get a better picture of the premises and any possible defenses that are in place.
FOCA
a Graphical User Interface (GUI) OSINT tool used to discover metadata that may be hidden within documents, typically those downloaded from the web. Some of the useful metadata FOCA can extract includes user and people names, software and OS version information, printer information, plaintext passwords, and more. Note that, unlike theHarvester, Recon-ng, and Maltego, FOCA is a Windows-only tool. In addition, it requires a running SQL server to store its data in a database.
robots.txt File
a simple yet essential file that tells the bots where to search and, more importantly, where NOT to search.
web cache viewer
allows you to search for older versions of websites; each version is a snapshot of the raw HTML and some of the page contents; https://web.archive.org/
Maltego
an OSINT tool that can gather a wide variety of information on public resources and then provide a visual on the shared features among all sources; has a full GUI to help users visualize the gathered information; features an extensive library of "transforms," which automate the querying of public sources of data; then compares the data with other sets of information to provide commonalities among the sources.
theHarvester
an intuitive tool that can search a company's visible threat landscape. The tool gathers information on the following:
- Subdomain names
- Employee names
- Email addresses
- PGP key entries
- Open ports and service banners
It is relatively simple to use and can automate the information gathering tasks by using multiple methods that include:
- Google and Bing to gather information from public data sources.
- Comodo's certificate search engine to obtain certificate information.
- Social media sites like Twitter and LinkedIn.
- Banner grabbing functionality using Shodan.
When using it, you will enter the target domain and the data source.
image search
another avenue the team can use when scouting the target to see if there is any actionable intel. Some of the sites that offer reverse image search are as follows:
- TinEye
- Google
- Yandex
- Bing
whois query
can provide a lot of information about the target organization and how its domain is configured. The team can then use this information to take more targeted actions against the domain's contacts, as well as the underlying architecture of the domain.
Website enumeration
done during the footprinting and reconnaissance stage to discover potential attack vectors and vulnerabilities on a web server. The team will need to determine how the target hosts the site, which can be either self-hosted or cloud-based. It involves discovering resources that are in use as well as the underlying technology used to host the server, and looking for vulnerabilities that could enable the following attacks: cross site scripting (XSS), SQL Injection (SQLi), and caching server attacks.
Nslookup
is a command-line tool used in either a Windows or Linux operating system (OS) that can be used to query a domain and specify various record types.
Dig
is a utility widely used on a Linux OS that can perform reverse lookups to match an IP address to a domain name.
Nameserver (NS) record
lists the authoritative DNS server for a particular domain.
google hacking
process uses the Google search engine to identify potential security weaknesses in publicly available sources, such as an organization's website
Service (SRV) record
provides host and port information on services such as voice over IP (VoIP) and instant messaging (IM).
Text (TXT) record
provides information about a resource such as a server or network in human readable form.
Mail Exchange (MX) record
provides the mail server that accepts email messages for a particular domain.
Certificate Transparency (CT) framework
logs of public certificate authorities (CAs) that are published for anyone to access.
Shodan
search engine designed to locate and index IoT devices that are connected to the Internet; indexes the connection by grabbing service banners sent by a device to a client over a specific port. It can be useful to the PenTest reconnaissance phase in several ways:
- If the team is planning on conducting a physical test, they can attempt to locate the feed of a security camera outside the target organization's office. If successful, the team can get a better picture of the premises and its defenses.
- If the target organization employs control systems for Heating Ventilation Air Conditioning (HVAC) or industrial equipment, the team may be able to control these remotely as part of the attack phase.
In order to do a more targeted search, the team is going to use Google Hacking. What advanced operators should the team enter in the search if they are looking for spreadsheets or documents with results that include the text "confidential" on 515support.com?
site: 515support.com confidential filetype:xls OR filetype:docx
Recon-ng
uses modules to customize the search. When searching, you can run a specific type of query and then set various options that are either required or optional. Some modules include:
- Whois query to identify points of contact.
- PGP key search.
- Social media profile associations.
- File crawler.
- DNS record enumerator.
