You don’t go directly to the web site. You start by reviewing the publicly available information. You decide upon a goal.
The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is good orientation. There may be useful information already leaked. It may not be reliable information, but there’s a good chance you can save yourself a lot of time without touching the web site.
Retain the information for future reference.
- Robtex Internet toolkit collects information about the domain
- showsiteinfo, siteshakedown, spyonweb and push2check reveal additional public information about the domain
Collect and document information about the company’s Internet presence. This would include:
- Internet Service Registration – The global registration and maintenance of IP address information
- Domain Name System – Local and global registration and maintenance of host naming
- Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
- Email Systems – The information contained within each email delivery process
- Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
- Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security
Retain the information for future reference.
- Source sifting (website review): SamSpade, Google Hacking Database
- Google hacking, Google dorks (such as those found through PenTestIT), Google advanced search operators
- Search engines: Google, Google Groups, AltaVista, DogPile, MSN
- Securities and Exchange Commission (SEC) Edgar database
- Business information sites
- News groups, USENET Searching
- What’s that site running? netcraft.com
- web-sniffer.net: view the HTTP request and response headers
- Big Brother Network and System Monitor
- WHOIS Enumeration (Find the registry, then the registrar, then the registrant)
- DNS Enumeration
Forward lookup: nslookup hostname
Reverse lookup: nslookup ip_address
Zone transfer (should not be permitted to arbitrary hosts; point nslookup at the target's authoritative name server first, because ls -d only works against a server that holds the zone):
#nslookup
>server ns1.target_domain
>ls -d target_domain
The ls subcommand exists only in the Windows nslookup; on UNIX use dig @ns1.target_domain target_domain axfr or host -l target_domain ns1.target_domain.
- Network Reconnaissance
UNIX traceroute (UDP): traceroute hostname/ip
UNIX traceroute (ICMP): traceroute -I hostname/ip
Windows tracert (ICMP): tracert hostname/ip
Windows Trout or NeoTrace (ICMP): GUI tools
UNIX tcptraceroute (TCP): see the man page; it sends TCP SYNs to a port the target must keep open (80 or 443), so it still reaches the host when a firewall drops the UDP and ICMP probes
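The "registry, then registrar, then registrant" walk from the WHOIS item above, as an added example in Python (not from the original page or from any tool it lists): it asks whois.iana.org, follows the refer: line to the registry, follows the registry's Registrar WHOIS Server: line to the registrar, and pulls the Registrant fields out of the last answer. The header names are the ones IANA, the Verisign .com/.net registry and ARIN actually send; the registrar hostname and responses used to exercise it are constructed. ARIN's rwhois:// referrals point at a different protocol on port 4321 and are deliberately not followed.

```python
"""Follow the WHOIS referral chain: IANA -> registry -> registrar.
Added example for the WHOIS enumeration step; not from the original page."""
import re
import socket

IANA = "whois.iana.org"
# Header names that carry a referral: IANA ("refer"), the Verisign .com/.net
# registry ("Registrar WHOIS Server", older "Whois Server"), ARIN ("ReferralServer").
REFERRAL_KEYS = {"refer", "whois server", "registrar whois server", "referralserver"}
REFERRAL_VALUE = re.compile(r"^\s*(?:(\w+)://)?([^/\s:]+)")


def whois_query(server, query, port=43, timeout=10.0):
    """One raw WHOIS exchange (RFC 3912): send the query, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def next_server(text):
    """Return the host the response refers us to, or None if this is the last hop."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in REFERRAL_KEYS:
            continue
        m = REFERRAL_VALUE.match(value)
        if not m:
            continue
        scheme, host = m.group(1), m.group(2)
        if scheme and scheme.lower() != "whois":
            return None          # e.g. rwhois:// on port 4321: not plain WHOIS, stop here
        return host.lower()
    return None


def follow_whois(query, querier=whois_query, start=IANA, max_hops=4):
    """Walk the chain; return [(server, raw response), ...] in the order queried."""
    chain, server = [], start
    for _ in range(max_hops):
        text = querier(server, query)
        chain.append((server, text))
        nxt = next_server(text)
        if not nxt or nxt == server:
            break
        server = nxt
    return chain


def registrant_fields(text):
    """Pull the Registrant* lines out of a registrar response."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower().startswith("registrant"):
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    import sys
    for server, text in follow_whois(sys.argv[1]):      # e.g. example.com or an IP
        print("=== " + server + " ===")
        print(text.strip()[:600], "\n")
    print(registrant_fields(text))
```

Run it with a domain or an IP address as the only argument. The querier is injectable so the chain logic can be exercised offline against canned responses, and an IP query works the same way because IANA refers it to the owning RIR.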
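The zone-transfer check from the DNS enumeration item above, as an added example written against the DNS wire format with only the Python standard library (not from the original page), so the result does not depend on which nslookup you have. It sends an AXFR question over TCP and returns the RCODE (a correctly configured server answers REFUSED with no records) or the records if the transfer is allowed; an AXFR ends when the SOA record appears a second time. The zone and name server are command-line arguments; the packets used to exercise the parser are constructed.

```python
"""Raw DNS zone-transfer (AXFR) check, standard library only.
Added example for the DNS enumeration step; not from the original page."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_AXFR = 1, 2, 5, 6, 12, 252


def encode_name(name):
    """Wire-format a name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    # header: id, flags (RD off: AXFR goes to the authoritative server), qd=1, an=ns=ar=0
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", TYPE_AXFR, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                     # bound the walk: malformed pointer chains
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg):
    """Return (rcode, [(name, type, value), ...]) for one message's answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        start, off = off, off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[start:off])
        elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):
            value, _ = read_name(msg, start)
        elif rtype == TYPE_SOA:
            mname, o = read_name(msg, start)
            rname, _ = read_name(msg, o)
            value = mname + " " + rname
        else:
            value = msg[start:off].hex()
        records.append((name, rtype, value))
    return flags & 0xF, records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def axfr(zone, nameserver, port=53, timeout=5.0):
    """Ask `nameserver` for a copy of `zone` over TCP; return (status, records).
    A hardened server answers REFUSED; a leaky one hands over the whole zone."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        while soa_seen < 2:                                # transfer ends at the 2nd SOA
            (length,) = struct.unpack(">H", recv_exact(s, 2))
            rcode, recs = parse_records(recv_exact(s, length))
            if rcode != 0 or not recs:
                return RCODES.get(rcode, str(rcode)), records
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == TYPE_SOA)
    return "NOERROR", records


if __name__ == "__main__":
    zone, ns = sys.argv[1], sys.argv[2]       # e.g. example.com ns1.example.com
    status, recs = axfr(zone, ns)
    print(zone, "@" + ns + ":", status, len(recs), "records")
    for name, rtype, value in recs:
        print("  %-40s type %-3d %s" % (name, rtype, value))
```

Run it once per authoritative server the NS records name, because secondaries are frequently less restrictive than the primary; anything other than REFUSED (or a closed TCP port) with zero records is a finding.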
What have others found? See Un1c0rn.
Does the target's NTP server still answer the monlist query (ntpdc -n -c monlist host)? It returns the addresses of recent clients, which can be used for further network enumeration; current ntpd releases disable it by default.
– Border Gateway Protocol (BGP) Queries
– About BGP:
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops; and to determine the origin of routes. Folks often use AS-PATHs in their route selection policy to, for example, use a particular transit provider that is known to have good connectivity to AOL; or not use someone who may have poor connectivity to them.
A good way to understand things in the real world is to use Looking Glasses run by ISPs. For example, go to lg.he.net or lg.level3.net and do a BGP query with another provider's IP as the argument. You will see the possible paths to the specific IP, and you will see the AS numbers (networks) it has to go through in order to reach that IP.
– www.arin.net (find the target's AS number)
– neptune.dti.ad.jp (query BGP via web)
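An added example, not from the original page: a small parser for the "AS path:" lines that a Juniper-style looking glass (for instance the output lg.he.net shows) returns, reporting the origin AS of the target prefix and which networks sit immediately upstream of it, which is what the AS-PATH discussion above is about. Cisco-style output prints the path as a bare line of numbers and needs a different regex. SAMPLE is constructed; the AS numbers in it are real assignments but the paths are made up.

```python
"""Summarise AS paths from looking-glass output.
Added example for the BGP section; not from the original page."""
import re
from collections import Counter

# Juniper-style: "AS path: 6939 3356 15169 I". The trailing I/E/? is the origin
# code; {a b} braces mark an AS_SET from route aggregation. asdot ASNs ("1.10")
# are not handled. Constructed sample output for a made-up prefix:
SAMPLE = """BGP routing table entry for 192.0.2.0/24
AS path: 6939 15169 I
AS path: 6939 3356 15169 I
AS path: 6939 1299 1299 1299 15169 I
"""
AS_PATH_RE = re.compile(r"AS path:\s*([^\n]*)")


def parse_as_paths(text):
    """Return one list of ASNs per 'AS path:' line, left (nearest us) to right (origin)."""
    paths = []
    for m in AS_PATH_RE.finditer(text):
        tokens = m.group(1).replace("{", " ").replace("}", " ").split()
        asns = [int(t) for t in tokens if t.isdigit()]
        if asns:
            paths.append(asns)
    return paths


def strip_prepends(path):
    """Collapse consecutive repeats: AS prepending pads a path to make it less
    attractive but adds no new network to traverse."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def origin_as(path):
    return path[-1]


def upstreams(paths):
    """Count the AS adjacent to the origin on each path: the transit providers
    traffic must cross to reach the target, and a single one is a single point of failure."""
    counts = Counter()
    for p in paths:
        p = strip_prepends(p)
        if len(p) >= 2:
            counts[p[-2]] += 1
    return counts


def summarise(text):
    paths = parse_as_paths(text)
    return {
        "paths": len(paths),
        "origins": sorted({origin_as(p) for p in paths}),
        "upstreams": dict(upstreams(paths)),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Paste the output of a looking-glass query for the target's address into the script (or read it from stdin) in place of SAMPLE; more than one origin AS for the same prefix is worth a second look, since it means either a legitimate multi-origin setup or a leak.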
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
nmap (the most utilized penetration testing tool)
Metasploit framework (see Metasploit: A Penetration Tester's Guide)
Armitage – A GUI for Metasploit
Maligno is an open source penetration-testing tool, written in Python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS; the shellcode is encrypted with AES and Base64-encoded before transmission, so the payload does not travel in the clear.
SinFP3 is an operating system fingerprinting tool
Pushpin will identify every tweet, Flickr picture and YouTube video posted within a radius of a given geographic coordinate. Example usage:
python ./pushpin.py -c 42.3534688,-71.0611556 --all
For latitude and longitude, see http://itouchmap.com/latlong.html
netcat doubles as a simple TCP connect port scanner (nc -z -v host port-range); expect a load balancer or IPS in front of the target to shape traffic and slow the scan down, so throttle rather than flood.
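An added example, not from the original page: a TCP connect scanner in Python's asyncio that does what nc -z -v host ports does, with a concurrency cap you can lower and a timeout you can raise when a load balancer or IPS starts dropping handshakes. loopback_demo opens one listening socket on 127.0.0.1 and scans the ports around it, so the code can be run without a target; host, ports and the demo's port window are assumptions of this example.

```python
"""Concurrent TCP connect scan with a concurrency cap (stdlib equivalent of nc -z).
Added example for the netcat note; not from the original page."""
import asyncio
import socket


async def _probe(host, port, timeout, sem):
    async with sem:                               # at most `concurrency` handshakes in flight
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return None                           # refused (closed) or no answer (filtered)
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return port


async def _scan(host, ports, concurrency, timeout):
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(_probe(host, p, timeout, sem) for p in ports))
    return sorted(p for p in results if p is not None)


def scan_ports(host, ports, concurrency=64, timeout=1.0):
    """Return the ports on `host` that completed a TCP handshake. Lower `concurrency`
    and raise `timeout` when a device in front of the target starts delaying or
    dropping connections, otherwise filtered and open ports blur together."""
    return asyncio.run(_scan(host, list(ports), concurrency, timeout))


def loopback_demo():
    """Listen on one ephemeral loopback port, then scan a 20-port window around it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(8)
        port = srv.getsockname()[1]
        found = scan_ports("127.0.0.1", range(port - 10, port + 10),
                           concurrency=4, timeout=0.5)
    return port, found


if __name__ == "__main__":
    port, found = loopback_demo()
    print("listener on", port, "-> open ports found:", found)
```

Against a real target, `scan_ports("target", range(1, 1025), concurrency=16, timeout=2.0)` is a reasonable starting point; a connect scan completes the handshake, so it shows up in the target's application logs, unlike nmap's default SYN scan.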
For more specialized penetration testing tools, see http://wiki.remote-exploit.org/backtrack/wiki/Category
BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments.
And also consider this version of the steps for penetration testing with 10 (instead of 5) steps:
Find open directory listings with Google by searching for "Name Last modified Size Description" (the column headings Apache's mod_autoindex prints on auto-generated index pages, usually combined with intitle:"index of"):