Recon and foot-printing Part 1 v04

module 3 of ethical hacker series

  • Active / passive intelligence

Passive [indistinguishable from ordinary public traffic]

– Google search [patent applications, who's the CEO, recent acquisitions: all the details you can find out about the company you are pentesting. General Google searches and browsing the company's own website. Careers page: who are they looking for? This gives you an indication of what systems they are using, i.e. a job vacancy for a Checkpoint firewall admin.]

– Viewing message boards, i.e. CPUG and other forums related to technical issues, or experts-exchange.com; some people naively post entire config files and sensitive information. This is still all passive recon, as opposed to active recon where you are likely to get caught.

Active [network scan, social engineering (passive/active respectively), vulnerability scan, ping sweep, spear phishing, phishing (more general / spam broadcast). For example, you may come into contact with a CEO's assistant who is interested in kickboxing; they have a kickboxing club website membership with weak security, and they use the same password for that account and for work.]

 

Reconnaissance

Purpose:  Narrow down to specific targets + techniques

– Avoid broad-scan, script-kiddie methods. A good concept to understand is the upside-down pyramid: the large base at the top is RECON and the work narrows down towards the point, so spending time on the base makes sense. Attacking straight at the point will most likely fail.

– Identify brands to target vulns

– Wifi signals, SSIDs, signal boosters, war driving

– Identifying what systems you can find: which technologies, which ports (network equipment)

– What OS? Patch level? When was it last rebooted? I.e. when did the patch come out? It may have needed a reboot to apply the patch, so if you know the server hasn't been rebooted for a while it may not have the patch on it.

Routerpasswords.com [lists the default passwords of all the major manufacturers' devices]

More on Passive Recon 

  • Public records, published by law most of time
  • Copy rights, patents
  • Corp filings
  • Social media: Facebook, LinkedIn, Twitter, news pages; most people post first, think second…
  • Trademark and patent government websites, details of new technology coming out.
  • lots and lots of reading
  • Edgar database, more USA related; for the UK, look into the publicly published information on UK businesses.
  • Be creative about how you get information when contracted to a pentest
  • ICANN (Internet Corporation for Assigned Names and Numbers), RIRs (Regional Internet Registries): start with an IP address from a company and see how much information you can gather. whois.domaintools.com
  • Netcraft, document grinding (directory browsing, company documents, dumpster diving, Google hacking)
  • Job sites, search sites, interviews (certain skill sets can identify what tech they have); going for an interview to probe them is social engineering.
  • View web page source (you may see sensitive information, another form of document grinding); it may show directories.
  • Mirror sites: httrack, wget, Sam Spade, archive.org (essentially copy a website's code down to your local file system to see if anything crops up when you load it locally, or to practise things against it)
  • traceroute -T (-T uses TCP and might return further information; -U uses UDP)
  • DNS [nslookup: set query=ns www.google.com; changing the TTL on a DNS server; set type=mx www.google.com]
  • Zone transfer [not secure; in nslookup on a Windows server, ls -d www.google.com requests one. On Windows 2003 and above this is no longer allowed.]
  • set type=hinfo www.google.com
  • robots.txt [tells crawlers which directories not to crawl, e.g. www.testwebsite.com/robots.txt; its output will show you all the directories of this webpage that they "disallow"]
  • OS fingerprint via telnet (banner grabbing): web pages advertise what OS they use for compatibility with browsers; telnet to a page on TCP 80 and hit enter TWICE.
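The robots.txt point cuts both ways: a line meant to keep crawlers out of a directory also publishes that directory's name to anyone who reads the file. The following is an added example (not from the original notes) that parses a robots.txt file offline so you can audit what your own file discloses; the sample content is constructed, not taken from any real site.

```python
# Constructed sample robots.txt, not a real site's file.
SAMPLE_ROBOTS = """# site crawler policy
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old db dumps
Allow: /public/

User-agent: Googlebot
Disallow:

User-agent: BadBot
User-Agent: OtherBot
Disallow: /
"""


def parse_robots(text):
    """Return {user_agent: {'disallow': [...], 'allow': [...]}}.

    A run of consecutive User-agent lines forms one group that shares the
    Allow/Disallow lines following it; '#' starts a comment; an empty
    'Disallow:' means the agent may crawl everything.
    """
    groups = {}
    current = []            # agents in the group being built
    expecting_agents = True  # still collecting User-agent lines?
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        field, _, value = line.partition(':')
        field, value = field.strip().lower(), value.strip()
        if field == 'user-agent':
            if not expecting_agents:   # a rule ended the previous group
                current = []
                expecting_agents = True
            current.append(value)
            groups.setdefault(value, {'disallow': [], 'allow': []})
        elif field in ('disallow', 'allow'):
            expecting_agents = False
            if value:                  # skip the empty "allow all" form
                for agent in current:
                    groups[agent][field].append(value)
    return groups


def disclosed_paths(text):
    """Every path the file names for any agent: this is the site layout
    a passive reader learns without sending a single crawl request."""
    paths = set()
    for rules in parse_robots(text).values():
        paths.update(rules['disallow'])
        paths.update(rules['allow'])
    return sorted(paths)
```

Run `disclosed_paths` over your own robots.txt: any path listed there that should not be public knowledge belongs behind authentication, not behind a crawler hint.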

 

 

  • Purpose
  • Recon Tools

 

fwknowledge.wordpress.com

Posted in Ethical Hacker