vault backup: 2024-12-01 23:50:59
@@ -0,0 +1 @@
,boris,boris-ThinkPad-T480,01.11.2024 14:15,file:///home/boris/.config/libreoffice/4;
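Review bot: this hunk commits a LibreOffice lock-file record (the `,user,host,timestamp,profile-path;` format written to `.~lock.<document>#` files while a document is open) into the vault backup, which publishes the local username `boris`, the hostname `boris-ThinkPad-T480` and the profile path `file:///home/boris/.config/libreoffice/4` to anyone who can read the repository, and the file serves no purpose in the vault. Drop it from the commit and add the `.~lock.*#` pattern to the repository's `.gitignore` so the automated "vault backup" commits stop picking it up.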
Binary file not shown.
Binary file not shown.
21
Penetration Testing/Assessment/Stage 1 - RoE.md
Normal file
@@ -0,0 +1,21 @@
- “Scope” - describe what you intend to do and what you are aiming to find
- “Permission to test” - outline why you believe this is a legal and ethical thing for you to
do in this assignment (or describe if you have to do it in a particular way in order to make
sure you stay legal and ethical even if this will limit the amount of information that you
are able to find
| Action No | Scope: Summary of Intention | Permission to Test: Outline of Legal and Ethical Justification | Allow/Reject |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| 1 | I would use WHOIS / Recon-NG to find website registrar identities and the ASN of the company. This would provide me with a list of identities, and their emails, that may have access to infrastructure, or elevated permissions. | I believe this is legal as WHOIS is a public database of registrar information. No information found through WHOIS is sensitive, and has been published by the company, rather than found - no ethical issues with WHOIS | |
| 2 | I would use dig or nslookup to find IPs of webservers and mailservers, TXT records, CNAME recs, etordc. This would provide vital information about the company's infrastructure and layout of their webserver. | I believe this is legal as dig / nslookup does not access the server, but rather uses public DNS information from ex. Cloudflare. Since this information is registered voluntarily by the company, and anybody can find it from simply loading the webpage or through a DNS request, I see no ethical issues with the use of dig / nslookup. | |
| 3 | I would use Google Dorking to find any pages that may contain useful information. Finding information like meeting minutes, mailing lists, etc. could contain sensitive information - I should exercise caution with information found. This likely will find a lot of information I could use to further the investigation. | I believe this is legal, as all information found through Google Dorking is provided through a public index of information on a search engine for anybody to find; there is no contact with the company therefore no Computer Misuse. If sensitive data is found, as long as PII is protected and stored anonymised and encrypted, there should be no ethical issues with information found. | |
| 4 | I would use theHarvester to find email addresses of employees or users. theHarvester could also find IP addresses owned or rented by the company not found when using dig / nslookup. | I believe this is legal since the information gathered from theHarvester is gathered from interacting with public search engine indexes. No information gathered from theHarvester is sensitive, since it is information used in the public domain - therefore should be ethical. | |
| 5 | I would use BGPView and HE's BGP Toolkit to verify IP addresses are within the scope of the company's ASN, found in the WHOIS lookup. This would provide me with the address range rented or owned by the company, potentially revealing useful information about clients | I believe this is legal, since ASNs are announced in the public space, along with address ranges. There is no interaction with the company or it's servers. No sensitive information is revealed directly from knowing address ranges or AS number, which should make this ethical. | |
| 6 | I would use Shodan to obtain insight into IPs within scope. This could give detailed results regarding connected devices that may be public-facing, however this may be unlikely. | I believe this is legal, since Shodan is a crawler and can only find devices that have been (intentional or not) configured to be public-facing, since Shodan is exclusively a tool to find devices using an obscurity model for their security. I see no ethical issues by using Shodan outside of mishandling of PII if sensitive information is found by using it. | |
| 7 | I *could* use Intelx / Phonebook.cz and HaveIBeenPwnd to find breaches employees have been involved in. This could provide information on login details, or even just provide information on employees that otherwise would be unknown. For example, in these leaks, information like a person's car, home address, accounts registered with their email, and much more can be found. | I believe this is legal, since the sources are public information, regardless of how they are obtained by the breacher since they are on clearweb and indexed publicly. The only legal issue related to obtaining this data is redistribution, and as long as PII is protected, there is no law that limits possession of data found in breaches. However, it's usage heavily effects the ethicality of obtaining this data; it's usage in most ways when unauthorised is at worst illegal, and at best immoral. Realistically in this scope it is best used as a tool to gain information on employees, rather than obtain credentials or sensitive personal information. | |
| 8 | I would use robots.txt to find pages the company may not want indexed, not being found by Google Dorking. This may provide information on where to start looking, but may also not be useful. | I believe this is legal, as the robots.txt file has been chosen to be given to the user from the webserver. It is not hidden or even accidentally advertised. Since the company has voluntarily made the file public, there are no ethical issues regarding using this information. | |
| 9 | I would use the Google Hacking Database to find any potential exploits in services used on the webserver. This could provide information on potential entrypoints that could be found in later stages. | I believe this is legal, as GHDB is a collection of known exploits and vulnerabilities, no interaction is made directly or indirectly with the company, only knowledge of their services is required, which is public information. I believe this is ethical as these exploits are public knowledge, and any vulnerabilities found should be protected against by the company. | |
| 10 | I could use social media pages after information about employees have been found. This could be turn out with invaluable knowledge about employee habits, aiding the social engineering aspect | I believe this is legal, as there are no laws protecting people from searching others on social media - it is all voluntarily published publicly forever. I believe this is ethical, as no sensitive information should be published anywhere on social media, all information should be inconsequential individually, more used to build upon other methods included in RoE. | |
| 11 | | | |
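Review bot: the Allow/Reject column is empty in all ten populated rows and row 11 has no content at all, so this Rules of Engagement records no authorization decision for any action; fill the column with the client's sign-off (or an explicit "pending") before the assessment starts, and either complete or delete row 11. Two justifications also misdescribe the tool they rely on. Row 9 calls the Google Hacking Database "a collection of known exploits and vulnerabilities", but GHDB is an index of search queries (dorks), i.e. the same technique row 3 already covers; either fold row 9 into row 3 or rewrite it to name the actual source of vulnerability knowledge (Exploit-DB / CVE lookups against the service versions found). Row 8 presents reading robots.txt as passive, yet fetching `/robots.txt` is an HTTP GET against the target's web server, which unlike rows 1 to 7 is a request to in-scope infrastructure, and the permission entry should say so explicitly rather than describe it as no contact. Row 7's statement that "there is no law that limits possession of data found in breaches" is too strong for a legal justification and sits awkwardly beside the row's own warning that using the data is "at worst illegal"; scope the action to confirming whether an employee address appears in a breach (the HaveIBeenPwned model the row names) and state that no credentials or personal details are retrieved or stored. Minor: "etordc" in row 2 should be "etc."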