vault backup: 2024-10-17 23:28:49

Penetration Testing/Week 5/Lecture 5 - Reconnaisance.md

@@ -0,0 +1,107 @@
+# Intelligence Gathering
+- More information gathered, more vectors of attack may be able to use
+- Better knowledge of target, more likely to succeed
+- Better target company knows what is common knowledge, better it can prepare.
+
+## Open-source Intelligence (OSINT)
+
+- Gathers information from publicly available sources and analyses it, producing intelligence
+	- May not be up to date, accurate or complete.
+	- Could be deliberately manipulated to provide false intelligence.
+- Many companies may fail to take into account public information, and how it could be gathered, organised and made searchable
+	- Physical (locations / relationships)
+	- Logical (business partners, job openings, meeting minutes, professional licenses)
+	- Org chart (important people)
+	- Electronic (document metadata, marketing information)
+	- Infrastructure (email addresses, technologies used)
+- Many employees fail to realise information published on the public domain about themselves.
+	- Social Media
+	- GDPR gives right to ask to remove.
+
+# Limits
+
+- Gathering information to identify entry points
+	- physical, electronic, human...
+- and try to map out internal structure
+	- physical, network, organisational
+- and external dependencies
+	- outsourcing, financial
+- It does not involve trying to test or use entry points
+	- "potential vulnerability" more interesting
+	- cyclic lifecycle, we can do more recon later
+
+# Levels
+
+- Level 1
+	- Automated tools to gather information
+	- Generally a simple list of what exists
+- Level 2
+	- Combination of tools and manual searching / analysis
+	- Good understanding of physical locations, business relationships, organisation charts, naming policies, etc.
+- Level 3
+	- Heavy use of manual techniques
+	- Deep understanding of business and how it operates
+	- Highly strategic and planned, time consuming
+
+# Considerations in Commercial Pentest
+
+- Keep to RoE
+	- Avoid legal issues and avoid scope creep
+	- Avoid being sidetracked by interesting sideroads
+- Have a Goal
+	- What is relevant to the target you have been engaged to attack
+- Have a deadline
+	- Make sure time allocated to use intelligence
+
+# Passive vs Active Reconnaissance
+
+## Passive
+
+- Collecting data using publicly available information without direct contact with target
+	- Open web resources, public company information
+	- How they operate, how large they are, contact info, etc.
+
+## Active
+
+- Direct interaction with target by any means to gather information
+	- Port scanning, vulnerability scanning, etc
+	- Illegal without permission.
+
+## Semi-Passive
+
+- Collecting data with methods that appear like normal internet traffic and behaviour.
+	- Looking at metadata in published documents and files. Not actively seeking hidden content.
+
+# Semester 1 Assignment
+
+- Choose company
+	- Should be small, but not too small
+	- Likely IT business
+- Passive recon using OSINT sources
+- Include some semi-passive recon
+- Write report, outlining what has been found and why company should be aware.
+
+- Look for:
+	- Corporate
+	- Personal
+	- Technical information
+- http://www.pentest-standard.org/index.php/Intelligence_Gathering
+
+## How to Obtain Information
+
+- Google Dorking, search for information to see who else has it, and what else they have.
+- Information Gathering tools built into Kali
+- Google for OSINT sources.
+- Google Hacking Database (GHDB)
+- Maltego
+- DMitry
+- Dnmap
+- Ike-scan (Discover IPsec VPNs)
+- P0f (Passive traffic fingerprinting)
+
+### Note on Packet Sniffing
+
+- Some tools rely on network inspection between you and target
+- "Active Packet Sniffing" means specific things cause traffic to flow to you
+- "Passive Packet Sniffing" means you inspect the traffic that happens to come past sniffer.
+-