boris/G4G0-2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2f42f90f7e3505ce973ba46cb16b028acad9f27d
G4G0-2/Penetration Testing/Week 5/Lecture 5 - Reconnaisance.md
George Wilkinson 8bc99d0497 vault backup: 2025-01-30 09:27:31
2025-01-30 09:27:31 +00:00

107 lines
3.6 KiB
Markdown
Executable File
Raw Blame History

# Intelligence Gathering
- More information gathered, more vectors of attack may be able to use
- Better knowledge of target, more likely to succeed
- Better target company knows what is common knowledge, better it can prepare.
## Open-source Intelligence (OSINT)
- Gathers information from publicly available sources and analyses it, producing intelligence
- May not be up to date, accurate or complete.
- Could be deliberately manipulated to provide false intelligence.
- Many companies may fail to take into account public information, and how it could be gathered, organised and made searchable
- Physical (locations / relationships)
- Logical (business partners, job openings, meeting minutes, professional licenses)
- Org chart (important people)
- Electronic (document metadata, marketing information)
- Infrastructure (email addresses, technologies used)
- Many employees fail to realise information published on the public domain about themselves.
- Social Media
- GDPR gives right to ask to remove.
# Limits
- Gathering information to identify entry points
- physical, electronic, human...
- and try to map out internal structure
- physical, network, organisational
- and external dependencies
- outsourcing, financial
- It does not involve trying to test or use entry points
- "potential vulnerability" more interesting
- cyclic lifecycle, we can do more recon later
# Levels
- Level 1
- Automated tools to gather information
- Generally a simple list of what exists
- Level 2
- Combination of tools and manual searching / analysis
- Good understanding of physical locations, business relationships, organisation charts, naming policies, etc.
- Level 3
- Heavy use of manual techniques
- Deep understanding of business and how it operates
- Highly strategic and planned, time consuming
# Considerations in Commercial Pentest
- Keep to RoE
- Avoid legal issues and avoid scope creep
- Avoid being sidetracked by interesting sideroads
- Have a Goal
- What is relevant to the target you have been engaged to attack
- Have a deadline
- Make sure time allocated to use intelligence
# Passive vs Active Reconnaissance
## Passive
- Collecting data using publicly available information without direct contact with target
- Open web resources, public company information
- How they operate, how large they are, contact info, etc.
## Active
- Direct interaction with target by any means to gather information
- Port scanning, vulnerability scanning, etc
- Illegal without permission.
## Semi-Passive
- Collecting data with methods that appear like normal internet traffic and behaviour.
- Looking at metadata in published documents and files. Not actively seeking hidden content.
# Semester 1 Assignment
- Choose company
- Should be small, but not too small
- Likely IT business
- Passive recon using OSINT sources
- Include some semi-passive recon
- Write report, outlining what has been found and why company should be aware.
- Look for:
- Corporate
- Personal
- Technical information
- http://www.pentest-standard.org/index.php/Intelligence_Gathering
## How to Obtain Information
- Google Dorking, search for information to see who else has it, and what else they have.
- Information Gathering tools built into Kali
- Google for OSINT sources.
- Google Hacking Database (GHDB)
- Maltego
- DMitry
- Dnmap
- Ike-scan (Discover IPsec VPNs)
- P0f (Passive traffic fingerprinting)
### Note on Packet Sniffing
- Some tools rely on network inspection between you and target
- "Active Packet Sniffing" means specific things cause traffic to flow to you
- "Passive Packet Sniffing" means you inspect the traffic that happens to come past sniffer.
-
Reference in New Issue View Git Blame Copy Permalink