Penetration Testing 101
An Introduction to Cyber Security Methodologies
This is a new series of articles that will cover the complete penetration testing methodology based largely on case studies of previous hacks. These articles will cover initial reconnaissance, picking an attack vector, gaining a foothold, maintaining presence, lateral movement, and finally going after the prize.
One of the main case studies these articles will borrow from is the APT1 report published by Mandiant in 2013. Though the report focuses on a nation-state conducting a long-term intrusion against an opposing government and its industry, the methodology is very similar to that of a standard penetration test. The main differences in methodology between penetration testing and nation-state hacking are resources and intent. These articles are not a how-to on hacking a network but a broad overview of the concepts, with some tool demonstrations to solidify the ideas. With that, let's get on to the first step: Open Source Intelligence.
In all penetration tests, one must first assess the battlefield. A penetration tester must know the internet footprint of the network they are dealing with, and that starts with the basics. Before sending even one packet at the target network, the first task is gathering Open Source Intelligence, or OSINT for short. OSINT comprises two distinct parts: Technical OSINT and Human OSINT. Technical OSINT covers the technical details of the target network or organization: what IP space it owns, its registrar, its domain records, the devices attached to it, errant servers listening on unusual ports, and so on. Human OSINT covers the people and relationships connected with the network or organization and how that information can be leveraged. This article discusses Technical OSINT: where to find the various pieces of information and why each one is critical.
For the purposes of this article, we are going to use the domain nmap.org, the home page of the Nmap scanning tool. Nmap itself will be covered more extensively later in this series.
Before sending a packet at the target network, we need to find which addresses it owns and where our packets will go if we send them at a domain. The same applies to the traffic we receive back. Before APT1 sent their spear-phishing emails, they canvassed the internet for all the Technical OSINT they could find about their target, so when someone opened a malicious attachment they already knew which IP space the connection should come from. If a penetration tester sent a spear-phishing email with a malicious attachment and then received a callback from IP space they were not expecting, that would be a serious cause for concern and a potential legal liability, because the host that opened it might be outside the scope of the penetration test.
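The scope problem above is mechanical enough to automate. The following is an added example, not code from the original article: it takes the netblocks collected during Technical OSINT (here hypothetical RFC 5737/3849 documentation ranges standing in for a real target's whois and DNS results) and triages a constructed callback log from a phishing listener. The log line format is an assumption of this example, not a real tool's output. Every callback from an address outside the authorized ranges, including anything that fails to parse as an address, is flagged so the tester can halt and review before touching a host that may belong to someone else.

```python
"""Triage phishing callbacks against the IP scope gathered during OSINT.

Added example for this article; the ranges and log lines are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Hypothetical engagement scope: netblocks confirmed via whois and reverse DNS
# during reconnaissance. These are documentation ranges, not a real target.
AUTHORIZED_CIDRS = [
    "203.0.113.0/24",       # target's primary netblock
    "198.51.100.64/26",     # target's DMZ / mail relays
    "2001:db8:1000::/48",   # target's IPv6 allocation
]

# Constructed listener log. The "callback from <ip> id=<payload>" format is an
# assumption of this example; adapt LINE_RE to whatever your listener writes.
CALLBACK_LOG = """\
2013-02-19T10:14:03Z callback from 203.0.113.45 id=doc-0017
2013-02-19T10:15:41Z callback from 198.51.100.70 id=doc-0021
2013-02-19T10:16:09Z callback from 192.0.2.200 id=doc-0017
2013-02-19T10:18:55Z callback from 2001:db8:1000:7::1f id=doc-0030
2013-02-19T10:19:02Z heartbeat listener=0.0.0.0:443
2013-02-19T10:21:30Z callback from not-an-ip id=doc-0031
"""

LINE_RE = re.compile(r"callback from (?P<ip>\S+) id=(?P<id>\S+)")


def build_scope(cidrs: Iterable[str]) -> list:
    """Parse the CIDR strings once; strict=False tolerates host bits in a prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(addr: str, scope: list) -> bool:
    """True only if addr parses as an IP and lies inside an authorized netblock.

    An unparseable address is treated as out of scope: the safe default is to
    stop and look, not to assume it was ours.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in scope)


def parse_callbacks(log_text: str) -> List[Tuple[str, str]]:
    """Extract (ip, payload-id) pairs; lines that are not callbacks are ignored."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [(m.group("ip"), m.group("id")) for m in matches if m]


def triage_callbacks(log_text: str, cidrs: Iterable[str]):
    """Split callbacks into (accepted, flagged) lists of (ip, payload-id).

    Anything in the flagged list must be investigated and reported before the
    test continues, since that host may belong to a party outside the contract.
    """
    scope = build_scope(cidrs)
    accepted, flagged = [], []
    for ip, ident in parse_callbacks(log_text):
        (accepted if in_scope(ip, scope) else flagged).append((ip, ident))
    return accepted, flagged


def main() -> None:
    accepted, flagged = triage_callbacks(CALLBACK_LOG, AUTHORIZED_CIDRS)
    print(f"{len(accepted)} callback(s) inside authorized scope")
    for ip, ident in flagged:
        print(f"OUT OF SCOPE: {ip} (payload {ident}) -- halt and review")


if __name__ == "__main__":
    main()
```

Note that payload doc-0017 produced two callbacks, one in scope and one not: a forwarded attachment is exactly how a test leaks onto a third party's network, which is why the check keys on the source address rather than on the payload identifier.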
As penetration testers, we can find basic information about the domain itself using a site called Robtex.com. Looking up nmap.org there, we can see that it provides everything from the IP addresses the domain currently resolves to, previous IP addresses, reverse DNS lookups, registrar information, web hosting information, and whois records. It even shows whether that IP address also hosts other websites. One thing to consider: if an IP address attached to your target is shared with an organization that is not your target, trying to enter the network through technical means could put an out-of-scope party in the line of fire. All of this information helps build a profile of the target.
Next week we’ll go into more details on Technical OSINT and the tools pentesters use to gather technical information.
Hisomeru is a contributing player in the infosec community. In more than 15 years of experience, Hisomeru has managed IT security teams, developed custom tools and performed penetration tests. Cyber security is Hisomeru's passion, and Hisomeru has taught many individuals cutting-edge penetration testing techniques. Hisomeru's Twitter is: https://twitter.com/Hisomeru