Wednesday, July 11, 2012

Introduction to Penetration Testing – Part 2 – The Discovery Phase – Passive Reconnaissance

by Si Biles ( @si_biles ), consultant for Thinking Security

PenTest, like forensics, is almost as much an art as it is a science – you can only be taught so far; technical techniques and tools are all very well, but you really need a mind that can think sideways and approach a task from as many angles as possible. The ex-LE forensicators have this skill in spades – the data that is potentially available during an investigation includes interviews, statements, crime-scene photos and all manner of collected evidence. In the commercial world there is less available, but still I’m confident that you’ll all have your sources. PenTest is much the same: the more we can know about a potential target before we even fire up NMap[1], the further we will get.

The title of this segment is “Passive Reconnaissance” – that’s not to say that you don’t have to do anything during this phase and that it all comes to you. It’s about obtaining information which is already in the public domain – not necessarily placed there deliberately – and which relates to the target.[2]

There isn’t really anything, at this stage, that we aren’t interested in – collect all the information you can; we can whittle it down to the pertinent facts as we go along.[3]

Right then – where to start? Well, let’s begin to build a picture of our target. Let’s have a look at their domain:

si$ whois google.co.uk
Domain name:
google.co.uk
Registrant:
Google Inc.
Registrant type:
Unknown
Registrant's address:
1600 Amphitheatre Parkway
Mountain View
CA
94043
United States
Registrar:
Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]
URL: http://www.markmonitor.com
Relevant dates:
Registered on: 14-Feb-1999
Expiry date: 14-Feb-2013
Last updated: 10-Feb-2011
Registration status:
Registered until expiry date.
Name servers:
ns1.google.com
ns2.google.com
ns3.google.com
ns4.google.com
WHOIS lookup made at 23:20:53 03-Jul-2012
--

OK, so we have a home address for our company. This example isn’t the most detailed, but you can often glean names, e-mail addresses and phone numbers from a whois lookup. It’s good if you can get an e-mail address, as these start to give you an idea of the common address format used within the company – e.g. first initial plus last name (sbiles), first name.last name (simon.biles), or a form with a complicator appended (simon.biles100) [incidentally these are all real addresses at various organisations I've worked at]. Remember this, it will come in useful later.
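To get more out of a record like the one above than a quick read gives you, here is an added example (my own code, not from the original post) that parses a Nominet-style whois record into its sections and produces the summary a domain owner would want when auditing their own record: what contact data it publishes, which name servers it reveals, and how long is left before the registration lapses. The function and regex names are my own, and the embedded sample is a shortened copy of the record shown above.

```python
import re
from datetime import datetime

# Constructed sample: shortened copy of the Nominet-style record above, embedded so this runs offline.
SAMPLE_WHOIS = """\
Domain name:
google.co.uk
Registrant:
Google Inc.
Registrant's address:
1600 Amphitheatre Parkway
United States
Registrar:
Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]
URL: http://www.markmonitor.com
Relevant dates:
Expiry date: 14-Feb-2013
Name servers:
ns1.google.com
ns2.google.com
WHOIS lookup made at 23:20:53 03-Jul-2012
"""
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")   # any contact address the record leaks

def parse_nominet_whois(text):
    """Group the record into sections keyed by its 'Header:' lines; the trailer gives the lookup date."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("WHOIS lookup made at"):     # trailer line, not a section
            sections["lookup_date"] = line.rsplit(" ", 1)[1]
        elif line.endswith(":"):                        # section header, e.g. "Registrant:"
            current, sections[line[:-1]] = line[:-1], []
        elif current:
            sections[current].append(line)
    return sections

def exposure_report(text):
    """Defender's view: published contact data, revealed name servers, days left from the lookup date."""
    s = parse_nominet_whois(text)
    dates = dict(l.split(": ", 1) for l in s["Relevant dates"])
    expiry = datetime.strptime(dates["Expiry date"], "%d-%b-%Y")
    looked_up = datetime.strptime(s["lookup_date"], "%d-%b-%Y")
    return {
        "domain": s["Domain name"][0],
        "registrant": s["Registrant"][0],
        "address_lines": len(s.get("Registrant's address", [])),   # how much postal detail is public
        "emails": EMAIL_RE.findall(text),                          # empty here: no e-mail in the record
        "name_servers": s.get("Name servers", []),
        "days_to_expiry": (expiry - looked_up).days,
    }
```

Feed it the output of `whois <domain>` for a domain you are responsible for to see the same facts an outsider collects at this stage, and to catch an expiry date creeping up.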

If we have a look at the website of the target itself, it is most likely that there will be good information there too – names, addresses, phone numbers and e-mails are all useful. Also look out for support contact details, FTP site details and logins, social networking links and so on. All of this is grist to the mill: potential routes of later attack, sources for social engineering, and logins to systems that will get you past the first line of defence.

Take a note of product names as well; these are often used as “guest” login details for FTP sites – “producttrial” as both the username and password, for example – for sales staff to use with customers.

If you are planning a social engineering phase, it can be beneficial to take copies of web pages (faking a login page), logos (faking business cards and documents) and other official-looking documents and marketing material. I personally dislike performing social engineering; it’s often the easiest way to get into somewhere. If you are going to do it, make sure that you agree with your client in advance that there will be no repercussions for any member of staff that you succeed in manipulating, and that anonymity will be preserved – otherwise it could be an unlucky ring of the phone that costs someone their job.

Where next? Google. Google is your friend – it is one of the most amazing tools available, not only having a huge index of things that are current, but also cached copies of things that might not be so current. Googling well is a skill, not unlike that of writing search queries for forensic searches; it’s just that Google is a lot faster than EnCase or FTK over a much bigger data set...
