PENETRATION TESTING???
PENETRATION TESTING???
Penetration Testing can be done in 4 stages:
- Information Gathering.
- Enumeration and vulnerability analysis.
- Exploitation.
- Post Exploitation.
Penetesting is like a Actual hacking. By The same step a hacker get passed for their success. I am going explain here about Basic Information Gathering which is first stage for a hacker/pentester.
Information Gathering:
Information Gather is the most important stage for penetration tester. Because Here We can map our target network & Information gathering is First stage for making successful attack. How we can gather information and what we look for? There are many thing to find out before actual attack and exploitation. The more information we have the more effective attack we can make. There various way to gather information against our target network:
Open Source Intelligence Gathering.
Network Discovery & DNS enumeration.
Email Discovery and Foot printing.
Etc.....
Open Source Intelligence Gathering: For Open Source Intelligence Gathering may need week or even month. Because here Penetration tester looks for all public information, for example what the target networks are looking for, Perhaps they need of any employee, Maybe somewhere posted about there Internal System publicly etc. Not only that but also we need to find their email, phone number, physical address, social network information, DNS information etc. Actually time is depending you are hacker or a penetration tester. For pentester have only a limit time so they need gather these information as soon as possible. If we got hired by any company for a short time testing then no, of course we will not spend a long time here. But If we are hacker then our just goal is Success and for success we need to gather the information for making a effective attack. Anyway, We may gather information from:-
From The website:
We can gather much valuable information from the Target website such as phone number, Email address, Employee name, Comments in HTML source code, Even Physical Address which is very important for Social Engineering attack etc. Not only that we can also make a good wrodlist for dictionary based attack later on. So best is use of weget or httrack for downloading the entire website for reviewing off-line using your browser. After downloading it Just start browsing with your mind, see the source codes etc and you will find many information.
Job Posting:
The target organization may looking for employees. So they may posted It on their local or third party website. Often Many Organization post about their internal network such as Database name etc in Job description. They also post about all responsibility, conditions , salary range etc which is very good for Mapping the company structure. We can understand that what our target in need of and Internal contact information which is not a good option for making a Social Engineering attack? True History: I was sent my Malicious word document file to the manager. And the idiot got hacked immediately. Can you guess why? Even I was able to attack their MS SQL 2003 when they said that they were need someone who is good in MS SQL too.
So we should usually search the organization name in montser, careerbuilder, workforce etc.
Forum:
Perhaps we want to post a problem on a forum to be solved. So why not our target ? So they also may post the internal problem to get answer. For a better understanding of the problem they should post details … right? So here we/hacker/pentester may take a advantage because they may post code, configuration details and other information .
Social Media: Great way to find more additional important information. These media can be used for a effective social engineering attack. Often I try to search Company name, Employee name on Facebook, Linkdin, Twitter, MySpace. Some of employee post their phone number, email address, Like/dislike etc.
Search Engine: Search engine is a important and a powerful tool for gathering information. We can gather lots of information using Powerful search engine call “Google”. We can search file which can be financial report or employee list, emails what can be used for Social Engineering, Links such as “index.php?id=44” for SQLi, Related company etc.
site:sysexploits.net ; Which will discover all pages from the targets.
Links:sysexploits.net; this will find for all links
inurl:info.php site:sysexploits.net ; finding a specific URL.
Inurl:phpinfo.php
site:sysexploits.net inurl:phpinfo.php
filetype:sql ; Try with any other file type such as pdf,txt,xls,doc etc.
site:sysexploits.net filetype:sql
intitl:login
There are some tools you can use for Automated Google searching such as wikto,sitedigger,metagoofi etc.
There are many dork. I will refer you to visit http://www.exploit-db.com/google-dorks/
Also you may interest to visit a nice search engine: http://searchdns.netcraft.com/
Network Discovery & DNS Enumeration:
Here we need to discover all IP, DNS, Sub-Domain etc. Sometime we may need to even brute force for the Subdomain. So basically we deal with host,whois,nslookup,dig etc. We can it from other third party website too. There are many many providing such a nice services freely. One of them is http://centralops.net/co/. Go to site and type your target IP or Domain name to be analysis. Centralops is capable to seek whois records, DNS records(Nslookup?), Trace routing, Service scanning in same time.
DNS(Domain Name System) can provide us valuable information. DNS translate domain into IP(32 bits) and The default port is 53. There are numerous tools can be used for DNS enumeration:
- nslookup
- dig
- fierce (which can be used for brute forcing and really a good tool)
- whois
- host (command) etc.
Little explanation of DNS records for getting started:
A= Links a Host name to an IP.
NS= Name Server (I.E, ns1.sysexploits.net)
MX= Mail server Records
CNAM= Used to thread many names to a Single IP.
Email Discovery:
Emails are useful for hackers/pentester for social engineering attack. Often we need to discover email address . Using Google(Google is the master!!!) we can search email . For example if we search like “site:sysexploits.net contact”, “@sysexploits.net”, “site:sysexploits.net contact” and using some powerful tools such as maltego. Using NC we can even enumerate SMTP for username too.
These method are very basic and explained here very shortly(Just to give idea about “What is it and how” and I did not explain to use some tools here(Really?) but Hang around and we will publish more useful tutorials/informations.
Any Feedback is always welcome & Thanks for Reading!!!