Information Gathering Phase (Phase 1): Penetration Test
Before beginning a penetration test or security audit, remember that the best tool available is your own mind. Kali Linux is a suite of tools built to help gather information and exploit weaknesses, but the logical decision making and analysis are yours. Outside of the technical aspects of attacking, staying calm and organized will help you more than anything. Further, always make sure you have explicit, written permission from, or ownership of, the systems in scope of your penetration test. Once you have limited your exposure to that kind of risk, it is time to begin phase one. To be sufficiently thorough, you must also consider the tools and actions a real attacker would use, including ones you would never deploy yourself, because those are the weapons the target will actually face.
Tools For Phase One:
1. DNSenum – The Information Gathering Tool
Kali Linux has a wonderful set of tools for gathering data on your target. The end goal of phase one is to have a logical map of the target’s network, both of people and of machines. Any information discovered now may be key to a pivot later on, so thoroughness is your ally. Most tools in this stage are very quiet, so if time is not a critical factor in your attack, this is the best time to move slowly and dig deep. The more you sweat now, the less you’ll bleed later.
The first high-level map of an organization's network comes from locating its DNS infrastructure: the name servers, the mail exchangers, and the hostnames they resolve. Starting from a good foundation here will help you find the footholds you need later. DNSenum is very often the first step in mapping a target's network: it queries the domain's NS, MX and A records, attempts a zone transfer against each name server, brute-forces subdomains from a wordlist, and performs reverse lookups on the netblocks it discovers. Using the format …
dnsenum --enum [TARGET DOMAIN NAME]
… we begin enumeration of the target's name servers and the hosts they expose. The domain is the first non-option argument, so it is the only required one; the `--enum` shortcut adds threading, search-engine scraping for subdomains and whois lookups on the discovered netblocks. Read the zone transfer (AXFR) result first: a name server that allows it hands you the whole zone in a single request.
2. dmitry – The Network Rangefinder
Once your DNSenum results come back, you will have a set of names and netblocks used by your target. dmitry (the Deepmagic Information Gathering Tool) fills in the details around each of them: WHOIS on the domain and on its IP addresses, subdomain and email address harvesting from public sources, and a simple TCP port scan with optional banner grabbing. A typical run is `dmitry -winsep [TARGET]`, which chains those lookups into one report. The WHOIS and search-engine lookups never touch the target, so they are quiet; the port scan (`-p`) does connect to it, so leave that flag off when staying unnoticed is the priority.
The Nmap (Network Mapper) project is famous for its standalone application and open source code. The Nmap tool in Kali Linux determines whether a host is alive, which ports are open, and which services and versions are listening, and gives a bounty of other information in one quick scan. Nmap is an essential tool for quickly gathering specific details on any active machine.
“Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.”
Maltego is an excellent tool, bundled with Kali, from the development team at Paterva. The design is unique, and with a little time spent learning how to best work with it, Maltego quickly becomes an essential tool for any medium to large scale penetration test. The system is built to discover relationships between entities in an environment: a person's name, a DNS server, an IP address, a WHOIS record, an email address, or any number of other bits of information. Maltego runs transforms against each entity, queries public sources, and draws the results as a graph that displays these relationships visually. An invaluable tool for the critical penetration tester, these logical maps will shed light on a messy situation or confirm a suspected relationship link.
Once all the information gathered from DNSenum, dmitry, and Nmap has been pored over, filtered, and loaded into Maltego, a clean and clear logical map of your target's environment can be formed.
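The merge described above can also be done by hand before anything reaches Maltego, and doing so catches the gaps that matter most in phase one: hosts DNS names but the scan never saw, and live hosts with open ports that no DNS name points at. The script below is an added example, not code from the original article or from any of the tools it describes. It takes dnsenum-style records and an Nmap XML report (the format produced by `nmap -sV -oX scan.xml <range>`), builds the same kind of entity/relationship graph Maltego draws, and cross-checks the two views. All sample data is constructed; `example.test` and `192.0.2.0/24` are reserved documentation names and addresses, not a real target.

```python
# Added example (not from the original article): merge dnsenum-style DNS
# records with an Nmap XML report into one logical map of the target, then
# cross-check the two views the way you would before loading them into Maltego.
# All sample data below is constructed; example.test and 192.0.2.0/24 are
# reserved documentation names and addresses, not a real target.
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: (name, record type, value), as dnsenum reports them.
DNS_RECORDS = [
    ("example.test", "NS", "ns1.example.test"),
    ("example.test", "MX", "mail.example.test"),
    ("ns1.example.test", "A", "192.0.2.10"),
    ("mail.example.test", "A", "192.0.2.25"),
    ("www.example.test", "A", "192.0.2.80"),
]

# Constructed sample: a trimmed report in the shape written by `nmap -sV -oX`.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.25" addrtype="ipv4"/>
    <hostnames><hostname name="mail.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.80" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.99" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostnames": [...], "ports": [(port, proto, service, product)]}}
    for hosts Nmap reported up, keeping only ports whose state is 'open'."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          svc.get("name", "") if svc is not None else "",
                          svc.get("product", "") if svc is not None else ""))
        hosts[addr.get("addr")] = {
            "hostnames": [h.get("name") for h in host.findall("hostnames/hostname")],
            "ports": sorted(ports),
        }
    return hosts


def build_map(dns_records, nmap_hosts):
    """Directed relationship graph: node -> set of (relation, neighbour)."""
    graph = defaultdict(set)
    for name, rtype, value in dns_records:
        graph[name].add((rtype, value))
    for ip, info in nmap_hosts.items():
        for hostname in info["hostnames"]:
            graph[ip].add(("PTR", hostname))
        for port, proto, service, product in info["ports"]:
            graph[ip].add(("OPEN", f"{port}/{proto} {service} {product}".rstrip()))
    return dict(graph)


def findings(dns_records, nmap_hosts):
    """Cross-check DNS against the scan and return the three lists that matter:
    surface:   (name, ip, port/proto, service) for live, named hosts with open ports
    dns_only:  IPs that DNS names but Nmap did not see up (firewalled, moved, or rescan)
    scan_only: live IPs with open ports that no DNS name points at (shadow hosts)"""
    names = defaultdict(set)                       # ip -> every name that resolves to it
    for name, rtype, value in dns_records:
        if rtype == "A":
            names[value].add(name)
    for ip, info in nmap_hosts.items():
        names[ip].update(info["hostnames"])        # PTR names from the scan
    live = sorted(nmap_hosts, key=ipaddress.ip_address)
    surface = [(name, ip, f"{port}/{proto}", service)
               for ip in live
               for name in sorted(names[ip])
               for port, proto, service, _ in nmap_hosts[ip]["ports"]]
    dns_only = sorted((ip for ip in names if ip not in nmap_hosts), key=ipaddress.ip_address)
    scan_only = [ip for ip in live if not names[ip] and nmap_hosts[ip]["ports"]]
    return {"surface": surface, "dns_only": dns_only, "scan_only": scan_only}


if __name__ == "__main__":
    hosts = parse_nmap_xml(NMAP_XML)
    for node, edges in sorted(build_map(DNS_RECORDS, hosts).items()):
        for relation, target in sorted(edges):
            print(f"{node} --{relation}--> {target}")
    for key, value in findings(DNS_RECORDS, hosts).items():
        print(f"{key}: {value}")
```

Two of the three lists are the interesting ones. `dns_only` (here the name server at 192.0.2.10) is a host the organization advertises but the scan could not reach: either it is behind a filter, the record is stale, or the scan needs to be repeated with different timing. `scan_only` (here 192.0.2.200 with RDP open) is a live host with no DNS name at all, which is exactly the kind of forgotten system that becomes a pivot later. Feeding both lists back into Maltego as entities, rather than only the hosts that line up neatly, is what makes the resulting map honest.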
The Social Engineering Toolkit (SET) is designed to help the penetration tester work against the human element of the target's security environment. Through a wide variety of attack vectors, SET enables the attacker to exploit weaknesses in security awareness and training rather than weaknesses in hardware or software.
Social engineering takes a different attack path at first glance, but information gained through social engineering attacks can quickly be turned into a serious advantage for the penetration testing team. SET is started by opening a terminal and entering `setoolkit`. Experience working with Java applets will be helpful when planning attacks with SET. Personally, I find it most useful in the information gathering stage, although it can be more invasive and louder depending on the level of security awareness in the target environment.