Cyber Defense and Penetration Testing: Week 3 - Reconnaissance

Reconnaissance
Format: HTML. Licence: Creative Commons Attribution-Noncommercial-No Derivative Works 4.0
    Summary: As mentioned in the previous lecture, penetration testing follows a fixed methodology. In this course we use the methodology defined in The Basics of Hacking and Penetration Testing by P. Engebretson [1], the Zero-Entry Hacking Methodology. Others exist, but they all follow a similar structure. The first phase of this methodology is Reconnaissance, also described as Information Gathering: identifying as much information as possible about the target system or network. Reconnaissance is a non-intrusive, systematic method used by hackers, ethical and non-ethical alike, to accumulate data about a specific target network passively (without the target's knowledge), usually with the goal of finding ways to intrude into the environment. It involves footprinting the target organisation, i.e. building a blueprint of its security profile.

    This is without doubt the most important phase of a penetration test. It is often said that an attacker spends 90% of the time profiling an organisation and the remaining 10% launching the attack. Why is it necessary? The tester must systematically and methodically ensure that every piece of information related to the target is identified, and must harvest that information in order to execute a focused attack. The information sought includes: domain names, network services and applications, system architecture, intrusion detection systems, specific IP addresses, phone numbers, contact addresses and authentication mechanisms. Gathering information means collecting as much knowledge about the target's network as possible before any scanning takes place; the thoroughness of the information gathering process bears directly on the success of an attack.

The initial information is compiled from open sources, either by running utilities or by manually researching public material about the target (e.g. its website, trade papers, Usenet, financial databases, or even disgruntled employees). Information gathering can be passive or active. Passive information gathering finds details that are freely available on the Internet, and uses other techniques that do not directly touch the organisation's servers. Browsing the target's own website and other informative sites is treated as passive even though it contacts the target: such activity is indistinguishable from that of ordinary visitors and raises no suspicion. Calling the help desk and attempting to social engineer privileged information out of them is an example of active information gathering. The next phase of the methodology, Scanning, is also a form of active reconnaissance and is covered in the next chapter. Here the focus is on passive techniques.
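The following script is an added illustration of the footprinting step described above; it is not code from the lecture or from Engebretson's book. It takes text harvested from public sources (a job advert, a mailing-list post and a captured HTTP response header, all constructed here) and pulls out the kinds of indicator the summary lists: hostnames, e-mail addresses, IP addresses, phone numbers and server technologies. It also does three things a practitioner cares about that the paragraph only implies: it keeps only hostnames and e-mail addresses under the authorised target domain (scope control), it separates leaked internal addresses from Internet-facing ones, and it records which source each item came from. The domain example.com and the 203.0.113.0/24 range are reserved for documentation, so nothing here points at a real organisation.

```python
"""Passive footprinting helper: extract reconnaissance indicators from text
gathered from public sources and fold them into a target profile.
Added example, not course code. All input is constructed (example.com and
203.0.113.0/24 are documentation-only), so the script runs fully offline."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed "public" material: a job advert, a mailing-list post and a
# captured HTTP response header. None of it describes a real organisation.
SAMPLE_SOURCES = {
    "job-advert": """We are hiring a Windows administrator to manage Exchange on
        mail.example.com and the VPN gateway vpn.example.com.
        Apply to jane.doe@example.com or call +44 141 331 3000.""",
    "mailing-list": """From: John Smith <john.smith@example.com>
        ns1.example.com resolves to 203.0.113.10; the intranet host
        10.1.2.3 is not reachable from outside. cc: bob@partner-example.org""",
    "http-headers": """HTTP/1.1 200 OK
        Server: Apache/2.4.41 (Ubuntu)
        X-Powered-By: PHP/7.4.3
        Host: www.example.com""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}")
HEADER_RE = re.compile(r"^\s*(Server|X-Powered-By):\s*(.+?)\s*$", re.M | re.I)
# RFC 1918 space plus loopback. A leaked internal address tells us about the
# inside of the network but is never an entry point from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Account naming conventions, tested in order; "flast" is the fallback (jdoe).
USERNAME_PATTERNS = {
    "first.last": re.compile(r"^[a-z]+\.[a-z]+$"),
    "flast": re.compile(r"^[a-z]{3,}$"),
}
ROLE_MAILBOXES = {"info", "admin", "sales", "support", "postmaster", "webmaster"}


def hostname_regex(domain):
    """Match only sub-domains of the authorised target domain (scope control)."""
    return re.compile(r"\b((?:[a-z0-9-]+\.)+" + re.escape(domain.lower()) + r")\b",
                      re.IGNORECASE)


def classify_ip(text):
    """'external', 'internal', or None when the dotted quad is not a valid
    IPv4 address (the regex also catches strings such as 999.1.1.1)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def infer_username_format(emails):
    """Guess the account naming convention from in-scope e-mail local parts."""
    counts = Counter()
    for email in emails:
        local = email.split("@")[0].lower()
        if local in ROLE_MAILBOXES:          # info@, admin@ say nothing about people
            continue
        for name, pattern in USERNAME_PATTERNS.items():
            if pattern.match(local):
                counts[name] += 1
                break
    return counts.most_common(1)[0][0] if counts else "unknown"


def build_footprint(sources, target_domain):
    """Fold every source into one profile, recording where each item was seen."""
    host_re = hostname_regex(target_domain)
    fp = {"domain": target_domain, "hosts": set(), "emails": set(),
          "out_of_scope_emails": set(), "external_ips": set(), "internal_ips": set(),
          "phones": set(), "technologies": {}, "provenance": defaultdict(set)}

    def note(kind, value, source):
        fp[kind].add(value)
        fp["provenance"][value].add(source)

    for source, text in sources.items():
        for host in host_re.findall(text):
            note("hosts", host.lower(), source)
        for email in EMAIL_RE.findall(text):
            in_scope = email.lower().endswith("@" + target_domain.lower())
            note("emails" if in_scope else "out_of_scope_emails", email.lower(), source)
        for ip in IPV4_RE.findall(text):
            kind = classify_ip(ip)
            if kind:                          # skip invalid quads like version strings
                note(kind + "_ips", ip, source)
        for phone in PHONE_RE.findall(text):
            note("phones", phone, source)
        for header, value in HEADER_RE.findall(text):
            fp["technologies"][header.title()] = value
            fp["provenance"][value].add(source)
    fp["username_format"] = infer_username_format(fp["emails"])
    return fp


if __name__ == "__main__":
    profile = build_footprint(SAMPLE_SOURCES, "example.com")
    for key in ("hosts", "emails", "external_ips", "internal_ips", "technologies",
                "username_format"):
        print(f"{key}: {profile[key]}")
```

Two design points are worth noting. The scope filter is deliberate: during an engagement, an address such as bob@partner-example.org belongs to a third party and must not be profiled further without authorisation, so it is recorded separately rather than dropped silently. The provenance map matters because reconnaissance findings feed the report; being able to say that mail.example.com was learned from a public job advert, and nothing else, is what keeps this phase demonstrably passive.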
    Divisions: Academic > School of Computing, Engineering and Built Environment > Department of Computing > Computing
    Copyright holder: Copyright © Glasgow Caledonian University
    Viewing permissions: World
    Date Deposited: 13 Jul 2018 08:33
    Last Modified: 13 Feb 2020 12:04
    URI: https://edshare.gcu.ac.uk/id/eprint/3848
