
Information Gathering

Contents
• What is information gathering
• Passive information gathering
• Active information gathering

1. What is information gathering
• Information gathering is the first step in conducting a penetration test and is arguably the most important.
• Information gathering is the process of collecting information from many different sources about a particular company, organization, server, IP address or person.
Information Gathering
• Types of information gathering
  • Passive information gathering
  • Active information gathering

2. Passive Information Gathering
• Passive information gathering focuses on collecting information archived on systems not located in our client's network.
• We try to gather as much information as possible about our target network and systems without connecting to them directly.

Information Searches
• Locate the target's Web presence
• Gather search engine results regarding the target
• Look for Web groups containing employee and/or company comments
• Examine the personal Web sites of employees
• Search archival sites for additional information
• Look for job postings submitted by the target
• Query the domain registrar
• Domain Name System (DNS) information

Results
• The penetration tester will have a wealth of information regarding the target without ever visiting the target's network.
• All passive information is gathered from third-party sources that have collected information about our target, or that have legal requirements to retain this data.
Tools
• Netcraft (http://www.netcraft.com)
• Whois lookups (root@kali:~# whois bulbsecurity.com)
• DNS Reconnaissance: the Domain Name System (DNS) translates domain names into IP addresses and vice versa.
• Records in DNS:
  • A: Address
  • CNAME: Canonical Name
  • MX: Mail Exchange

CNAME defines an alias, so one host (one IP address) can be reached under several names; a single IP address can have many CNAMEs pointing at it.
server.movie.edu. IN CNAME terminator.movie.edu.
A maps a domain name to an IP address.
Example: terminator.movie.edu. IN A 192.168.11.100
MX is used to route mail on the Internet.
t3h.com IN MX 0 mail.t3h.com.
DNS Reconnaissance
# nslookup -type=ns example.com 8.8.8.8

DNS Reconnaissance
#!/bin/sh
# Query the name servers (NS records) of every domain listed one per
# line in DomainNames.txt, using Google's public resolver 8.8.8.8.
while read -r HOSTNAME; do
    # skip blank lines in the input file
    [ -z "$HOSTNAME" ] && continue
    echo "Getting name servers for [$HOSTNAME]"
    nslookup -type=ns "$HOSTNAME" 8.8.8.8
done < DomainNames.txt
DNS Reconnaissance
• Domain Information Groper (dig)
# dig example.com
Dig
• # dig +qr www.example.com any
Dig
Shortening the output
# dig +nocmd +noall +answer example.com
example.com. 44481 IN A 192.168.1.10
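The record types above (A, CNAME, MX) and the `dig +noall +answer` output share one textual form: owner name, optional TTL, class IN, type, record data. The following is an added example, not part of the original slides, that parses that form into structured records, validates A-record addresses, and follows a CNAME chain to the address it finally points at; the sample records are the slide's own examples plus the dig answer line, and the `movie.edu`, `t3h.com` and `example.com` names are illustrative.

```python
"""Parse zone-style and dig-style DNS records (A, CNAME, MX).

Added example, not code from the original slides. The sample records
are copied from the slide text; the hostnames and addresses in them
are illustrative only.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three zone lines from the slides plus one
# `dig +nocmd +noall +answer` line, which carries a TTL before the class.
SAMPLE_RECORDS = """\
server.movie.edu. IN CNAME terminator.movie.edu.
terminator.movie.edu. IN A 192.168.11.100
t3h.com IN MX 0 mail.t3h.com.
example.com. 44481 IN A 192.168.1.10
"""


@dataclass
class Record:
    name: str
    ttl: Optional[int]
    rtype: str
    value: str
    priority: Optional[int] = None  # MX preference only


def parse_record(line: str) -> Record:
    """Parse one 'NAME [TTL] IN TYPE RDATA...' line.

    Only the three types discussed on the slides are accepted; anything
    else raises, so a typo in a zone is not silently accepted.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    name = fields[0]
    idx = 1
    ttl = None
    if fields[idx].isdigit():          # dig output puts the TTL here
        ttl = int(fields[idx])
        idx += 1
    if fields[idx] != "IN":
        raise ValueError(f"expected class IN in {line!r}")
    rtype = fields[idx + 1].upper()
    rdata = fields[idx + 2:]
    if rtype == "A":
        # Reject anything that is not a valid IPv4 literal.
        return Record(name, ttl, rtype, str(ipaddress.IPv4Address(rdata[0])))
    if rtype == "CNAME":
        return Record(name, ttl, rtype, rdata[0])
    if rtype == "MX":
        # MX RDATA is "<preference> <mail-host>"; lower preference wins.
        return Record(name, ttl, rtype, rdata[1], priority=int(rdata[0]))
    raise ValueError(f"unsupported record type {rtype} in {line!r}")


def parse_records(text: str) -> list:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def resolve_alias(records: list, name: str) -> Optional[str]:
    """Follow CNAMEs from `name` until an A record is found.

    The chain length is capped so a pair of CNAMEs pointing at each
    other cannot loop forever.
    """
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    for _ in range(8):
        recs = by_name.get(name, [])
        for r in recs:
            if r.rtype == "A":
                return r.value
        cnames = [r for r in recs if r.rtype == "CNAME"]
        if not cnames:
            return None
        name = cnames[0].value
    return None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(r)
    print("server.movie.edu. ->", resolve_alias(recs, "server.movie.edu."))
```

Feeding the output of `dig +nocmd +noall +answer` into `parse_records` gives the same structured view of a live zone that the slide shows for a single A record.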


Tool
Maltego: Paterva's Maltego is a data-mining tool designed to visualize open source intelligence gathering.
# maltego
Tools
• Searching for email addresses
Tool
• http://earth.google.com
• https://www.shodan.io/
Extracting metadata from photos
# exiftool t/images/FotoStation.jpg
# exiftool t/images/FlashPix.ppt

Reported fields:
• Title
• Subject
• Author
• Comments
• Software
• Company
• Manager
• Hyperlinks
• Current User
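The fields listed above are exactly what an organisation leaks when it publishes documents without stripping metadata. As an added example (not code from the original slides), the script below parses exiftool's `Tag : value` text output and reports which identifying fields are populated, so documents can be checked before release; the sample output is constructed and the values in it are made up.

```python
"""Flag identifying metadata in exiftool-style output before publishing.

Added example, not code from the original slides. exiftool prints one
"Tag Name : value" line per field; the lines below are a constructed
sample with made-up values.
"""
import re

SAMPLE_EXIFTOOL_OUTPUT = """\
ExifTool Version Number         : 12.40
File Name                       : FlashPix.ppt
Title                           : Q3 Network Refresh
Subject                         : internal
Author                          : j.doe
Comments                        : draft, do not distribute
Software                        : Microsoft Office PowerPoint
Company                         : Example Corp
Manager                         : a.smith
Hyperlinks                      : \\\\fileserver01\\shares\\projects
Current User                    : jdoe
"""

# Fields from the slide list that reveal people, software or internal
# infrastructure (Title and Subject are content, not identity, so they
# are reported separately).
IDENTIFYING_TAGS = {
    "Author", "Comments", "Software", "Company",
    "Manager", "Hyperlinks", "Current User",
}

# "Tag" (lazy, no colon) + spaces + ":" + one space + value
LINE_RE = re.compile(r"^(?P<tag>[^:]+?)\s*:\s(?P<value>.*)$")


def parse_exiftool(text: str) -> dict:
    """Turn exiftool text output into a {tag: value} dict."""
    meta = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            meta[m.group("tag")] = m.group("value").strip()
    return meta


def leaking_fields(meta: dict) -> dict:
    """Identifying tags that are present and non-empty."""
    return {t: v for t, v in meta.items() if t in IDENTIFYING_TAGS and v}


def has_internal_link(meta: dict) -> bool:
    """True when Hyperlinks holds a UNC path (\\\\server\\share), which
    exposes an internal hostname."""
    return meta.get("Hyperlinks", "").startswith("\\\\")


if __name__ == "__main__":
    meta = parse_exiftool(SAMPLE_EXIFTOOL_OUTPUT)
    for tag, value in leaking_fields(meta).items():
        print(f"{tag:13}: {value}")
    print("internal link:", has_internal_link(meta))
```

Run against `exiftool <file>` output, a non-empty result from `leaking_fields` means the document still needs its properties cleared before it leaves the organisation.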
3. Active Information Gathering
• We interact directly with our targets. Active information gathering will find results similar to what we already found using passive measures.
• The advantage of including passive gathering in a penetration test is twofold:
  • Identify historical information
  • Confirm findings with active methods.
Tools
• E-mail accounts
• DNS interrogation
• Network scanning
DNS Interrogation
Listing the BIND version
# dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer
Network Scanning
• Network scanning refers to the set of procedures for identifying hosts, ports and services in a network.

Network Scanning
• Objectives of network scanning
  • To discover live hosts, their IP addresses and their open ports
  • To discover operating systems and system architecture
  • To discover services running on hosts

OSI Layers
TCP Protocol
nmap
nmap -{type(s)} -{opt(s)} {target}
Nmap - types
Nmap - options
Nmap - options
nmap:
SYN Scan (-sS): A SYN scan is a TCP scan that does not finish the TCP handshake.
• Nmap sends the SYN and waits for the SYN-ACK if the port is open, but never sends the ACK to complete the connection.
• If the SYN packet receives no SYN-ACK response, the port is not available; either it's closed or the connection is being filtered.
nmap - TCP Syn Scan (-sS)
Nmap - TCP Connect Scan (-sT):
 Make full connections
Nmap – UDP Scan (-sU)
• Nmap sends a UDP packet to a port. Depending on the port, the packet sent is protocol specific.
• If it receives a response, the port is considered open.
• If the port is closed, Nmap will receive an ICMP Port Unreachable message.
• If Nmap receives no response whatsoever, then either the port is open and the program listening does not respond to Nmap's query, or the traffic is being filtered.
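Seen from the network being scanned, the SYN scan and UDP scan behaviour described above leave distinctive traces: TCP flows that get a SYN-ACK but never an ACK, and bursts of ICMP Port Unreachable messages back to one source. The following is an added example, not code from the original slides, that classifies each TCP flow from a constructed packet-summary log (complete, half-open, refused or unanswered) and flags sources whose pattern matches a SYN or UDP sweep. The log format, the thresholds and all addresses are assumptions made for the example.

```python
"""Classify probe traffic the way the slides describe it, from the
defender's side: completed handshakes, half-open SYN probes, refused
ports, unanswered SYNs, and UDP probes that drew ICMP Port Unreachable.

Added example, not code from the original slides. The log format and
every address below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Columns: time src dst proto port flags
# TCP flags are letters (S, SA, A, R, RA); UDP has no flags ("-"); an
# ICMP line with flags "PU" is a Port Unreachable quoting the probed port.
SAMPLE_LOG = """\
# half-open probes from 10.0.0.5: SYN, SYN-ACK, then RST instead of ACK
0.001 10.0.0.5 192.168.20.10 TCP 22 S
0.002 192.168.20.10 10.0.0.5 TCP 22 SA
0.003 10.0.0.5 192.168.20.10 TCP 22 R
0.004 10.0.0.5 192.168.20.10 TCP 80 S
0.005 192.168.20.10 10.0.0.5 TCP 80 SA
0.006 10.0.0.5 192.168.20.10 TCP 80 R
0.007 10.0.0.5 192.168.20.10 TCP 443 S
0.008 192.168.20.10 10.0.0.5 TCP 443 SA
0.009 10.0.0.5 192.168.20.10 TCP 443 R
# closed port answers RST-ACK; filtered port answers nothing
0.010 10.0.0.5 192.168.20.10 TCP 3306 S
0.011 192.168.20.10 10.0.0.5 TCP 3306 RA
0.012 10.0.0.5 192.168.20.12 TCP 8080 S
# a legitimate client completes the handshake
0.020 10.0.0.9 192.168.20.10 TCP 22 S
0.021 192.168.20.10 10.0.0.9 TCP 22 SA
0.022 10.0.0.9 192.168.20.10 TCP 22 A
# UDP probes to closed ports draw ICMP Port Unreachable
0.030 10.0.0.5 192.168.20.11 UDP 53 -
0.031 192.168.20.11 10.0.0.5 ICMP 53 PU
0.032 10.0.0.5 192.168.20.11 UDP 161 -
0.033 192.168.20.11 10.0.0.5 ICMP 161 PU
0.034 10.0.0.5 192.168.20.11 UDP 123 -
0.035 192.168.20.11 10.0.0.5 ICMP 123 PU
"""


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    proto: str
    port: int
    flags: str


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port, flags = line.split()
        events.append(Event(float(ts), src, dst, proto, int(port), flags))
    return events


def classify_tcp_flows(events: list) -> dict:
    """Map (client, server, port) -> complete | half-open | refused | unanswered.

    The client is whoever sent the SYN; server replies are re-keyed onto
    the client's flow so both directions land in one record.
    """
    seen = defaultdict(set)
    for e in events:
        if e.proto != "TCP":
            continue
        if e.flags == "S":                    # client opens
            seen[(e.src, e.dst, e.port)].add("S")
        elif e.flags == "SA":                 # server answers: port open
            seen[(e.dst, e.src, e.port)].add("SA")
        elif e.flags == "RA":                 # server refuses: port closed
            seen[(e.dst, e.src, e.port)].add("RA")
        elif e.flags == "A":                  # client completes handshake
            seen[(e.src, e.dst, e.port)].add("A")
        # A bare R from the client (what a SYN scan sends after SYN-ACK)
        # changes nothing: the flow is already half-open.
    result = {}
    for key, flags in seen.items():
        if "S" not in flags:
            continue                           # reply with no SYN; ignore
        if "SA" in flags and "A" in flags:
            result[key] = "complete"
        elif "SA" in flags:
            result[key] = "half-open"
        elif "RA" in flags:
            result[key] = "refused"
        else:
            result[key] = "unanswered"        # filtered or dropped
    return result


def syn_scan_suspects(events: list, threshold: int = 3) -> dict:
    """Sources with at least `threshold` half-open flows to distinct ports."""
    per_src = defaultdict(set)
    for (client, server, port), state in classify_tcp_flows(events).items():
        if state == "half-open":
            per_src[client].add((server, port))
    return {c: len(p) for c, p in per_src.items() if len(p) >= threshold}


def udp_scan_suspects(events: list, threshold: int = 3) -> dict:
    """(prober, responder) pairs with at least `threshold` ICMP Port
    Unreachables for distinct ports, the footprint of a UDP sweep."""
    per_pair = defaultdict(set)
    for e in events:
        if e.proto == "ICMP" and e.flags == "PU":
            per_pair[(e.dst, e.src)].add(e.port)
    return {k: len(v) for k, v in per_pair.items() if len(v) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, state in sorted(classify_tcp_flows(evs).items()):
        print(key, state)
    print("SYN scan suspects:", syn_scan_suspects(evs))
    print("UDP scan suspects:", udp_scan_suspects(evs))
```

The threshold is deliberately a parameter: a single half-open flow is normal (clients crash, networks drop packets), while many half-open flows to distinct ports from one source within a short window is the signature worth alerting on.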
nmap
Check for live systems
ICMP Scanning
• # nmap -sn 192.168.153.0/24
• # nmap -sn 192.168.153.2
• Options:
  -sn: Ping scan
Ping Sweep Tools
Check for open ports
• Netcat
• Nmap
Nmap
# nmap -sS 192.168.20.10-12
# nmap -sS 192.168.20.10-12 -oA booknmap
Nmap
nmap
# nmap -sS -sV 192.168.20.11
-sV: Probe open ports to determine service/version info
Nmap - UDP scan
• nmap -sU 192.168.20.10-12
• nmap -sS -p 3232 192.168.20.10
Website Information gathering