Finding attackable targets
Once you’ve completed the steps above, you need to schedule some time to closely review all the reconnaissance and information you’ve gathered. In most cases, even light reconnaissance should produce a mountain of data. Once the reconnaissance step is completed, you should have a solid understanding of your target including the organization, structure and even technologies deployed inside the company.
While conducting the review process, it’s a good idea to create a single list that can be used as a central repository for recording IP addresses. You should also keep separate lists that are dedicated to e-mail addresses, hostnames and URLs.
Unfortunately, most of the data you collected won’t be directly attackable. During the process of reviewing your findings, be sure to transform any relevant, non-IP-based information, into an IP address. Using Google and the host command you should be able to extract additional IPs that relate to your target. Add these to the IP list.
After we’ve thoroughly reviewed the collected reconnaissance and transformed the data into attackable targets, we should have a list of IPs that either belong to, serve or are related to the target. As always, it’s important to remember your authorized scope because not all the IPs we collect will be within that range. As a result, the final step in reconnaissance is to review the IP list you just created and either contact the company to determine if you can increase the scope of the pen test or remove the IP address from your list.
At this point, you’ll be left with a list of IP addresses that you’re authorized to attack. Don’t discard or underestimate all the nonattackable information you’ve gathered.