Introduction to pentesting: Reconnaissance

Introduction

In most cases, people who attend hacking workshops or classes have a basic understanding of a few security tools. Typically, these students have used a port scanner to examine a system or maybe they’ve used Wireshark to examine network traffic. Some have even played around with exploit tools like Metasploit. Unfortunately, most beginners don’t understand how these tools fit into the grand scheme of a penetration test. As a result, their knowledge is incomplete. Following a methodology ensures that you have a plan and know what to do next.

To stress the importance of using and following a methodology, it’s often beneficial to describe a scenario that helps to demonstrate both the importance of this step and the value of following a complete methodology when conducting a penetration test.

Assume you’re an ethical penetration tester working for a security company. Your boss walks over and hands you a piece of paper. “I just got off the phone with the CEO of that company. He wants my best employee to pen test his company - that’s you. Our Legal Department will be sending you an email confirming we have all of the proper authorizations and insurance.” You nod, accepting the job. He leaves. You flip over the paper; a single word is written on it: “Learning”. It’s a company which you’ve never heard of before, and no other information is written on the paper. What now?

The first step in every job is research. The more thoroughly you prepare for a task, the more likely you are to succeed.

Reconnaissance, also known as information gathering, is arguably the most important of the four phases we’ll discuss. The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. Ironically, reconnaissance is also one of the most overlooked, underutilized and misunderstood steps in PT methodologies today.

This phase may be overlooked because newcomers are never formally introduced to the concept, its rewards or how the results of good information gathering can be vital in the later steps. It may also be overlooked because it’s the least “technical” phase. Oftentimes, people who are new to hacking tend to view this phase as boring and unchallenging. Nothing could be further from the truth.

Although there are indeed very few good, automated tools that can be used to complete reconnaissance, once you understand the basics it’s like an entirely new way of looking at the world. A good information gatherer is made up of equal parts: hacker, social engineer and private investigator. Aside from the lack of tools, the absence of well-defined rules of engagement also distinguishes this phase from all others. This is in stark contrast to the remaining steps in our methodology. For example, when we discuss scanning in the later topics, there’s a specific order and a clear series of steps that need to be followed to port scan a target.

Learning how to conduct reconnaissance is a valuable skill for anyone nowadays. For penetration testers and hackers, it’s invaluable. The penetration testing world is filled with great examples and stories of how good recon single-handedly allowed the tester to fully compromise a network or system.

Consider the following example: assume we have two different criminals who are planning to rob a bank. The first criminal buys a gun and runs into the first bank he finds yelling “HANDS UP! GIVE ME ALL YOUR MONEY”. It’s not hard to imagine that the scene would be complete chaos and even if the bungling burglar managed to get away, it probably would not take long for the police to find him, arrest him, and send him to prison. Contrast this to nearly every Hollywood movie in existence today where criminals spend months planning, scheming, organizing, and reviewing details before the heist. They spend time getting weapons anonymously, planning escape routes, and reviewing schematics of the building. They visit the bank to determine the position of the security cameras, make note of the guards, and determine when the bank has the most money or is the most vulnerable. Clearly, the second criminal has the better chance of getting away with the money.

It should be obvious that the difference between these two examples is preparation and homework. Hacking and penetration testing is the same—you cannot just get an IP address and start running Metasploit (well you can, but you are probably not going to be very effective).

Recall the example used to begin this chapter. You had been assigned to complete a penetration test but were given very little information to go on. As a matter of fact, you were given only the company name, one word. The million-dollar question for every aspiring hacker is, “How do I go from a single company name to owning the systems inside the network?” When we begin, we know virtually nothing about the organization; we do not know their website, physical address, or number of employees. We do not know their public IP addresses or internal IP schemes; we know nothing about the technology deployed, operating systems used, or defenses.

Step 1 begins by conducting a thorough search of public information. The great thing about this phase is that in most cases, we can gather a significant amount of data without ever sending a single packet to the target. Although it should be pointed out that some tools or techniques used in reconnaissance do in fact send information directly to the target, it is important to know the difference between which tools do and which tools do not touch the target. There are two main goals in this phase: first, we need to gather as much information as possible about the target; second, we need to sort through all the information gathered and create a list of attackable IP addresses.

In Chapter 1, it was pointed out that a major difference between black hat and white hat attackers is authorization. Step 1 provides us with a prime example of this. Both types of hackers conduct exhaustive reconnaissance on their targets. Unfortunately, malicious hackers are bound by neither scope nor authorization.

When ethical hackers conduct research, they are required to stay within the confines of the test. During the information gathering process, it is not unheard-of for a hacker to uncover a vulnerable system that is related to the target but not owned by the target. Even if the related target could provide access into the original organization, without prior authorization, a white hat hacker is not allowed to use or explore this option. For example, let us assume that you are doing a penetration test against a company and you determine that their web server (which contains customer records) is outsourced or managed by a third party. If you find a serious vulnerability on the customer’s website, but you have not been explicitly authorized to test and use the website, you must ignore it. The black hat attackers are bound by no such rules and will use any means possible to access the target systems. In most cases, because you were not authorized to test and examine these outside systems, you will not be able to provide a lot of detail; however, your final report must include as much information as possible about any systems that you believe put the organization at risk.

To be successful at reconnaissance, you must have a strategy. Nearly all facets of information gathering leverage the power of the Internet. A typical strategy needs to include both active and passive reconnaissance.

Active reconnaissance includes interacting directly with the target. It is important to note that during this process, the target may record our IP address and log our activity.

Passive reconnaissance makes use of the vast amount of information available on the web. When we are conducting passive reconnaissance, we are not interacting directly with the target and as such, the target has no way of knowing, recording, or logging our activity.

As mentioned, the goal of reconnaissance is to collect as much information as possible on your target. At this point in the penetration test, no detail should be overlooked regardless of how innocuous it may seem. While you are gathering information, it is important to keep your data in a central location. Whenever possible, it is helpful to keep the information in electronic format. This allows for quick and accurate searches later on. Every hacker is a bit different and there are still several hackers who prefer to print out all the information they gather. Each piece of paper is carefully cataloged and stored in a folder. If you are going to use the traditional paper method, be sure to carefully organize your records. Paper-based information gathering binders on a single target can quickly grow to several hundred pages.
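One way to keep findings in a central, searchable electronic store while enforcing the scope rule and the active/passive distinction described above. This is an added example, not part of the original text; the scope range, addresses, sources, table layout and function names are all constructed assumptions.

```python
import ipaddress
import sqlite3

# Constructed scope for illustration (RFC 5737 documentation range, not a real target).
AUTHORIZED_SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

def in_scope(ip, scope=AUTHORIZED_SCOPE):
    """True only if the address falls inside a network the client authorized."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)

def open_store(path=":memory:"):
    """Central findings store; pass a file path to keep it between sessions."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS findings (
        ip TEXT NOT NULL, detail TEXT NOT NULL, source TEXT NOT NULL,
        method TEXT NOT NULL CHECK (method IN ('passive', 'active')),
        in_scope INTEGER NOT NULL)""")
    return db

def record(db, ip, detail, source, method):
    """Store a finding, tagging how it was obtained and whether it is in scope."""
    db.execute("INSERT INTO findings VALUES (?, ?, ?, ?, ?)",
               (ip, detail, source, method, int(in_scope(ip))))
    db.commit()

def target_list(db):
    """Addresses that may be carried into the later phases."""
    rows = db.execute("SELECT DISTINCT ip FROM findings WHERE in_scope = 1 ORDER BY ip")
    return [r[0] for r in rows]

def report_only(db):
    """Related systems outside the authorization: documented, never tested."""
    return db.execute("SELECT ip, detail, source FROM findings "
                      "WHERE in_scope = 0 ORDER BY ip").fetchall()

def search(db, term):
    """Quick keyword search across everything gathered so far."""
    return db.execute("SELECT ip, detail, method FROM findings "
                      "WHERE detail LIKE ?", (f"%{term}%",)).fetchall()

def build_sample():
    """Constructed findings, not real reconnaissance output."""
    db = open_store()
    record(db, "192.0.2.10", "public web server", "search engine", "passive")
    record(db, "192.0.2.25", "mail server", "public WHOIS record", "passive")
    record(db, "198.51.100.7", "customer portal hosted by third party", "search engine", "passive")
    return db
```

The third-party address lands in `report_only()` rather than `target_list()`, so it reaches the final report without ever being carried into testing.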

In most cases, the first activity is to locate the target’s website. In our example, we would use a search engine to look for “Learning”.