Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide: Learn to perform professional penetration testing for highly-secured environments with this intensive hands-on guide with this book and ebook.

Penetration testing is most effective when you have a good grasp on the environment being tested. Sometimes this information will be presented to you by the corporation that hired you, other times you will need to go out and perform your reconnaissance to learn even the most trivial of items. In either case, make sure to have the scope clarified in the rules of engagement prior to conducting any work, including reconnaissance.

Many corporations are not aware of the types of data that can be found and used by attackers in the wild. A penetration tester will need to bring this information to light. You will be providing the business with real data that they can then act upon in accordance to their risk appetite. The information that you will be able to find will vary from target to target, but will typically include items such as IP ranges, domain names, e-mail addresses, public financial data, organizational information, technologies used, job titles, phone numbers...

Domain Name System (DNS) can provide valuable data during the reconnaissance phase. If you do not already understand DNS, you may want to take some time to get a good grasp on the service and how it works. At a very basic level, DNS is used to translate domain names into IP addresses. Luckily for us, there are many tools available that are excellent at extracting the data that we need from nameservers. An example of the information you are able to gather includes:

There are other record types that can be collected from DNS tools as well; the records listed in the table are the most popular and often, the most useful.

When a person or corporate entity registers a domain name there is a lot of information that is gathered. Depending on the registration privacy settings, you can collect this information and use it to verify your IP space, find information about other sites owned by the same individual or corporation, or even phone numbers and addresses of key employees. This type of reconnaissance is considered passive as it does not directly contact client-owned assets to pull information.

We will need to locate the registrar that the domain has been registered with to obtain useful information. Here is a listing of the top registrars.

Search engines can produce an absolute overload of information if not used efficiently. Not only can you find information about the financials of your targets, but also information about key employees, usernames and passwords, confidential documents such as network diagrams, information indicating what types of software or hardware you use or have in place, and even if systems are in a default state. This information can be devastating in the wrong hands. As a penetration tester your focus should be to bring this type of information forth and show the clients how it can be used to gain access to the clients' most critical assets (and hopefully, you will tell them how to fix the problem as well!).

In this chapter, we have reviewed many specialized methods of gathering freely available information. Using this information we are able to create a larger picture of the networks we are targeting.

After performing the initial reconnaissance we should be able to determine if the network space provided to us by our clients is accurate. We should also be able to successfully determine which documents are searchable on the Internet and we are able to read the metadata associated with said documents. At this point of a penetration test we should be getting an idea of just how difficult or easy this job will be. One such indicator will be the results you gather from search engines such as Shodan. One last note, be very diligent in collecting the data you have found. Documentation is critical and will make your life as a penetration tester much easier in the long run.

In the next chapter, we will start to put the information we have gathered to use. You will have a chance to directly enumerate...