Before jumping into the various tools to map out and probe the network, security, and systems in place, it is a good practice to review the current documentation that you may receive as a part of the stakeholder meeting. Along with that, you will want to interview various teams within the organization to get some background information on what the topology is like, prior to you having to discover it yourself. It definitely makes the job of the penetration tester easier if you have some sort of layout already defined, as opposed to spending days probing and mapping to just get to that point.

Here is a list of teams I tend to talk with. The teams you choose will ultimately depend on the organization and what is in scope for the penetration test:

• Network Team: Interview the network team to get a better understanding of the current network topology...

Now that we have discussed why the information gathering phase is so important, let's jump into some of the tools to gain various types of information. The first thing you may notice very quickly is that there are a lot of tools and methods to gain increased intelligence from the environment. The second thing is that there is a lot of overlap of these tools and their respective function and outputs. This is a good thing, as with experience, every penetration tester will come to learn the tools they like to use the most, the ones they find the most beneficial, and the ones they want to avoid.

The following tools are the ones that I have used in my lab environment and in the real world to discover more information about what exactly is on the network I am running the penetration test on.

When a domain gets registered, there is some specific contact information that must be entered. You can elect to have this information publicly shown or pay a fee to have it hidden so that others can't see this personal information. This includes items such as name, physical address, email address, and telephone number. Besides the contact information, there is other relevant information there such as domain registration dates and assigned nameservers. Information can be useful.

Using whois against the company's domain allows us to see some of the pertinent information such as who maintains the DNS records and their contact information. Using the registration dates lets you know when the domain may expire, and you could use this information to potentially register it yourself when it expires, if the company forgets. This has...

dnsmap is a fantastic tool to find subdomains within the domain you are looking for. It's a great way to see whether other sites are publicly available (internally and/or externally) that may or may not be known. This allows you to potentially find and exploit a subdomain that may not be controlled or administered correctly. You can provide your own word list to look up against the subdomains, or you can use the built-in one. Some organizations offload some subdomains to third parties, so you need to be cautious how you use this information. The scope of work may only cover the company you are hired for; and therefore, you may not be looked upon so kindly by the other organization if you are trying to actively exploit it. This should be worked out in the stakeholders meeting, but sometimes things do slip through the floor. The following is a screenshot...

Being able to see which version of BIND a DNS server is running will give you some potentially great information. A lot of DNS servers out there are designed to not give up that information or reveal some generic information about its setup. But there are still a lot of BIND instances running out there that may reveal the exact version of BIND they are running. Using the version you glean from the following command, you can cross-reference that version against any known exploits, and if there are some, you now have a potential way in.

In the following example, I was able to grab the BIND server information from a publicly available DNS server. I have changed the name to protect the innocent:

root@pi-kali:~# host -c chaos -t txt version.bind DNS1.XXXX.NET
Using domain server:
Name: DNS1.XXXX.NET
Address: XXX.XXX.XXX.XXX#53
Aliases:
version.bind descriptive...

Nmap is arguably one of the greatest penetration-testing tools out there. It is a network mapping utility that generates network packets for anything you are looking to put on the wire. That is what makes it such a great tool. You can generate a packet of your choice and then see how both the network and systems respond to it. But with this power comes some complexity. Nmap does have a little bit of a learning curve. I will go through some examples that I use in my lab for testing. Check out the main page of Nmap as there are tons of options available to you.

Let's look at some examples:

  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80

Here, we can also refer to the main page at https://nmap.org/book/man.html for more options and examples.

Now, let's try some real-world examples:

1. We typically...

DNS recursion isn't typically an issue, but if you allow outside hosts to use your internal DNS servers for recursion, you are setting yourself up for potential attacks. DNS amplification attacks can be leveraged using these types of setup, where hackers will use these DNS servers to send spoofed requests to them, and they will respond back to the original host and, if there are a large number of these, a DDOS situation.

To check for DNS recursion, we can use Nmap with the NSE engine. The command is straightforward, as we will do a UDP scan on port 53 and turn on the recursive script with the command nmap -sU -p53 -script=dns-recursion HOST.

In this example, the DNS server is correctly set up as they do not allow DNS recursion:

root@pi-kali:~# nmap -sU -p53 --script=dns-recursion NS.XXX.NET
Starting Nmap 7.40 ( https://nmap.org ) at 2017...

P0f is a great little utility to help identify or passively fingerprint another system based on network connections that are being observed by p0f. Each operating system handles things a little differently and has slight differences in the network stack. Because of this, p0f can usually determine the host machine's operating system. This is useful as you can note the operating system for all the hosts for future exploit testing.

P0f is pretty straightforward to use. It can be run against live traffic coming from or to the host you are on, or you can also feed in a network capture to determine operating systems. Here is the output of the command-line arguments to help determine your method of use:

If you wish to run tests against hosts on the network, you can run p0f by specifying the correct interface and any filters in place to limit what...

Firewalk is an active reconnaissance network scanner that will help determine what Layer 4 protocols our router or firewall will pass or deny. This is a great tool for finding a way through an environment by leveraging a bad or missing ACL within one of your network devices. Firewalk leverages ICMP error messages and TTL expirations to let us know whether a port is open or not, very similar to traceroute. If a port is opened or allowed, the packet destined for that port will typically be silently dropped by the security device. But, if the port is closed, the TTL of the packet will expire at the next hop and issue an ICMP_TIME_EXCEEDED error message.

Firewalk is a two-phase command. The first phase is called the hop ramping phase. Its sole job is to find the correct hop count to the target gateway so that is has the right TTL (hop count +...

Network-based firewalls are not the only type of firewall you may discover along the way. Web Application Firewalls, or WAFs, are very commonly used to protect web-based applications. If you are unfamiliar with an environment, detecting a WAF can help lay out the web application infrastructure. To help us figure out this bit of information, we are going to utilize a tool called WAFW00F. WAFW00F can help you determine whether there is that extra layer of security prior to the web servers.

WAFW00F can detect the presence of a lot of different WAF types. By running the wafw00f command with the -l flag, you can see list of currently defined WAFs. Here is the current list from my lab. If one of these is not detected, don't fret; the wafw00f command will still inform you that a generic WAF has been detected:

Profense
NetContinuum
Incapsula WAF...

DotDotPwn is a slick multi-protocol fuzzer to discover traversal directory vulnerabilities within web servers. Fuzzing is the testing technique of looking for poor coding or security loopholes in software applications such as web servers or even operating systems. Because of this, DotDotPwn makes a good reconnaissance tool for finding various issues within the web server stack that you can later exploit.

Getting the most information about the environment now makes the exploitation phase much easier. We will note everything we can find and then exploit it at the appropriate time. Do not rush through the reconnaissance phase, as it will just lessen the overall quality of the penetration test. The more we can find now, the more we can exploit later.

First thing to know about dotdotpwn is that it supports many different protocols or modules. We will...

Netdiscover is a great tool for finding potential IP addresses on the network for further examination. It accomplishes this by sending out ARP messages for the given network you specify. By running this tool, you can discover any live hosts on any type of network, wired or wireless. It also attempts to discover the vendor by the MAC address, which can be very helpful in finding vulnerabilities to exploit.

Next is a screenshot with netdiscover tool running in my lab:

This is a tcpdump command of ARP requests that are being sent out by the netdiscover tool to discover these live IP addresses:

The tcpdump shows how netdiscover does an ARP request for all the hosts in the network range and in this case 192.168.33.0/24. Based on the replies, you can see what is alive currently on the network.

Now that we have just finished using a bunch of information gathering tools to map out, probe, and discover the infrastructure we are working with, let us take that information and enumerate it into a logical and more structured documentation. We can then merge this information with the data we obtained from both the stakeholders meeting and the team interviews to create a solid documentation pack that will almost always guarantee us success in the upcoming phases of the penetration test. This information that we created will be included within the finalized penetration report not only to help present our findings, but also to verify what the organization currently has documented. Many times I have presented documents that were either more detailed than what the organization currently had, were newer than what they had, or just more complete. The more...

In this chapter, we talked about the importance of information gathering and how it can make or break how successful the penetration test will be. Gathering as much information as possible prior to starting the exploitation phases save you time and effort as you will know what to attack and how to attack it, rather than wasting cycles trying to exploit things that will not work.

We went over a couple of tools in my toolbox for gathering some information. Each tool compliments each other and is powerful in what it can discover. These tools included whois, dnsmap, Nmap, p0f, Firewalk, DotDotPwn and Netdiscover. This is by no means an exhaustive list of tools but some of the more popular and effective ones that I use.

When going through these tools, I showed some examples on how I use them, but I also noted all the command-line arguments that are available. This way you can...