In this, the second installment of a six-part penetration testing tutorial for consultants and value-added resellers (VARs), I discuss reconnaissance, footprinting, scanning and
enumerating -- the information gathering processes a tester employs to begin a penetration test.
As a penetration tester, you should use the same processes a hacker uses to examine a network. Penetration (or external assessment) testing usually starts with three pre-test phases: footprinting, scanning and enumerating. These pre-test phases are very important and can make the difference between a successful penetration test that provides a complete picture of the customer's exposure or one that doesn't.
Together, the three pre-test phases are called reconnaissance. This process seeks to gather as much information about the target network as possible, following these seven steps:
- Gather initial information
- Determine the network range
- Identify active machines
- Discover open ports and access points
- Fingerprint the operating system
- Uncover services on ports
- Map the network
Keep in mind the penetration test process is more organic than these steps would indicate. These pre-test phases entail the process of discovery, and although the process is commonly executed in this order, a good tester knows how to improvise and head in a different direction, depending upon the information found.
Footprinting is the active blueprinting of the security profile of an organization. It involves gathering information about your customer's network to create a unique profile of the organization's networks and systems. It's an important way for an attacker to gain information about an organization passively, that is, without the organization's knowledge.
Footprinting employs the first two steps of reconnaissance, gathering the initial target information and determining the network range of the target. Common tools/resources used in the footprinting phase are:
- Sam Spade
We'll explore these and other tools in the next installment of this series.
Footprinting may also require manual research, such as studying the company's Web page for useful information, for example:
- Company contact names, phone numbers and email addresses
- Company locations and branches
- Other companies with which the target company partners or deals
- News, such as mergers or acquisitions
- Links to other company-related sites
- Company privacy policies, which may help identify the types of security mechanisms in place
Other resources that may have information about the target company are:
- The SEC's EDGAR database if the company is publicly traded
- Job boards, either internal to the company or external sites
- Disgruntled employee blogs and Web sites
- Trade press
You can also get more active with footprinting. For example, you can call the organization's help desk, and by employing social engineering techniques, get them to reveal privileged information.
The next four information-gathering steps -- identifying active machines, discovering
Although you're still in info-gathering mode, scanning is more active than footprinting, and here the you'll begin to get a more detailed picture of your target (customer).
Some common tools used in the scanning phase are:
- Visual Route
Again, I'll get into more detail about these tools in part three.
The last step mentioned, mapping the network, is the result of the scanning phase and leads us to the enumeration phase. As the final pre-test phase, the goal of enumeration is to paint a fairly complete picture of the target.
In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares using active connections to systems and directed queries.
The type of information sought by testers during the enumeration phase can be users and groups, network resources and shares, and applications.
The techniques used for enumeration include:
- Obtaining Active Directory information and identifying vulnerable user accounts
- Discovering NetBIOS name enumeration with NBTscan
- Using snmputil for SNMP enumeration
- Employing Windows DNS queries
- Establishing null sessions and connections
Remember that during a penetration test, you'll need to document every step and finding, not only for the final report, but also to alert the organization immediately to serious vulnerabilities that may exist.
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. As an expert for SearchSecurityChannel.com, Russell welcomes your questions on pen testing and information security threats.
This was first published in July 2007