As a penetration tester, you should use the same processes a hacker uses to examine a network. Penetration (or...
external assessment) testing usually starts with three pre-test phases: footprinting, scanning and enumeration. These pre-test phases, referred to collectively as penetration testing reconnaissance, are very important and can make the difference between a successful penetration test that provides a complete picture of the customer's exposure or one that doesn't.
Together, the three reconnaissance pentest activities seek to gather as much information about the target network as possible, following these seven steps:
- Gather initial information
- Determine the network range
- Identify active machines
- Discover open ports and access points
- Fingerprint the operating system
- Uncover services on ports
- Map the network
Keep in mind the penetration testing reconnaissance process is more organic than these steps would indicate. These pre-test phases entail the process of discovery, and although the process is commonly executed in this order, a good tester knows how to improvise and head in a different direction, depending upon the information found.
Phase 1: Footprinting
Footprinting is the active blueprinting of the security profile of an organization. It involves gathering information about your customer's network to create a unique profile of the organization's networks and systems. It's an important way for an attacker to gain information about an organization passively, that is, without the organization's knowledge.
Footprinting employs the first two steps of reconnaissance, gathering the initial target information and determining the network range of the target. Common tools/resources used in the footprinting phase are:
We'll explore these and other tools in the next installment of this series.
Footprinting may also require manual research, such as studying the company's web page for useful information, for example:
- Company contact names, phone numbers and email addresses
- Company locations and branches
- Other companies with which the target company partners or deals
- News, such as mergers or acquisitions
- Links to other company-related sites
- Company privacy policies, which may help identify the types of security mechanisms in place
Other resources that may have information about the target company are:
- The SEC's EDGAR database if the company is publicly traded
- Job boards, either internal to the company or external sites
- Disgruntled employee blogs and Web sites
- Trade press
You can also get more active with footprinting. For example, you can call the organization's help desk, and by employing social engineering techniques, get them to reveal privileged information.
Phase 2: Scanning
The next four information-gathering steps -- identifying active machines, discovering ports and access points, fingerprinting the operating system, and uncovering services on ports -- are considered part of the scanning phase of penetration testing reconnaissance. Your goal here is to discover open ports and applications by performing external or internal network scanning, pinging machines, determining network ranges and port scanning individual systems.
Although you're still in info-gathering mode, scanning is more active than footprinting, and here the you'll begin to get a more detailed picture of your target (customer).
Some common tools used in the scanning phase are:
Phase 3: Enumeration
The last step mentioned, mapping the network, is the result of the scanning phase and leads us to the enumeration phase of penetration testing reconnaissance. As the final pre-test phase, the goal of enumeration is to paint a fairly complete picture of the target.
In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares using active connections to systems and directed queries.
The type of information sought by testers during the enumeration phase can be users and groups, network resources and shares, and applications.
The techniques used for enumeration include:
- Obtaining Active Directory information and identifying vulnerable user accounts
- Discovering NetBIOS name enumeration with NBTscan
- Using snmputil for SNMP enumeration
- Employing Windows DNS queries
- Establishing null sessions and connections
Remember that during a penetration test, you'll need to document every step and finding, not only for the final report, but also to alert the organization immediately to serious vulnerabilities that may exist.