Information Gathering

A critical step when attempting to test the security of a target company/system/network is to gain a thorough understanding of what it is you plan to attack. While this may be handed to you in a neat little bundle if you're doing a white box test, there are a lot of situations where you may find yourself starting with little more than a web site or company name.

Note: If you are new to these concepts, then I recommend you TRY ALL of the concepts covered in this article. To be on the safe side, please try them in a lab in which you have permission to run them.

With the amount of information available online, a lot of information can be gathered about a target without even probing the target network (though that's definitely the next step). This includes searching publicly registered DNS names, searching forum postings, and even just googling for specific vulnerabilities. After we talk about some of the manual ways to do this, we'll look at tools that make this discovery even easier.

Okay, for step one, we have to identify the target. While your goal may be to get on the corporate network of Foo.inc, it's key to understand where all the entry points into the network are. To identify potential targets, enumerating the organization's publicly exposed resources is a good place to start. One way of doing this is to perform DNS lookups of some of the commonly exposed DNS names. For example, launch a terminal window and run:
nslookup www.bankofamerica.com
nslookup ftp.bankofamerica.com
nslookup mail.bankofamerica.com
nslookup webmail.bankofamerica.com

[Figure: nslookup examples]

The results of this test can provide not only hosts/IPs that can be tested later on, but may also identify the block of public IP addresses assigned to an organization. If you see a gap in IP addresses (i.e. 199.15.XX.50, 199.15.XX.53) when discovering hosts, try performing an nslookup on the addresses between those IPs (i.e. nslookup 199.15.XX.51, etc.). Keep note of all of the results from this step (even the addresses that may or may not be assigned to the company), since we'll be using them later on when we do our scan.
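The lookups above and the "fill in the gap" step can be scripted so that an organization can check, in one pass, which of its common hostnames resolve and which neighbouring addresses in the same block carry a reverse (PTR) name. The script below is an added example written for this article, not code from the original post or from any tool it mentions. It assumes a set of common hostname labels (the article's four plus a few others), a hypothetical domain example.com, and constructed forward and reverse lookup tables so that it runs offline; the default resolver functions use the standard socket module and are only reached when you pass a real domain.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hostname labels commonly exposed by organizations. The first four are the
# ones the article queries with nslookup; the rest are assumed additions.
COMMON_LABELS = ["www", "ftp", "mail", "webmail", "smtp", "vpn", "ns1", "ns2", "remote"]

# Constructed sample data (example.com is a reserved documentation domain);
# these stand in for what a real resolver would return.
FAKE_FORWARD = {
    "www.example.com": "192.0.2.50",
    "ftp.example.com": "192.0.2.53",
    "mail.example.com": "192.0.2.60",
    "webmail.example.com": "198.51.100.10",
}
FAKE_REVERSE = {
    "192.0.2.52": "vpn.example.com",
}


def default_forward(hostname: str) -> Optional[str]:
    """Forward-resolve with the system resolver; None if the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except (socket.gaierror, OSError):
        return None


def default_reverse(ip: str) -> Optional[str]:
    """Reverse-resolve (PTR) with the system resolver; None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enumerate_hosts(domain: str, labels: List[str] = COMMON_LABELS,
                    resolve: Callable[[str], Optional[str]] = default_forward) -> Dict[str, str]:
    """Return {fqdn: ip} for every common label that resolves under `domain`."""
    found: Dict[str, str] = {}
    for label in labels:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip:
            found[fqdn] = ip
    return found


def gap_candidates(ips: List[str], max_gap: int = 16) -> List[str]:
    """Addresses lying between two discovered IPs in the same /24.

    This is the article's "gap" step (199.15.XX.50 and .53 found -> try .51, .52).
    Gaps wider than `max_gap` are skipped so a lone host does not drag in a whole block.
    """
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    candidates: List[str] = []
    for lo, hi in zip(addrs, addrs[1:]):
        same_block = ipaddress.ip_network(f"{lo}/24", strict=False)
        distance = int(hi) - int(lo)
        if hi in same_block and 1 < distance <= max_gap + 1:
            candidates.extend(str(ipaddress.ip_address(n)) for n in range(int(lo) + 1, int(hi)))
    return candidates


def reverse_lookups(ips: List[str],
                    reverse: Callable[[str], Optional[str]] = default_reverse) -> Dict[str, str]:
    """Return {ip: ptr_name} for every candidate address that has a PTR record."""
    return {ip: name for ip in ips if (name := reverse(ip))}


def exposure_report(domain: str, resolve=default_forward, reverse=default_reverse) -> dict:
    """Run the full procedure: common names, gap addresses, then PTR names in the gaps."""
    found = enumerate_hosts(domain, resolve=resolve)
    gaps = gap_candidates(list(found.values()))
    return {"hosts": found, "gap_candidates": gaps, "gap_ptr": reverse_lookups(gaps, reverse)}


if __name__ == "__main__":
    # Offline demonstration against the constructed tables above.
    report = exposure_report("example.com",
                             resolve=lambda h: FAKE_FORWARD.get(h),
                             reverse=lambda ip: FAKE_REVERSE.get(ip))
    for section, value in report.items():
        print(section, value)
```

Calling exposure_report("yourdomain.example") with the default resolvers runs the same procedure against live DNS for a domain you administer, which is a quick way to see which hostnames and neighbouring addresses are visible to anyone doing this reconnaissance against you. The gap list is kept separate from the PTR results so that addresses with no reverse name can still be carried forward to the scanning step, exactly as the article advises.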

Searching forums for postings by employees can sometimes yield useful information. For example, an internal administrator may discuss an issue they've had with a firewall, or a question about configuring a mail server.

Thanks to the power of Google and other search engines, you can even perform searches for potential vulnerabilities, or to gather more information. Searches can be done for specific vulnerabilities, to identify server versions in use, and more. One of the best resources for this is the Google Hacking Database (GHDB), which is currently found here: http://www.hackersforcharity.org/ghdb/.

One of the better apps for finding potential site vulnerabilities (or other holes) using indexed data is Foundstone's SiteDigger (http://www.foundstone.com/us/resources/proddesc/sitedigger.htm). It has search strings from both the GHDB and its own definitions.

[Figure: SiteDigger examples]

Okay, now we are starting to build a map of what we want to dig into a little deeper in the next step. But with all of the information out there these days, it would be nice if there was a quick way to pull a lot of it together from all of these different sources. There are a few tools out there that do just that. One application that does a great job at mining this data from various sources, and putting it in a format that can be expanded and dug into deeper, is Maltego. There is a free "community" edition that, even with its restrictions, still provides a lot of very useful information. By launching the tool, adding the site you want to find information on, and then having it run its predefined transforms, you can get additional servers for the same domain, information on the site admins, related email addresses and phone numbers, and other data that has been associated with the detected data.

[Figure: example Maltego map]