Penetration Testing with Kali Linux OffSec
PEN-200

scoping before turning our focus to the main objective, Information Gathering. We will learn more about the other stages during the rest of the course.
The scope of a penetration test engagement defines which IP ranges, hosts, and applications 
should be test subjects during the engagement, as compared to out-of-scope items that should 
not be tested. 
Once we have agreed with the client on the engagement’s scope and time frame, we can proceed 
to the second step, information gathering. During this step, we aim to collect as much data about 
the target as possible. 


Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 
112 
To begin information gathering, we typically perform reconnaissance to retrieve details about the 
target organization’s infrastructure, assets, and personnel. This can be done either passively or 
actively. While the former technique aims to retrieve the target’s information with almost no direct 
interaction, the latter probes the infrastructure directly. Active information gathering reveals a 
bigger footprint, so it is often preferred to avoid exposure by gathering information passively. 
It’s important to note that information gathering (also known as enumeration) does not end after 
our initial reconnaissance. We’ll need to continue collecting data as the penetration test 
progresses, building our knowledge of the target’s attack surface as we discover new information 
by gaining a foothold or moving laterally. 
In this Module, we’ll first learn about passive reconnaissance, then explore how to actively interact 
with a target for enumeration purposes. 
6.2 Passive Information Gathering
This Learning Unit covers the following Learning Objectives:
- Understand the two different Passive Information Gathering approaches
- Learn about Open Source Intelligence (OSINT)
- Understand Web Server and DNS passive information gathering
Passive Information Gathering, also known as Open-source Intelligence (OSINT),[209] is the process of collecting openly-available information about a target, generally without any direct interaction with that target.
Before we begin, we need to examine the two different schools of thought about what constitutes “passive” in this context.
In the strictest interpretation, we never communicate with the target directly. For example, we
could rely on third parties for information, but we wouldn’t access any of the target’s systems or 
servers. Using this approach maintains a high level of secrecy about our actions and intentions, 
but can also be cumbersome and may limit our results. 
In a looser interpretation, we might interact with the target, but only as a normal internet user 
would. For example, if the target’s website allows us to register for an account, we could do that. 
However, we would not test the website for vulnerabilities during this phase. 
Both approaches can be useful, depending on the objectives of the test we are conducting. For 
this reason, we need to consider the scope and rules of engagement for our penetration test 
before deciding which to use. 
In this Module, we will adopt this latter, less rigid interpretation for our approach. 
There are a variety of resources and tools we can use to gather information, and the process is cyclical rather than linear. In other words, the “next step” of any stage of the process depends on what we find during the previous steps, creating “cycles” of processes. Since each tool or resource can generate any number of varied results, it can be hard to define a standardized process. The ultimate goal of passive information gathering is to obtain information that clarifies or expands an attack surface,[210] helps us conduct a successful phishing campaign, or supplements other penetration testing steps such as password guessing, which can ultimately lead to account compromise.
[209] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Open-source_intelligence
Instead of demonstrating linked scenarios, we will simply cover various resources and tools, 
explain how they work, and arm you with the basic techniques required to build a passive 
information gathering campaign. 
Before we begin discussing resources and tools, let’s share a personal example of a penetration 
test that involved successful elements of a passive information gathering campaign. 
A Note From the Authors
Several years ago, the team at OffSec was tasked with performing a penetration test for a small 
company. This company had virtually no internet presence and very few externally-exposed 
services, all of which proved to be secure. There was practically no attack surface to be found. 
After a focused passive information gathering campaign that leveraged various Google search 
operators, connected bits of information “piped” into other online tools, and a bit of creative and 
logical thinking, we found a forum post made by one of the target’s employees in a stamp-
collecting forum: 
Hi! 
I'm looking for rare stamps from the 1950's - for sale or trade. 
Please contact me at david@company-address.com 
Cell: 999-999-9999 
Listing 34 - A forum post as a lure 
We used this information to launch a semi-sophisticated client-side attack. We quickly registered 
a stamps-related domain name and designed a landing page that displayed various rare stamps 
from the 1950’s, which we found using Google Images. The domain name and design of the site 
definitely increased the perceived reliability of our stamp trading website. 
Next, we embedded some nasty client-side attack exploit code in the site’s web pages, and called 
“David” during the workday. During the call, we posed as a stamp collector that had inherited their 
Grandfather’s huge stamp collection. 
David was overjoyed to receive our call and visited the malicious website to review the “stamp 
collection” without hesitation. While browsing the site, the exploit code executed on his local 
machine and sent us a reverse shell. 
This is a good example of how some innocuous passively-gathered information, such as an 
employee engaging in personal business with his corporate email, can lead to a foothold during a 
penetration test. Sometimes the smallest details can be the most important. 
While “David” wasn’t following best practices, it was the company’s policy and lack of a security awareness program that set the stage for this breach. Because of this, we avoid casting blame on an individual in a written report. Our goal as penetration testers is to improve the security of our client’s resources, not to target a single employee. Simply removing “David” wouldn’t have solved the problem.
[210] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Attack_surface
Let’s review some of the most popular tools and techniques that can help us conduct a successful information gathering campaign. We will use MegaCorp One,[211] a fictional company created by OffSec, as the subject of our campaign.
6.2.1 Whois Enumeration
Whois[212] is a TCP service, tool, and type of database that can provide information about a domain name, such as the name server[213] and registrar.[214] This information is often public, since registrars charge a fee for private registration.
We can gather basic information about a domain name by executing a standard forward search and passing the domain name, megacorpone.com, into whois, providing the IP address of our Ubuntu WHOIS server as an argument of the host (-h) parameter.
kali@kali:~$ 
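As an added illustration (not code from the course or from OffSec), the same forward lookup done by hand over the WHOIS protocol, followed by a small parser for the registrar and name server fields the text mentions. The server address is a placeholder for the lab's Ubuntu WHOIS server, and the sample reply is constructed.

```python
import re
import socket

DOMAIN = "megacorpone.com"          # domain used in the course text
WHOIS_SERVER = "192.0.2.10"         # placeholder: the lab's Ubuntu WHOIS server IP
WHOIS_PORT = 43                     # WHOIS is a plain-text TCP service on port 43


def whois_query(domain, server=WHOIS_SERVER, port=WHOIS_PORT, timeout=10.0):
    """Raw WHOIS exchange: connect to TCP/43, send the domain plus CRLF, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Extract registrar and name servers from a key: value WHOIS reply (NS lines repeat)."""
    info = {"registrar": None, "name_servers": []}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if not m:                   # skip banners, blank lines and ">>>" notices
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "registrar" and info["registrar"] is None:
            info["registrar"] = value
        elif key == "name server":
            ns = value.lower()      # case-fold and de-duplicate repeated NS entries
            if ns not in info["name_servers"]:
                info["name_servers"].append(ns)
    return info


# Constructed sample reply in the usual key: value layout; not real registry data.
SAMPLE_REPLY = """Domain Name: MEGACORPONE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.MEGACORPONE.COM
Name Server: NS2.MEGACORPONE.COM
Name Server: ns2.megacorpone.com
Registrant Name: REDACTED FOR PRIVACY
"""

if __name__ == "__main__":
    print(parse_whois(SAMPLE_REPLY))   # swap in whois_query(DOMAIN) for a live lookup
```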