Information Gathering in Penetration Testing

Questions and Answers

What is the main goal of the information-gathering phase in penetration testing?

To attack the systems immediately

To learn as much as possible about clients (correct)

To install security patches

To test the firewall configuration

Open source intelligence (OSINT) is gathered from legal sources only.

True

What tool can be used to perform WHOIS lookups?

whois

What does DNS stand for?

Domain Name System

The command 'nslookup' is used for querying ____.

DNS

Which command can be used to perform a zone transfer?

host

What email service was identified for bulbsecurity.com?

Google Mail

Google hacking is limited to the Google search engine.

False

TheHarvester is a tool used to search for ____.

email addresses

Which of the following is an example of sensitive information that could be found through Google hacking?

All of the above

Study Notes

Information Gathering in Penetration Testing

• The information-gathering phase aims to collect extensive details about clients before any attacks begin.
• Areas of focus include online behavior of employees, system configurations, software versions, and system exposure.
• Understanding the target system helps transition to threat modeling and vulnerability verification.

Open Source Intelligence Gathering (OSINT)

• OSINT involves collecting publicly available information to aid penetration testing efforts.
• Sources include social media, public records, and online job postings, which can reveal infrastructure details.
• Distinguishing between useful and irrelevant information can be challenging; for instance, personal interests may connect to security credentials.

Key Tools and Techniques

• Netcraft: Provides publicly available data about web servers' uptime and software configurations.

  • Example: Analysis of bulbsecurity.com revealed it runs on Linux and Apache.

• Whois Lookups: Useful for retrieving domain registration information including registrant and technical contact details.

  • Private registrations can obscure personal data but still indicate the registrar and associated servers.

• DNS Reconnaissance: Involves tools like Nslookup to translate domain names into IP addresses and gather mail server information.

  • Example of Nslookup for bulbsecurity.com shows DNS resolution to its IP address and mail servers.

• Zone Transfers: Allow replication of all DNS records between name servers.

  • Many servers are insecurely configured, leading to potential data exposure. Example: A zone transfer on zoneedit.com revealed multiple DNS entries aiding in vulnerability assessments.

Finding Email Addresses

• Identifying corporate email addresses can reveal possible access points for attacks.
• theHarvester: A tool that automates email address collection from various search engines.
  • The tool returns potential emails and hosts related to the specified domain.

Google Hacking

• Involves using search engines to find sensitive data indexed on web pages, not limited to Google.
• Techniques can expose personal data, application vulnerabilities, and confidential company information.
• Notable incidents include major data leaks from organizations due to sensitive information being indexed publicly.

Preventing Search Engine Hacking

• Implement measures such as web application firewalls to prevent search engines from indexing sensitive information.
• Regularly monitor search engine results for accidental data exposure using tools like GooScan.
• Utilize pattern recognition to detect and block attempts to access sensitive non-public information.

Description

Learn about the information-gathering phase of penetration testing, including obtaining information from online sources and identifying system vulnerabilities.