Penetration Testing: Information Gathering

Questions and Answers

What is the goal of the information-gathering phase in penetration testing?

  • To learn about the clients (correct)
  • To complete the penetration test
  • To gather open source intelligence (correct)
  • To actively attack client systems

What is OSINT?

Open Source Intelligence

What tool can be used to query for domain information?

Whois

The IP address of bulbsecurity.com is ______.

50.63.212.1

DNS zone transfers are typically secure.

False

What kind of information might be searched for using Google Hacking?

Sensitive information, such as passwords and error codes

Which of the following methods are used to gather information for penetration testing? (Select all that apply)

DNS reconnaissance, WHOIS lookups, Social engineering

What does the tool theHarvester do?

It searches the Internet (search engines and other public sources) for email addresses and hostnames associated with a domain.

What are the probable mail servers for bulbsecurity.com according to nslookup?

ASPMX.L.GOOGLE.COM and the related Google MX records (the domain's mail is hosted by Google)

Study Notes

Information Gathering in Penetration Testing

  • The information-gathering phase collects as much as possible about the client before any attack begins: it is where the tester learns what the target looks like from the outside.
  • Areas of focus include employees' online behavior, system configurations, software versions, and which systems are exposed to the Internet.
  • What is learned here feeds the threat-modeling phase and the later vulnerability analysis and exploitation phases.

Open Source Intelligence Gathering (OSINT)

  • OSINT is the collection of publicly available information; it informs the penetration test without sending a single packet to the target's systems.
  • Sources include social media, public records, and online job postings, which can reveal infrastructure details (a posting for an administrator with experience in particular products tells you what runs inside).
  • Distinguishing useful from irrelevant information is the hard part; for instance, an employee's pet names, hobbies, or favorite teams found on social media often turn up in passwords and security-question answers.

Key Tools and Techniques

  • Netcraft: Its site report provides publicly available data about a web server, such as hosting history, operating system, and web-server software.

    • Example: A Netcraft report on bulbsecurity.com showed it running on Linux and Apache.
  • Whois Lookups: Retrieve domain registration information, including the registrant and technical contacts, from the registrar's database.

    • Private registrations hide the personal data, but the record still reveals the registrar and the domain's name servers.
  • DNS Reconnaissance: Tools like Nslookup (or host and dig) resolve domain names to IP addresses and return other record types, such as MX records for the domain's mail servers.

    • Example: Nslookup on bulbsecurity.com returns its IP address, and an MX query shows that its mail is handled by Google (ASPMX.L.GOOGLE.COM and related servers).
  • Zone Transfers: A zone transfer (AXFR) replicates every record in a zone from a primary name server to its secondaries.

    • Zone transfers should be allowed only to the zone's own secondary servers; when a server answers AXFR requests from anyone, one query returns every hostname and IP address in the zone, which is a ready-made target list. Example: A zone transfer of zoneedit.com returned a large number of DNS entries that could feed vulnerability assessment.
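
The DNS reconnaissance and zone-transfer steps above, as an added example written for this page (it is not code from the page or from the book it summarises). It uses dig rather than nslookup because dig's output is easier to parse; the parsing functions read dig output from stdin, so they work both on live queries and on the constructed transcripts embedded below. The domain example.com, the servers ns1/ns2.example.com, and the 192.0.2.x addresses are reserved documentation values, not real hosts.

```shell
#!/bin/sh
# Added example: DNS recon plus a zone-transfer (AXFR) check, built on dig.
# example.com / ns1 / ns2 / 192.0.2.x are documentation values (constructed).

# Name servers from "dig +short NS <domain>": strip trailing dot, de-duplicate.
parse_ns() {
    sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# "priority host" pairs from "dig +short MX <domain>", preferred server first.
parse_mx() {
    sed -e 's/\.$//' -e '/^$/d' | sort -n -k1,1
}

# Classify a "dig axfr <domain> @<ns>" transcript on stdin: exit 0 when the
# server handed over the zone (an SOA record plus dig's "XFR size" summary),
# exit 1 when it refused ("; Transfer failed.") or returned nothing usable.
axfr_succeeded() {
    out=$(cat)
    case "$out" in
        *"Transfer failed"*) return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'XFR size:' &&
       printf '%s\n' "$out" | grep -q '[[:space:]]SOA[[:space:]]'; then
        return 0
    fi
    return 1
}

# Records in a successful transcript. dig prints the SOA twice (it opens and
# closes the transfer), so one copy is subtracted.
axfr_record_count() {
    n=$(grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]' || true)
    if [ "$n" -gt 0 ]; then n=$((n - 1)); fi
    echo "$n"
}

# Constructed transcripts standing in for real dig output.
SAMPLE_NS='ns2.example.com.
ns1.example.com.'

SAMPLE_MX='10 alt1.aspmx.l.google.com.
1 aspmx.l.google.com.
5 alt2.aspmx.l.google.com.'

SAMPLE_AXFR_OPEN='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns2.example.com.
example.com.        3600 IN MX  10 mail.example.com.
mail.example.com.   3600 IN A   192.0.2.25
example.com.        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(ns1.example.com) (TCP)
;; XFR size: 6 records (messages 1, bytes 250)'

SAMPLE_AXFR_REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.'

# Live run (assumes dig and network access): list NS and MX, then ask every
# authoritative server for the whole zone.
recon() {
    domain=$1
    ns_list=$(dig +short NS "$domain" | parse_ns)
    echo "== NS =="; echo "$ns_list"
    echo "== MX =="; dig +short MX "$domain" | parse_mx
    echo "== AXFR =="
    for ns in $ns_list; do
        if dig axfr "$domain" "@$ns" | axfr_succeeded; then
            echo "$ns: zone transfer ALLOWED (misconfiguration)"
        else
            echo "$ns: zone transfer refused"
        fi
    done
}

# With a domain argument: live recon. Without: replay the constructed samples.
if [ -n "${1:-}" ]; then
    recon "$1"
else
    printf '%s\n' "$SAMPLE_NS" | parse_ns
    printf '%s\n' "$SAMPLE_MX" | parse_mx
    if printf '%s\n' "$SAMPLE_AXFR_OPEN" | axfr_succeeded; then
        echo "ns1.example.com: ALLOWED, $(printf '%s\n' "$SAMPLE_AXFR_OPEN" | axfr_record_count) records"
    fi
    printf '%s\n' "$SAMPLE_AXFR_REFUSED" | axfr_succeeded || echo "ns2.example.com: refused"
fi
```

Run it with no arguments to see the classifier work on the embedded transcripts, or as `sh recon.sh target.example` against a domain you are authorised to test. Every authoritative server is tried separately because zone-transfer policy is per server: a primary that refuses AXFR is often paired with a secondary that does not.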

Finding Email Addresses

  • Corporate email addresses give a tester phishing targets, usernames for password attacks, and the organization's address format (first.last@, flast@), from which other employees' addresses can be guessed.
  • theHarvester: A tool that automates email address collection from search engines and other public sources.
    • Run against a domain, it returns the email addresses and hostnames it found for that domain.
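
To show what theHarvester is doing once it has fetched search results, here is the extraction step as an added example (not the page's or theHarvester's code): given a domain and page text on stdin, it pulls out addresses and hostnames that belong to that domain, normalises case and de-duplicates. The domain example.com, the people and hosts in the sample page, and the `harvest_from_urls` helper (which assumes curl and network access) are constructed for this example.

```shell
#!/bin/sh
# Added example: the extraction half of an e-mail/host harvester.
# example.com and every name in SAMPLE_PAGE are constructed.

# Turn a domain into a literal ERE fragment (dots escaped).
domain_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# E-mail addresses under the domain, including subdomains
# (user@mail.example.com) but excluding look-alikes such as
# user@example.com.evil.org. Output is lower-cased and unique.
harvest_emails() {
    esc=$(domain_re "$1")
    grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' |
        tr 'A-Z' 'a-z' |
        grep -E "@([a-z0-9-]+\.)*$esc\$" |
        sort -u
}

# Hostnames under the domain (www.example.com, vpn.example.com, ...).
# Caveat: "a.example.com.evil.org" would still yield "a.example.com";
# confirm anything interesting with dig before adding it to the target list.
harvest_hosts() {
    esc=$(domain_re "$1")
    grep -Eoi "[A-Za-z0-9.-]*\.$esc" |
        tr 'A-Z' 'a-z' |
        sed 's/^\.//' |
        sort -u
}

# Live use (assumes curl and network access): fetch each URL listed on
# stdin, e.g. search-result pages or the target's own site, and harvest
# addresses from the combined text. Failed fetches are skipped.
harvest_from_urls() {
    domain=$1
    while read -r url; do
        curl -fsSL --max-time 20 "$url" || true
    done | harvest_emails "$domain"
}

# Constructed page text standing in for a fetched search result.
SAMPLE_PAGE='<p>Contact <a href="mailto:Alice.Smith@Example.com">Alice</a> or
bob@example.com. Our webmaster is webmaster@mail.example.com; not ours:
someone@example.com.evil.org and carol@other.org.</p>
<p>Hosts: www.example.com, vpn.example.com and ftp.example.com.</p>'

echo "== emails for example.com =="
printf '%s\n' "$SAMPLE_PAGE" | harvest_emails example.com
echo "== hosts for example.com =="
printf '%s\n' "$SAMPLE_PAGE" | harvest_hosts example.com
```

The first grep finds anything shaped like an address, the second keeps only those whose domain is the target or one of its subdomains; doing it in two passes is what stops `@example.com.evil.org` from slipping through a naive `grep example.com`. Pipe real page text in (for example, `printf '%s\n' https://www.example.com | harvest_from_urls example.com`) to use it against a live target you are authorised to test.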

Google Hacking

  • Uses search-engine queries with operators such as site:, filetype:, inurl:, and intitle: to find sensitive data that has been indexed; the technique is not limited to Google.
  • Queries can expose personal data, application weaknesses (verbose error messages, exposed configuration and log files, directory listings), and confidential company documents.
  • Several major data leaks have happened simply because sensitive files were left in a web root and picked up by search-engine crawlers.

Preventing Search Engine Hacking

  • Keep sensitive material out of the web root entirely or behind authentication; a web application firewall can block scanner-like requests, but it does not stop a crawler from indexing a file that is publicly reachable.
  • Use robots.txt and noindex headers or meta tags for content that must stay public but should not be indexed, remembering that robots.txt is itself public and lists the paths it is protecting.
  • Regularly search for your own domain the way an attacker would (site:yourdomain.com combined with the common dork operators), or use a tool like GooScan, to catch accidental exposure early.
  • Watch web-server logs for dork-style queries and directory-walking requests against non-public paths, and block the sources.
