Chapter 3 Information Gathering PDF

Summary

This document is an excerpt from a chapter on information gathering in a penetration testing guide. It introduces various approaches and tools for discovering information. It emphasizes distinguishing passive and active information gathering methods. Tools and techniques, such as website reconnaissance and OSINT gathering, are mentioned as aspects of a methodical approach to information gathering.

Full Transcript

EXAM OBJECTIVES »» Knowing the difference between passive and active information gathering »» Understanding open-sou...

EXAM OBJECTIVES »» Knowing the difference between passive and active information gathering »» Understanding open-source intelligence (OSINT) gathering »» Using DNS profiling »» Using Nmap for active scanning »» Being familiar with enumeration techniques Chapter 3 Information Gathering A fter planning and scoping the penetration testing engagement, you are ready to move on to the next phase: information gathering and vulnerabil- ity identification. This chapter focuses on information gathering and the tools you can use to discover information about the organization or company before you start a pentest. In the next chapter, we look at identifying vulnerabilities. Following are some examples of the types of information you are looking to collect about an organization during the information gathering phase: »» Email addresses and phone numbers of employees (to later use in social engineering attacks) »» Public IP addresses used by the organization »» The target systems that are up and running »» The open ports on those target systems »» The software used on the target systems »» Whether the software is running in the cloud or whether it is self-hosted (running on a local server on the network) CHAPTER 3 Information Gathering 69 Now that you understand the types of information we are looking to collect during the information gathering phase, let’s take a look at the tools we are going to use to capture that information. Looking at Information-Gathering Tools and Techniques It is important to take a methodological approach to information gathering and divide the task up into two parts: passive information gathering and active infor- mation gathering. Passive information gathering should come first. It involves col- lecting public information from the Internet about the company being assessed — without invoking any kind of communication with the target systems. Active information gathering involves polling the target systems to find out about the systems that are up and running, the ports that are open, and the software being used. This involves communicating with the systems and potentially being detected. For the PenTest+ certification exam, remember the difference between active and passive information gathering. Active information gathering involves engaging with the target environment, such as via scans, while passive information gath- ering involves using public Internet resources to discover information about the target without being detected. Passive information gathering/passive reconnaissance Passive information gathering involves using Internet resources to find out pub- licly available information about the company that could help you exploit the company’s systems and bypass security controls while performing the pentest. There are different techniques to passive information gathering: You could surf public Internet sites manually, query DNS, or use open-source intelligence (OSINT) gathering tools to automate the discovery of information. Most of these techniques are not technical in nature, but they do represent the mindset of a hacker, so you want to follow similar strategies when performing your pentest. Website reconnaissance The first technique to use when information gathering is to surf the company website for information about the company that could aid in an attack, such as software the company is using or email addresses and phone numbers of company employees that you could use in a social engineering attack. 70 PART 1 Planning and Information Gathering OPEN-SOURCE INTELLIGENCE (OSINT) GATHERING The term used for discovering information from public data sources available on the Internet is open-source intelligence (OSINT) gathering. Through OSINT gathering, you can collect information about a company from the company’s website, social media sites, DNS information, blogs, and so on. The goal of OSINT gathering is to gather information such as contact names, email addresses, DNS records, and other information that would aid in the penetration test. Look for web pages such as an About Us page and a Job Postings or Careers page that may exist on the site that could offer information such as names, phone numbers, and email addresses of employees or upper management. This is great information to use in a social engineering attack. In addition, a Job Postings or Careers page may list active jobs that could help you understand the technologies the company is using. For example, if the company is looking for an Exchange Server Messaging Administrator, then you know the company is most likely run- ning Exchange Server. For the PenTest+ certification exam, know that you can use tools such as the pop- ular wget in Linux or the BlackWidow utility for Windows to copy the contents of a website to a local folder on your system so that you can leisurely review the contents offline. The PenTest+ certification exam refers to the following methods for website reconnaissance: »» Crawling websites: Crawling a website is the phrase used to describe the process of using an automated tool that fetches each page in a website, analyzes the page, follows any links the page refers to, and then fetches those pages. »» Scraping websites: Scraping a website is the phrase used to describe the process of using a program or bot to extract a copy of content in a website. »» Manual inspection of web links: You can manually inspect a link on a web page by right-clicking the link and choosing Inspect from the context menu. When you do this a window opens that displays the source code used to create the link and the CSS code used. »» robots.txt: The robots.txt file can be placed in the root folder of the site and contains rules on how the site and its pages are to be crawled. For example, you could create a rule in the robots.txt file that disallows a specific crawling application from crawling the site. CHAPTER 3 Information Gathering 71 Social media scraping Going through a company’s social media posts is another way to obtain informa- tion, such as key contact information. Search a company’s website to discover employee names, email addresses, and phone numbers. You may also be able to view an employee’s past employment history and job responsibilities in a posted employee biography. In addition, look for job postings that can help you identify the technology stack a company uses. For example, if a company is looking for an Azure administrator, then you know that company has a cloud presence. Using Google hacking Google hacking is the term used for an information gathering technique in which specific keywords are used to search Google or other search engines, such as Bing, for specific information on the Internet. Here are a few of the Google keywords you should be familiar with that I find quite useful: »» site: : The site keyword is used to search a specific website for a keyword. For example, if you are performing a security test for the Wiley publishing company, you could use site: www.wiley.com password to locate the login pages on the Wiley website. This could be useful if you wanted to test Wiley’s login pages against SQL injection attacks. »» intitle: : You can use the intitle keyword to search the title of a page for specific keywords. For example, if you want to find web pages that contain the word “intranet” in the title, you could use intitle: intranet. »» inurl: : The inurl operator will search the keyword given in the URLs found in the Google database. For example, if you want to locate sites that have the word “intranet” in the URL, you could use inurl: intranet. »» intext: : The intext operator searches a web page for specific text. For example, if you want to search my company site for pages that contain the word “video,” you could use site: dcatt.ca intext: video. »» filetype: : One of my personal favorites is the filetype operator, which you can use to find results containing a specific file type. For example, you could search the Internet for sample penetration reports by filetype: pdf penetration test report. When researching the company on the Internet, look for news events or articles that give an indication of the company’s reputation and security posture. For example, if the company experienced a previous security breach due to missing patches, then it could be likely that the company will fall behind in patching once again. 72 PART 1 Planning and Information Gathering Referencing online cybersecurity sources In addition to browsing Internet resources and using Google hacking to conduct your passive information gathering, research from many official sources is avail- able for OSINT gathering, especially in the realm of cybersecurity information. You should be familiar with the following sources of cybersecurity information for the PenTest+ certification exam: »» CERT: Short for Computer Emergency Response Team, there are many CERT groups available worldwide that share cybersecurity information. Example CERT groups are the US CERT group found at www.us-cert.gov and the Canadian version at www.cyber.gc.ca. »» JPCERT: The PenTest+ certification exam makes special mention to JPCERT, which is the Japan CERT group used to share information on cybersecurity. You can visit the JPCERT site at www.jpcert.or.jp/english. »» NIST: The National Institute of Standards and Technology (NIST) is a standards organization that develops a number of documents related to cybersecurity known as special publication (SP) documents. For example, SP 800-115 is a guide to security testing and assessments, while SP 800-17 is a guide to risk management. There are a number of SP documents well worth reading. The URL to access the SP documents is https://csrc.nist.gov/publica- tions/sp. »» CAPEC: The Common Attack Pattern and Enumeration Classification (CAPEC) is an information resource provided by a company called MITRE that identifies and documents attack patterns. The MITRE site can be found at http:// capec.mitre.org, and it also provides information on mitigation techniques for the attacks. »» Full disclosure: You can subscribe to mailing lists that share information related to vulnerabilities and exploitation techniques known as full disclosure lists. For example, check out https://seclists.org/fulldisclosure. »» CVE: The Common Vulnerabilities and Exposures (CVE) list is responsible for identifying known vulnerabilities by their name, number, and description. You can find a CVE list at http://cve.mitre.org. »» CWE: The Common Weakness Enumeration (CWE) list is a list of common weaknesses found in software and the mitigation techniques to protect against those weaknesses. You can find a CWE list at http://cve.mitre.org. CHAPTER 3 Information Gathering 73 Types of data The types of data you are looking to collect when using information gathering tools varies. The following is a brief list of some of the data types you will look at to collect information: »» Password dumps: You can use tools to obtain password dumps that display usernames and password hashes for each username. The username list can be fed into a dictionary attack tool or you could use a password cracker to crack the password hashes. »» File metadata: You can look at the file metadata on documents downloaded from the company’s website or other sources. Metadata is additional informa- tion about the file such as the program or device used to create the file, the creator of the file, and location information. »» Strategic search engine analysis/enumeration: You can use specific keywords in Google to target your search and find specific data about your target. »» Website archive/caching: You can view older versions of the company’s website to get additional contact information or other information that could help in an attack. For example, you could use www.archive.org and search for a website to view past versions of it. »» Public source-code repositories: A public source-code repository is an archive of application source code that is made available to the public. The repository may contain additional information with the source code such as technical documentation and code snippets that can be used to learn more about the company’s environment. Cryptographic flaws When looking at a company’s resources, be sure to review the communication protocols being used. For example, web applications should use HTTPS instead of HTTP, as HTTPS encrypts the communication. Even when HTTPS is used, you should inspect the Secure Sockets Layer (SSL) cer- tificates for flaws such as expiration dates and certificates that have been revoked and are no longer valid. Passive information-gathering tools In addition to using Google or surfing the company website, you can use a number of passive information-gathering tools, or OSINT tools, to help collect such com- pany information as contact names, email addresses, domain name system (DNS) information, and Internet Protocol (IP) addresses. 74 PART 1 Planning and Information Gathering WHOIS Whois is a widely used database search tool used to discover domain name infor- mation and IP address information about a company. The domain name informa- tion sometimes contains important contact information of senior IT professionals that you can use in a social engineering attack, while the IP information is the public IP addresses purchased by the company. Having this information handy will aid in the next phase of the pentest — discovering active hosts. A number of Whois databases that you can search are available online. For example, you could go to www.godaddy.com/whois to perform a search, or you could go to www.networksolutions.com/whois, which is shown in Figure 3-1. What is cool about the Network Solutions search page is you can search by domain name or IP address. Note that with the Whois lookup, you can collect information such as the organization’s name, the DNS servers hosting the DNS data, and sometimes contact information such as email addresses and phone numbers of company employees. FIGURE 3-1: Using Network Solutions to perform a Whois search. Many people are now using private registration with their domain registration information, which helps protect the personal information by obfuscating the information that is displayed with Whois lookups. You can also use Whois programs to discover domain name information and IP address information. For example, Kali Linux comes with a Whois program you can execute from a terminal with the following command (see Figure 3-2): whois wiley.com CHAPTER 3 Information Gathering 75 FIGURE 3-2: Performing a Whois search in Kali Linux. Another site with detailed Whois information is www.arin.net/whois. When search results come back, choose the handle. You can then see the public IP addresses that are used by that organization. Performing a Whois search also enables you to identify the technical contact and administrator contact information for that company or domain. This is valuable information as it could aid in a social engineering attack. For example, the technical contact may be the IT person for a company. If it is a large organization, you may be able to impersonate the technical contact in an email message or phone call. theHarvester theHarvester is a program in Kali Linux (https://tools.kali.org/informa- tion-gathering/theharvester) that you can use to perform passive information gathering to collect information such as employee names, email addresses, and subdomains, and discover hosts owned by the organization. You can use it to col- lect public information from Google, LinkedIn, Twitter, and Bing. The following command searches LinkedIn users for Wiley: theharvester -d wiley.com -b linkedin To collect information from all sources such as Google, LinkedIn, and Twitter, use the following command: theharvester -d wiley.com -b all -l 100 In this example, shown in Figure 3-3, I limited the results to 100. 76 PART 1 Planning and Information Gathering FIGURE 3-3: Using the-­ Harvester in Kali Linux to collect contact information. SHODAN Shodan is a search engine that collects information about systems connected to the Internet such as servers and Internet of things (IoT) devices. To use Shodan, you need to register with a free account at www.shodan.io and then you can search the company or organization being assessed (see Figure 3-4). When you perform a search in Shodan, you get a list of the target company’s publicly available serv- ers and devices along with the IP address, the services running, and the ports that are open on that system. When you view the details for that system, you can get a list of vulnerabilities for that system. A map view shows the physical location of those servers as well. FIGURE 3-4: Using Shodan to identify systems and devices on the Internet. CHAPTER 3 Information Gathering 77 MALTEGO Maltego (www.paterva.com) is OSINT software that shows a graphical representation of relationships between people, groups, web pages, and domains by analyzing online resources such as Facebook, Twitter, DNS, and Whois information. For example, you could create a graphic and add a website address to the graphic, then use Maltego to search for additional information such as Whois information, phone numbers, location information, and email addresses associated with that website and have them added to the graph. RECON-NG Recon-ng is an OSINT tool built into Kali Linux (https://tools.kali.org/ information-gathering/recon-ng) that allows you to retrieve information such as contact names, email addresses, DNS information, IP address information, and the like. Recon-ng is not as easy to use as theHarvester because it uses the module concept similar to the Metasploit Framework, a modular penetration testing plat- form based on Ruby. Let’s take a look at an example of Recon-ng you can use on Kali Linux. To start Recon-ng and add a workspace, use the following commands (a workspace repre- sents a project you are working on): recon-ng workspaces add wiley Now let’s add the domain names and company names to the Recon-ng database tables so that it uses them when performing all of the information gathering with future commands we use: add domains wiley.com add domains www.wiley.com add domains dummies.com add domains www.dummies.com add companies Wiley~A publishing company add companies Wiley Publishing~A publishing company add companies ForDummies~A Wiley product line To view the domains and company tables that have been populated, use the fol- lowing commands. show companies show domains 78 PART 1 Planning and Information Gathering The Recon-ng tool has modules that you use to collect the different types of infor- mation from online resources. Next, let’s collect the points of contact from Whois databases: use recon/domains-contacts/whois_pocs run Now, let’s discover other domain names and hosts on the Internet related to the company by using a Bing search and a Google search: use recon/domains-hosts/bing_domain_web run use recon/domains-hosts/google_site_web run After running these commands, you can see the contact names and email addresses listed in the terminal, but it would be nice to output the information to a web page that you could use for a report. The following commands will load the reporting module and specify the creator of the report, the customer, and the report file- name to generate: use reporting/html set CREATOR 'Glen E. Clarke' set CUSTOMER 'Wiley Publishing' set FILENAME /root/Desktop/Wiley_recon.html run If you open the HTML file on your desktop by double-clicking it, you will see a report similar to the report shown in Figure 3-5. Keep in mind that if we would have used other modules to collect additional information (such as the IP ranges), that information would have been included in the report as well. Again, this is just a small example; know that there are a number of recon-ng modules that enable you to do things like view social media posts by an IP address. CENSYS Censys is another browser-based search engine that identifies hosts on the Inter- net for a particular organization (see Figure 3-6). In addition to identifying the hosts, Censys will also identify the services and ports that are open on those sys- tems. You can check out Censys at www.censys.io. CHAPTER 3 Information Gathering 79 FIGURE 3-5: A sample recon-ng HTML report. FIGURE 3-6: Using Censys search to identify hosts and ports open. FOCA Fingerprinting Organizations with Collected Archives (FOCA) is a tool used to scan documents to collect metadata that is typically hidden from the user. Some exam- ples of document types that can be scanned by FOCA to extract the metadata are Microsoft Office files, Open Office files, and PDF files. For the PenTest+ certification exam, remember that Whois, theHarvester, Maltego, Recon-ng, and Censys are all tools used for OSINT gathering. 80 PART 1 Planning and Information Gathering DNS LOOKUPS/PROFILING DNS lookups or profiling involves sending queries to DNS servers to retrieve information on the systems that might exist within the company such as a mail server or a web server. Keep in mind that in passive information gathering, you are able to obtain the DNS server information for a company by doing a Whois lookup. The next step is to send queries to those servers to find out what DNS records exist. You can use a number of tools to perform DNS profiling or DNS lookups. The two most common tools are the commands nslookup and dig. »» nslookup: A TCP/IP command in Windows and Linux that allows you to query DNS for different types of DNS records. »» dig: A Linux command that allows you to query DNS servers and obtain different records. nslookup nslookup is a TCP/IP command in Windows and Linux that enables you to query DNS servers for different types of DNS records. You can use nslookup as a com- mand or as an interactive prompt where you type nslookup commands into the prompt. The following is an example of using nslookup as a regular command to retrieve the IP address of a host: nslookup www.wiley.com In Figure 3-7, you can see the address of the DNS server you have sent the query to at the top of the output, and at the bottom of the output you can see the IP addresses of the fully qualified domain name (FQDN) of www.wiley.com. In this example, four IP addresses answer the FQDN. FIGURE 3-7: Using nslookup to resolve an FQDN to an IP address. CHAPTER 3 Information Gathering 81 With nslookup you can also do things like specify you want to see the email serv- ers for a company by setting the type of query to MX (mail exchange) records. To do this, use the following commands: nslookup set type=MX wiley.com In Figure 3-8, you can see the output of the command. It looks like wiley.com has four mail servers. When performing the pentest, you would document the four FQDNs of the mail servers and then resolve those to IP addresses by using nslookup. FIGURE 3-8: Using nslookup to locate mail servers. As one final example, you can try to retrieve all of the DNS records for a particular company by doing a DNS zone transfer. DNS zone transfers should be controlled by the server administrators, so if you are successful, you definitely want to make a note of it and add it to your remediation list in the pentest report. To attempt a zone transfer from Windows using nslookup, use these commands: nslookup server set type=all ls -d Keep in mind you would have retrieved the DNS server information from the Whois lookup you performed during your passive information gathering earlier. Pretending the DNS server is 192.168.1.1 for wiley.com (which it is not), you could use the following commands to do a zone transfer: 82 PART 1 Planning and Information Gathering nslookup server 192.168.1.1 Set type=all ls -d wiley.com dig dig, which is short for Domain Information Gopher, is a command in Linux used to perform DNS profiling. I like the output of dig a bit better than the output of nslookup as in my opinion, it is easier to read. To find out the IP address of www.wiley.com, type the following command on a Kali Linux machine: dig www.wiley.com Notice in Figure 3-9 that the question section is seeking information about the IP address of www.wiley.com, and the answer section is listing the four IP addresses associated with it. FIGURE 3-9: Using dig to query DNS. What I like about dig as a command is that you can ask for the short version of the output by adding +short to the command. For example: dig www.wiley.com +short Notice that the output in Figure 3-10 is much cleaner than the output shown in Figure 3-9, and the IP addresses stand out right away. CHAPTER 3 Information Gathering 83 FIGURE 3-10: Adding +short in dig keeps the output clean. If you want to use dig to retrieve specific records, such as MX records to find out the email servers for a company, you could use the following command: dig wiley.com MX You could also clean up the output by adding +short to that command: dig wiley.com MX +short Figure 3-11 displays the output of using dig to find the MX records. FIGURE 3-11: Retrieving the email server list with dig. If you want to do a zone transfer with dig to attempt to retrieve all of the DNS records that exist, you could use the following dig command: dig wiley.com axfr You may notice that you do get a few records that identify the DNS servers for the company (NS) and also a few host records (A); however, you may also notice that at the bottom of the output it says “Transfer Failed.” This is because the server administrators for that company are blocking full zone transfers as it exposes too 84 PART 1 Planning and Information Gathering much information to the hacker. If you are testing a company and zone transfers are not refused, you want to be sure to document that in your pentest report. For the PenTest+ certification exam, know that dig and nslookup are two tools that can be used to perform DNS profiling to help identify hosts that exist within an organization. Active information gathering/active reconnaissance Now that you have seen some of the tools and types of information you can retrieve by performing passive information gathering, let’s take a look at active informa- tion gathering. With active information gathering, you are engaging with the tar- gets to retrieve information. Some examples of tasks you may perform during active reconnaissance are: »» Wardriving: Using a wireless scanner to discover wireless networks that exist within the company. »» Network traffic: Capturing (also known as sniffing) and analyzing network traffic using a packet analyzer to discover sensitive information traveling on the network. You can also capture API requests and responses to see what type of calls a piece of software is making and the information submitted with the request or received in a response. »» Cloud asset discovery: Collecting information to identify assets the company has across all cloud providers. »» Third-party hosted services: Identifying any services the company is hosting with third-party companies. »» Detection avoidance: Avoiding detection with the target’s intrusion detection systems while performing active reconnaissance. You will learn about some ways to do this with Nmap later in this chapter. Many of the active information gathering techniques involve scanning target sys- tems to find out things such as the operating system that is running and the ser- vices that are running on the system, and I discuss the many tools available for active scanning in the next section of this chapter. CHAPTER 3 Information Gathering 85 Understanding Scanning and Enumeration Some of the tools you have seen so far in this chapter perform some system scan- ning and enumeration by reporting back to you the services and ports that are running. For example, Shodan is a great tool to identify and enumerate hosts that exist on the Internet for a particular company. After you finish the DNS profiling stage, you should now have a list of IP addresses of the systems the company is using for its web servers, DNS servers, and mail servers. You are now ready to move into the scanning and enumeration phase of information gathering. There are two types of scanning: passive scanning and active scanning. Passive scanning means you do not interact with the target hosts, but are capturing traffic on the target network to see what you can pick up as far as information goes. With active scanning you are actually sending packets to the target systems to find out things such as the operating system that is running and the services that are run- ning on the system. You will perform passive scanning first, as it is less intrusive and you are hoping it will run undetected. Once you start active scanning and communicating with the target hosts, you run the risk of being detected by the company’s security controls. Passive scanning Passively scanning the target organization typically involves monitoring or inspecting network traffic to see if you can discover information that can be used in an attack later on. Packet inspection When monitoring network traffic or inspecting packets, look for key information inside the packets. For example, keep your eye out for source and destination IP addresses to understand the hosts that exist on the network, but also look for layer-2 addresses (MAC addresses) in the packets as you may be able to spoof one of those MAC addresses to bypass security controls. For example, if monitoring a wireless network, knowing the MAC address of valid clients is very helpful infor- mation to bypass MAC filtering on the wireless network. You can also look for sensitive information in the payload of the packets, such as usernames and passwords, or other confidential information. Eavesdropping Part of packet inspecting is being able to capture the packets or eavesdrop on the network. Other terms for eavesdropping are sniffing and packet sniffing. With 86 PART 1 Planning and Information Gathering eavesdropping, or packet sniffing, you are capturing the network packets so that you can then analyze the traffic and look for information that could help you exploit the network and its systems. A number of tools can be used for packet sniffing on a wired network such as Wireshark (www.wireshark.org), which enables you to capture all packets and then analyze them. You can also use some of the tools on Kali Linux such as net- discover (Figure 3-12), which monitors network traffic for Address Resolution Protocol (ARP) messages and then uses that information to help you discover the IP addresses of hosts on the network and their associated MAC addresses. FIGURE 3-12: Using netdiscover to identify hosts on the network. Many additional tools are available that you can use for wireless sniffing or radio frequency (RF) communication monitoring. In Chapter 6 you learn about Airod- ump-ng and Kismet, which are tools used to monitor and capture wireless traffic. Active scanning When it comes to active scanning, you can use several tools to help identify and enumerate hosts on the network, identify the operating system of those hosts, the services that are running, and the ports that are open. A key tool to be familiar with when it comes to active scanning is Nmap (https://tools.kali.org/ information-gathering/nmap), which is an open-source network scanner used to discover hosts on a computer network. Available in Kali Linux, Nmap is the de facto standard for port scanning. In the following sections I outline the main Nmap scans you should be familiar with, and then take a peek at hping3 (https:// tools.kali.org/information-gathering/hping3), a free packet generator and analyzer also available on Kali Linux. Ping sweep (-sP or -sn) The first step in active scanning is to do a ping sweep across the network with Nmap to identify what IP addresses have live systems up and running. A ping sweep is when a program sends ping messages to every IP address in the network range given so that you can find out which systems on the network are up and running. CHAPTER 3 Information Gathering 87 To perform a ping sweep with Nmap on Kali Linux, start a terminal session and then type the following command: nmap -sP 192.168.1.0/24 This command performs a scan (-s), but the type of scan is a ping sweep (P), which is why a capital P appears after the -s. Notice in Figure 3-13 that Nmap has discovered four systems up and running after scanning the entire 192.168.1.0 net- work. (Note that 192.168.1.3 is up and running in this example.) FIGURE 3-13: Using Nmap switch -sP to do a ping sweep. Note that the Nmap Help feature does not mention using the -sP switch for ping sweeps. Instead, Nmap help shows that the -sn switch can be used to perform a ping scan (or ping sweep). Use the following command to do a ping sweep of the network using -sn: nmap -sn 192.168.1.0/24 For the PenTest+ certification exam, remember that you perform a ping sweep without doing a port scan with the -sn switch on Nmap. Full connect scan (-sT) If you want Nmap to do a port scan of the system to help you identify the services running on the system, you can use a few types of scans. The first scan is called a TCP connect scan, which does a full TCP three-way handshake with each port to determine if the port is open. A TCP connect scan is considered very accurate because it conducts a full three-way handshake. The downfall of the TCP connect scan is that the traffic it generates to do the three-way handshake per port is eas- ily detected by a security team. 88 PART 1 Planning and Information Gathering To perform a TCP connect scan with the IP of 192.168.1.3, use the following command: nmap -sT 192.168.1.3 Note that the -s switch is used because we are doing a scan, but it is followed with a capital T to specify that it is a TCP connect scan. Figure 3-14 shows the results. FIGURE 3-14: Performing a full connect scan with the -sT switch. Note that seven ports are open on that system including the web server port (80) and the remote desktop port (3389). Keep in mind that you could have performed a TCP connect scan against the entire network with the command, nmap -sT 192.168.1.0/24. So know you can scan a single system or multiple systems. Port selection (-p) Another switch you need to be familiar with is the -p switch, which allows you to list the ports you wish to scan. For example, if you are performing an assessment and have an exploit that works against the RDP port, you may want to get a list of systems that have that port open. You could execute the following command to do a port scan across the network looking for port 3389 to be open: nmap -sT 192.168.1.0/24 -p 3389 You could specify multiple ports by using something like -p 3389,80,25 to scan for ports 3389, port 80, and port 25 and determine if the ports are open or closed. For the PenTest+ certification exam, remember that you can specify the target ports of the scan with the -p switch. CHAPTER 3 Information Gathering 89 SYN scan (-sS) If you want to generate less traffic when enumerating the ports, you can do what is called a SYN scan, or a half-open scan. With a SYN scan, a full three-way hand- shake is not performed. The Nmap program will send a SYN message to the port, and if the port replies with a SYN/ACK, the system does not send a final ACK as part of the process. So a full connection is not established. To perform a SYN scan you can use the following command: nmap -sS 192.168.1.3 You shouldn’t really see much difference between the SYN scan and TCP connect scan on the screen, but underneath the scenes the packets that are sent across the network are different — hopefully avoiding detection. Detection avoidance while performing scanning is important as you do not want to trigger the intrusion detection systems on the network. For the PenTest+ certification exam, remember the difference between a TCP con- nect scan and a SYN scan. You can perform a TCP connect scan with an -sT switch, while a SYN scan is performed with an -sS switch on the Nmap command. Service identification (-sV) Once you know what ports are open on a system, you would next want to find out the version of the software that is running that is causing that port to be opened. This is important information as you can take the knowledge of the version of the software and look up vulnerabilities with that software. To determine the version of the software running on each port, use the version scan with the syntax of nmap -sV 192.168.1.3, as shown in Figure 3-15. FIGURE 3-15: Identifying the version of software with the -sV switch. 90 PART 1 Planning and Information Gathering Notice in Figure 3-15 that not only can you see the ports that are open, but also you can see the version of the software running behind those ports. For example, notice that port 8 has IIS version 10 associated with it. Now we can research how to exploit IIS version 10. This is an important part of our information gathering! Keep in mind that you can combine most of the Nmap switches with one another. For example, if you want to do a version scan on specific ports you could add the -p switch followed by the port numbers. OS fingerprinting (-O) Once you have identified the version of the software for each service running on a system, you may want to know the operating system running on each system. This type of information is known as OS fingerprinting. To perform OS fingerprint- ing on a system, you can add -O to the command, such as nmap -sS -O 192.168.1.3 (see Figure 3-16). Note that you could do it to the entire network range as well with nmap -sS -O 192.168.1.0/24. Notice in Figure 3-16 that the SYN scan is performed, but at the bottom of the out- put it says “OS details: Microsoft Windows Server 2016 build 10586.” Bingo! We now know the operating system the target is using. We just need to research how to exploit that operating system. FIGURE 3-16: Performing OS fingerprinting with Nmap switch -O. CHAPTER 3 Information Gathering 91 UDP scan (-sU) If you wanted to scan the UDP ports on a system or group of systems, you can do a UDP scan using the -sU switch on Nmap. The following command performs a UDP scan on the system with the IP address of 192.168.1.3: nmap -sU 192.168.1.3 Disabling ping (-Pn) When you do a port scan of an entire network, you may notice that the port scan is finished pretty quickly given the number of systems that could exist. For exam- ple, when I run nmap -sS 192.168.1.0/24, it takes 8.87 seconds to complete. That is quick considering it had to go through 256 IP addresses. The reason the port scan happens so quickly is because Nmap does a ping sweep first to determine if the IP address is up and running. If it isn’t, then it doesn’t do a port scan on that IP. (That makes sense — why do a port scan on a system that is not running?) The problem with this is that it creates more network traffic (more noise on the network) that can increase the chances of getting detected. You can disable the ping operation contained in a port scan, but keep in mind that doing so will increase your time to do the scan because now it does a port scan on every IP no matter what. You can disable ping by entering: nmap -sS -Pn 192.168.1.0/24 For the PenTest+ certification exam, remember that you can tell Nmap to not per- form ping operations at the beginning of the scan with the -Pn switch. Target input file (-iL) One of the cool features of Nmap is that you can create a text file containing a list of hosts you wish to scan with each IP address or FQDN on its own line in the file. You can then feed that file as input to the Nmap program with: nmap -sS -iL computers.txt Nmap will then read the file and use each entry in the file as one of the targets to scan. This is useful when there are a large number of hosts to scan. 92 PART 1 Planning and Information Gathering Timing (-T) If you suspect that the target network has an intrusion detection system that will detect your Nmap scans, you can modify the timing of the scan, such as slow it down, by using one of the timing templates built-in. Each timing template has a number associated with it and is designed for a particular scenario: »» 0 (Paranoid): Used to try to avoid an IDS by increasing the time between scan packets delivered. The slowest of scans. »» 1 (Sneaky): Used to try to avoid an IDS, but increases the speed of the scan over the speed of Paranoid. »» 2 (Polite): Slows down the scan to use less bandwidth and resources on the target machine. »» 3 (Normal): The Nmap default. »» 4 (Aggressive): Increases the speed of the scan and assumes you have the bandwidth to do so. »» 5 (Insane): Dramatically increases the speed of the scan and assumes you want to exchange speed for the accuracy of the scan. If you want to slow down the scan as a method to avoid detection by the IDS, you could use the following command: nmap -sS -T0 192.168.1.3 For the PenTest+ certification exam, remember that you can change the timing of the scan by either slowing it down with a -T0 or by increasing the speed with a -T4. There are other timing templates, but those two are the most common. Miscellaneous options (-A) If you want to do OS detection, version detection, script scanning, and traceroute, you can use the -A option on Nmap. The following command uses the -A switch: nmap -A 192.168.1.3 Output parameters All of the examples so far have outputted the result to the screen. When perform- ing your pentest, you will want to output the information to a file so that you can include those results in your report. You can write the output to a file using -o in CHAPTER 3 Information Gathering 93 Nmap, but Nmap includes a number of output switches that support different output formats, including: »» -oN : Used to output the normal information you see with Nmap to a file. »» -oX : Used to output the information to an XML file. »» -oG : Used to output the information to a greppable file that can be searched with Linux commands such as grep or awk. »» -oA : This will output the information in all formats. You just need to give the name of the file without an extension and the command will create a normal file with a.nmap extension, an XML file with a.xml extension, and a grep file with a.gnmap extension. For example, if I wanted to perform a scan and output the information to an XML file, I could use something like: nmap -sS 192.168.1.0/24 -oX wileyportscan.xml Packet crafting One of the challenges with the scanning phase is that there could be firewalls blocking the packets used by the scan. For example, using a pinger tool to ping a system to find out if the system is up and running may not work if the tool is using Internet Control Message Protocol (ICMP), and the firewalls are blocking ICMP traffic. The cool thing is you can craft, or create, your own packets and choose the protocol you wish to use for those packets. This will help you bypass firewalls. For example, you can use hping3 in Kali Linux to craft your own packets that use TCP for the ping messages instead of ICMP. While crafting these packets, you can specify the source and destination ports of the packet to help it bypass the firewall. Here is an example of the hping3 com- mand you can use in Kali Linux: hping3 -c 3 -p 53 -S www.wiley.com This command will send three packets out (-c) to destination port 53 (-p) and set the SYN flag in the packet so it looks like the first phase of the three-way hand- shake (-S). The system being pinged with TCP here is www.wiley.com. You can also use Scapy, a packet manipulation tool, to craft your own packets. Scapy also allows you to create packets and send them on the network, as well as capture and decode packets. 94 PART 1 Planning and Information Gathering For the PenTest+ certification exam, remember you can craft your own packets with hping3 or scapy. Other scanning considerations The CompTIA PenTest+ exam calls out your attention to a few other consider- ations when performing scanning operations: »» Fingerprinting: The concept of identifying the operating system that is running on the system. Remember you can use the -O switch with Nmap to do this. »» Cryptography: Many of the information-gathering tools such as Shodan will download the certificate from a host and allow for certificate inspection, which can reveal the name of the server that issued the certificate and the certificate path. »» Decompilation: You can look to gain some insight into an organization by obtaining some of its compiled applications (.exe files) and then using a decompiler to convert that binary file into a readable format. You are looking for information such as remote systems the application connects to, database connection strings, or usernames and passwords used by the software. »» Debugging: You should be familiar with two points related to debugging for the PenTest+ certification exam. First, once you have decompiled the applica- tion, you could review the application in a debugger. A debugger allows you to slowly step through code to analyze what it is doing and allows you to monitor things like variable assignments and data types. Second, many of the pentest tools have a debugging option that displays detailed information about the current operation on the screen so you can collect detailed information that is not typically displayed. Enumeration As part of the scanning phase of information gathering, you also will perform what is known as enumeration, which is a process of connecting to and interrogat- ing a network or system to retrieve information about that network or system. We looked at enumeration earlier in this chapter when we looked at things like doing a port scan, which enabled us to retrieve a list of services running on the system. Nmap contains scripts that you can call upon for enumeration that are known as the Nmap Scripting Engine (NSE) scripts. You can call upon the NSE scripts with the --script parameter of Nmap. CHAPTER 3 Information Gathering 95 The PenTest+ certification exam objectives make reference to the following types of information you want to enumerate, or collect, about an organization: »» Hosts: Enumerating hosts on the network is used to discover the hosts that exist. You can use Nmap to enumerate hosts. You can use Zenmap in Kali Linux to perform an intense scan, which will identify the hosts and services on the network, and help create a network topology (see Figure 3-17). »» Networks: You identify the networks that exist by using tools during informa- tion gathering such as a Whois lookup to identify the public IP ranges. You can also use Zenmap to create a network topology to help identify the network layout. Zenmap is a version of Nmap that has a graphical interface. »» Domains: You can identify the domains in an organization by using a combination of Whois lookups and DNS profiling. Use tools such as Whois, Shodan, and recon-ng to collect domain information. »» Users: You can try to enumerate users, or list the users, with a number of different tools. For example, you can use an Nmap script on Kali Linux with the following command: nmap --script smb-enum-users.nse 192.168.1.3 »» Groups: You can enumerate the groups on a system with an Nmap script as well called smb-enum-groups.nse. For example, use the following command to enumerate the groups on IP 192.168.1.3: nmap --script smb-enum-groups.nse 192.168.1.3 »» Network shares: You can enumerate systems to get a list of SMB shares on the system. SMBMap (https://tools.kali.org/information-gather- ing/smbmap) is one of a number of tools available, or you can use an Nmap script known as smb-enum-shares.nse. After downloading the script, you can use it with the following command: nmap --script smb-enum-shares.nse 192.168.1.3 »» URLs/Web pages: After identifying systems that are running webservers, you can use tools such as w3af (http://w3af.org) or BurpSuite (https:// portswigger.net/burp) to enumerate uniform resource locators (URLs) and retrieve the web pages. You can also use the following Nmap script on Kali Linux to enumerate web pages: nmap --script http-enum.nse 192.168.1.3 »» Applications: Identifying the software running on a system is a very tricky task. You could run a script against a system to see a list of processes running, 96 PART 1 Planning and Information Gathering but you typically would need to provide credentials to connect to that system. You can use Ncrack (https://tools.kali.org/password-attacks/ ncrack) to perform a dictionary attack on the administrator account and then supply that as the credentials to a script. »» Services: You can get a list of services running on a system by performing an Nmap scan. You could do a regular Nmap scan to find ports that are open, or perform an enumeration of the system with the smb-enum-services.nse script file: nmap --script smb-enum-services.nse 192.168.1.3 »» Tokens: You can obtain the security token of a user as part of your exploita- tion tasks. »» Social networking sites: You can enumerate social media posts by a user with a given IP address by using tools such as recon-ng. FIGURE 3-17: Using Zenmap to identify hosts on the network. One additional Nmap option that appears in current PenTest+ certification exam objectives is the ability to call upon the vulnerability script with Nmap and scan for vulnerabilities on a system. For example, the following command will check the 10.0.0.1 system for vulnerabilities: nmap --script vuln 10.0.0.1 CHAPTER 3 Information Gathering 97 Analyze the results of a reconnaissance exercise For the CompTIA PenTest+ certification exam, you are expected to know how to use the many tools discussed in this chapter and be able to understand the results displayed by each of the tools. Some examples of reconnaissance information you should know how to read: »» Fingerprinting: Know the software to use and how to perform operating system (OS) fingerprinting of a system, network, and network device. Nmap and telnet can be used for this. »» Analyze output: Know how to read the output of DNS lookups, crawling websites, network traffic, Address Resolution Protocol (ARP) traffic, the different Nmap scans, and how to look at web logs. For example, the following shows entries in a web server log with the header line identifying the different fields such as server IP address (s-ip), the HTTP method used (get or post), the web page requested (cs-uri-stem), the server port (s-port), client IP address (c-ip), and the program used (cs user-agent): date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) 2021-08-27 16:41:44 10.0.0.1 GET /logon.aspx 80 10.0.0.10 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0; +rv:11.0) In this code sample, a client with the IP address of 10.0.0.10 is requesting the web page of logon.aspx from the server of 10.0.0.1. Be sure to practice the tools discussed in this chapter and do the lab exercises that appear at the end. As you use the tools and do the exercises, be sure to read the results carefully and ensure you could identify the command used based off the results displayed. Detection Methods and Tokens During the information gathering phase you may want to discover whether load balancers are used in the environment and whether firewalls are being used to protect assets. In this section, you learn how to detect these platforms and take a look at security tokens. 98 PART 1 Planning and Information Gathering Defense detection Detection of the solutions used to protect assets is an important part of informa- tion gathering. The following are some tools you can use to detect the solutions that are protecting the targets of your pentest: »» Load balancer detection: You can check to see if a target is using a load balancing solution with the lbd (load balancing detector) command in Kali Linux. For example, you could use lbd wiley.com to check to see if the Wiley domain is using a DNS load balancing or an HTTP load balancing solution. If DNS load balancing is used, you will see the IP addresses of the web servers, but if HTTP load balancing is used, you will see the name of the platform, for example, GWS (Google Web Server) or Kestrel. »» Web application firewall (WAF) detection: To determine if the target is behind a web application firewall (WAF), you can use the wafw00f command in Kali Linux. For example, if you type wafw00f www.wiley.com -a -v in Kali Linux, you will see that Wiley is sitting behind a Cloudflare web application firewall. »» Antivirus: When performing a penetration test you may need to encode some of your attack tools to try to trick the antivirus software into not seeing the code as being harmful. »» Firewall: To detect what ports a firewall is forwarding on to a target, you can use the firewalk command that comes with Kali Linux. For example, the command, firewalk -S1-1024 -i eth0 -n -pTCP 10.0.1.1 10.0.2.50 can be used to send TCP packets to the port range of 1 to 1024 to the firewall of 10.0.1.1 in order to reach the target behind the firewall of 10.0.2.50. Security tokens Security tokens are used to gain access to resources on the network. After authen- ticating to a system, a security token is created and presented to a system or application in order to gain access to that system. The following are some key terms to remember about tokens for the PenTest+ cer- tification exam: »» Scoping: When security tokens are used in an application environment, they can be scoped to authorize a user to perform certain actions within the application. CHAPTER 3 Information Gathering 99 »» Issuing: Token issuing refers to the process an application or environment uses to create new tokens. It is important to verify that the process of issuing tokens is secure. »» Revocation: Token revocation refers to the process used to ensure that a token is no longer valid and used to ensure that a user no longer has access to the system. Lab Exercises In these exercises, you experiment with some of the information-gathering tools discussed in this chapter. Remember that all exercises should be performed in a test lab environment. Exercise 3-1: Conduct a Whois Search In this exercise, you use www.arin.net/whois to discover information about your organization. 1. Go to www.arin.net/whois. 2. Search for Microsoft in the Whois database by entering Microsoft in the ARIN Whois/RDAP Search bar. 3. Scroll through the Entity Search Results. 4. Choose the link for the Handle “MICRO-218.” This will display more information about this registration including the range of IP addresses. 5. Scroll through the results. Notice that toward the bottom of the results list there is an entry with a net range of 63.243.229.0–63.243.229.127. If you were performing a pentest for this organization, you would document those public IPs. 6. Take the time to perform the same type of Whois search for your organization to determine the public IP blocks your company may have. If you cannot find any results try some of the other Whois database search sites mentioned in the chapter. 100 PART 1 Planning and Information Gathering Exercise 3-2: Use theHarvester to collect email addresses In this exercise, you use theHarvester to collect email addresses and hosts IP addresses for your organization. 1. Start a terminal session in your Kali Linux system. 2. Use the following command to use theHarvester to collect email address and IP addresses of public systems for wiley.com: theharvester -d wiley.com -b all You should see a number of email addresses and IP addresses. As a pentester you would document these if you were hired to do a pentest for that organization. 3. Now use theHarvester to collect email addresses and IP addresses for your organization. Exercise 3-3: Use Shodan to discover sys- tems on the Internet In this exercise, you use shodian.io to discover systems and information about systems on the Internet for your organization. 1. Navigate to www.shodan.io. If you haven’t already registered on the site, you will need to. 2. Once logged into Shodan, use the Search box to search for your company. 3. Scroll through the results. 4. Choose the Maps tab to see the physical locations of those systems. You can double-click to zoom in. 5. Choose one of the red dots representing one of the systems. It shows the IP address and ports open on that system. 6. Click the View Details button to view more information about that system including some of the underlining technologies used by the system (such as JQuery). 7. Go back to your main results. CHAPTER 3 Information Gathering 101 Exercise 3-4: Use recon-ng for OSINT infor- mation gathering In this exercise, you use recon-ng on Kali Linux to perform OSINT information gathering. 1. On your Kali Linux system, open a terminal and use the recon-ng section in this chapter as a guide to the commands you can use. 2. In recon-ng, configure the domains and the company names for the company for which you wish to collect information. 3. Retrieve the Whois point-of-contact information. 4. Retrieve a list of related domains and hosts from Bing and Google. 5. Generate an HTML report to view the data that was collected. Exercise 3-5: Use dig for DNS profiling In this exercise, you use dig to perform DNS profiling of your organization. 1. In Kali Linux, open a terminal. 2. To determine the IP address of a system, run the following command: dig www.domain_name.com +short 3. To determine the DNS servers for the company, run the following command: dig domain_name.com NS +short 4. To determine the email servers for the company, run the following command: dig domain_name.com MX +short Exercise 3-6: Use Nmap to port scan In this exercise, you use Nmap to perform a port scan of your network. Be sure to run these commands in a lab environment, as running them on a production net- work may trigger the intrusion detection systems. 102 PART 1 Planning and Information Gathering 1. On your Kali Linux system, start a new terminal. 2. Using the commands discussed in this chapter, perform a SYN scan of your network 3. Identify the version of software running on the ports by doing a version scan. 4. Perform a SYN scan of a specific system, but this time identify the OS that is running on the system. Reviewing Key Concepts This chapter highlights a number of concepts related to active and passive infor- mation gathering. Following is a quick review of some of the key points to remem- ber from this chapter: »» Remember that active information gathering involves engaging with the target network and systems, while passive information gathering involves using Internet resources to collect information. »» When doing manual browsing of the Internet for your information gathering, remember to target your searches with Google hacking keywords such as site, inurl, intext, and filetype. »» A Whois database search can give you some information related to names, email address, addresses, phone numbers, and the network IP ranges used by the company. »» Tools such as theHarvester can help collect contact names and email addresses, while recon-ng can help you collect a wealth of information such as names, email addresses, and hosts’ IP addresses. You can also generate a nice report of all the data with recon-ng. »» Shodan and Censys are search engines you can use to locate hosts and identify the services running and ports open on those hosts. Using Shodan, you may also be able to see vulnerabilities associated with those hosts. »» Nslookup and dig can perform DNS profiling during which you retrieve information from publicly available DNS servers. »» You can use Nmap to perform a number of scanning and enumeration tasks such as a ping sweep, port scan, and enumeration of users, groups, and services. CHAPTER 3 Information Gathering 103 Prep Test 1. You are performing a penetration test of Company XYZ whose network ID is 10.1.0.0/24. You are in the information gathering phase and would like to do a port scan identifying any open ports on the systems and the version of the software running on those ports. What command would you use? (A) nmap -sT 10.1.0.0/24 (B) nmap -sV 10.1.0.0/24 (C) nmap -sS 10.1.0.0/24 (D) nmap -sP 10.1.0.0/24 2. During your information gathering, you are looking at discovering hosts on the network using a passive approach. What tool will monitor for ARP traffic on the network and list the active hosts on the network as a result? (A) recon-ng (B) theHarvester (C) Maltego (D) netdiscover 3. You are starting your host discovery stage of the information gathering process and would like to identify the systems that are running on the network. What command would you use? (A) nmap -sT 10.1.0.0/24 (B) nmap -sV 10.1.0.0/24 (C) nmap -sS 10.1.0.0/24 (D) nmap -sP 10.1.0.0/24 4. You would like to attempt to enumerate the shares on a Windows server that has the IP address of 10.1.0.10. What command would you use? (A) nmap --script smb-enum-shares.nse 10.1.0.10 (B) nmap -sS 10.1.0.10 (C) hping3 -c 3 -p 53 -S 10.1.0.10 (D) theharvester -d 10.1.0.10 -b all -l 100 104 PART 1 Planning and Information Gathering 5. You are performing a SYN port scan on a customer’s network that falls into the scope of the pentest. You would like to disable pings before enumerating the ports on each of the systems. What command would you use? (A) nmap -sS 10.1.0.0/24 -p 80 (B) nmap -sS 10.1.0.0/24 -T0 (C) nmap -sS 10.1.0.0/24 -Pn (D) nmap -sS 10.1.0.0/24 -oX customerabc_scanresults.xml 6. You are performing a port scan on the network and wish to go with the most accurate scan possible. What scan type would you use? (A) nmap -sT 10.1.0.0/24 (B) nmap -sA 10.1.0.0/24 (C) nmap -sS 10.1.0.0/24 (D) nmap -sP 10.1.0.0/24 7. You are performing a penetration test for one of your customers and you are familiar with an exploit against Remote Desktop Services. What command would you use to identify any systems that have Remote Desktop Services running? (A) nmap -sS 10.1.0.0/24 -p 1433 (B) nmap -sS 10.1.0.0/24 -p 3389 (C) nmap -sS 10.1.0.0/24 -Pn (D) nmap -sS 10.1.0.0/24 -oX customerabc_scanresults.xml 8. You are using Nmap to discover systems and services on the network and would like to identify the OS that is being used by the system with the IP address of 10.1.0.10. What command would you use? (A) nmap -sS 10.1.0.10 -p 25,80,3389,1433 -Pn (B) nmap -sS 10.1.0.10 -p 25,80,3389,1433 -T0 (C) nmap -sS 10.1.0.10 -p 25,80,3389,1433 -oX results.xml (D) nmap -sS 10.1.0.10 -p 25,80,3389,1433 -O CHAPTER 3 Information Gathering 105 9. You are trying to ping a number of IP addresses that are in the scope of the pentest. You are not getting any replies from the IP addresses, so you suspect the firewall is blocking ICMP traffic. What command would you use to perform a ping request in hopes to bypass the firewall? (A) theharvester -d 10.1.0.10 -b all -l 100 (B) hping3 -c 3 -p 53 -S 10.1.0.10 (C) nmap -sS 10.1.0.10 -p 25,80,3389,1433 -Pn (D) netdiscover 10. You are performing a black box pentest and would like to discover the public IP ranges used by an organization. What tool would you use? (A) theHarvester (B) nmap (C) Whois (D) hping3 11. You have been hired to perform a pentest for a customer and would like to perform some OSINT information gathering on the company. What tools would you use? (Choose two.) (A) Nmap (B) Shodan (C) Wireshark (D) Maltego (E) BeEF 106 PART 1 Planning and Information Gathering Answers 1. B. To perform a port scan and identify the version of the software running on those systems, you can use an -sV switch on the Nmap tool. See “Active scanning.” 2. D. You can use netdiscover, which is a tool that comes with Kali Linux that identi- fies systems on the network by sniffing ARP packets. Review “Passive scanning.” 3. D. You can identify systems that are up and running on a network by performing a ping sweep with Nmap. To do this you use the -sP switch on the Nmap command. Check out “Active scanning.” 4. A. The Nmap program has a number of scripts that are available that can be used to enumerate the network. You can execute an Nmap script by using the --script parameter. Peruse “Enumeration.” 5. C. When performing a port scan with Nmap, you can disable pings that are done before the port scan to determine if there is a system at the IP address. To do this, you use the -Pn switch on the Nmap program. Take a look at “Active scanning.” 6. A. A full TCP connect scan has Nmap perform a full three-way handshake with each ports being scanned to determine if the port is open. Peek at “Active scanning.” 7. B. You can use -p with Nmap and specify the ports to scan. This is useful when trying to find systems with a specific port open such as locating all the systems that have remote desktop. Look over “Active scanning.” 8. D. To identify the operating system running on a system with Nmap, you can add the -O switch. Study “Active scanning.” 9. B. The hping3 program is used to craft your own ping type packets and specify characteristics of the packet such as the protocol (it uses TCP by default), source port, and destination port. Peek at “Packet crafting.” 10. C. You can perform a Whois search on an organization to identify contact information and IP ranges being used by that company. Peek at “Passive information- gathering tools.” 11. B, D. Both Shodan and Maltego are considered OSINT information-gathering tools. Peek at “Passive information-gathering tools.” CHAPTER 3 Information Gathering 107 EXAM OBJECTIVES »» Understanding vulnerabilities in your targets »» Performing vulnerability scans and analyzing results »» Mapping vulnerabilities to exploits »» Learning the types of weaknesses in specialized systems Chapter 4 Vulnerability Identification A fter performing active and passive reconnaissance, the next step in phase two of the CompTIA PenTest+ penetration testing process is vulnerability identification. In this step, you scan targets for vulnerabilities. Once you understand the vulnerabilities that exist within your targets, you can then focus on using the vulnerabilities to exploit the systems — phase three of the penetra- tion testing process. But let’s not get ahead of ourselves. In this chapter, we look at the vulnerability discovery process to take when performing a penetration test. Vulnerability scanning itself is considered a passive assessment because you are not actually trying to exploit the system when doing the vulnerability scan. With the vulnerability scan, you are simply looking to identify the weaknesses within the system. Understanding Vulnerabilities A vulnerability is a weakness within the system that can be discovered and exploited in order to compromise the security of the system and potentially gain full access to the system. CHAPTER 4 Vulnerability Identification 109

Use Quizgecko on...
Browser
Browser