Intro To Penetration Testing - Lab Guide 0ne

Intelligence Gathering

n00bpentesting.com
Twitter @shai_saint


Contents

• Prerequisites
• Hardware
• Software
• Topics Covered
• A Note
• Before You Begin
• Lab 0ne – Target Selection and OSINT
• Scenario
• Lab Tw0 - Footprinting
• What’s Next?


Prerequisites

Thank you for downloading the n00bpentesting.com Lab Guide 0ne. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.

Hardware

• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard drive with at least 50GB

Software

• VirtualBox Virtualization Software: http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine: http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine: supply your own copy or use a NIST image, NIST - http://nvd.nist.gov/fdcc/download_fdcc.cfm
• Metasploitable Virtual Machine: http://updates.metaspoit.com/data/Metasploitable.zip.torrent


Topics Covered

• Target Selection
• Open Source Intelligence (OSINT)
• Footprinting

A Note

All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester, or anyone who wants to move into this field, should read and regularly reference the standard. It can be found here: http://www.pentest-standard.org/

Before You Begin

It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success.

To Update BackTrack
At the command prompt type: apt-get update && apt-get upgrade && apt-get dist-upgrade, press ENTER

To Update SET
At the command prompt type: cd /pentest/exploits/set && svn update, press ENTER

To Update Metasploit
At the command prompt type: cd /pentest/exploits/framework && svn update, press ENTER


Lab 0ne – Target Selection and OSINT

In this lab you will learn both active and passive intelligence gathering techniques.

Scenario

You have already scoped the penetration test, agreed to rules of engagement and are now embarking on the penetration test. During the first phases of this lab we will use a real company of your choosing to perform passive intelligence gathering, also known as “Open Source Intelligence” or OSINT.

The client is _____________________________________________

1. Visit the “target” client website. Attempt to determine the following:

a) What do they do?
______________________________________________________________________________

b) Where they are located
______________________________________________________________________________

c) Leadership
______________________________________________________________________________

d) Emails
______________________________________________________________________________


e) Phone Numbers
______________________________________________________________________________

2. Visit Monster.com and search for job postings listed by the “target” client. What did you learn?
______________________________________________________________________________

3. Visit Yahoo! Finance and search for the “target” client. What was the last reported revenue? Any recent stock transactions? What market are they listed on?
______________________________________________________________________________

4. Google search for the client name you have chosen. What else did you find?
______________________________________________________________________________


Let’s look at a tool that we can use to capture some of this same information in an automated manner.

1) Start the BackTrack virtual machine
2) Login and startx
3) At the prompt type: cd /pentest
4) Then press ENTER


5) At the prompt type: ls, press ENTER

This is like using the dir command in Windows to see the contents of a directory.


6) At the prompt type: cd enumeration/theharvester, press ENTER


7) At the command prompt type: ls, press ENTER

This will give you the contents of the directory.

To run any script or program from the local directory in Linux, prepend the filename with “./”.


8) At the prompt type: ./theharvester, press ENTER

The following help screen will appear, giving you the options for the Python script. This is true for most scripts in BackTrack: if a script is run by itself, its help information will be presented.


This tool is used to get information for a given domain, like google.com, from multiple sources in a single command. We can see that the available data sources are google, bing, bingapi, pgp, linkedin, google-profiles, exalead, and all.

Note: “target domain” in the command will be the company you have selected as your target.

9) At the prompt type: ./theharvester -d “target domain” -b all, press ENTER

Review the results from all the sources you selected for the “target domain”. Did the harvester script get any more information than what you gathered from the manual procedures?
______________________________________________________________________________
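When reviewing harvester results, the first check is whether every email and host actually belongs to the domain you agreed to in the rules of engagement: search engines happily return look-alike domains. The script below is an added example, not code from the lab guide or from theHarvester; the target domain and the output text are constructed for illustration, loosely in the shape of the tool's plain-text output.

```python
TARGET_DOMAIN = "example.com"   # placeholder: put the client domain from your scope here

# Constructed sample, loosely in the shape of theHarvester's text output.
SAMPLE_OUTPUT = """\
[+] Emails found:
jdoe@example.com
it-help@mail.example.com
jdoe@notexample.com
[+] Hosts found:
www.example.com:93.184.216.34
vpn.example.com
example.com.evil.test
"""

def in_scope(name: str, domain: str) -> bool:
    """True for the domain itself or a real subdomain; a plain substring match is not enough."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def parse_harvester(text: str):
    """Collect the email and host sections into two sets (host lines may carry a resolved IP)."""
    emails, hosts, section = set(), set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "Emails found" in line:
            section = "emails"
        elif "Hosts found" in line:
            section = "hosts"
        elif section == "emails" and "@" in line:
            emails.add(line)
        elif section == "hosts":
            hosts.add(line.split(":", 1)[0])   # drop the resolved IP, keep the hostname
    return emails, hosts

def scope_report(text: str, domain: str) -> dict:
    """Split harvested emails and hosts into in-scope and out-of-scope lists."""
    emails, hosts = parse_harvester(text)

    def mail_ok(addr: str) -> bool:
        return in_scope(addr.rsplit("@", 1)[1], domain)

    return {
        "emails_in_scope": sorted(e for e in emails if mail_ok(e)),
        "emails_out_of_scope": sorted(e for e in emails if not mail_ok(e)),
        "hosts_in_scope": sorted(h for h in hosts if in_scope(h, domain)),
        "hosts_out_of_scope": sorted(h for h in hosts if not in_scope(h, domain)),
    }

if __name__ == "__main__":
    for key, names in scope_report(SAMPLE_OUTPUT, TARGET_DOMAIN).items():
        print(key, names)
```

Anything that lands in the out-of-scope lists is dropped from the engagement, not probed further.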


Lab Tw0 - Footprinting

Now that you have gathered open source intelligence, the next step is to footprint the target. Footprinting is the method of finding active IP addresses, open service ports, etc. of the target. There are both passive and active footprinting techniques, but generally these are active, which means there is interaction with the target’s network and systems. In order to move through this and the remaining labs through exploitation, you must use the Metasploitable VM or one of the many vulnerable virtual systems available for download.

Caution: You must not perform any of the following procedures on any system for which you do not have the explicit written permission of the target. It is highly recommended you only use the vulnerable virtual machine listed in the prerequisites section. You have been warned.

Please see the “Setting Up a n00bpentesting.com Lab” guide on n00bpentesting.com for proper lab configuration using VirtualBox.


1) Start the BackTrack VM and the Metasploitable VM.

In order to know what services are running on our vulnerable VM, we must perform a port scan.

2) In BackTrack, at the prompt type: nmap -sS “ip_address”, press ENTER

We now know what service ports are open on the target system, but what versions of the software, and what operating system, is it running? Let’s run another Nmap scan that will give us this information.


3) At the command prompt type: nmap -sV -O “ip_address”, press ENTER

The Nmap output shows what version of software is running on each open port and provides the operating system that our target system is running.
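The port table from that scan is what you carry into vulnerability analysis, so it helps to turn it into records rather than reading it off the screen. The parser below is an added example, not code from the lab guide or from Nmap; the scan text is constructed to look like Nmap's normal output for a Metasploitable-style host, and it also flags open ports where -sV found no version string, which are the candidates for the banner grab later in this lab.

```python
import re

# Constructed sample in the shape of "nmap -sV -O" normal output (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.101
Host is up (0.00042s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
6000/tcp open  X11
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.33
"""

# One port-table row: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text: str) -> dict:
    """Return {'host': str, 'os': str|None, 'ports': [{port, proto, state, service, version}]}."""
    result = {"host": None, "os": None, "ports": []}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            result["host"] = line.split("for ", 1)[1].strip()
        elif line.startswith("OS details: "):
            result["os"] = line[len("OS details: "):].strip()
        else:
            m = PORT_RE.match(line)
            if m:
                port, proto, state, service, version = m.groups()
                result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                        "service": service, "version": version or None})
    return result

def open_services(text: str):
    """(port, service, version) for every open port: the list to hand to vulnerability analysis."""
    return [(p["port"], p["service"], p["version"])
            for p in parse_nmap(text)["ports"] if p["state"] == "open"]

def unversioned_ports(text: str):
    """Open ports where -sV got no version string: candidates for a manual banner grab."""
    return [p["port"] for p in parse_nmap(text)["ports"]
            if p["state"] == "open" and not p["version"]]
```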


Another method that can be used to determine what software is running on an open service port is to “banner grab”. This is simply connecting to the target system on an open service port and capturing what the application on that port provides. Let’s look at port 80. We’ll use NetCat.

4) At the command prompt type: nc “target_ip” 80
5) At the command prompt type: HEAD / HTTP/1.1, then press ENTER twice

If the server answers with a 400 Bad Request because HTTP/1.1 requires a Host header, type HEAD / HTTP/1.0 instead; the Server header comes back either way.

Now that this information is collected, it can be used to search for vulnerabilities that have exploits available. We now know that the target is running Linux 2.6.x and multiple other services.
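What comes back from the HEAD request is a status line plus headers, and the version information lives in a couple of those headers. The parser below is an added example, not code from the lab guide; the reply bytes are constructed to look like what an Apache 2.2 box answers, and the same parser shows an administrator exactly what their own server leaks in its Server and X-Powered-By headers.

```python
# Constructed reply, in the shape of what netcat prints after "HEAD / HTTP/1.1".
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Jan 2012 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

def parse_head_reply(raw: bytes) -> dict:
    """Split a raw HTTP reply into its status code and a case-insensitive header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")          # headers end at the first blank line
    lines = head.decode("latin-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(rest.split(" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                       # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}

def software_banner(raw: bytes) -> dict:
    """Pick out the headers that identify software and version, which is what a banner grab is after."""
    headers = parse_head_reply(raw)["headers"]
    return {k: headers[k] for k in ("server", "x-powered-by", "x-aspnet-version") if k in headers}

if __name__ == "__main__":
    print(parse_head_reply(SAMPLE_REPLY)["status"], software_banner(SAMPLE_REPLY))
```

A 400 reply to a Host-less HTTP/1.1 request parses the same way, since the status code is read but not required to be 200.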


What’s Next?

The next step is Vulnerability Analysis. Please see “Intro To Penetration Testing – Lab Guide Tw0”.