The six steps/stages of a PenTest…

1. Pre-Engagement: Planning & Scope
2. Recon: Information Gathering
3. Scanning
4. Exploitation
5. Post-Exploitation
6. Post-Engagement: Report

Outline of the Recon Stage:

1. OSInt
2. Passive Recon
3. Active Recon
4. Social Engineering
5. GOALS
   1. Footprinting
   2. Enumeration (build lists!)
      • Potential vectors of attack
      • IP address to scan

This process is essential for an attack to be successful, as wasting time with exploits that either do not work or can crash the system can be a waste of energy.

• It is important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.

First: Make sure you check out the tools in Kali: menu… 01 - Information Gathering…

• Unordered List ItemThere are a whole bunch of tools to use.

Then, practice: Find a “client” on BugCrowd.com

• Got to the site, select Programs… Search for what you want (or browse)
• We used Tesla for the Udemy course

whois provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.

Problem: A major problem with whois lookups today is that the amount of visible data has been greatly reduced in an effort to provide better privacy and protection.

Work-Around: There are services that provide historical whois lookups (kind of like a WayBack Machine for DNS/WhoIs stuff). Examples:

• DomainHistory.net (but it appears dead)
• WhoIsMind.com (but it appears out of service)
• What the heck…?

nslookup is similar to whois but a bit more flexible and focused.

# Basic: 
whois google.com
nslookup google.com

# Reverse:
whois 172.250.191.174
nslookup 172.250.191.174

FOCA: Fingerprinting Organizations with Collected Archives

• GitHub ReadMe. This is a Windows-only program.
• You first need to install the Express version of MicroSoft's SQL server.Go here, scroll down to “Or, download a free specialized edition” and click on the Express version Download Now button.
• Download and unzip the current release of FOCA.It is self-contained so you'll run FOCA.exe from the folder you get when you unzip the download.
• Run FOCA.exe
• When FOCA opens up, click on “Project Name” and set the Project Name, Domain website, and Folder where to save documents. Click “Create.”
• In the next window click on settings
  • Deselect all but FOCA in the Module filter
  • Check (select) all options in the Search engines and Extensions option lists.
• Click on “Search All” and let it do its thing.
• Once it's finished, you need to “Download All” the discovered files (highlight, right click).
• Then, highlight all the files, right click, and choose “Extract All Metadata.”
• This will dump all the metadata into Metadata Summary and Document Analysis
• Have fun!

Routing information is network information, and you can find it in public BGP¹⁾ route information servers called BGP Looking Glasses.

• You can find a list of them here: bgp4

Physical: go on site…

• Satellite images
• Drone recon
• Build a layout (badge readers, break areas, security guards, fences?)

Social: talk to someone, phishing, vishing, etc.

• Employees (name, job title, phone number, manager, etc.)
• Pictures (badge photos, desk photos, computer photos, etc. because you can make your own fake badge, etc.
• LinkedIn, Twitter, Facebook, etc. (people post pic from work, etc.)

Specific Passive Recon Activities:

1. Target Validation:
   1. whois, nslookup, dnsrecon
2. Finding Subdomains:
   1. Google Fu, dig, Nmap, Sublist3r, Bluto, crt.sh, etc.
3. Fingerprinting: What's running on a host? What's open and running?
   1. Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
4. Data Breaches: Most common way to get into someone's junque quickly
   1. HaveIBeenPwned, Breach-Parse, WeLeakInfo

Email Address Gathering, Hunter.io

• You get something like 20 searches a month. But this will provide a list of addresses scraped from your target.
• It will give you the common pattern of email address (and therefore possibly logins)
• You can export to CSV

Gathering Breached Credentials with Breach-Parse

• This is TCM's own tool he wrote to parse breached passwords.
• Find it here: https://github.com/hmaverickadams
• Click on “breach-parse”
• You have to download a 45GB dump of text files containing email/pwd combos.

The Harvester

• Built into Kali Linux. Not that great… but you should know a little about it.
• Type theharvester on the command line and it will give you instructions and syntax examples.

Any kind of web hack or bug bounty gig will require you to find out what subdomains are out there related to your upper level domain.

• Example: out on bugcrowd Tesla.com shows .tesla.com for subdomains.
• You need to hunt down all the subdomains.

Tool: Sublist3r

• Install in Kali with: apt install sublist3r

Tool: crt.sh (website) | search on %.tesla.com

• This will search for certificates related to tesla.com

Tool: OWASP Amass Project (a go-to tool for bug bounty hunters)

• Install in Kali with: apt install amass

Then with a list of subdomains, you can use something like tomnomnom/httprobe to dump in a list of domains and see if they are active.

Tool: BuiltWith

Tool: Wappalyzer plugin for your browser (simpler interface and results than BuiltWith). This is a little more “active” since it hits against the web site a bit.

Tool: WhatWeb * Already built into Kali. Just run it from the command line. * Syntax: whatweb [url]

The more tools you use, the more information you will obtain. Each tool will give you something the others did not.

This tool is part of Kali, so start it up via the menu.

• After you set it up (per following), you might want to install the Firefox extension called Foxy Proxy.

Set up Firefox:

• Go into Preferences > Network Settings (all the way down at the bottom > Manual Proxy Configuration…
• Set your Manual proxy configuration HTTP Proxy to 127.0.0.1 on port 8080 and check the box for “Use this proxy for all protocols.” Click on OK
• After that, open a new tab in Firefox and go to https://burp
• Click through the stuff to accept whatever… until you get to a burp welcome screen. On that screen click the certificate button in the top left and save the certificate.
• Go back into the tab with the preferences. Go into Privacy & Security. Scroll all the way to the bottom… Click on View Certificates…
• Click on the Import button. Downloads should open up (if not, navigate there). Select your cert “cacert.der” and click the Open button. Check both boxes on the pop-up and click on OK.
• Click on OK to get back to your preferences. That should be it to get the burp cert recognized.

When you now use Firefox to load a website (like tesla.com) BurpSuite will intercept the calls and information.

• Go into BurpSuite and choose the Proxy tab (it should be orange).
• Note the button “Intercept is on” which tells you Burp is intercepting requests, etc.
• You can click the Forward button to move through the requests, etc. and see what info is changing hands.
• You can also change anything you want in the information displayed.

Got into the Target tab and you can see all the places information was pulled from.

Other tools for OSINT: LinkedIn, Twitter, Facebook

• e.g., Go to the company web site… Photos. Look for things like badge photos, desk pictures, etc. Twitter is a gold mine for these kinds of things.
• You can pull names of employees of the company off of LinkedIn and take that back to the email address format you found before. People are lazy with their passwords… Fall2019! or Winter2020!

TCM really likes Google.

• Search Google for Google Search Syntax. That will give you syntax for advanced searching.
• Search only the Tesla site: `site:tesla.com`
• You can search for file types, remove strings, etc. `site:tesla.com filetype:csv`
• You're looking for potentionally sensitive files or information left out on their website.
• A little Google Fu will result in a lot of interesting stuff.

The Google Guide

• For Google tips, tricks, & how Google works…

Four of the most useful Google queries:

1. inurl:[string]: Restricts results to documents containing your string in the URL.
   • Example: inurl:101labs
2. intitle:[string]: Restricts results to documents containing your string in the web page's title.
   • Example: intitle:apple
3. site[site | domain]: Restrics results to the site or domain specified.
   • Example: site:.gov
   • Example: site:theology101.net
4. filetype:[filetype suffix]: Restrics results to documents with the suffix specified.
   • Example: filetype:pdf

Much of active recon involves scanning. So… for right now, see “ Scanning.”

URL enumeration makes a list of URLs in a domain, often showing hidden files and directories.

• This is especially important in web application pentesting.
• NOTE: This is an aggressive process.
• Tool: FFUF (Fuzz Faster U Fool)

DNS enumeration is like an aggressive DNS lookup (think whois on steroids).

• This is active recon and it will take a long time.
• It barfs out a butt-ton of information.
• Tool: dnsenum

Example syntax: dnsenum –enum google.com

Simple Mail Transfer Protocol (SMTP): A vintage email sending protocol.

• No much built in security.
• Runs on port 25.

You can gather info on SMTP by telnetting to the service port (25) and grabbing the banner information and then using VRFY and/or EXPN to gather more info. Example sytax:

telnet example.server.com 25

# once connected, type:
VRFY [username]
# or
EXPN [user_alias]

Exploits: SMTP exploits are usually associated with a vulnerable version.

• Connect (by telnet). Grab banner info (VRFY, EXPN).
• This should give you a clue as to the SMTP version on your target.

You can use SNMP to gather information on a system if you have access to the system and you know the “read” community string (which is often: public).

Tools:

1. snmpenum
2. snmpwalk

# Example syntax for snmpwalk, assuming 'public' as the community string
snmpwalk -c public -v1 192.168.1.1

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.

Watering Hole (simple example): Lure people into a fake Facebook page, harvest their login creds.

• The following will capture all POSTs on a website.
• It's best if the cloned page has a username and password form.
• But, regardless… you'll get all POSTs from the cloned page.

Steps:

1. Start SET
2. Select 1 from the menu: Social-Engineering Attacks
3. Select 2 from the menu: Website Attack Vectors
4. Select 3 from the menu: Credential Harvester Attack Method
5. Select 2 from the menu: Site Cloner (POST back IP address is the address to which your harvested creds will be sent; it defaults to your current IP; leave it alone unless you have another IP to use.)
6. Enter the URL you want to clone: https://www.facebook.com/

The target machine needs to enter your attack box IP into their browser… the cloned URL will load… target enters creds… and they register in SET.