Collect Information About the Target
Learning Objectives
After completing this unit, you’ll be able to:
- List the different tools to perform reconnaissance.
- List tools penetration testers use for scanning and enumeration.
- Describe how penetration testers identify threats and vulnerabilities.
Phase 3: Gather Information About the Target
With your plan in hand, you start scanning the web application targeted for testing using a web app scanner like OWASP ZAP or Burp Suite. Your goal is to discover vulnerabilities within scope by mapping out the application in search of outdated software, misconfigurations, unprotected endpoints, and so on.
There are several key strategies that you can use to collect information about the target web application: reconnaissance; scanning and enumeration; and vulnerability analysis. Each of these strategies plays a crucial role in building a comprehensive understanding of the target system. Let’s take a closer look.
Reconnaissance
In application penetration testing, active reconnaissance involves gathering data about the application. This could include understanding the application's functionality, identifying the technologies it's built on (such as the web framework, server software, and database systems), and gathering information about endpoints and exposed data.
Passive reconnaissance might involve reviewing publicly available information about the application, such as documentation, user guides, or forums.
Let’s take a closer look at some of the common tools you can use to perform reconnaissance.
| Tool | Testing Type | Description |
|---|---|---|
| Domain Name Searches (Whois) | Often used in web application and network penetration testing. | Identifies domain ownership and contact details, including server names and IP address ranges. |
| Internet Search Engines | Useful for web application and network reconnaissance. | Reveals documents mentioning networking equipment, server names, and potentially outdated web pages with sensitive data. |
| Job Advertisements/Posting Sites | Useful for web application and network reconnaissance. | Discloses software or equipment details that may have known vulnerabilities. |
| Social Engineering | Primarily used in social engineering tests. | Involves deception to extract confidential information, such as posing as a client and asking for sensitive information. |
| Shodan | Ideal for network and IoT penetration testing. | Enables searches for internet-connected devices (like a smart speaker), identifying potentially insecure IoT devices on a network. |
| Google Hacking Database | Useful in web application and network penetration testing. | Indexes search engine queries to find sensitive information publicly available on the internet. |
| Wayback Machine (www.archive.org) | Useful in web application penetration testing. | Archives past versions of websites, revealing historical information and removed content. |
Scanning and Enumeration
Scanning in the context of application testing often involves using automated tools to identify common vulnerabilities like SQL injection, cross-site scripting (XSS), or security misconfigurations.
Once you’ve scanned the application, you engage in enumeration, or more targeted probing of the application, to identify specific details, such as user roles, application behavior under different conditions, and error messages that could reveal the underlying architecture or database structure.
Below are examples of some tools that perform one or both tasks.
Network Mapper (Nmap)
- Description: A free and open-source tool to perform network discovery and security auditing. It’s used to discover hosts and services on a computer network, detect open ports, identify services running on those ports, and sometimes determine the operating system of the target.
- Testing Type: Primarily used in network penetration testing.
Note: Ports are a part of the internet’s communication model. They are the channels through which applications on the client computer can reach the software on the server. If a port is open, it is configured to accept packets of data. Penetration testers may be able to use open ports to deliver malicious payloads to a computer without the user’s knowledge.
Wireshark
- Description: A network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. It's useful for understanding network protocols and diagnosing network problems.
- Testing Type: Often used in network and traffic analysis during network penetration testing.
Nessus
- Description: A vulnerability scanner that detects vulnerabilities, misconfigurations, and potential areas of non-compliance. It also offers remediation advice.
- Testing Type: Commonly used in vulnerability assessments and network penetration testing.
Burp Suite
- Description: An integrated platform for performing security testing of web applications. It has a variety of tools that work together to support the entire testing process, from initial mapping to analysis of an application's attack surface.
- Testing Type: Primarily used in web application penetration testing.
Your Actions:
- Tools Used: OWASP ZAP and Burp Suite for initial network scanning to identify the application’s infrastructure and open ports, and an exploit database to search for exposed financial data related to the web application.
- Outputs: You identified multiple vulnerabilities including outdated server software, misconfigured security headers, and exposed admin interfaces. You also discovered potential SQL injection points and cross-site scripting (XSS) vulnerabilities in web forms.
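Two of the findings above, server software disclosed in response headers and misconfigured security headers, can be checked directly from a captured HTTP response. The following is an added example, not code from this module or from OWASP ZAP or Burp Suite; the header policy and the two sample responses are constructed for illustration.

```python
# Added example (not from the original module): fingerprint the technology stack from
# disclosure headers (Server, X-Powered-By) and audit the security headers a scanner
# such as OWASP ZAP or Burp Suite would flag. Policy and sample responses are constructed.
import re

# Minimum expectation for each required header (constructed baseline; tune to your own).
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "content-security-policy": re.compile(r"."),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
}
# Headers whose value reveals the products behind the application.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 31536000

def _normalize(headers):
    return {k.lower(): v for k, v in headers.items()}

def fingerprint(headers):
    """Return {product: version} found in disclosure headers; version is None if absent."""
    found = {}
    for name in DISCLOSURE_HEADERS:
        value = _normalize(headers).get(name)
        if not value:
            continue
        # Tokens such as "Apache/2.4.7" or "PHP/5.6.40"; a bare "nginx" carries no version.
        for product, version in re.findall(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)", value):
            found[product] = version
        if not re.search(r"/\d", value):
            found[value.strip()] = None
    return found

def audit_security_headers(headers):
    """Return a list of findings for missing or weak security headers."""
    h, findings = _normalize(headers), []
    for name, pattern in REQUIRED_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
            continue
        m = pattern.search(value)
        if not m:
            findings.append(f"weak {name}: {value!r}")
        elif name == "strict-transport-security" and int(m.group(1)) < ONE_YEAR:
            findings.append(f"weak {name}: max-age below one year")
    return findings

# Constructed sample responses: one hardened, one misconfigured.
HARDENED = {"Server": "nginx", "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY"}
MISCONFIGURED = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.6.40",
                 "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
```

Feeding the two samples through `fingerprint` and `audit_security_headers` shows the difference a scanner would report: the misconfigured response discloses two product versions and yields four header findings, the hardened one discloses only a bare product name and yields none.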
During the next phase of penetration testing, you will validate whether the vulnerabilities you’ve discovered are exploitable. You will then share a list of vulnerabilities with the customer at the end of the penetration test through the penetration testing report.
Sum It Up
Great work! Now that you understand how to collect information about your target, it’s time to perform a targeted attack. Let’s go!
Resources
- External Site: ScienceDirect: Passive Reconnaissance
- External Site: Nmap Security Scanner
- External Site: Medium: Back to Basics: DNS Enumeration
- External Site: PentesterAcademy: Web Application Pentesting
- External Site: Software Testing Help: Beginners Guide To Web Application Penetration Testing
- External Site: OWASP: Vulnerability Scanning Tools