Skip to main content

Collect Information About the Target

Learning Objectives

After completing this unit, you’ll be able to:

  • List the different tools to perform reconnaissance.
  • List tools penetration testers use for scanning and enumeration.
  • Describe how penetration testers identify threats and vulnerabilities.

Phase 3: Gather Information About the Target

With your plan in hand, you start scanning the web application targeted for testing using a web app scanner like OWASP ZAP or Burp Suite. Your goal is to discover vulnerabilities within scope by mapping out the application in search of outdated software, misconfigurations, unprotected endpoints, etc.. 

There are several key strategies that you can use  to collect information about the target web application : reconnaissance; scanning and enumeration; and vulnerability analysis. Each of these strategies plays a crucial role in building a comprehensive understanding of the target system. Let’s take a closer look. 

The three strategies to collect information: A woman with binoculars symbolizing reconnaissance, a computer screen with folders symbolizing scanning and enumeration, etc.

Reconnaissance

In application penetration testing active reconnaissance involves gathering data about the application. This could include  understanding the application's functionality, identifying the technologies it's built on (such as the web framework, server software, and database systems), and gathering information about endpoints and exposed data.

Passive reconnaissance might involve reviewing publicly available information about the application, such as documentation, user guides, or forums.

Let’s take a closer look at some of the common tools you can use to perform reconnaissance. 

Tool

Testing Type

Description

Domain Name Searches (Whois) 

Often used in web application and network penetration testing.

Identifies domain ownership and contact details, including server names and IP address ranges. 

Internet Search Engines 

Useful for web application and network reconnaissance.

Reveals documents mentioning networking equipment, server names, and potentially outdated web pages with sensitive data.

Job Advertisements/Posting Sites

Useful for web application and network reconnaissance

Discloses software, or equipment details that may have known vulnerabilities.

Social Engineering

Primarily used in social engineering tests.

Involves deception to extract  confidential information such as  posing as a client, and asking for sensitive information.

Shodan 

Ideal for network and IoT penetration testing.

Enables searches for internet-connected devices (like a smart speaker), identifying potentially insecure IoT devices on a network. 

Google Hacking Database

Useful in web application and network penetration testing

Indexes search engine queries to find sensitive information publicly available on the internet. 

Wayback Machine (www.archive.org) 

Useful in web application penetration testing

Archives past versions of websites, revealing historical information and removed content. 

Scanning and Enumeration

Scanning in the context of application testing often involves using automated tools to identify common vulnerabilities like SQL injection, cross-site scripting (XSS), or security misconfigurations.

Once you’ve scanned the application, you engage in enumeration, or more targeted probing of the application, to identify specific details, such as user roles, application behavior under different conditions, and error messages that could reveal underlying architecture of the database structure.

Below are examples of some tools that perform one or both tasks. 

Network Mapper (Nmap)

  • Description: A free and open-source tool to perform network discovery and security auditing. It’s used  to discover hosts and services on a computer network, detect open ports, identify services running on those ports, and sometimes determine the operating system of the target..
  • Testing type: Primarily used in network penetration testing

Note: Ports are a part of the internet’s communication model. They are the channels through which applications on the client computer can reach the software on the server. If a port is open, it is configured to accept packets of data. Penetration testers may be able to use open ports to deliver malicious payloads to a computer without the user’s knowledge.

Wireshark:

  • Description: A network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. It's useful for understanding network protocols and diagnosing network problems.
  • Testing Type: Often used in network and traffic analysis during network penetration testing.

Nessus:

  • Description: A vulnerability scanner that detects vulnerabilities, misconfigurations, and potential areas of non-compliance. It also offers remediation advice.
  • Testing Type: Commonly used in vulnerability assessments and network penetration testing.

Burp Suite:

  • Description: An integrated platform for performing security testing of web applications. It has a variety of tools that work together to support the entire testing process, from initial mapping to analysis of an application's attack surface.
  • Testing Type: Primarily used in web application penetration testing.

Your Actions: 

  1. Tools Used: OWASP ZAP and Burp Suite for initial network scanning to identify the application’s infrastructure and open ports and an exploit database to search for exposed financial data related to the web application.
  2. Outputs: You identified multiple vulnerabilities including outdated server software, misconfigured security headers, and exposed admin interfaces. You also discovered potential SQL injection points and cross-site scripting (XSS) vulnerabilities in web forms.
Note

Practice Activity: Use OWASP ZAP, a web app scanner, in its online demo mode to simulate the discovery of web application vulnerabilities.

During the next phase of penetration testing, you will validate if the vulnerabilities you’ve discovered are exploitable. You will then share a list of vulnerabilities with the customer at the end of the penetration test through the penetration testing report. 

Knowledge Check

Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column under the matching term on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Sum It Up

Great work! Now that you understand how to collect information about your target, it’s time to to perform a targeted attack. Let’s go!

Resources

Compartilhe seu feedback do Trailhead usando a Ajuda do Salesforce.

Queremos saber sobre sua experiência com o Trailhead. Agora você pode acessar o novo formulário de feedback, a qualquer momento, no site Ajuda do Salesforce.

Saiba mais Continue compartilhando feedback