
TUTORIAL - Information gathering

Discussion in 'Information Gathering' started by Witranx, Apr 1, 2013.

  1. Witranx

    Witranx Staff Member

    Information gathering:

    Information gathering is the first and most important phase in penetration testing.
    In this phase, the attacker gains information about aspects such as the target network,
    open ports, live hosts and services running on each port.

    This creates an organizational profile of the target, along with the systems and networks in use.
    Zenmap is the Kali information gathering and network
    analysis tool. The intense scan mode in Zenmap provides target information such as
    services running on each port, the version, the target operating system, network hop
    distance, work-groups and user accounts.

    Other Kali information gathering tools of interest are CMS identification and
    IDS-IPS identification for web application analysis. CMS identification gives information
    about the underlying CMS, which can be used to do a vulnerability research on the CMS
    and gather all the available exploits to test the target system. The joomscan tool (for the
    Joomla CMS) is covered later in this tutorial.

    Another interesting and powerful tool is Maltego, generally used for SMTP analysis.
    The Palette in Maltego shows the DNS name, domain, location, URL, email, and other
    details about the website. Maltego uses various transformations on these entities to
    give the pen tester necessary details about the target. Views such as mining view, edge
    weighted view, etc., provide a graphical representation of the data obtained about a
    particular target.

    Vulnerability assessment:

    The second phase in pen testing is vulnerability assessment. After gaining some initial
    information and an organizational profile of the target through conclusive foot-printing,
    we will assess the weak spots or vulnerabilities in the system. There are a number of
    vulnerability databases available on-line for ready use, but we will focus on what
    Kali has to offer in this tutorial.


    Web application scanners are used to assess website vulnerabilities.
    Joomscan is meant for Joomla-based websites and reports vulnerabilities pre-stored in the repository.
    Joomscan can be run with the following command:

    Code:
    joomscan -u <string> -x proxy:port
    Here <string> is the target Joomla website. Joomscan has options for version detection,
    server check, firewall activity, etc.

    OpenVAS (Open Vulnerability Assessment System) on Kali:
    OpenVAS is a powerful tool for performing vulnerability assessments on a target. Before
    doing the assessment, it is advisable to set up a certificate using the OpenVAS MkCert
    option. After that, we will add a new user from the menu in this Kali tutorial.

    The user can be customized by applying rules, or assigned an empty set by pressing
    Ctrl+D. Once a new user has been added with login and other credentials, we can go
    ahead with the assessment part of this tutorial.
    OpenVAS works on the client/server model in the assessment process. You should
    regularly update the arsenal to perform efficient tests.

    OpenVAS vs Nessus Scanner.
    Nessus Scanner is another vulnerability assessment tool for carrying out automated
    assessments. Let’s take a look at the difference between the two in the next step of this
    tutorial.
    Nessus has two versions, free and paid, while OpenVAS is completely free. Recent
    observations have shown that the plug-in feed from these two scanners is considerably
    different, and depending on only one tool is not recommended, as automated scanners
    can throw up lots of false positives.

    Clubbing manual scanners with other tools, alongside automated scanners, is
    recommended for doing a comprehensive assessment of the target. Kali also
    offers other tools under this category including CISCO tools, which are meant for CISCO-
    based networking hardware. Fuzzers are also available, categorized as network fuzzers
    and VOIP fuzzers.

    It’s evident from the above tutorial that Kali has a lot to offer in terms of
    information gathering and vulnerability assessment. In this tutorial, I have made an
    effort to show one or two tools which I felt would be most useful to readers. It’s
    best to try out all tools so that you have first-hand experience of Kali, and the
    power it brings to a pen tester’s arsenal. In subsequent tutorials, we shall see how
    Kali facilitates exploitation of a target.
     
    #1
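As an added example (not part of the original post), here is a Python parser for the XML that nmap and Zenmap write with the -oX option, turning the fields the tutorial lists for the intense scan (open ports, service, version, OS guess) into an inventory that an administrator can diff against the services a host is approved to expose. The XML sample is constructed, not a real scan, and the allowed-baseline helper is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap/Zenmap XML output (nmap -oX); not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.0p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.22"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 3.8" accuracy="95"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one record per open port: host, port, service, product/version, OS guess."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no service data
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are exposed services
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            records.append({
                "host": addr, "hostname": hn.get("name") if hn is not None else "",
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product, "os": osm.get("name") if osm is not None else "",
            })
    return records


def unexpected_services(records, allowed):
    """Flag open ports absent from the approved baseline, a set of (host, port) pairs."""
    return [r for r in records if (r["host"], r["port"]) not in allowed]
```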
  2. DarkSolo

    DarkSolo Staff Member

    thanks for your time ! good job !
     
    #2
  3. Witranx

    Witranx Staff Member

    #3
  4. danlix

    danlix New Member

    Great ...
     
    #4
  5. logic

    logic OpenWire CEO

    I think you skipped a major part of recon, which is getting to know the company or person you are trying to attack. Most of the time, people use passwords that can easily be guessed by using someone's name, date of birth, city, pets' names. Stuff like that. Amazing tutorial though :)
     
    #5
  6. Lotfi

    Lotfi New Member

    Thanks, good work :)
     
    #6
  7. José Brito

    José Brito New Member

    Nice , good work bro
     
    #7
  8. phadeb

    phadeb New Member

    Thanks for this tut', very useful.

    And if you have trouble launching joomscan like me, try updating the packages:

    Code:
    apt-get update && apt-get install joomscan
    joomscan update
    
     
    #8
  9. AfterBurn

    AfterBurn Member

    Indeed. You need to do more recon than just a port scan and vuln scan.

    The social aspect, as logic wrote about, is a MUST. Not only would it help you in guessing passwords, etc., but if all else fails scan-wise, you need to be nimble enough to use Social Engineering to gain access to more information, or the network itself.

    Most companies tend to be a bit on the naive side and list their company directory on their website in terms of extensions/emails. Take notice of the naming conventions of emails. Since first names are mostly common, normally the schema for emails is the first letter of the first name, followed by the last name @ company.tld. For instance, user John Smith might be .smith@company.com or, since both John and Smith are common first and last names, it might be j.smith@company.com. The latter is more common if two John Smiths work at the same company.

    Find out who the IT guy (if there is one) or who their current IT provider is, and their email/domain.

    Spoof an email to a user (not the CEO!) from that of the IT guy. Ask in the email for them to "click this link" to update their machine password, etc. Be creative here. Reverse shell anyone? :)
     
    #9
  10. fareezizwar

    fareezizwar New Member

    good job !
     
    #10
  11. dragon

    dragon New Member

    Thanks for this tut..good job bro
     
    #11
  12. Shaikh Mubashirulislam

    Shaikh Mubashirulislam New Member

    Nic3 Tutorial........
     
    #12
  13. baa

    baa New Member

    Thanks Mr. Witranx :)
     
    #13
  14. Crashbandicot

    Crashbandicot New Member

    keep rockin brother.
     
    #14
  15. erphidi

    erphidi New Member

    How do I determine the proxy and port on the target website?
     
    #15
