Intelligence Gathering
n00bpentesting.com
Lab Guide One
Contents

Prerequisites
  Hardware
  Software
Topics Covered
A Note
Before You Begin
Lab 0ne – Target Selection and OSINT
  Scenario
Lab Tw0 - Footprinting
What’s Next?
Twitter @shai_saint
Prerequisites

Thank you for downloading the n00bpentesting.com Lab Guide 0ne. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.
Hardware
• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard drive with at least 50GB free

Software
• VirtualBox Virtualization Software: http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine: http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine: supply your own copy or use a NIST image, http://nvd.nist.gov/fdcc/download_fdcc.cfm
• Metasploitable Virtual Machine: http://updates.metasploit.com/data/Metasploitable.zip.torrent
Topics Covered
• Target Selection
• Open Source Intelligence (OSINT)
• Footprinting
A Note
All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester, or anyone who wants to move into this field, read and regularly reference the standard. It can be found here: http://www.pentest-standard.org/
Before You Begin
It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages ensures the latest tool updates and fixes are applied, for better stability and exploit success. BackTrack logs you in as root, so none of these commands need sudo.

To update BackTrack, at the command prompt type:
  apt-get update && apt-get upgrade && apt-get dist-upgrade
and press ENTER.

To update SET, at the command prompt type:
  cd /pentest/exploits/set && svn update
and press ENTER.

To update Metasploit, at the command prompt type:
  cd /pentest/exploits/framework && svn update
and press ENTER.
Lab 0ne – Target Selection and OSINT

In this lab you will learn both active and passive intelligence gathering techniques.

Scenario

You have already scoped the penetration test, agreed to rules of engagement and are now embarking on the penetration test. During the first phases of this lab we will use a real company of your choosing to perform passive intelligence gathering, also known as Open Source Intelligence (OSINT).

The client is _____________________________________________

1. Visit the “target” client website. Attempt to determine the following:
   a) What do they do?
      ______________________________________________________________________________
   b) Where are they located?
      ______________________________________________________________________________
   c) Leadership
      ______________________________________________________________________________
   d) Emails
      ______________________________________________________________________________
   e) Phone Numbers
      ______________________________________________________________________________

2. Visit Monster.com and search for job postings listed by the “target” client. What did you learn?
   ______________________________________________________________________________

3. Visit Yahoo! Finance and search for the “target” client. What was the last reported revenue? Any recent stock transactions? What market are they listed on?
   ______________________________________________________________________________

4. Google search for the client name you have chosen. What else did you find?
   ______________________________________________________________________________
Let’s look at a tool that we can use to capture some of this same information in an automated manner.

1) Start the BackTrack virtual machine.
2) Log in and run startx.
3) At the prompt type: cd /pentest
4) Press ENTER.
5) At the prompt type: ls, press ENTER. This is like using the dir command in Windows to see the contents of a directory.
6) At the prompt type: cd enumeration/theharvester, press ENTER.
7) At the prompt type: ls, press ENTER. This lists the contents of the directory. To run a script or program from the current directory in Linux, prefix the filename with “./”; the current directory is not on the search path, so a bare filename will not be found.
8) At the prompt type: ./theharvester, press ENTER. The following help screen appears, listing the options for the Python script. This is true for most scripts in BackTrack: run with no arguments, they print their usage information.
This tool gathers information about a given domain, such as google.com, from multiple sources in a single command. We can see that the available data sources are google, bing, bingapi, pgp, linkedin, google-profiles, exalead, and all. Note: “target domain” in the command is the domain of the company you have selected as your target. Every source except pgp queries a third-party search engine, so this step is still passive from the target’s point of view: the target’s own servers are never touched.

9) At the prompt type: ./theharvester -d "target domain" -b all, press ENTER.

Review the results from all the sources you selected for the “target domain”. Did the harvester script find any more information than what you gathered with the manual procedures?
___________________________________________________________________________________
___________________________________________________________________________________
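The core of what theHarvester does once the search engines have answered is pattern matching: pull out the addresses and hostnames that belong to the target domain and discard everything else, including lookalike domains. The following is an added example for this lab, not code from the guide or from theHarvester itself. It runs that extraction step offline over a constructed snippet of text; example.com stands in for the target domain, and every address, hostname and the phishing lookalike in SAMPLE_PAGE are made up for the demonstration.

```python
"""Minimal OSINT harvester: extract a target domain's emails and hosts from text.

Added example for the n00bpentesting.com lab, not part of the guide or of
theHarvester. SAMPLE_PAGE and example.com are constructed for the demo.
"""
import re
from typing import Dict, Pattern, Set, Tuple

# Constructed sample of what a scraped search-result page or list archive
# might contain for the hypothetical target domain example.com.
SAMPLE_PAGE = """
Contact us: press@example.com or sales@example.com
Engineering lead: Alice Smith <alice.smith@example.com>
Careers: jobs@hr.example.com (see also https://careers.example.com/listing)
Partner mail: bob@notexample.com  (different domain, must be ignored)
Phishing kit: http://www.example.com.evil.net/login  (lookalike, must be ignored)
Internal hosts seen in a job posting: vpn.example.com, mail.example.com,
git.internal.example.com
Also SALES@EXAMPLE.COM in a quoted reply
"""


def _patterns(domain: str) -> Tuple[Pattern, Pattern]:
    """Build the two regexes for one apex domain.

    Both are fenced with look-around so that the match must start and end on
    a name boundary: 'notexample.com' cannot match because 't' precedes
    'example', and 'example.com.evil.net' cannot match because '.' follows.
    """
    apex = re.escape(domain.lower())
    email = re.compile(
        r"(?<![\w.+-])([\w.+-]+@(?:[a-z0-9-]+\.)*" + apex + r")(?![\w.-])", re.I)
    # Hostnames need at least one label in front of the apex (www., vpn., ...).
    host = re.compile(
        r"(?<![\w.-])((?:[a-z0-9-]+\.)+" + apex + r")(?![\w.-])", re.I)
    return email, host


def harvest(text: str, domain: str) -> Dict[str, Set[str]]:
    """Return the unique, lower-cased emails and hostnames of `domain` in `text`."""
    email_re, host_re = _patterns(domain)
    emails = {m.lower() for m in email_re.findall(text)}
    hosts = {m.lower() for m in host_re.findall(text)}
    # A subdomain that only ever appears as the right-hand side of an address
    # is still a host worth footprinting later.
    for address in emails:
        mail_host = address.split("@", 1)[1]
        if mail_host != domain.lower():
            hosts.add(mail_host)
    return {"emails": emails, "hosts": hosts}


if __name__ == "__main__":
    found = harvest(SAMPLE_PAGE, "example.com")
    for kind in ("emails", "hosts"):
        print(f"[{kind}]")
        for item in sorted(found[kind]):
            print("  " + item)
```

The look-around fences are the part worth copying: without them a naive `@.*example\.com` pattern happily reports bob@notexample.com and the evil.net phishing host as belonging to the client, which is exactly the kind of false positive that ends up in a report.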
Lab Tw0 - Footprinting

Now that you have gathered open source intelligence, the next step is to footprint the target. Footprinting is the process of finding the target’s live IP addresses, open service ports, running software and so on. There are both passive and active footprinting techniques, but the ones below are active, which means there is direct interaction with the target’s network and systems, and the target can log it. To work through this and the remaining labs up to exploitation, you must use the Metasploitable VM or one of the many vulnerable virtual systems available for download.

Caution: Do not perform any of the following procedures against any system for which you do not have the explicit written permission of its owner. It is highly recommended you only use the vulnerable virtual machine listed in the Prerequisites section. You have been warned. Please see the “Setting Up a n00bpentesting.com Lab” guide on n00bpentesting.com for proper lab configuration using VirtualBox.
1) Start the BackTrack VM and the Metasploitable VM. To learn which services are running on the vulnerable VM, we must perform a port scan.
2) In BackTrack, at the prompt type: nmap -sS ip_address, press ENTER. Replace ip_address with the Metasploitable VM’s address. -sS is a TCP SYN (half-open) scan; it needs raw socket access, which BackTrack’s root login provides, and by default it covers nmap’s list of the 1000 most common TCP ports, not all 65535.

We now know which service ports are open on the target system, but what versions of software sit behind them, and what operating system is it running? Let’s run another nmap scan that will give us this information.
3) At the command prompt type: nmap -sV -O ip_address, press ENTER.

The nmap output now shows the software and version detected on each open port (-sV probes the service and matches its reply against nmap’s signature database) and reports the operating system that our target is running (-O fingerprints the TCP/IP stack and, like -sS, needs root).
Another method that can be used to determine what software is running on an open service port is to “banner grab”. This is simply connecting to the target system on an open service port and capturing what the application on that port sends back. Let’s look at port 80. We’ll use Netcat.

4) At the command prompt type: nc target_ip 80, press ENTER.
5) Type: HEAD / HTTP/1.0, then press ENTER twice. The second ENTER sends the blank line that ends an HTTP request; if you use HTTP/1.1 instead, you must also send a Host: header line before the blank line.

The Server: line in the response identifies the web server software and version. Now that this information is collected, it can be used to search for vulnerabilities that have exploits available. We now know that the target is running Linux 2.6.x and multiple other services.
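The three footprinting steps above (find the open ports, identify the service, read its banner) can be reproduced with nothing but sockets, which makes it easier to see what nmap and netcat are doing for you. The following is an added example for this lab, not code from the guide. Because the Metasploitable VM is not available to a script running on its own, it starts a local HTTP listener on 127.0.0.1 as a stand-in target; the Apache-style Server string that listener advertises is hypothetical. The scan it performs is a full TCP connect scan (what nmap -sT does), which needs no root, unlike the SYN scan in step 2.

```python
"""Footprinting with plain sockets: TCP connect scan plus HTTP banner grab.

Added example for the n00bpentesting.com lab, not part of the guide.
The target is a loopback listener started by this script and the banner it
advertises is hypothetical.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> List[int]:
    """Return the ports that complete a TCP handshake (connect scan, like nmap -sT)."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host: str, port: int, timeout: float = 2.0) -> Dict[str, str]:
    """Send the HEAD request the lab types into netcat and parse the reply.

    Returns the status line under "status" and each response header keyed by
    its lower-cased name, so the banner is result["server"].
    """
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:          # read until the header block ends
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    result = {"status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        result[name.strip().lower()] = value.strip()
    return result


# --- Constructed stand-in for the Metasploitable web server -----------------
class _BannerHandler(BaseHTTPRequestHandler):
    def version_string(self) -> str:
        # Hypothetical banner; a real server puts its own product/version here.
        return "Apache/2.2.8 (Ubuntu) PHP/5.2.4"

    def do_HEAD(self) -> None:
        self.send_response(200)      # BaseHTTPRequestHandler adds Server: and Date:
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args) -> None:
        pass                         # keep the listener quiet


def start_target() -> HTTPServer:
    """Bind an ephemeral loopback port and serve from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def pick_closed_port() -> int:
    """Reserve and release a loopback port so the scan also probes a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def footprint_local_target() -> Dict[str, object]:
    """Run the lab's scan and banner-grab steps against the listener."""
    srv = start_target()
    try:
        host, port = srv.server_address
        closed = pick_closed_port()
        found = scan_ports(host, [port, closed])
        banner = grab_http_banner(host, port)
        return {
            "open": found,
            "probed_closed": closed,
            "status": banner["status"],
            "server": banner.get("server"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in footprint_local_target().items():
        print(f"{key}: {value}")
```

Two points carry over to the real lab: a connect scan completes the handshake and therefore shows up in the target’s application logs, whereas nmap’s SYN scan tears the connection down before the service ever sees it; and a banner is whatever the application chooses to say, so treat it as a lead to confirm with -sV and a vulnerability scan, not as proof of the version.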
What’s Next?
The next step is Vulnerability Analysis. Please see “Intro To Penetration Testing – Lab Guide Tw0”.