Intelligence Gathering – Penetration Testing

by do son · Published July 22, 2017 · Updated November 4, 2024

Intelligence Gathering

Prior to an attack, the penetration tester should know as much as possible about the target environment and the characteristics of the system. The more targeted information the penetration tester finds, the better the chances of identifying the easiest and fastest way to succeed. Black-box testing requires more reconnaissance than white-box testing because testers do not get too much data. Scouting services may include Internet footprints for investigating targets, monitoring resources, monitoring personnel, processes, etc., scanning network information (such as IP addresses and system types), and social engineering public services such as help desks. Reconnaissance is the first step in penetration testing, whether the penetration tester is known to confirm the target system, or to find known intelligence. When reconnaissance, the target environment must be defined according to the work area. Once the target is identified, a survey is performed to gather information about the target, such as which ports are used for communication, where the target is hosted, what services it provides to the customer, and so on. This data can be used to develop a plan to see what the best way to get the desired results. The results of the reconnaissance process should include a list of all target assets, what applications are associated with the asset, services to be used, and possible asset owners. Kali Linux provides a category labeled “Information Gathering”, which is a reconnaissance resource. Tools include tools for investigating networks, data centers, wireless networks, and host systems. The following is a checklist of reconnaissance goals: Acknowledging the goals Defining the use of applications and services Acknowledging the type of system, confirming the available ports, confirming the running services, social engineering information, document discovery.

On this posting, I’m going to introduce enum.sh script. This script will perform various reconnaissance on your target domain.