Introduction

This phase consists of gathering as much information as possible to gain more understanding of the target. Furthermore, it is the most overlooked and most important because in this phase, you will find and craft the attack vectors for the exploitation and post-exploitation phases.

The vectors of attack could be:

• Use of compromised or weak credentials

• Phishing attacks.

• Employee impersonation

• The exploitation of service misconfiguration

• Sniffing unencrypted or weakly encrypted communications

• The exploitation of N-Day vulnerabilities

Information Gathering Methods

The methods used to collect information can be classified in two different ways.

• Passive: Gather information without establishing a direct connection between the pentester and the client. It involves analysing public information on the Internet (blogs, news, social networks, etc.), public DNS queries, OSINT tools, etc.

• Active: Gather information establishing contact between the pentester and the client. It involves HUMINT, port enumeration, private DNS queries, vulnerability scanning, credentials brute force, directory listing, etc.

OSINT

Open Source Intelligence (OSINT) extracts high-value intelligence by harvesting open-source records to create a comprehensive profile of specific targets. Open-source information can be defined as that information that is publicly available material that anyone can lawfully obtain by request, purchase or observation—as examples of public sources can be newspapers, journals, radio, television and the Internet, being the latter the most used nowadays.

HUMINT

Human Intelligence (HUMINT) is intelligence gathered from any human resource. Unlike OSINT, which employs passive information gathering methods, HUMINT requires direct contact with people; that is why it needs more qualified agents capable of influencing, persuading and/or manipulating their victims for obtaining semi-public or private information—using techniques like person impersonation, social engineering, eavesdropping, trashing, etc.

Furthermore, since the obtained information is not public, it can not be contrasted; hence, the attacker must consider the sources' reliability.

HUMINT techniques are used during a pentesting for testing employees' adherence to the security policies and practices defined by the company; and for the attacker to get access to sensitive information or facilities infrastructure.

Finally, making a small comparison between OSINT and HUMINT, we know that the first one is more efficient, economical and challenging to detect.

Types of information

The information obtained can be categorised into different principal topics.

Physical

This information involves the client's different buildings (Headquarters, branch offices, franchises...) and the physical security of each office (camera placements, fences, sensors, guards, control access...). This information is helpful in physical pentesting or red teaming.

Logical

The logical category consists of getting information about relationships between business clients and partners, their main competitors, their offered products, marketing activities, company significant dates, job openings, court records, charity affiliations... Useful for HUMINT attacks.

Organisational Breakdown Structure

Obtain information about the organisation's structure and the relationships between ranks, jobs and employees. This information will help you to impersonate employees for spear phishing attacks.

Employees

Starting from the "Organisational Breakdown Structure", we can obtain specific data from each company employee like email, social networks (metadata), court records, tastes and hobbies, professional licenses or registries... The obtained information can be used during a pentesting or red teaming service:

• The company will check each individual's trustworthiness.

• The employee will know how much data they expose on the Internet.

• The pentester will be able to craft spear-phishing attacks.

Digital

The information categorised as digital consists of the company's published documents with their metadata, company's email addresses and social networks, public IPs, domains and subdomains, opened ports, software used, external and internal infrastructure, public repositories and services, vulnerabilities, defence technologies...

Thanks to the digital information, the pentester will find attack vectors later used in the pentesting.

Finding vulnerabilities methodology

This section shows the required steps you should follow in order to find vulnerabilities for each service on a target computer.

1. Identify the software running.

   • Obtain the banner.

   • Use Google Images to detect the software based on the service/web page logo.

2. Identify the software version.

3. Look for vulnerabilities in that version.

   • Search for vulnerabilities on Metasploit

   • Search for vulnerabilities on Searchsploit

   • Search for vulnerabilities on Google

   • Search for Proofs of Concept on GitHub/GitLab.

4. Look for software misconfiguration.

5. Try default credentials or use brute-forcing (Exploitation phase)

   • If some credentials are found, try them everywhere

You can also use automatic tools to help you identify vulnerabilities in each service. But, you will have to check that the results do not contain false positives. Here there are some automatic tools for general services:

• Nessus

• OpenVas

• Nmap

• Acunetix

• Nuclei