Target Scoping & Information Gathering
Week 2 (2 March 2018)
1.0 Definition of Target Scoping
Target scoping is the preparatory process of collecting the requirements of the assessment from the client and agreeing on them before any testing starts.
2.0 Key Concept of Target Scoping
2.1 Gathering Client Requirements
The purpose of this step is to obtain from the client as much information as may be necessary for the penetration testing process: which assets are to be tested, what the client wants to learn, and any constraints.
2.2 Prepare Test Plan
Decide what is necessary for the test and what is not, and sign an NDA and a contract (the written authorization) with the client before starting.
2.3 Profiling Test Boundaries
Make sure to agree with the client on the limitations of the penetration test, such as how much prior knowledge the tester is given about the target and which technologies and systems are in scope.
2.4 Defining Business Objectives
Based on the requirements, define the business objectives: what should the client's company be able to improve once the penetration test is done, whether on the IT (security) side, the financial side, etc.
2.5 Project Management & Scheduling
Project management and scheduling also matter, because the penetration tester has to finish in time. There are many applications and tools that help manage a penetration test and produce an outline of how long the process will take.
3.0 Definition of Information Gathering
Information gathering is where the tester collects as much information as possible about the target: DNS records, hostnames, IP addresses, usernames, password reset information, secret questions, contact information, etc. Knowledge is power, and there is no such thing as too much information. Keep in mind, however, the trade-off with stealth: passive collection from public sources leaves no trace on the target, while active techniques (scans, DNS brute force) send traffic to the target's systems and can be logged, detected, or raise suspicion.
4.0 Information Gathering Tools
Information can be gathered in different ways: public sources such as search engines and the whois database, scanners, and anything else that forces the system to leak information.
4.1 Public Resources
Phoning the company to ask for information, perhaps while pretending to be an employee, counts as social engineering; it must be explicitly allowed in the scope agreed with the client.
Search engines can be used to obtain information as well: company email addresses, job titles, full names, social media accounts, etc.
One example is the website whois.net, which shows the registrant of a domain. pentest.id is my teacher's website; he allowed us to practice on it.
4.2 The Whois Database command
Like whois.net, the whois command (~# whois domainname) shows the registrant and contact information recorded for the domain.
4.3 Host command
The host command resolves a domain name to its IP address:
~# host domainname
With no options, host looks up the A, AAAA, and MX records of the name. The -a option is equivalent to -v -t ANY: it requests every record type and prints the full verbose answer.
A is the IPv4 address record, AAAA the IPv6 address record, and MX the Mail eXchange record.
4.4 Dig command
The dig command (~# dig domainname) serves the same purpose as host but prints the complete DNS response (question, answer, authority, and additional sections). By default it queries only the A record; a record type can be appended, e.g. dig domainname MX, and dig +short domainname prints only the answer data. It is usually preferred because it is more flexible and its output is clearer.
4.5 Dnsenum command
dnsenum collects information from DNS. With -f and a text file of candidate labels, it brute-forces subdomains of the domain by trying each word in the file (~# dnsenum -f wordlist.txt domainname).
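The subdomain brute force that dnsenum -f performs (and the per-name A lookup that host and dig do) boils down to the loop below. This is an added example written for these notes, not code from dnsenum or from the course; the resolver is injectable so the logic can be exercised offline against a constructed sample zone, and the default resolver uses the operating system's stub resolver. It also adds one check the notes do not mention: a zone with a wildcard record answers every label, so the script first resolves a random label and discards hits that return the same address.

```python
"""Subdomain brute force over a wordlist, the way dnsenum -f works.

Added example, not part of the original notes or of dnsenum itself.
The resolver is injectable so the logic can be exercised offline;
the default resolver uses the OS stub resolver (like `host name`).
"""
import secrets
import socket
from typing import Callable, Dict, List, Optional

# name -> IPv4 address, or None when the name does not exist
Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Look up the A record for `name` via the OS resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Return the address a random, surely nonexistent label resolves to, or None.

    A zone with a wildcard record answers every label, which would make a
    brute force report every word in the list as a hit.
    """
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


def brute_force_subdomains(domain: str, words: List[str],
                           resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Try each word as a label under `domain`; return {fqdn: address} for real hits.

    Hits that resolve to the wildcard address are dropped: they carry no information.
    """
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):   # skip blanks and comments in the wordlist
            continue
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip is None or ip == wildcard_ip:
            continue
        found[fqdn] = ip
    return found


# Constructed sample zone so the example runs offline (hypothetical names and addresses).
SAMPLE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "vpn.example.test": "203.0.113.40",
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for system_resolve over SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name)


def fake_wildcard_resolve(name: str) -> Optional[str]:
    """Constructed zone with a wildcard record: every label under wild.test answers."""
    if name == "www.wild.test":
        return "198.51.100.5"
    if name.endswith(".wild.test"):
        return "198.51.100.1"  # the wildcard answer
    return None


# Constructed wordlist in the same shape as a dnsenum -f file.
WORDLIST = ["# common labels", "www", "mail", "ftp", "vpn", "dev", "admin"]

if __name__ == "__main__":
    for fqdn, ip in brute_force_subdomains("example.test", WORDLIST, fake_resolve).items():
        print(f"{fqdn} -> {ip}")
    # To run it for real (active, and therefore visible to the target):
    # brute_force_subdomains("pentest.id", open("wordlist.txt").read().splitlines())
```

Against the constructed zone the run reports www, mail and vpn; against the wildcard zone only www survives, because every other label resolves to the wildcard address. Remember that each lookup is a query sent to the target's name servers, so this is active gathering.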
4.6 DMitry command
DMitry stands for Deepmagic Information Gathering Tool. It works like the whois tool but can also search for subdomains and email addresses and run a TCP port scan (~# dmitry -wse -p domainname, where -w is whois, -s subdomains, -e email addresses, and -p a port scan).
4.7 Tcptraceroute command
tcptraceroute works like traceroute but sends TCP SYN packets (by default to port 80) with increasing TTL instead of ICMP or UDP probes, so it gets through firewalls that drop those. Intermediate routers answer with ICMP time exceeded as usual; when the probe reaches the target, a SYN/ACK reply means the port is open and a RST reply means it is closed. No reply at all usually means a firewall dropped the probe or the answer.
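To make the SYN/ACK versus RST distinction concrete, here is a decoder for the TCP header of a reply to such a SYN probe. This is an added example written for these notes, not code from tcptraceroute; the two reply packets are constructed by hand with a zero checksum, not captured from a real host, and the source port 44444 is an arbitrary choice.

```python
"""Decode the TCP header of a reply to a SYN probe and classify the port state.

Added example, not part of the original notes or of tcptraceroute itself.
The sample packets are constructed by hand, not captured from a real host.
"""
import struct
from typing import Dict, Optional

# TCP flag bits in the low byte of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_tcp_header(segment: bytes) -> Dict[str, int]:
    """Parse the fixed 20-byte TCP header (RFC 793 layout); raise on truncated input."""
    if len(segment) < 20:
        raise ValueError("TCP segment shorter than the 20-byte minimum header")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x01FF,            # NS plus the eight classic flags
        "window": window, "checksum": checksum, "urgent": urg,
    }


def classify_probe_reply(reply: Optional[bytes], probe_sport: int, probe_dport: int) -> str:
    """Interpret the target's answer to a SYN sent from probe_sport to probe_dport.

    SYN/ACK from the target means the port is open, RST means it is closed,
    and no reply within the timeout usually means a filter dropped the probe or the answer.
    """
    if reply is None:
        return "filtered"
    hdr = parse_tcp_header(reply)
    if hdr["sport"] != probe_dport or hdr["dport"] != probe_sport:
        return "unrelated"  # ports do not match our probe, so not its reply
    flags = hdr["flags"]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, checksum left zero) for the samples."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


# Constructed replies to a probe from source port 44444 to port 80 (hypothetical values).
SYN_ACK_REPLY = build_tcp_header(80, 44444, SYN | ACK, seq=0x1000, ack=1)
RST_REPLY = build_tcp_header(80, 44444, RST | ACK, ack=1)

if __name__ == "__main__":
    print(classify_probe_reply(SYN_ACK_REPLY, 44444, 80))  # open
    print(classify_probe_reply(RST_REPLY, 44444, 80))      # closed
    print(classify_probe_reply(None, 44444, 80))           # filtered
```

The RST check comes before the SYN/ACK check because a RST/ACK is the normal closed-port answer and must not be mistaken for an acknowledgement. The reply is only trusted when its ports are the mirror image of the probe's; anything else on the wire is ignored.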