1
00:00:00,120 --> 00:00:01,920
Instructor: The first step in the second phase
2
00:00:01,920 --> 00:00:03,930
of the penetration testing methodology
3
00:00:03,930 --> 00:00:06,060
is to conduct information gathering,
4
00:00:06,060 --> 00:00:08,220
also known as reconnaissance.
5
00:00:08,220 --> 00:00:10,290
This is when we learn all about the organization
6
00:00:10,290 --> 00:00:14,160
in a systematic attempt to locate, gather, identify
7
00:00:14,160 --> 00:00:16,830
and record information about our various targets
8
00:00:16,830 --> 00:00:20,130
including things like hosts, servers, systems
9
00:00:20,130 --> 00:00:22,500
and even employees of the organization.
10
00:00:22,500 --> 00:00:24,090
Information gathering is also known
11
00:00:24,090 --> 00:00:25,890
as footprinting the organization
12
00:00:25,890 --> 00:00:27,510
and it includes figuring out exactly
13
00:00:27,510 --> 00:00:30,120
what types of systems the organization is gonna be using
14
00:00:30,120 --> 00:00:31,320
so we're able to attack them
15
00:00:31,320 --> 00:00:33,090
in the third phase of our assessment,
16
00:00:33,090 --> 00:00:35,850
which is the attacks and exploits phase.
17
00:00:35,850 --> 00:00:37,530
Now, reconnaissance and footprinting
18
00:00:37,530 --> 00:00:39,960
involve the identification, discovery
19
00:00:39,960 --> 00:00:41,220
and obtaining of information
20
00:00:41,220 --> 00:00:44,880
through a wide variety of tasks, goals, and outcomes.
21
00:00:44,880 --> 00:00:47,100
For example, we can gather information
22
00:00:47,100 --> 00:00:48,390
by using the internet,
23
00:00:48,390 --> 00:00:51,090
open source research by looking at press releases,
24
00:00:51,090 --> 00:00:54,330
job postings, resumes, social media sites,
25
00:00:54,330 --> 00:00:56,970
as well as using Google to search around the internet.
26
00:00:56,970 --> 00:00:59,430
These methods are considered passive reconnaissance
27
00:00:59,430 --> 00:01:01,140
since we can attempt to gain information
28
00:01:01,140 --> 00:01:03,090
about targeted computers and networks
29
00:01:03,090 --> 00:01:05,640
without actively engaging with those systems.
30
00:01:05,640 --> 00:01:07,770
We can also perform social engineering
31
00:01:07,770 --> 00:01:09,360
which is where we attempt to trick a user
32
00:01:09,360 --> 00:01:11,640
into giving us the information we need.
33
00:01:11,640 --> 00:01:14,100
This can be through email attempts like phishing,
34
00:01:14,100 --> 00:01:16,650
voice calls like vishing or even in-person
35
00:01:16,650 --> 00:01:18,630
using deception techniques
36
00:01:18,630 --> 00:01:21,150
or we may choose to go dumpster diving
37
00:01:21,150 --> 00:01:23,730
where we're gonna go to the organization's physical location
38
00:01:23,730 --> 00:01:25,830
and start going through their trash.
39
00:01:25,830 --> 00:01:27,390
Once something is thrown to the trash
40
00:01:27,390 --> 00:01:29,010
and is outside of the office,
41
00:01:29,010 --> 00:01:31,590
it becomes open for anybody to access,
42
00:01:31,590 --> 00:01:34,890
and we may be able to find things like usernames, phone lists,
43
00:01:34,890 --> 00:01:37,560
organizational charts and other useful information
44
00:01:37,560 --> 00:01:39,720
that we can use during our engagement.
45
00:01:39,720 --> 00:01:42,300
Finally, we can conduct email harvesting
46
00:01:42,300 --> 00:01:44,430
by collecting as many emails as we can
47
00:01:44,430 --> 00:01:47,880
by crafting specialized search queries inside of Google too.
48
00:01:47,880 --> 00:01:49,860
The point here is that all these techniques
49
00:01:49,860 --> 00:01:52,320
are technically considered passive reconnaissance
50
00:01:52,320 --> 00:01:53,790
because we're not directly engaging
51
00:01:53,790 --> 00:01:56,340
with the organization's workstations or servers
52
00:01:56,340 --> 00:01:58,710
like we do in our active reconnaissance phase
53
00:01:58,710 --> 00:02:00,750
when we perform enumeration and fingerprinting
54
00:02:00,750 --> 00:02:02,310
of their systems.
55
00:02:02,310 --> 00:02:04,140
Now, during passive reconnaissance,
56
00:02:04,140 --> 00:02:06,060
we're gonna be looking for specific information
57
00:02:06,060 --> 00:02:06,930
at this point,
58
00:02:06,930 --> 00:02:09,449
things like phone numbers, contact names,
59
00:02:09,449 --> 00:02:12,120
organizational positions, email addresses,
60
00:02:12,120 --> 00:02:13,890
security related information,
61
00:02:13,890 --> 00:02:16,230
the type of information systems they're using,
62
00:02:16,230 --> 00:02:18,210
whether they're running Windows or Linux,
63
00:02:18,210 --> 00:02:21,060
or if they're using Apache or Internet Information Services
64
00:02:21,060 --> 00:02:23,340
or whatever type of web server they are using.
65
00:02:23,340 --> 00:02:25,830
Most of this information is already out there
66
00:02:25,830 --> 00:02:27,540
openly available online,
67
00:02:27,540 --> 00:02:29,940
we just have to go and search for it.
68
00:02:29,940 --> 00:02:31,080
Now, when you're working as part
69
00:02:31,080 --> 00:02:34,080
of a penetration testing team, it's also important to gather
70
00:02:34,080 --> 00:02:36,570
and catalog all the information you're finding
71
00:02:36,570 --> 00:02:38,040
during your reconnaissance efforts
72
00:02:38,040 --> 00:02:40,110
so that other members of your team can also review
73
00:02:40,110 --> 00:02:40,943
what you found
74
00:02:40,943 --> 00:02:42,900
and then use it during their collection efforts
75
00:02:42,900 --> 00:02:45,690
or their exploitation efforts later on.
76
00:02:45,690 --> 00:02:47,850
Some teams will use an internal wiki
77
00:02:47,850 --> 00:02:49,950
and others will use a spreadsheet in order to list
78
00:02:49,950 --> 00:02:52,230
all of the major findings that they've found.
79
00:02:52,230 --> 00:02:53,760
Now, if you use a spreadsheet,
80
00:02:53,760 --> 00:02:55,710
you can list each finding in its own row
81
00:02:55,710 --> 00:02:57,480
and have columns going across the sheet
82
00:02:57,480 --> 00:02:59,370
with additional details you collect.
83
00:02:59,370 --> 00:03:01,680
For example, if I'm conducting reconnaissance
84
00:03:01,680 --> 00:03:02,670
against a company
85
00:03:02,670 --> 00:03:04,650
and I find that one of their former employees' resumes
86
00:03:04,650 --> 00:03:06,030
was posted online,
87
00:03:06,030 --> 00:03:07,830
I might be able to gather some good details
88
00:03:07,830 --> 00:03:09,900
about the organization's technical architecture
89
00:03:09,900 --> 00:03:11,850
by looking at that resume.
90
00:03:11,850 --> 00:03:14,130
For example, here's an old sample resume
91
00:03:14,130 --> 00:03:15,960
that I use to make this point.
92
00:03:15,960 --> 00:03:18,060
Notice that in this person's current job position
93
00:03:18,060 --> 00:03:19,410
at ABC Energy,
94
00:03:19,410 --> 00:03:22,890
they're listed as a Linux administration systems analyst.
95
00:03:22,890 --> 00:03:25,350
As you look at their qualifications for that position,
96
00:03:25,350 --> 00:03:28,050
you see that they're maintaining over 200 Linux servers
97
00:03:28,050 --> 00:03:30,330
that are running Red Hat and SUSE Linux.
98
00:03:30,330 --> 00:03:32,730
This is being done across three data centers.
99
00:03:32,730 --> 00:03:35,130
They also tell us that they perform backup support
100
00:03:35,130 --> 00:03:38,160
for VMware's ESXi servers, and this tells me
101
00:03:38,160 --> 00:03:40,650
that this organization is also using virtualization
102
00:03:40,650 --> 00:03:42,390
for a lot of their servers.
103
00:03:42,390 --> 00:03:44,850
Now, I could continue to dissect each line of their resume
104
00:03:44,850 --> 00:03:47,220
for when they worked at that company, and in this case,
105
00:03:47,220 --> 00:03:49,800
it states they still work at that company currently
106
00:03:49,800 --> 00:03:52,020
so the things they're listing should be fairly close
107
00:03:52,020 --> 00:03:53,880
to the current infrastructure.
108
00:03:53,880 --> 00:03:55,560
Now, this is just an example resume
109
00:03:55,560 --> 00:03:57,900
that I like to use in my courses, so you're gonna notice
110
00:03:57,900 --> 00:04:00,510
that it's pretty out of date when it talks about technology.
111
00:04:00,510 --> 00:04:04,260
For example, it's saying Red Hat 4 and Windows 2003
112
00:04:04,260 --> 00:04:06,060
but the point here is that you can gather
113
00:04:06,060 --> 00:04:07,290
this type of information
114
00:04:07,290 --> 00:04:09,630
simply by finding employee resumes online
115
00:04:09,630 --> 00:04:12,960
or job postings by the organization itself.
116
00:04:12,960 --> 00:04:14,430
So now that we have this resume
117
00:04:14,430 --> 00:04:15,720
and we have some data from it,
118
00:04:15,720 --> 00:04:17,700
we can add that to our spreadsheet.
119
00:04:17,700 --> 00:04:19,980
For example, I might list the technique used
120
00:04:19,980 --> 00:04:23,400
to find this information such as LinkedIn resume
121
00:04:23,400 --> 00:04:25,260
and then I can add the type of assets
122
00:04:25,260 --> 00:04:27,330
that I can identify from this resume,
123
00:04:27,330 --> 00:04:29,040
such as the types of servers they're using
124
00:04:29,040 --> 00:04:30,660
in that organization.
125
00:04:30,660 --> 00:04:32,730
Next, I can add a column for the type of tool
126
00:04:32,730 --> 00:04:35,190
that I'm gonna use if I wanna gather more information
127
00:04:35,190 --> 00:04:37,260
and move into the enumeration phase.
128
00:04:37,260 --> 00:04:39,720
For example, I might conduct an Nmap scan
129
00:04:39,720 --> 00:04:42,600
of the company's public IP space and look for services
130
00:04:42,600 --> 00:04:44,640
that are commonly associated with Linux servers
131
00:04:44,640 --> 00:04:47,490
to see if we can find some of those 200 Red Hat servers
132
00:04:47,490 --> 00:04:50,790
that are actually placed in a public-facing screened subnet.
133
00:04:50,790 --> 00:04:52,320
Once we do our enumeration,
134
00:04:52,320 --> 00:04:54,750
we can add a column for our findings and results.
135
00:04:54,750 --> 00:04:57,390
For example, I might find that there's a Red Hat server
136
00:04:57,390 --> 00:05:01,680
located at 66.55.44.33
137
00:05:01,680 --> 00:05:05,430
and it has ports 80, 443, and 22 open.
138
00:05:05,430 --> 00:05:07,950
The next column might have the next step or test
139
00:05:07,950 --> 00:05:09,180
that we're gonna want to conduct
140
00:05:09,180 --> 00:05:12,150
such as a banner grabbing exercise or a vulnerability scan
141
00:05:12,150 --> 00:05:13,590
or whatever it's gonna be.
142
00:05:13,590 --> 00:05:15,720
By gathering the information and documenting it
143
00:05:15,720 --> 00:05:18,030
in a shared spreadsheet or internal wiki,
144
00:05:18,030 --> 00:05:20,220
data can then flow from one team member to another
145
00:05:20,220 --> 00:05:22,020
during our penetration tests.
146
00:05:22,020 --> 00:05:24,060
With larger penetration testing teams,
147
00:05:24,060 --> 00:05:25,800
they're often gonna have different roles assigned
148
00:05:25,800 --> 00:05:27,570
to different members of the team.
149
00:05:27,570 --> 00:05:30,990
For example, you may become an information gathering ninja
150
00:05:30,990 --> 00:05:32,610
so that's gonna be all you do.
151
00:05:32,610 --> 00:05:35,310
Then you turn that information over to another team member
152
00:05:35,310 --> 00:05:37,080
who's only focused on enumeration
153
00:05:37,080 --> 00:05:38,880
and vulnerability scanning.
154
00:05:38,880 --> 00:05:40,800
In turn, they take their results
155
00:05:40,800 --> 00:05:42,510
and give them to one of the senior testers
156
00:05:42,510 --> 00:05:44,010
who might create a custom exploit
157
00:05:44,010 --> 00:05:45,900
based on the open ports and protocols
158
00:05:45,900 --> 00:05:48,510
that they found during enumeration and scanning.
159
00:05:48,510 --> 00:05:51,000
This allows each team member to become more specialized
160
00:05:51,000 --> 00:05:52,470
in their portion of the assessment
161
00:05:52,470 --> 00:05:54,990
and this can help increase the efficiency and effectiveness
162
00:05:54,990 --> 00:05:57,063
of your overall penetration testing team.