All language subtitles for 002 Information Gathering (OBJ 2.1)

[00:00:00] Instructor: The first step in the second phase of the penetration testing methodology is to conduct information gathering, also known as reconnaissance. This is when we learn all about the organization in a systematic attempt to locate, gather, identify, and record information about our various targets, including things like hosts, servers, systems, and even employees of the organization. Information gathering is also known as footprinting the organization, and it includes figuring out exactly what types of systems the organization is gonna be using so we're able to attack them in the third phase of our assessment, which is the attacks and exploits phase. Now, reconnaissance and footprinting involve the identification, discovery, and obtaining of information through a wide variety of tasks, goals, and outcomes. For example, we can gather information by using the internet, open source research by looking at press releases, job postings, resumes, social media sites, as well as using Google to search around the internet.

[00:00:56] These methods are considered passive reconnaissance since we can attempt to gain information about targeted computers and networks without actively engaging with those systems. We can also perform social engineering, which is where we attempt to trick a user into giving us the information we need. This can be through email attempts like phishing, voice calls like vishing, or even in person using deception techniques, or we may choose to go dumpster diving, where we're gonna go to the organization's physical location and start going through their trash. Once something is thrown in the trash and is outside of the office, it becomes open for anybody to access, and we may be able to find things like usernames, phone lists, organizational charts, and other useful information that we can use during our engagement. Finally, we can conduct email harvesting by collecting as many emails as we can by crafting specialized search queries inside of Google too.

[00:01:47] The point here is that all these techniques are technically considered passive reconnaissance because we're not directly engaging with the organization's workstations or servers like we do in our active reconnaissance phase, when we perform enumeration and fingerprinting of their systems. Now, during passive reconnaissance, we're gonna be looking for specific information at this point: things like phone numbers, contact names, organizational positions, email addresses, security-related information, the type of information systems they're using, whether they're running Windows or Linux, or if they're using Apache or Internet Information Services or whatever type of web server they are using. Most of this information is already out there, openly available online; we just have to go and search for it.

[00:02:29] Now, when you're working as part of a penetration testing team, it's also important to gather and catalog all the information you're finding during your reconnaissance efforts so that other members of your team can also review what you found and then use it during their collection efforts or their exploitation efforts later on. Some teams will use an internal wiki and others will use a spreadsheet in order to list all of the major findings that they've found. Now, if you use a spreadsheet, you can list each finding in its own row and have columns going across the sheet with additional details you collect. For example, if I'm conducting reconnaissance against a company and I find that one of their former employees' resumes was posted online, I might be able to gather some good details about the organization's technical architecture by looking at that resume. For example, here's an old sample resume that I use to make this point. Notice that in this person's current job position at ABC Energy, they're listed as a Linux administration systems analyst.

[00:03:22] As you look at their qualifications for that position, you see that they're maintaining over 200 Linux servers that are running Red Hat and SUSE Linux. This is being done across three data centers. They also tell us that they perform backup support for VMware's ESXi servers, and this tells me that this organization is also using virtualization for a lot of their servers. Now, I could continue to dissect each line of their resume for when they worked at that company, and in this case, it states they still work at that company currently, so the things they're listing should be fairly close to the current infrastructure. Now, this is just an example resume that I like to use in my courses, so you're gonna notice that it's pretty out of date when it talks about technology. For example, it's saying Red Hat 4 and Windows 2003, but the point here is that you can gather this type of information simply by finding employee resumes online or job postings by the organization themselves. So now that we have this resume and we have some data from it, we can add that to our spreadsheet.

[00:04:17] For example, I might list the technique used to find this information, such as LinkedIn resume, and then I can add the type of assets that I can identify from this resume, such as the types of servers they're using in that organization. Next, I can add a column for the type of tool that I'm gonna use if I wanna gather more information and move into the enumeration phase. For example, I might conduct an Nmap scan of the company's public IP space and look for services that are commonly associated with Linux servers to see if we can find some of those 200 Red Hat servers that are actually placed in a public-facing screened subnet. Once we do our enumeration, we can add a column for our findings and results. For example, I might find that there's a Red Hat server located at 66.55.44.33 and it has ports 80, 443, and 22 open. The next column might have the next step or test that we're gonna want to conduct, such as a banner grabbing exercise or a vulnerability scan or whatever it's gonna be.

[00:05:13] By gathering the information and documenting it in a shared spreadsheet or internal wiki, data can then flow from one team member to another during our penetration tests. With larger penetration testing teams, they're often gonna have different roles assigned to different members of the team. For example, you may become an information gathering ninja, so that's gonna be all you do. Then you turn that information over to another team member who's only focused on enumeration and vulnerability scanning. In turn, they take their results and give them to one of the senior testers, who might create a custom exploit based on the open ports and protocols that they found during enumeration and scanning. This allows each team member to become more specialized in their portion of the assessment, and this can help increase the efficiency and effectiveness of your overall penetration testing team.
