External penetration testing reconnaissance is a critical first step in a professional security assessment. By using the same methods and resources that attackers use to get into networks, along with open source intelligence, pen testers can get a much richer profile of an organization’s security strengths and weaknesses and conduct more successful and accurate assessments.
In this blog, I’ll walk you through some of the different tools and techniques our pen testing experts use in the information gathering process as they prepare to simulate external network attacks. This includes DNS hostname discovery, search engines, and social media, among others. Let’s look at each of these now.
DNS Hostname Discovery
When you’re attempting to connect to a system, you’ll often need to include a DNS or NetBIOS name to establish a valid connection. For example, some web servers and load balancers require the correct DNS hostname in the HTTP vHost field in order to respond.
This is a useful security control because it protects those systems when malicious hackers run “drive-by” scans against nothing more than a target’s IP address. With this in mind, DNS hostname discovery, sometimes referred to as a ping scan, can be very important in ultimately establishing connections to systems.
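The Host-header control described above, modelled as an added example (this is not code from the original post): a front end that serves content only when the request names a configured site and answers 421 Misdirected Request otherwise, so a request aimed at the bare IP address gets nothing useful. The configured hostnames are constructed sample values, and the edge cases handled (port suffix, trailing dot, mixed case, bracketed IPv6 literals, missing header) are the ones a real name-based virtual-host setup has to cope with.

```python
"""Model of a name-based virtual-host check (added illustration, not the post's own code).

A server configured this way answers only when the HTTP Host header names one of
its configured sites, so a request aimed at the bare IP address gets no content.
"""
import ipaddress

# Constructed configuration: the hostnames this server is willing to serve.
CONFIGURED_VHOSTS = {"www.example.com", "portal.example.com"}


def normalize_host(host_header):
    """Return the canonical hostname from a Host header value, or None if unusable.

    Handles the edge cases a real front end has to deal with: missing header,
    an explicit port suffix, trailing dot, mixed case, bracketed IPv6 literals.
    """
    if host_header is None:
        return None
    value = host_header.strip().lower()
    if not value:
        return None
    if value.startswith("["):            # IPv6 literal such as [::1]:443
        end = value.find("]")
        if end == -1:
            return None
        value = value[: end + 1]
    elif ":" in value:                   # strip an explicit port, e.g. host:8443
        value = value.rsplit(":", 1)[0]
    return value.rstrip(".")


def is_ip_literal(hostname):
    """True when the Host value is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def dispatch(host_header, vhosts=CONFIGURED_VHOSTS):
    """Decide how the front end answers a request, given its Host header.

    Returns (status_code, served_site). 421 Misdirected Request is returned for
    anything that does not name a configured site, including bare IP addresses.
    """
    hostname = normalize_host(host_header)
    if hostname is None or is_ip_literal(hostname):
        return 421, None
    if hostname in vhosts:
        return 200, hostname
    return 421, None


if __name__ == "__main__":
    samples = ["www.example.com", "WWW.Example.COM:443", "203.0.113.10",
               None, "[2001:db8::1]:443", "other.example.com"]
    for header in samples:
        print(repr(header), "->", dispatch(header))
```

The practical consequence for an assessment is the one the post makes: an inventory of IP addresses alone will not surface these sites, so the hostname list built during reconnaissance has to be fed into every later scan, and a defender reviewing scan coverage should check that their own scanner was given the hostnames, not just the address ranges.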
Search Engines
Depending on how applications are designed, search engines can help you discover both linked and unlinked content without ever touching the server. This is beneficial for an attacker because it allows them to collect potentially critical information without leaving a fingerprint or log entry on the target system.
You can use Google and other search engines to run queries for all cached links for in-scope domain names, legacy Active Server Pages (ASP), code, documents (e.g., .doc, .docx, .xls, .xlsx, .pdf), and sensitive files such as logs, Web Services Description Language (WSDL) files, WebResource.axd files, and configuration files. Searches can also reveal clues that sometimes take reconnaissance in unexpected directions. Experienced pen testers understand this and know how to follow these clues wherever they lead.
Another type of search engine you might not think of immediately is WHOIS records. Many domain name registrars and registries offer lookup services that can tell you who has registered particular domain names, how many domain names a company has registered, admin email addresses, and other valuable information, provided the domains aren’t privately registered.
Social Media
Social media poses an interesting dilemma for many organizations. On the one hand, these platforms are invaluable for companies for easily sharing information about events, job postings, and new services. On the other, they can be a treasure trove for malicious hackers and pen testers.
LinkedIn in particular can be quite helpful for reconnaissance. With phishing being such a popular tactic to compromise networks, LinkedIn is an easy way to find all the employees at an organization, along with their roles and often corporate email addresses, and target them accordingly. For example, roles that might have privileged access, such as IT or database administrators, are often a target. Individuals who have access to Personally Identifiable Information (PII) or Protected Health Information (PHI), such as those in Accounting or Human Resources, are often spear phishing targets as well.
Another way that attackers and pen testers use social media is to find passwords that may be reused on corporate accounts. For example, LinkedIn had a data breach in 2016 that resulted in approximately 167 million user email addresses and their corresponding password hashes being publicly released online. These password hash dump files, accessible to anyone, were invaluable for attackers looking for people who had reused passwords between social media accounts and corporate accounts.
Shodan
Shodan is a search engine for anything connected to the Internet, including devices like web cams, water treatment facilities, yachts, medical devices, traffic lights, wind turbines, smart TVs, and anything else you could possibly imagine. It constantly scans the Internet from a distributed network looking for anything that’s connected, and it provides a wealth of information. At its most basic level, it provides a way of creating an Internet-facing attack surface map without port-scanning the target systems.
From an attacker’s perspective, this accomplishes three key goals:
- It provides listening-service and potential-vulnerability information without the attacker ever touching the system.
- Because the attacker never makes an actual connection, the mapping process remains anonymous during this phase of the attack.
- Given the distributed, slow pace at which the Shodan network hits IP addresses, it can evade Intrusion Detection Systems (IDS) that simply look for port scans from a single host.
Pen testers should manually inspect any ports that do not appear in a live scan but appear in a Shodan search to produce a combined view, which leads us to our next topic.
Enumeration and Fingerprinting
In cybersecurity lingo, enumeration refers to the process of identifying systems and services for further inspection. Fingerprinting provides additional information about discovered servers and services to identify specific versions or implementations. This information is then used in the vulnerability identification phase to assess potential attack vectors in installed software versions. A combination of manual techniques, custom tools, and automated scanning is used during this stage of the analysis.
Pen testers use this information to supplement live port scans and find services that don’t show up in an active scan. Any ports that do not appear in a live scan but do appear in a Shodan search are manually inspected, and a combined view is produced.
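The reconciliation step described here and under the Shodan heading above, as an added example (not the post's or any vendor's tooling): merge an active scan's open-port results with a passively collected listing, produce the combined view, and list exactly which ports were seen passively but not actively so they can be inspected by hand. Both inputs are constructed samples; the passive records use a simplified `(ip, port, banner)` shape of my own and are not the Shodan API's record format.

```python
"""Reconcile an active port scan with a passively collected port listing.

Added illustration, not the post's own tooling. The passive records below are a
constructed sample in a simplified shape; they are not the Shodan API format.
"""
from collections import defaultdict

# Constructed sample: what an active scan of the in-scope hosts found open.
ACTIVE_SCAN = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {22, 443},
}

# Constructed sample of passive observations: (ip, port, banner/product string).
PASSIVE_RECORDS = [
    ("203.0.113.10", 443, "nginx"),
    ("203.0.113.10", 8443, "Apache Tomcat"),
    ("203.0.113.11", 22, "OpenSSH"),
    ("203.0.113.11", 3389, "Remote Desktop Protocol"),
    ("203.0.113.12", 21, "vsftpd"),
]


def passive_ports(records):
    """Group passive observations into {ip: {port: banner}}."""
    grouped = defaultdict(dict)
    for ip, port, banner in records:
        grouped[ip][port] = banner
    return grouped


def reconcile(active, records):
    """Build the combined view and the list of ports that need manual inspection.

    Returns (combined, to_inspect). combined maps ip -> sorted list of ports
    seen by either source. to_inspect lists (ip, port, banner, reason) for
    every port seen passively but not in the active scan; a host that is
    missing from the active scan entirely gets its own reason, since it may
    be outside the scan's target list or be filtering the scanner.
    """
    passive = passive_ports(records)
    combined = {}
    to_inspect = []
    for ip in sorted(set(active) | set(passive)):
        active_ports = active.get(ip, set())
        seen_passively = passive.get(ip, {})
        combined[ip] = sorted(active_ports | set(seen_passively))
        for port, banner in sorted(seen_passively.items()):
            if port in active_ports:
                continue
            if ip not in active:
                reason = "host absent from active scan"
            else:
                reason = "port closed or filtered in active scan"
            to_inspect.append((ip, port, banner, reason))
    return combined, to_inspect


if __name__ == "__main__":
    combined, to_inspect = reconcile(ACTIVE_SCAN, PASSIVE_RECORDS)
    for ip, ports in combined.items():
        print(ip, ports)
    print("manual inspection needed:")
    for item in to_inspect:
        print("  ", item)
```

The caveat to carry into the manual inspection is that passive data is a snapshot from whenever the service was last observed, so a port flagged here may simply have been closed since; a port that shows up passively and is also confirmed by hand is the real finding, and a host that is absent from the active scan altogether is worth raising with the client as a possible scoping gap before any further testing.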