The Internet is full of information, and extracting the relevant parts can play a game-changing role in many situations. Extracting information from the Internet is easy, or so it seems. When performing a penetration test, it is crucial to give enough emphasis to reconnaissance. Many times the information collected during the recon phase plays a critical role during the exploitation as well as the post-exploitation phase of a pentest.
Sometimes recon goes beyond collecting basic information to understand the system; it can also surface information that leads straight to exploitation, sometimes without actually touching the entity being tested. Despite this significance, the phase is often not given enough importance, and most tests focus straight away on exploitation. The key point is that exploitation is certainly important, but a thorough recon can prove very helpful to it and make it easier, faster and stealthier.
The information to be collected changes depending on the entity under assessment: for a web application, identifying the CMS version and the third-party libraries in use can help a lot; for a network, identifying the open ports and the services running on them is a core requirement. A variety of tools perform these functions and are therefore part of the pentester's arsenal. The Penetration Testing Execution Standard (PTES) has a huge list of such resources at http://tinyurl.com/ln8p5jy.
Some tools which can be of great assistance in information gathering are:
Maltego is a one-stop shop when it comes to intelligence gathering. It provides a rich GUI with many interesting features, and with it we can find various kinds of information related to different entities. Though the community version has some limitations compared to the commercial one, it is good enough for smaller engagements or demonstration purposes. Maltego provides a huge list of entities and a list of transforms for each of them, and lets users build a visualization of the information collected. Transforms can also be programmatically chained into machines, which run a series of functions in a predefined sequence. The framework is easily extensible, which adds to its already great list of features.
Recon-ng is a Python-based framework which can perform various reconnaissance functions and prove vital during a pentest. Those familiar with the Metasploit framework will find its interactive environment very easy to use. It has various built-in modules for different types of operations and is easily extensible.
Wappalyzer is a browser extension which helps identify the technologies used by a web application. Simply opening the website in the browser and clicking the extension icon brings up the details of the web application. It can identify information such as the CMS, web platform, server, tracking scripts and analytics tools. Similar to Wappalyzer is another extension named BuiltWith, which performs the same function; the only major difference is that Wappalyzer performs the technology identification on the client side whereas BuiltWith does it on the server side.
Shodan is a computer search engine which scans the Internet and grabs banner information. Using Shodan we can passively identify the open ports and services on a public IP address without sending any probe packets to the actual target. Though the information it provides might not be real time, it gives a fair idea of what we are dealing with. The application can be accessed at http://shodanhq.com/ and is also available as a Chrome extension and a Firefox add-on.
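Both the client-side technology identification that Wappalyzer performs and the banner-based service identification that Shodan performs come down to matching a signature table against whatever a server sends back. The script below is an added example, not code from the original post and not Wappalyzer's or Shodan's own logic; it parses a constructed HTTP response (no real host is involved), matches a small hand-written signature table against the headers, meta tags and script URLs, and reports which technologies and exact versions the response gives away. The second, "hardened" response is also constructed; it shows what a defender still leaks after stripping version strings from headers, because script paths such as /wp-includes/ and ?ver= parameters remain fingerprintable.

```python
import re

# --- Constructed sample data (not captured from any real host) ----------
# A raw HTTP response as a browser extension or a scanner's banner store sees it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 5.4.2">\n'
    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>\n'
    '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0-1"></script>\n'
    "</head><body></body></html>"
)

# The same page after header hardening (no version in Server, no X-Powered-By,
# generator meta removed). Script paths are deliberately left untouched.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<html><head>\n"
    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>\n'
    "</head><body></body></html>"
)

# Hand-written signature table (an assumption of this example, not a real
# tool's database): regexes over header values, <meta> contents and
# <script src> URLs. Capturing group 1, where present, extracts a version.
SIGNATURES = {
    "Apache": {"headers": {"server": r"Apache(?:/([\d.]+))?"}},
    "PHP": {"headers": {"x-powered-by": r"PHP(?:/([\d.]+))?",
                        "set-cookie": r"PHPSESSID="}},
    "WordPress": {"meta": {"generator": r"WordPress(?: ([\d.]+))?"},
                  "scripts": [r"/wp-includes/"]},
    "jQuery": {"scripts": [r'jquery[^"]*\.js(?:\?ver=([\d.]+))?']},
    "Google Analytics": {"scripts": [r"googletagmanager\.com/gtag/js"]},
}

META_RE = re.compile(r'<meta\s+name="([^"]+)"\s+content="([^"]*)"', re.I)
SCRIPT_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.I)


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Return {technology: version or None} for every signature that matches."""
    _, headers, body = parse_raw_response(raw)
    metas = {n.lower(): c for n, c in META_RE.findall(body)}
    scripts = SCRIPT_RE.findall(body)
    found = {}

    def record(tech, match):
        version = match.group(1) if match.lastindex else None
        # Keep a version once seen; a later version-less hit must not erase it.
        if tech not in found or (found[tech] is None and version):
            found[tech] = version

    def check(tech, pattern, value):
        m = re.search(pattern, value, re.I)
        if m:
            record(tech, m)

    for tech, sig in SIGNATURES.items():
        for hname, pattern in sig.get("headers", {}).items():
            if hname in headers:
                check(tech, pattern, headers[hname])
        for mname, pattern in sig.get("meta", {}).items():
            if mname in metas:
                check(tech, pattern, metas[mname])
        for pattern in sig.get("scripts", []):
            for src in scripts:
                check(tech, pattern, src)
    return found


def leaked_versions(raw):
    """Technologies whose exact version the response gives away (sorted)."""
    return sorted(t for t, v in fingerprint(raw).items() if v is not None)


if __name__ == "__main__":
    for label, resp in (("original", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, fingerprint(resp), "versions leaked:", leaked_versions(resp))
```

Run against a saved copy of your own server's response, the script tells you which version strings you are handing out for free; the hardened sample shows that removing Server and X-Powered-By details still leaves the CMS identifiable from its asset paths and the jQuery version from the ?ver= parameter, so hardening has to cover the HTML as well as the headers.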
These are just some of the tools which can unearth information critical from a pentester's perspective, but tools are only as good as the person using them, so testers need to understand what information needs to be extracted, how to extract it and, most importantly, how to make it actionable. When performing a pentest it is important to understand that any information related to the target, however small it may seem, can make a great difference, and hence considerable emphasis should be given to the information gathering phase.