PenTest+ .001

The blog highlights the importance of cybersecurity and the potential risks associated with unintentional information exposure on the internet. It discusses various passive reconnaissance tools, including DNS lookup, Whois, Google dorking, Maltego, and theHarvester, which aid in gathering valuable intelligence about targets. The author emphasizes the need for vigilance and responsible online practices to thwart cybercriminals. The blog also mentions the impact of social engineering attacks and urges readers to work together to create a safer digital environment. The author shares their plans to use these tools responsibly to explore bug bounty opportunities and contribute to the cybersecurity community. #UnseenLegendsOfTheCyberRealm

BigFoot

7/22/2023, 4 min read


Penetration Testing Lab: Passive Reconnaissance Techniques

For the past eight years, I have been honing my skills in conducting OSINT (Open-Source Intelligence) the old-fashioned way. My initiation into this came during my early days in the military, and I was astonished by the vast amount of information that could be easily acquired without the target's knowledge. I made a conscious decision to raise awareness among my family and friends about the utmost importance of security in the realm of social media. In today's digital age, there are individuals with expertise in geolocation, capable of pinpointing your exact location from a seemingly innocent picture of you and your loved ones (the so-called Expert GeoGuessrs). Frankly, it's a chilling thought. Therefore, it is crucial to always be vigilant and review our privacy settings, asking ourselves, "What kind of information could someone gather if they were to see this?" Today's lesson highlighted the interconnectedness of information, underscoring the potential risks posed by social engineering attacks. Even seemingly insignificant details, like someone's Facebook likes, could become the gateway for malicious intruders. Emphasizing these aspects reinforced the importance of safeguarding our personal information and staying one step ahead in the ever-evolving landscape of online security.

Today's enlightening journey led me to delve into the realm of passive reconnaissance techniques, with a particular focus on manual tools like DNS look-up and SSL scanning in Kali Linux. These powerful tools provided me with a wealth of valuable information, uncovering intriguing domains and subdomains of interest. My exploration extended to utilizing theHarvester, which proved to be an invaluable asset in extracting relevant data through Google searches. This hands-on experience has significantly deepened my understanding of passive reconnaissance and its potential applications in gathering critical intelligence.

Penetration testing passive hunting tools:

  1. DNS lookup - the process of querying DNS servers to obtain the records published for a domain name. Resolving a name to its IP address is what lets devices communicate over the internet, and the same records tell a tester a great deal about the target: A and AAAA records (IPv4 and IPv6 addresses), MX records (mail exchangers, which often reveal whether mail is hosted with Google, Microsoft or a third party), NS records (who runs the domain's name servers), CNAME records (names that alias to other hosts, frequently a SaaS provider) and TXT records (SPF, DMARC and domain-verification strings that name the vendors a company uses). A good website for this is nslookup.io; in Kali the same information comes from dig or nslookup. One caveat: querying through a public recursive resolver is invisible to the target, but pointing dig directly at the target's authoritative name servers produces entries in logs the target may control.

  2. Whois - similar to DNS lookup but concerned with the registration of the domain rather than its records: the registrar, the creation, last-updated and expiration dates, the domain status codes, the name servers, and the registrant and administrative contacts. Since 2018 most registrars redact or proxy the contact fields for privacy reasons, so expect names and emails to be hidden while the registrar, dates and name servers remain visible; historical whois archives and the registrant's other domains are where the identity leaks usually come from. A good website for this is lookup.icann.org; in Kali the whois command does the same job.

  3. Google dorking - using advanced search operators on Google to discover sensitive information or vulnerabilities inadvertently exposed on websites. Here is a simple example of Google dorking: filetype:pdf site:example.com This is simply saying I am looking for PDF documents on a certain website. Here is what it looks like filled in with harvard.com = "filetype:pdf site:harvard.com", which brought me to DIY Formatting and Layout Guidelines. Other useful operators are inurl: and intitle: (match on the URL or page title), intext: (match on page content) and a leading minus to exclude results, so that site:example.com -www lists indexed hosts other than the main site, a quick way to enumerate subdomains. Searching is passive because you are reading Google's index, not the target; clicking a result is a request to the target's server and shows up in its logs.

  4. Maltego - a tool for gathering and visualizing information about entities and their relationships on the internet. Starting from the target domain, its transforms can return subdomains, the IP addresses associated with them, and email addresses tied to the target's domain. The visualization is a graph connecting each discovered entity back to the host (the original target). Be aware that transforms are not uniformly passive: some only query third-party data sources, while others query the target's own name servers or hosts, so check what a transform does before running it against a scope that only permits passive work.

  5. theHarvester - theHarvester is designed to perform passive reconnaissance by collecting emails, hostnames, subdomains and IP addresses from search engines, certificate transparency logs and other publicly available data sources. In Kali it is run from the command line with the target domain and one or more data sources. The tool aims to provide a comprehensive picture of the target's online presence, which can be useful for understanding potential attack vectors, identifying security risks, or gathering intelligence about an organization's digital footprint. Its DNS brute-force and reverse-lookup options are active, so leave them off when the engagement is passive only.

  6. Fingerprinting Organizations with Collected Archives (FOCA) - similar to theHarvester in that it starts from search-engine results, but FOCA's main objective is to download the documents an organization has published, such as Microsoft Office files (Word, Excel, PowerPoint) and PDFs, and extract their metadata: author and last-modified-by usernames, email addresses, the software and version that produced the file, template and printer paths, and internal server names. Two things to note: it is a Windows tool, and downloading the documents is a normal web request to the target's server, so the discovery step is passive but the collection step is not. This information is valuable for understanding potential security vulnerabilities and planning targeted attacks, because a usernames-plus-software-version list is exactly what a phishing campaign or password spray needs.
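As an added example for the DNS lookup and Whois items above (my code, not part of the original post or any of the tools it names), the script below turns a dig answer section into the footprint a tester actually wants: name server operators, mail hosts, the third parties named in the SPF record, and the vendors that left domain-verification TXT records. The dig output it parses is constructed for this example and uses example.com with documentation-range IP addresses; the SERVICE_HINTS table maps a few well-known SPF includes to the products behind them and is an assumption you should extend for your own targets.

```python
"""Parse dig output and extract the third-party services a domain's
public DNS records give away.  Added example; the sample records are
constructed and are not real dig output for any target."""
import re

# Constructed sample in the shape of `dig example.com ANY +noall +answer`.
SAMPLE_DIG = """\
example.com.  3600  IN  NS    ns1.hostingprovider.net.
example.com.  3600  IN  NS    ns2.hostingprovider.net.
example.com.  300   IN  A     203.0.113.10
example.com.  300   IN  AAAA  2001:db8::10
example.com.  3600  IN  MX    10 aspmx.l.google.com.
example.com.  3600  IN  MX    20 alt1.aspmx.l.google.com.
example.com.  3600  IN  TXT   "v=spf1 include:_spf.google.com " "include:servers.mcsv.net include:spf.protection.outlook.com -all"
example.com.  3600  IN  TXT   "google-site-verification=abc123"
example.com.  3600  IN  TXT   "atlassian-domain-verification=xyz789"
"""

# Assumed mapping of SPF include hosts to the product behind them.
SERVICE_HINTS = {
    "_spf.google.com": "Google Workspace mail",
    "spf.protection.outlook.com": "Microsoft 365 mail",
    "servers.mcsv.net": "Mailchimp bulk mail",
}

# name  ttl  IN  TYPE  rdata   (dig's default +noall +answer layout)
DIG_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_dig(text):
    """Return (type, rdata) tuples for every answer line, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_LINE.match(line)
        if m:
            records.append((m["type"], m["data"].strip()))
    return records


def txt_value(rdata):
    """dig prints long TXT records as several quoted strings; join them."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata


def spf_includes(records):
    """include: mechanisms from SPF TXT records, de-duplicated in order."""
    out = []
    for rtype, data in records:
        txt = txt_value(data)
        if rtype != "TXT" or not txt.lower().startswith("v=spf1"):
            continue
        for token in txt.split():
            if token.lower().startswith("include:"):
                host = token.split(":", 1)[1].lower()
                if host not in out:
                    out.append(host)
    return out


def verification_vendors(records):
    """Vendor names from <vendor>-site-verification / -domain-verification TXT records."""
    vendors = []
    for rtype, data in records:
        if rtype != "TXT":
            continue
        m = re.match(r"^([a-z0-9]+)-(?:site|domain)-verification=", txt_value(data), re.I)
        if m and m.group(1).lower() not in vendors:
            vendors.append(m.group(1).lower())
    return vendors


def footprint(dig_text):
    """Summarise what the records reveal about hosting, mail and SaaS vendors."""
    recs = parse_dig(dig_text)
    includes = spf_includes(recs)
    return {
        "nameservers": [d.rstrip(".") for t, d in recs if t == "NS"],
        "mail_hosts": [d.split()[1].rstrip(".") for t, d in recs if t == "MX"],
        "spf_includes": includes,
        "services": [SERVICE_HINTS.get(h, h) for h in includes],
        "verification_vendors": verification_vendors(recs),
    }


if __name__ == "__main__":
    for key, value in footprint(SAMPLE_DIG).items():
        print(f"{key}: {value}")
```

Run it against real output by replacing SAMPLE_DIG with the text of `dig <domain> ANY +noall +answer` (or separate queries for NS, MX and TXT, since many servers refuse ANY). The SPF includes are the most telling part: a mail-security vendor, a bulk-mail platform and a CRM in one record is the vendor list a phishing pretext gets built from, and none of it required touching the target.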

In today's world, where companies are increasingly prioritizing cybersecurity, it is alarming to see how they inadvertently hand information to potential adversaries through their job postings or their employees' posts. A seemingly innocent post from a new employee about the installation of a new firewall tells anyone watching which vendor's product sits at the perimeter, and that is the kind of detail an attacker uses to pick an exploit or a pretext. It serves as a stark reminder of the importance of being cautious and vigilant in this interconnected digital landscape. A job posting that lists required experience with specific products reveals the software a company runs and gives hackers a good idea of where to start when looking into it.

In the lab from ITpro.tv, I was given a targeted website where I was able to find the contact information of the targeted company, the goals of the company and the job postings in the company. You are probably thinking, "Who cares, that is on everyone's website," and that is true; however, an improperly trained HR department could receive phishing emails or other social engineering attacks crafted from nothing more than what is on that website. Let's unite in our efforts to stop cybercriminals from exploiting people's vulnerabilities and create a safer online environment for all. Together, we can build a formidable defense and foster a cybersecurity-conscious community, ensuring everyone can enjoy the digital world without fear of cybercrime.

My next adventure is to find a company on Hackerone.com that is looking for bug bounty hunters and try some of these tools to see what information they have exposed. I will keep you posted on the results. #UnseenLegendsOfTheCyberRealm