In this, the second installment of a six-part penetration testing tutorial for consultants and value-added resellers (VARs), I discuss reconnaissance, footprinting, scanning and enumerating -- the information gathering processes a tester employs to begin a penetration test.
As a penetration tester, you should use the same processes a hacker uses to examine a network. Penetration (or external assessment) testing usually starts with three pre-test phases: footprinting, scanning and enumerating. These pre-test phases are very important and can make the difference between a successful penetration test that provides a complete picture of the customer's exposure and one that doesn't.
Together, the three pre-test phases are called reconnaissance. This process seeks to gather as much information about the target network as possible, following these seven steps:
Keep in mind the penetration test process is more organic than these steps would indicate. These pre-test phases entail the process of discovery, and although the process is commonly executed in this order, a good tester knows how to improvise and head in a different direction, depending upon the information found.
Footprinting
Footprinting is the active blueprinting of the security profile of an organization. It involves gathering information about your customer's network to create a unique profile of the organization's networks and systems. It's an important way for an attacker to gain information about an organization passively, that is, without the organization's knowledge.
Footprinting employs the first two steps of reconnaissance, gathering the initial target information and determining the network range of the target. Common tools/resources used in the footprinting phase are:
We'll explore these and other tools in the next installment of this series.
Footprinting may also require manual research, such as studying the company's Web page for useful information, for example:
Other resources that may have information about the target company are:
You can also get more active with footprinting. For example, you can call the organization's help desk, and by employing social engineering techniques, get them to reveal privileged information.
Scanning
The next four information-gathering steps -- identifying active machines, discovering open ports and access points, fingerprinting the operating system, and uncovering services on ports -- are considered part of the scanning phase. Your goal here is to discover open ports and applications by performing external or internal network scanning, pinging machines, determining network ranges and port scanning individual systems.
Although you're still in info-gathering mode, scanning is more active than footprinting, and here you'll begin to get a more detailed picture of your target (customer).
Some common tools used in the scanning phase are:
Again, I'll get into more detail about these tools in part three.
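The scanning activity described above (ping sweeps to find active machines, port scans to find open ports and services) leaves a characteristic trail in firewall deny logs. As an added example, not from the article or its author, the following Python script reads constructed sample log lines in an assumed simplified firewall format and flags any source that touches many distinct ports, or pings many distinct hosts, inside a short window; the thresholds and log format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (made up for this example, not from the article).
# Assumed fields: <ISO timestamp> <action> <proto> <src ip> <dst ip> <dst port>
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP TCP 198.51.100.7 192.0.2.10 21
2024-05-01T10:00:01 DROP TCP 198.51.100.7 192.0.2.10 22
2024-05-01T10:00:02 DROP TCP 198.51.100.7 192.0.2.10 23
2024-05-01T10:00:02 DROP TCP 198.51.100.7 192.0.2.10 25
2024-05-01T10:00:03 DROP TCP 198.51.100.7 192.0.2.10 80
2024-05-01T10:00:03 DROP TCP 198.51.100.7 192.0.2.10 139
2024-05-01T10:00:04 DROP TCP 198.51.100.7 192.0.2.10 445
2024-05-01T10:00:09 ACCEPT TCP 203.0.113.5 192.0.2.10 443
2024-05-01T10:01:00 DROP ICMP 198.51.100.9 192.0.2.1 0
2024-05-01T10:01:00 DROP ICMP 198.51.100.9 192.0.2.2 0
2024-05-01T10:01:01 DROP ICMP 198.51.100.9 192.0.2.3 0
2024-05-01T10:01:01 DROP ICMP 198.51.100.9 192.0.2.4 0
2024-05-01T10:01:02 DROP ICMP 198.51.100.9 192.0.2.5 0
2024-05-01T10:30:00 DROP TCP 203.0.113.5 192.0.2.10 8080
"""
LINE_RE = re.compile(r"^(\S+) (DROP|ACCEPT) (TCP|UDP|ICMP) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (time, proto, src, dst, port); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, _action, proto, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), proto, src, dst, int(port)

def detect_recon(log_text, window=timedelta(seconds=60), port_thr=6, host_thr=4):
    """Return {src: kind}: 'port scan' = >= port_thr distinct TCP/UDP ports from one
    source inside the window; 'host sweep' = >= host_thr distinct hosts pinged."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, port in parse(log_text):
        by_src[src].append((ts, proto, dst, port))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):   # sliding window starting at each event
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {e[3] for e in win if e[1] != "ICMP"}   # distinct ports probed
            hosts = {e[2] for e in win if e[1] == "ICMP"}   # distinct hosts pinged
            if len(ports) >= port_thr or len(hosts) >= host_thr:
                alerts[src] = "port scan" if len(ports) >= port_thr else "host sweep"
                break
    return alerts
```

With the constructed log, `detect_recon(SAMPLE_LOG)` flags 198.51.100.7 as a port scan and 198.51.100.9 as a host sweep, while 203.0.113.5 (two connections half an hour apart) stays quiet.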
Enumerating
The last step mentioned, mapping the network, is the result of the scanning phase and leads us to the enumeration phase. As the final pre-test phase, the goal of enumeration is to paint a fairly complete picture of the target.
In enumeration, a tester tries to identify valid user accounts or poorly protected resource shares using active connections to systems and directed queries.
The type of information sought by testers during the enumeration phase can be users and groups, network resources and shares, and applications.
The techniques used for enumeration include:
Remember that during a penetration test, you'll need to document every step and finding, not only for the final report, but also to alert the organization immediately to serious vulnerabilities that may exist.
In the next segment of our penetration testing tutorial, we look at some of the penetration testing tools and techniques mentioned here, including password cracking tools.
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. As an expert for SearchSecurityChannel.com, Russell welcomes your questions on pen testing and information security threats.