CompTIA Pentest+ PT0-002 – Section 4: Passive Reconnaissance Part 1

January 23, 2023

24. Passive Reconnaissance (OBJ 2.1)

In this section of the course, we’re going to discuss Passive Reconnaissance. As we move out of the planning and scoping phase of our penetration test, we find ourselves in the second stage of the engagement, Information Gathering and Vulnerability Scanning. During this stage, we’re going to be focused on conducting reconnaissance and scanning. Now, reconnaissance focuses on gathering as much information about the target as possible, and it can be either passive or active in nature. The difference is whether the target can observe what we do: passive reconnaissance relies on information that is already available from third parties, while active reconnaissance sends traffic to the target’s own systems. This section of the course focuses on the different passive reconnaissance actions we can conduct during our engagements. This includes things like using open-source intelligence, social media scraping, reviewing the company’s own website, and using publicly available repositories to gain as much information as we can about the target organization.

As I said, in this section of the course, we’re going to focus on Passive Reconnaissance, which is just one part of the larger set of objectives inside of Domain 2, Information Gathering and Vulnerability Scanning. In this section, we’re only going to be focusing on a single objective, Objective 2.1. This states that, given a scenario, you must perform passive reconnaissance. Now, while this objective seems short, there are a lot of sub-bullets listed underneath it by CompTIA, and we’re going to cover all of them in this section as we go through the concepts surrounding passive reconnaissance that you need to know for the exam. As we begin this section, we’re going to first talk about Information Gathering and some of the key sources of openly available information that you can gather during an engagement. Then we’re going to move into the world of Open-Source Intelligence, also known as OSINT. Now, open-source intelligence is simply defined as any publicly available information, together with the tools we use to aggregate and search that information.

We’re also going to spend some time looking at common OSINT tools, such as Shodan and recon-ng. After that, we’re going to discuss Social Media Scraping, which is a technique that allows you to identify key administrative and technical contacts of a given organization, find the job responsibilities of those people, and use job listings to identify the types of technology that are used by the targeted organization. We’ll also discuss how to conduct DNS lookups to identify important information about an organization, and I’m going to demonstrate how to perform some basic passive reconnaissance functions using a great website known as CentralOps. Next, we’re going to cover the use of public repositories as a key source of data about your target organization, and how you can use search engine analysis, also known as Google Hacking, to find all sorts of hidden information on your target during an engagement. Finally, we’ll discuss how to identify cryptographic flaws at your targeted organization using some passive reconnaissance techniques. So let’s get started in our coverage of Domain 2, Information Gathering and Vulnerability Scanning, with Passive Reconnaissance in this section of the course.

25. Information Gathering (OBJ 2.1)

The first step in the second phase of the penetration testing methodology is to conduct information gathering, also known as reconnaissance. This is when we learn all about the organization in a systematic attempt to locate, gather, identify and record information about our various targets, including things like hosts, servers, systems, and even employees of the organization. Information gathering is also known as footprinting the organization, and it includes figuring out exactly what types of systems the organization is using so that we’re able to attack them in the third phase of our assessment, the attacks and exploits phase. Now, reconnaissance and footprinting involve the identification, discovery and obtaining of information through a wide variety of tasks, goals, and outcomes. For example, we can gather information from the internet through open-source research: looking at press releases, job postings, resumes, and social media sites, as well as using Google to search around the internet. These methods are considered passive reconnaissance because we gain information about the targeted computers and networks without ever sending traffic to those systems, which means the target has nothing to detect.

We can also perform social engineering, which is where we attempt to trick a user into giving us the information we need. This can be through email attempts like phishing, voice calls like vishing, or even in person using deception techniques. Or we may choose to go dumpster diving, where we go to the organization’s physical location and start going through their trash. Once something is thrown in the trash and is outside of the office, it is often accessible to anybody, but whether taking it is lawful varies by jurisdiction, so dumpster diving needs to be explicitly authorized in your rules of engagement. We may be able to find things like usernames, phone lists, organizational charts, and other useful information that we can use during our engagement. Finally, we can conduct email harvesting, collecting as many of the organization’s email addresses as we can by crafting specialized search queries in Google.

The point here is that this course groups all of these techniques under passive reconnaissance because we’re not directly engaging with the organization’s workstations or servers, as we do in our active reconnaissance phase when we perform enumeration and fingerprinting of their systems. One caveat: phishing and vishing do interact directly with the organization’s people, and the exam objectives treat social engineering as an attack technique in its own right, so don’t assume it is invisible to the target the way a Google search is. Now, during passive reconnaissance, we’re going to be looking for specific information: things like phone numbers, contact names, organizational positions, email addresses, security-related information, and the type of information systems they’re using, such as whether they’re running Windows or Linux, or whether their web servers are Apache, Microsoft IIS, or something else. Most of this information is already out there, openly available online. We just have to go and search for it.

Now, when you’re working as part of a penetration testing team, it’s also important to gather and catalog all the information you’re finding during your reconnaissance efforts so that other members of your team can review what you found and then use it during their collection efforts or their exploitation efforts later on. Some teams will use an internal wiki and others will use a spreadsheet in order to list all of the major findings. If you use a spreadsheet, you can list each finding in its own row and have columns going across the sheet with the additional details you collect. For example, if I’m conducting reconnaissance against a company and I find that one of their employees’ resumes was posted online, I might be able to gather some good details about the organization’s technical architecture by looking at that resume. Here’s an old sample resume that I use to make this point. Notice that in this person’s current job position at ABC Energy, they’re listed as a Linux administration systems analyst. As you look at their qualifications for that position, you see that they’re maintaining over 200 Linux servers running Red Hat and SUSE Linux, across three data centers. They also tell us that they perform backup support for VMware ESXi servers, which tells me that this organization is also using virtualization for a lot of their servers.

Now, I could continue to dissect each line of their resume for the period they worked at that company, and in this case it states that they still work there currently, so the things they’re listing should be fairly close to the current infrastructure. Keep in mind that this is just an example resume that I like to use in my courses, so you’re going to notice that it’s pretty out of date when it talks about technology; for example, it mentions Red Hat 4 and Windows 2003. But the point here is that you can gather this type of information simply by finding employee resumes online or job postings by the organization themselves, and a resume or posting’s date tells you how much to trust it. So now that we have this resume and some data from it, we can add that to our spreadsheet. For example, I might list the technique used to find this information, such as LinkedIn Resume.

Then I can add the type of assets that I can identify from this resume, such as the types of servers they’re using in that organization. Next, I can add a column for the tool that I’m going to use if I want to gather more information and move into the enumeration phase. For example, I might conduct an Nmap scan of the company’s public IP space and look for services that are commonly associated with Linux servers, to see if we can find some of those 200 Red Hat servers sitting in a public-facing screened subnet (a DMZ). Note that the moment we run Nmap against the target we have crossed into active reconnaissance, so that step belongs to the enumeration phase and must be within scope. Once we do our enumeration, we can add a column for our findings and results. For example, I might find that there’s a Red Hat server located at 66.55.44.33 with ports 22, 80 and 443 open. The next column might hold the next step or test that we want to conduct, such as a banner grabbing exercise or a vulnerability scan. By gathering the information and documenting it in a shared spreadsheet or internal wiki, data can then flow from one team member to another during our penetration test.
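The findings spreadsheet described above is easy to automate. The following is an added example, not code from the course, that scans a constructed sample resume for technology mentions, records each one as a row with the columns the lecture lists (technique, source, asset, evidence, confidence, next step), and renders the rows as CSV for the team wiki. The signature table and the sample resume text are assumptions made for this example; the next-step suggestions are only queued for the enumeration phase, nothing here touches a target.

```python
"""Passive-recon findings catalog (added example; the signature table and sample
resume below are constructed for illustration, not from the course)."""
import csv
import io
import re
from dataclasses import dataclass, asdict, fields

# Hypothetical signature table: a regex that hints at a technology, the asset
# class it implies, and the follow-up a tester would queue for enumeration.
TECH_SIGNATURES = [
    (r"\bred\s?hat\b|\bRHEL\b", "Linux server (Red Hat)",
     "Nmap scan of public IP space for 22/80/443; banner grab"),
    (r"\bSUSE\b", "Linux server (SUSE)",
     "Nmap scan of public IP space for 22/80/443; banner grab"),
    (r"\bESXi\b|\bvSphere\b|\bvCenter\b", "Virtualization (VMware ESXi)",
     "Look for an exposed ESXi/vCenter web UI on 443"),
    (r"\bWindows (?:Server )?20\d\d\b", "Windows server",
     "Check for exposed SMB (445) and RDP (3389)"),
    (r"\bApache\b", "Web server (Apache httpd)", "Banner grab; version check"),
    (r"\bIIS\b|\bInternet Information Services\b", "Web server (Microsoft IIS)",
     "Banner grab; version check"),
]


@dataclass
class Finding:
    technique: str    # how it was found, e.g. "LinkedIn resume"
    source: str       # where it was found, e.g. a URL or document name
    asset: str        # what it implies about the target's infrastructure
    evidence: str     # the line of text that supports the claim
    confidence: str   # "high" if the source is current, "low" if dated
    next_step: str    # what the enumeration team should try next


def extract_findings(text, technique, source, current=True):
    """Scan OSINT text line by line; emit one Finding per asset class seen.

    A resume that still lists the employer as current is treated as a more
    reliable picture of today's infrastructure than a dated one.
    """
    findings = {}
    for line in text.splitlines():
        for pattern, asset, next_step in TECH_SIGNATURES:
            if asset in findings:
                continue  # first piece of evidence per asset class is enough
            if re.search(pattern, line, flags=re.IGNORECASE):
                findings[asset] = Finding(
                    technique, source, asset, line.strip(),
                    "high" if current else "low", next_step,
                )
    return list(findings.values())


def to_csv(findings):
    """Render findings as the shared spreadsheet: one header, one row each."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(Finding)])
    writer.writeheader()
    for finding in findings:
        writer.writerow(asdict(finding))
    return buf.getvalue()


# Constructed sample modelled on the resume discussed above (not a real person).
SAMPLE_RESUME = """Linux Administration Systems Analyst, ABC Energy (current)
- Maintain 200+ Linux servers running Red Hat Enterprise Linux and SUSE Linux
  across three data centers.
- Backup support for VMware ESXi hosts.
- Legacy migrations from Red Hat 4 and Windows 2003."""

if __name__ == "__main__":
    rows = extract_findings(SAMPLE_RESUME, "LinkedIn resume", "constructed sample")
    print(to_csv(rows))
```

Running the block prints four rows (Red Hat, SUSE, VMware ESXi and Windows server), each carrying the exact resume line as evidence so a teammate can check the inference before spending scan time on it.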

Larger penetration testing teams often assign different roles to different members of the team. For example, you may become the information gathering ninja, so that’s all you do. You then turn that information over to another team member who focuses only on enumeration and vulnerability scanning. In turn, they take their results and hand them to one of the senior testers, who might create a custom exploit based on the open ports and protocols found during enumeration and scanning. This allows each team member to become more specialized in their portion of the assessment, which helps increase the efficiency and effectiveness of your overall penetration testing team.
