Performing passive reconnaissance provides the tester with a large amount of information that has already been created and captured by various sources, without sending any data directly to the target. Some of these sources are part of the infrastructure required by the Internet, such as DNS information, IP databases (ARIN), domain registrars, and other information that can be queried through WHOIS requests.
In addition to the WHOIS information, data can also be gained by looking at Social Networking sites, such as LinkedIn, Twitter, and Facebook, a target’s website, any Internet forums linked to the target, geographic and physical information around the target’s business presence, and information indexed by search engines like Google and Bing.
This information can be used in Social Engineering attacks, if they are allowed, in which the tester uses information gained from the passive recon activities to manipulate employees or contacts of the target into providing sensitive information. An example would be calling a Help Desk and using public information to authenticate as a user for the purpose of changing a password or forwarding a phone number.
The results from the passive recon phase would be a knowledge base of potentially useful information about the target’s Internet presence, key employees, IP addresses, domain names, products, or services that would be targeted in further phases.
During the active recon phase, the tester takes the target network’s domain names and IP addresses and starts port scanning. This is the first time the tester actually sends traffic to the target. From the port scan output, the tester will start enumerating and documenting services that are open on the target. Enumeration can be done via a “banner grab” method where the tester connects to the service to document what information is directly returned. In addition to the manual banner grab method, automated tools can be used to fingerprint the service based on banner, flags set in the packet header, and other data related to the service’s operation.
The output from this phase is a list of hosts detailing the running services, ideally with service version identified.
In this phase, the tester will correlate the detected services against different vulnerability databases. This can be done manually by matching services, or automated using a vulnerability scanner to match the service version to a known vulnerability.
If no known vulnerabilities exist, or the client requests that 0-day vulnerabilities (vulnerabilities that have not been known to be exploited) be used, then the process of finding or researching 0-day vulnerabilities will begin.
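As an added example (not part of the original document), the following Python turns a set of constructed banner-grab results into the host/service/version list the active recon phase produces and correlates it against a constructed vulnerability table, as the R&D phase describes. Every host, banner and vulnerability identifier here is a placeholder; a real engagement would feed in actual scan output and a real vulnerability database.

```python
import re

# Constructed sample banner-grab results: (host, port, raw banner). Not real targets.
BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.5", 80, "Server: Apache/2.4.29 (Ubuntu)"),
    ("10.0.0.9", 21, "220 ProFTPD 1.3.5 Server ready."),
    ("10.0.0.9", 25, "220 mail.example.test ESMTP Postfix"),  # version hidden
]

# Constructed vulnerability table: (product, affected versions, placeholder id).
# Illustrative only; a real engagement would query a real database.
VULN_DB = [
    ("openssh", {"7.4"}, "VULN-PLACEHOLDER-1"),
    ("proftpd", {"1.3.5"}, "VULN-PLACEHOLDER-2"),
    ("apache", {"2.4.29"}, "VULN-PLACEHOLDER-3"),
]

# Banner patterns: group 1 captures the version when the service reveals one.
BANNER_PATTERNS = [
    (re.compile(r"SSH-2\.0-OpenSSH_([\d.]+)"), "openssh"),
    (re.compile(r"Server: Apache/([\d.]+)"), "apache"),
    (re.compile(r"ProFTPD ([\d.]+)"), "proftpd"),
    (re.compile(r"ESMTP Postfix(?: ([\d.]+))?"), "postfix"),
]


def fingerprint(banner):
    """Return (product, version) for a banner; version is None if not disclosed,
    and both are None if the banner matches nothing we know."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None, None


def correlate(banners=BANNERS, vuln_db=VULN_DB):
    """Build {host: [(port, product, version, [matching vuln ids])]}.
    A service with no version is kept but cannot be matched automatically,
    so it is a candidate for manual enumeration rather than a false negative."""
    inventory = {}
    for host, port, banner in banners:
        product, version = fingerprint(banner)
        hits = [vid for prod, versions, vid in vuln_db
                if prod == product and version in versions]
        inventory.setdefault(host, []).append((port, product, version, hits))
    return inventory


def vulnerable_hosts(inventory):
    """The R&D phase output: hosts that have at least one matched vulnerability."""
    return sorted(h for h, svcs in inventory.items() if any(s[3] for s in svcs))
```

Services whose banner hides the version (the Postfix entry above) show up with an empty match list and should be followed up by hand rather than dropped.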
From this phase, a list will be created of hosts with the vulnerabilities specified.

For the attack phase, the tester will take the list of hosts with corresponding services that have documented vulnerabilities and determine whether an exploit exists. As in the R&D phase, searching can be performed manually using exploit databases, or with automated tools such as Metasploit or Core Impact. DTS will only use commercially available exploits or exploits developed and tested internally, to ensure that unsafe exploit code is not used.
If exploit code does not exist, it can be created; however, a custom exploit will take longer than one that is readily available. Once a tested exploit is available for a specific vulnerability, it will be launched against the target.
Proof of exploit will be captured using flag files (creation of a non-executable file), screenshots, terminal capture, or other agreed-upon methods.
In this optional phase, the tester can attempt to pivot by leveraging the exploited system to move into other areas of the target’s infrastructure, including systems that are not meant to be directly accessed from the Internet.
If this test is meant to be undetected by the system and network administrators, then the tester will attempt to cover the evidence of the exploit by deleting logs or creating false information to disguise the attempt.
In some cases, for longer-term testing, a backdoor will be left or a rootkit installed to allow the tester access after the initial exploit. From this access the tester will be able to pilfer or look for sensitive or targeted information relevant to the engagement.
After completion of the testing, the findings will be categorized, risk ratings assigned based on the likelihood and impact of exploitation, and mitigations recommended to prevent others from using the same exploits and vulnerabilities. The findings will be delivered in a report containing summarized data as well as individual findings that can be passed to technical remediation teams in order to create a Plan of Action and Milestones (POAM).