The Penetration Testing Execution Standard - User contributions [en] (http://www.pentest-standard.org/api.php?action=feedcontributions&user=Chris+gates&feedformat=atom), feed generated 2024-03-29T08:19:01Z by MediaWiki 1.36.2.
Post Exploitation Standard, revision of 2011-09-30T10:44:05Z (http://www.pentest-standard.org/index.php?title=Post_Exploitation_Standard&diff=780), edit summary: Chris gates: /* Testing exfiltration paths */
<div>== Purpose ==
The purpose of the Post-Exploitation phase is to determine the value of the compromised machine and to maintain control of it for later use. The value of a machine is determined by the sensitivity of the data stored on it and by its usefulness in compromising the rest of the network. The methods described in this phase are meant to help the tester identify and document sensitive data; identify configuration settings, communication channels and relationships with other network devices that can be used to gain further access to the network; and set up one or more methods of accessing the machine at a later time. Where these methods differ from the agreed Rules of Engagement, the Rules of Engagement must be followed.

== Rules of Engagement ==
The following Rules of Engagement are specific to the Post-Exploitation phase of a penetration test. They are intended to ensure that the client's systems are not subjected to unnecessary risk by the direct or indirect actions of the testers, and to establish a mutually agreed procedure to follow during the post-exploitation phase of the project.

=== Protect the Client ===
The following rules are a guideline for what to establish with a client so that the client's day-to-day operations and data are not exposed to risk:
*Unless previously agreed upon, there will be no modification of services which the client deems "critical" to their infrastructure. The purpose of modifying such services would be to demonstrate to the client how an attacker may:
**Escalate privileges
**Gain access to specific data
**Cause denial of service
*All modifications, including configuration changes, executed against a system must be documented. Once the modification has served its purpose, all settings should be returned to their original values where possible. The list of changes should be given to the client after the engagement so that they can confirm every change was properly undone.
*A detailed log of actions taken against compromised systems must be kept. The log should record each action and the time at which it occurred. Upon completion, this log should be included as an appendix to the final report.
*Any private and/or personal user data (including passwords and system history) uncovered during the course of the penetration test may be used as leverage to gain further permissions or to execute other actions related to the test only if the following conditions are met:
**The client's Acceptable Use Policy states that all systems are owned by the client and all data stored on those systems is the property of the client.
**The Acceptable Use Policy states that connecting to the client's network is considered consent for the connected machine to be searched and analyzed (including all present data and configurations).
**The client has confirmation that all employees have read and understood the Acceptable Use Policy.
*Passwords (including those in encrypted form) will not be included in the final report. This safeguards the confidentiality of the users the passwords belong to and the integrity of the systems they protect.
*Any method or device used to maintain access to compromised systems that could affect the proper operation of the system, or whose removal may cause downtime, may not be implemented without the prior written consent of the client.
*Any method or device used to maintain access to compromised systems must employ some form of user authentication, such as digital certificates or login prompts. A reverse connection to a known, controlled system is also acceptable.
*All data gathered by the testers must be encrypted on the systems used by the testers.
*All data gathered will be destroyed once the client has accepted the final report. The method used and proof of destruction will be provided to the client.
*If the data gathered is regulated by any law, the systems used to store it and their locations will be provided by the client, to ensure that collecting and processing the data does not violate any applicable law. If the systems used are those of the penetration testing team, the data may not be downloaded and stored on them; only proof of access will be shown (file permissions, record counts, file names, etc.).
*Third-party services for password cracking will not be used, nor will any other type of data be shared with third parties without the client's prior consent.
*If a compromise of a system by a third party is found, all logs of actions and times recorded by the penetration team during the assessment will be saved, hashed and provided to the client, and the client will determine whether an incident response plan should be put into effect.
*No logs should be cleared or altered unless the client has authorized this in the engagement contract or statement of work. If it is to be done, a proper backup of such logs must first be made.

=== Protecting Yourself ===
Due to the nature of a penetration test, you must ensure that you cover all your bases when dealing with the client and the tasks you will be performing. Discussions should take place with the client to clarify the following, so that the roles and responsibilities of both client and provider are clearly understood:
*Ensure that the contract and/or statement of work signed by both the client and the provider states that the actions taken on the systems being tested are on behalf of, and in representation of, the client.
*Require, prior to starting the engagement, a copy of the security policies that govern user use of company systems and infrastructure. Verify that the policy covers:
**Personal use of equipment, storage of personal employee data on the client's systems, and ownership of and rights to that data.
**Ownership of data stored on company equipment.
*Confirm the regulations and laws that govern the data managed and used by the client on their systems, and the restrictions imposed on such data.
*Use full-disk encryption on the systems that will receive and store the client's data.
*Discuss and establish with the client the procedure to follow if a compromise by a third party is found.
*Check the laws concerning the capture of audio and video, since the use of these methods in post-exploitation may be considered a violation of local or national wiretap laws.

== Infrastructure Analysis ==
=== Network Configuration ===
The network configuration of a compromised machine can be used to identify additional subnets, network routers, critical servers, name servers and relationships between machines.
This information can be used to identify additional targets and to penetrate the client's network further.

==== Interfaces ====
Identify all of the network interfaces on the machine along with their IP address, subnet mask and gateway. Once the interfaces and their settings are known, the attached networks and the services on them can be identified and prioritized for targeting.

==== Routing ====
Identify all static and dynamic routes on the machine. For multi-homed machines, determine whether the machine is acting as a router. The routing table will list other networks and subnets to target and enumerate. Identifying other subnets can be used to escape a segmented network and to reveal possible filtering; the addressing scheme can also be worked out by combining the data from the interfaces and routing table with the hosts discovered through the ARP table, NetBIOS and the other network protocols used for service and host discovery.

==== DNS Servers ====
Identify all DNS servers in use, the configured domain settings (such as the domain name) and the services on the host that integrate with DNS, so as to develop and execute a plan for discovering additional hosts and services on the target network. If a DNS server is compromised, access to the DNS database provides information about hosts and services, so that targets can be prioritized and further penetration achieved. Modifying or adding records could be used to intercept the data of services that depend on DNS.

==== Cached DNS Entries ====
Identify high-value DNS entries in the cache, which may include login pages for intranet sites, management interfaces or external sites. The cache reflects the hosts most recently and most frequently contacted by the compromised host, giving a view of its relationships and interactions that can be used to prioritize targets for further penetration of the target network and infrastructure.
Modification of cached entries, if permitted, can be used to capture authentication credentials or tokens, or to gain further information on the services used by the compromised host, leading to further penetration of the target network and its infrastructure.

==== Proxy Servers ====
Identify network-level and application-level proxy servers. These proxy servers are worthwhile targets, since the application traffic that traverses them can be of great value, and therefore great risk, to the customer. With an application proxy, being able to identify and modify the flow of traffic of the applications configured to use it provides a way to demonstrate impact and risk to the customer.

==== ARP Entries ====
Enumerate cached and static ARP table entries, which can reveal other hosts that interact with the compromised machine. Static ARP entries may represent critical machines. If modification of ARP entries is in scope for the test, it can be used to intercept data or to show how a service could be disrupted in a hard-to-identify manner, demonstrating a medium to large risk impact.

=== Network Services ===
==== Listening Services ====
Identify all the network services offered by the machine. This may lead to the discovery of services not identified by the initial scanning, as well as of other machines and networks. Services that did not show up in scanning also provide information about possible filtering and control systems implemented in the network and/or host. In addition, the tester may be able to leverage these services to compromise other machines. Most operating systems include a method of listing the TCP and UDP connections made to and from the machine. By checking both the connections to and from a compromised machine, it is possible to find relationships that were previously unknown.
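The Interfaces, Routing, ARP Entries and Listening Services items above all come down to reading a few command outputs on the compromised host and deciding what to look at next. The following is an added example, not code from the PTES page: it parses the text a tester would collect on a Linux host with `ip -o -4 addr`, `ip route`, `ip neigh` and `ss -tan` (the Windows equivalents are `ipconfig /all`, `route print`, `arp -a` and `netstat -ano`) and reduces it to the items the standard says to prioritize: whether the host is multi-homed, which subnets are routed rather than attached, which ARP entries are static, which connection peers lie outside the attached subnets, and which listening ports are non-standard or bound only to loopback. The sample command output is constructed for the example, and the set of "well-known" ports is an assumption to tune per engagement.

```python
"""Triage of network configuration collected from a compromised Linux host.
Parses `ip -o -4 addr`, `ip route`, `ip neigh` and `ss -tan` output into the
picture the Infrastructure Analysis phase asks for. Sample output is constructed."""
import ipaddress
import re

IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 10.1.20.15/24 brd 10.1.20.255 scope global eth0
3: eth1  inet 192.168.50.2/24 brd 192.168.50.255 scope global eth1
"""
IP_ROUTE = """\
default via 10.1.20.1 dev eth0
10.1.20.0/24 dev eth0 proto kernel scope link src 10.1.20.15
10.9.0.0/16 via 10.1.20.254 dev eth0
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.2
"""
IP_NEIGH = """\
10.1.20.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.50.10 dev eth1 lladdr 00:aa:bb:cc:dd:10 PERMANENT
192.168.50.11 dev eth1 lladdr 00:aa:bb:cc:dd:11 REACHABLE
"""
SS_TAN = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*
LISTEN  0       128      127.0.0.1:3306        0.0.0.0:*
LISTEN  0       128      0.0.0.0:8443          0.0.0.0:*
ESTAB   0       0        10.1.20.15:22         10.1.20.77:51234
ESTAB   0       0        192.168.50.2:45678    192.168.50.10:1433
ESTAB   0       0        10.1.20.15:49321      10.9.3.4:5985
"""
# Assumed "already classified by the scan" ports; anything else deserves a look.
WELL_KNOWN = {21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636, 1433, 3306, 3389, 5985, 5986}

def interfaces(text):
    """{ifname: IPv4Interface} for every non-loopback interface."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and m.group(1) != "lo":
            out[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return out

def routes(text):
    """[(destination network, gateway or None, device)] from `ip route`."""
    out = []
    for p in map(str.split, text.splitlines()):
        if not p:
            continue
        dest = ipaddress.ip_network("0.0.0.0/0" if p[0] == "default" else p[0])
        via = p[p.index("via") + 1] if "via" in p else None
        out.append((dest, via, p[p.index("dev") + 1]))
    return out

def neighbours(text):
    """[(ip, device, mac, state)] from `ip neigh`; PERMANENT marks a static entry."""
    return [(p[0], p[2], p[4], p[5]) for p in map(str.split, text.splitlines())
            if len(p) >= 6 and p[3] == "lladdr"]

def sockets(text):
    """({listening port: bound address}, [(local, peer)]) from `ss -tan`."""
    listening, established = {}, []
    for p in map(str.split, text.splitlines()[1:]):      # line 0 is the header
        if len(p) < 5:
            continue
        addr, port = p[3].rsplit(":", 1)
        if p[0] == "LISTEN":
            listening[int(port)] = addr
        elif p[0] == "ESTAB":
            established.append((p[3], p[4]))
    return listening, established

def triage(ip_addr=IP_ADDR, ip_route=IP_ROUTE, ip_neigh=IP_NEIGH, ss_tan=SS_TAN):
    """Combine the four views into the items worth prioritising next."""
    ifs = interfaces(ip_addr)
    local_nets = {i.network for i in ifs.values()}
    listening, established = sockets(ss_tan)
    peers = {peer.rsplit(":", 1)[0] for _, peer in established}
    return {
        # several interfaces: pivot candidate, possibly acting as a router
        "multi_homed": len(ifs) > 1,
        "local_nets": sorted(str(n) for n in local_nets),
        # routed rather than attached subnets, which may sit behind filtering
        "remote_nets": sorted(str(d) for d, via, _ in routes(ip_route)
                              if via and d.prefixlen > 0),
        # static ARP entries usually point at machines someone cared to protect
        "static_arp": sorted(ip for ip, _, _, st in neighbours(ip_neigh)
                             if st == "PERMANENT"),
        # peers outside the attached subnets: reachable hosts scanning may have missed
        "hidden_peers": sorted(p for p in peers if not any(
            ipaddress.ip_address(p) in n for n in local_nets)),
        # non-standard ports, and loopback-only services no network scan could see
        "odd_ports": sorted(p for p in listening if p not in WELL_KNOWN),
        "loopback_only": sorted(p for p, a in listening.items() if a.startswith("127.")),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed input the host is multi-homed, 10.9.0.0/16 is reachable only via a gateway, 192.168.50.10 has a static ARP entry and is also a database peer, 10.9.3.4 is a WinRM peer in a subnet the host is not attached to, 8443 is listening on an unclassified port and MySQL is bound to loopback only. Each of those is a line in the next planning session rather than a guess, and the parsers accept the real command output unchanged.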
The service, and not only the host, should also be considered: this may reveal services listening on non-standard ports and indicate trust relationships, such as key-based (password-less) authentication for SSH.

==== VPN Connections ====
All VPN connections into and out of the machine or network should be identified. Outbound connections can give a path into new systems which may not previously have been identified. Both inbound and outbound connections can identify new systems and possible business relationships, if the connection is from a customer, supplier, etc. VPN connections generally bypass firewalls and IDS/IPS, because those devices cannot decrypt the traffic, which makes them ideal to launch attacks through. If new targets are identified, confirm that they are in scope before launching attacks against them. The presence of VPN client or server software may also provide access to previously unknown credentials that could be used to target other hosts and services.

==== Directory Services ====
Identifying that a compromised host uses a directory service provides the opportunity to abuse that service to enumerate and find the user accounts, hosts and services it manages, as well as details of users that could be used in social engineering and phishing campaigns, giving them a higher chance of success.

=== Neighbors ===
In today's networks many services and operating systems use a number of protocols for neighbor discovery, to aid in the access of services, troubleshooting and configuration. The protocols vary with the type of compromised host: on networking equipment, protocols like CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) can be used to identify systems, configuration and other details of hosts connected directly to them or present in the same subnet. On desktop and server operating systems, protocols like mDNS (Multicast DNS) and NetBIOS can be used to find details of hosts and services in the same subnet.

== Pillaging ==
Pillaging covers what information (files, links, documentation, etc.) the tester should be looking at, either as part of the client's requirements (personal information, credit card information, etc.) or as part of the pivoting process to gain further access to the network. The amount of data that can be gathered can be quite large, depending on the types of systems, the level of compromise and the number of systems under control, so the prioritization of documents and of the types of data to look for should be part of the initial planning stage of the engagement; information such as lists of recent documents can be used to automate the collection of data. Information from applications can also be used to determine where to look, since many applications store their data in different formats and places.

=== Installed Programs ===
==== Startup Items ====
Most systems, depending on the applications installed on them, will have applications that run at system startup or at user logon. These can provide information on the purpose of the system, the systems and services it interacts with, and possible countermeasures in place that may hinder further penetration of the target network and its systems. Information that should be gathered:
*List of applications and versions installed on the system.
*List of updates applied to the system.

=== Installed Services ===
Services on a system are present to provide a service to the host they are installed on, as well as to other hosts in the target network.
Information on the configuration of these services, the data they hold and use, and the connections to them can provide a wealth of information that can be used to show risk and to penetrate a client's network further.

==== Security Services ====
Identify the countermeasures installed on the compromised machine: firewall status and ruleset, HIPS and AV installed, security policies, UAC, SELinux, IPsec, Windows security templates. Knowing the countermeasures on a single compromised machine gives an idea of what to expect when targeting other machines in the network. It also gives an idea of what alerts may have been triggered during the test; these can be discussed with the client during the project debrief.

==== File/Printer Shares ====
File and print servers provide a means of access to data that can contain the information needed to prove risk or to penetrate a client's network and hosts further. Information can be gathered from the connections and connection history of a compromised host, as well as from the file and print services it offers, depending on the functionality of the host. The items to examine are:
*File server configuration by protocol (SMB, AFP). The configuration files can be used to identify which shares are available, who has access to them and with what permissions. This helps in gaining remote access to the shares and in gathering information that can be used in other areas of attack, for example user name enumeration, which can also give hints about the roles of the users found.
*Shares offered by file servers. Any file shares offered by target systems should be examined. The share names alone may leak important information, such as the names of internal applications or projects.
*Access control lists and permissions for shares. From the client side, if it is possible to connect to the share, check whether the connection is read-only or read/write. Remember that if a share contains directories, different permissions may apply to different directories. From the server side, both the server configuration and the file/directory permissions should be examined.
*Listing of the content of shares.
*Identification of files of interest (source code, backups, installation files, confidential data, etc.).
*Placing Trojan files. Placing Trojans on popular shares can encourage network users to access them, triggering the payloads.
*Placing autorun files.

==== Database Servers ====
Identification of services for accessing or hosting databases on a system can provide access to:
*Databases
*Tables
*Table content, and row counts for regulated content
*Permissions
*Users, passwords, groups and roles
The information hosted in databases can be used to show risk, to determine the configuration and function of services, or to penetrate a client's network and hosts further.

==== Directory Servers ====
The main goal of a directory service is to provide information to services and hosts for reference and/or authentication. The compromise of this service can allow control of all hosts that depend on it, as well as provide information that could be used to further an attack. Information to look for in a directory service:
*List of objects (users, passwords, machines, etc.)
*Connections to the system
*Identification of protocols and security level

==== Name Servers ====
Name servers provide resolution for hosts and services, depending on the types of records they serve. Enumeration of records and controls can provide a list of targets and services to prioritize and attack in order to penetrate a client's network and hosts further.
The ability to modify and add records can be used to show the risk of denial of service, as well as to aid in intercepting traffic and information on the customer's network.

==== Deployment Services ====
Identification of deployment services allows for the access and enumeration of:
*Unattended answer files
*Permissions on files
*Updates included
*Applications and versions
This information can be used to penetrate a client's network and hosts further. The ability to modify the repositories and configuration of the service allows for:
*Backdoor installation
*Modification of services to make them vulnerable to attack

==== Certificate Authority ====
Identification of Certificate Authority services on a compromised client host will allow access to:
*Root CA
*Code signing certificates
*Encryption and signing certificates
Control of the service will also allow for:
*Creation of new certificates for several tasks
*Revocation of certificates
*Modification of the Certificate Revocation List
*Insertion of a root CA certificate
Control of this service demonstrates risk and allows the compromise of data and services on a client's network and hosts.

==== Source Code Management Server ====
Identification of source code management systems, via either the service running on the compromised host or the client side of the service, provides the opportunity to:
*Enumerate projects. The project names can give away sensitive information on company projects.
*Verify access to source code files.
*Modify source code files. If allowed in scope, modifying source code proves that an attacker could make changes that would affect the system.
*Enumerate developers. Developer details can be used for social engineering attacks as well as inputs for attacking other areas of the system.
*Enumerate configuration.

==== Dynamic Host Configuration Server ====
Identification of a dynamic host configuration service, or of its use by the compromised host, allows for:
*Enumeration of the leases given
*Enumeration of the configuration
*Enumeration of the options
*Modification of the configuration
*Consumption of all leases
Control of the service can be used to show the risk of denial of service and for use in man-in-the-middle attacks against hosts and services on the compromised network.

==== Virtualization ====
Identification of virtualization services or client software allows for:
*Enumeration of virtual machines (name, configuration, OS)
*Enumeration of passwords and digital certificates for administration systems
*Enumeration of the virtualization software configuration
*Configuration of hosts
*Showing the risk of denial of service through control of VM state
*Access to data hosted on VMs
*Interception of the traffic of virtual hosts or services hosted on the compromised host

==== Messaging ====
Identification of messaging services or client software provides the opportunity to:
*Identify directory services
*Compromise credentials
*Access confidential information
*Identify hosts on the network
*Identify system and business relationships
All of this information and these actions can be used to show risk and to penetrate a client's network and hosts further.

==== Monitoring and Management ====
Identification of services or client software used for monitoring and/or management may reveal additional servers and services on the target network; in addition, the configuration parameters gained may provide access to other target hosts and help determine which actions performed by the tester can be detected by the client.
Some services to look for:
*SNMP (Simple Network Management Protocol)
*Syslog
Some management services and software to look for in order to gain credentials, identify hosts and gain access to other services:
*SSH server/client
*Telnet server/client
*RDP (Remote Desktop Protocol) client
*Terminal Server
*Virtual environment management software

==== Backup Systems ====
Identification of services or client software used for backing up data provides a great opportunity to an attacker, since these systems require access to the data and systems they back up, giving an attacker:
*Enumeration of hosts and systems
*Enumeration of services
*Credentials to hosts and/or services
*Access to backup data
The information gained from the service can be used to show risk to the confidentiality, integrity and availability of the systems and their information. Access to the backups can also provide the opportunity to introduce misconfigurations, vulnerable software or backdoors into the client's systems.

==== Networking Services (RADIUS, TACACS, etc.) ====
Identification of networking services, or of their use, allows for:
*Enumeration of users
*Enumeration of hosts and systems
*Compromise of credentials
*Showing the risk of denial of service if alternate methods are not present

=== Sensitive Data ===
==== Key-logging ====
By monitoring keystrokes it is possible to capture sensitive information, including passwords and PII. Don't know what the legality of this is if the user is, say, chatting on a private IM while also using company software; anyone know? If the company says that all data on the network can be monitored then this should be OK. If the second bullet point in Protecting Yourself is present and it states that use of equipment can be monitored and no personal use is permitted, yes; if the policy does not cover personal use or ownership of data, no. It should be extended to cover the network also.

==== Screen capture ====
Screen capture can be used to show evidence of compromise, as well as to access information that is shown on screen and cannot be accessed by other means. Great care should be taken with the data collected through screen capture so as not to show private data of the client's employees or customers.

==== Network traffic capture ====
Network traffic capture, depending on the controls on the network and the medium used for capture, can be used to:
*Identify hosts on the network
*Intercept data
*Identify services
*Identify relationships between hosts in the network
*Capture credentials
Care should be taken to capture only traffic covered by the scope of the engagement, and to ensure that the information captured does not fall under the control of local laws, as with the capture of Voice over IP calls. The information retained and shown should be filtered so as to protect the personal and confidential data of the client's customers and/or employees.

==== Previous Audit reports ====
=== User Information ===
This section focuses on the information present on the target system relating to user accounts, either local to the system or belonging to users who have connected remotely and left traces that the assessment personnel can gather and analyze for further penetration, or to achieve the goal of the assessment.

==== On System ====
General information that can be gathered on a compromised system:
*History files. History files store the recent commands the user has executed.
Reading through these can reveal system configuration information, important applications, data locations and other sensitive system information.
*Encryption keys (SSH, PGP/GPG).
*Interesting documents (.doc/x, .xls/x, password.*). Users often store passwords and other sensitive information in clear-text documents. These can be located in two ways: by searching file names for interesting words, such as password.txt, or by searching through the contents of the documents themselves. Indexing services can help with this, for example the Linux locate database.
*User-specific application configuration parameters.
*Individual application history (MRU lists on Windows, history files, etc.).
*Enumerate removable media.
*Enumerate network shares and domain permissions (gpresult).

==== Web Browsers ====
Information that can be gathered from web browsers to identify other hosts and systems, and to help penetrate a client's network and hosts further:
*Browser history
*Bookmarks
*Download history
*Credentials
*Proxies
*Plugins/extensions
Great care should be taken that only data in scope for the engagement is captured, since the information from a web browser may contain the client's employees' confidential and private data. This data should be filtered from the data returned and from the report.

==== IM Clients ====
Information that can be gathered from IM clients on a compromised system:
*Account configuration (user, password, server, proxy)
*Chat logs
Great care should be taken that only data in scope for the engagement is captured, since the information from an IM client may contain the client's employees' confidential and private data.
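The Interesting Documents item under On System above describes two searches, by file name and by content, and this section (like the Web Browsers and IM Clients sections) requires that private data be filtered before it reaches the report, while the Rules of Engagement forbid passwords in the final report at all. The following is an added example, not code from the PTES page: it runs both searches over a directory tree and records only the path, the reason and a masked match, so the filtering happens at collection time rather than being left for report writing. The file-name patterns, the credential regex, the masking rule and the sample files are assumptions made for the example.

```python
"""Search a compromised host for documents of interest and report them redacted.
Files are found by name (password.*, .doc/.docx, .xls/.xlsx, key material) and
plain-text files by content (password=..., pwd: ...). Only the path, the reason
and a masked match are recorded, so the secret itself never enters the report.
The sample directory tree is constructed inline for the example."""
import os
import re
import shutil
import tempfile

# Assumed name patterns: the page's password.* plus common document and key types.
NAME_RE = re.compile(r"^pass(word|wd)?s?\.|\.(docx?|xlsx?|kdbx?|pem|ppk)$", re.I)
# Assumed credential-looking lines; the value group is what gets masked.
CONTENT_RE = re.compile(
    r"(?P<key>pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*(?P<value>\S+)", re.I)

def mask(value):
    """Keep only the length and the last two characters: verifiable, not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]

def scan_tree(root, max_bytes=1_000_000):
    """Walk `root`; return a list of {path, reason, match} findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NAME_RE.search(name):
                findings.append({"path": path, "reason": "name", "match": name})
            if os.path.getsize(path) > max_bytes:
                continue                        # skip big archives and media
            try:
                with open(path, encoding="utf-8") as fh:   # strict decoding
                    for lineno, line in enumerate(fh, 1):
                        m = CONTENT_RE.search(line)
                        if m:
                            findings.append({
                                "path": path, "reason": f"content:{lineno}",
                                "match": f"{m.group('key')}={mask(m.group('value'))}"})
            except (UnicodeDecodeError, OSError):
                continue                        # binary or unreadable file
    return findings

def demo():
    """Build a constructed tree, scan it, and check nothing was left in the clear."""
    root = tempfile.mkdtemp(prefix="pillage_")
    samples = {                                 # constructed sample files
        "notes/passwords.txt": "vpn password: Winter2011!\nwiki user: jdoe\n",
        "hr/Q3_report.docx": b"PK\x03\x04\xff\xfe not really a document",
        "dev/config.ini": "[db]\nhost=db01\npwd = s3cr3tDB\n",
        "readme.md": "nothing to see here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    try:
        findings = scan_tree(root)
    finally:
        shutil.rmtree(root)
    secrets = ("Winter2011!", "s3cr3tDB")
    leaked = any(s in f["match"] for f in findings for s in secrets)
    return findings, leaked

if __name__ == "__main__":
    results, leaked = demo()
    for f in results:
        print(f["reason"], f["path"], f["match"])
    print("secret leaked into findings:", leaked)
```

Point `scan_tree` at a real home directory or share instead of the constructed tree; the masked match is what goes into the findings appendix and the path is what the client uses to verify it. Binary files (the fake .docx here) are still reported by name but never parsed for content, so a later, deliberate step can extract them if the scope allows.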
This data should be filtered from the data returned and from the report.

=== System Configuration ===
==== Password Policy ====
By enumerating the system's password policy, brute-forcing and cracking passwords becomes much more efficient: for example, knowing that the minimum password length is 8 characters, you can remove any word shorter than 8 characters from a dictionary.

==== Security Policies ====
==== Configured Wireless Networks and Keys ====
By finding the target's wireless information it becomes possible to launch physical attacks through the company's Wi-Fi when on site. It also allows a fake AP to be set up to lure targets into connecting when away from the site.

== High Value/Profile Targets ==
High value/profile targets can be identified, and the list from the pre-engagement meetings expanded, through analysis of the data gathered from the compromised systems, the interactions between those systems, and the services that run on them. This view of the operation and interactions of the high value/profile targets helps to identify and measure the impact on the business, in terms of its data and processes and of the overall integrity of the client's infrastructure and services.

== Data Exfiltration ==
=== Mapping of all possible exfiltration paths ===
From each of the areas where access has been achieved, a full map of exfiltration paths should be created. This includes secondary and tertiary means of getting to the outside world (through different accessible subnets, etc.).
Once the mapping is complete, the actual exfiltration testing should commence.

=== Testing exfiltration paths ===
Following the exfiltration path mapping, data should be exfiltrated from the organization being tested.
This should already be covered in the [[Pre-engagement]] scoping, and adequate infrastructure should have been set up which adheres to the customer's acceptable engagement policy (i.e. data being exfiltrated is usually exfiltrated to a server under the full control of the tester, with access and ownership rights granted to the tested organization).
The exfiltration itself should simulate the real-world exfiltration strategies used by the threat actors that correspond to the [[Threat Modeling Standard]] relevant to the organization (i.e. if the threat is mostly criminal, "standard" exfiltration using a staging area inside the network where data is archived into encrypted zip/7z files and then sent to FTP/HTTP servers on the Internet; for a more sophisticated threat actor, means that simulate the strategies and tactics such an actor uses for exfiltration).

=== Measuring control strengths ===
When performing exfiltration testing, the main goal of the test is to see whether the current controls for detecting and blocking sensitive information from leaving the organization actually work, as well as to exercise the response teams if anything is detected: how they react to such alerts and how the events are investigated and mitigated.

== Persistence ==
*Installation of a backdoor that requires authentication.
*Installation and/or modification of services to connect back to the tester's system. A user name and complex password should be used as a minimum; the use of certificates or cryptographic keys is preferred where possible (SSH, ncat, RDP). Reverse connections limited to a single IP may be used.
*Creation of alternate accounts with complex passwords.
*When possible, the backdoor must survive reboots.

== Further Penetration Into Infrastructure ==
Pivoting is the action in which the tester uses their presence on the compromised system to enumerate further and gain access to other systems in the client's infrastructure. This action can be executed from the compromised host itself, using local resources or tools uploaded to the compromised system.

=== From Compromised System ===
Actions that can be taken from a compromised system:
*Upload tools
*Use local system tools
*ARP scan
*Ping sweep
*DNS enumeration of the internal network
*Directory services enumeration
*Brute force attacks
*Enumeration and management through management protocols and compromised credentials (WinRM, WMI, SMB, SNMP, etc.)
*Abuse of compromised credentials and keys (web pages, databases, etc.)
*Execute remote exploits
The action executed will depend on the information needed to show a specific risk and/or to penetrate the client's network and hosts further. Regular planning sessions are recommended to re-evaluate the information gathered and decide the best approach to continue the post-exploitation until the set goals are met.

=== Through Compromised System ===
Actions that can be taken through a compromised system:
*Port forwarding
*Proxy to the internal network (SSH)
*VPN to the internal network
*Execute remote exploits
*Abuse of compromised credentials and keys (web pages, databases, etc.)
The action executed will depend on the information needed to show a specific risk and/or to penetrate the client's network and hosts further.
Regular planning sessions are recommended to re-evaluate the information gathered and decide the best approach to continue the post-exploitation until the set goals are met.<br /> <br /> == Cleanup ==<br /> The cleanup process covers the requirements for cleaning up systems once the penetration test has been completed. This includes all user accounts and binaries used during the test.<br /> *Remove all executables, scripts and temporary files from a compromised system. If possible, use a secure delete method for removing the files and folders.<br /> *Return system settings and application configuration parameters to their original values if they were modified during the assessment.<br /> *Remove all backdoors and/or rootkits installed.<br /> *Remove any user accounts created for connecting back to compromised systems.</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=737 Intelligence Gathering 2011-08-24T19:28:31Z <p>Chris gates: /* Covert Gathering */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. 
This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network level port scans or crawlers, and we only look at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. 
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.)<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers; analysis via what is openly shared on corporate web pages, rental companies, etc.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). 
Such sources specialize in gathering business related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and to identify additional personnel and 3rd parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin; then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it: Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color, depth, resolution, camera make/type and even the coordinates and location information.<br /> *Why you would do it: Metadata is important because it contains information about the internal network, user names, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How you would do it: There are tools available to extract the metadata from the file (pdf/word/image) such as FOCA (GUI-based), metagoofil (python-based), meta-extractor, and exiftool (perl-based). 
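The extraction step described in the Document Metadata bullets above, as an added example that is not part of the standard: the fields FOCA, metagoofil and exiftool report, pulled out of an Office file and a PDF with the Python standard library only, and folded into the "blueprint" of users, internal hosts and software versions the text describes. Both documents are constructed in memory; every name, host and path in them is invented.

```python
"""Added example: the fields FOCA, metagoofil and exiftool report, pulled from an Office file and a
PDF with the standard library only, then folded into the 'blueprint' the text describes.
Both documents are constructed in memory; every name, host and path in them is invented."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = (("dc:creator", "author"), ("cp:lastModifiedBy", "last_modified_by"), ("dc:title", "title"))
APP_FIELDS = (("ep:Application", "application"), ("ep:AppVersion", "app_version"),
              ("ep:Company", "company"), ("ep:Template", "template"), ("ep:HyperlinkBase", "hyperlink_base"))
PDF_INFO_RE = re.compile(rb"/(Title|Author|Creator|Producer|CreationDate|ModDate)\s*\(((?:[^()\\]|\\.)*)\)")
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")                                   # \\host\share\...
USERDIR_RE = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)")  # C:\Users\name\...


def office_metadata(blob: bytes) -> dict:
    """OOXML (docx/xlsx/pptx) is a zip; the useful fields live in docProps/core.xml and app.xml."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for tag, key in fields:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    out[key] = el.text
    return out


def pdf_metadata(blob: bytes) -> dict:
    """Classic /Info dictionary with literal-string values. Hex strings, escapes beyond a
    backslash pair and XMP packets are not handled here; exiftool covers those."""
    return {k.decode().lower(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(blob)}


def profile(metadata_list) -> dict:
    """Fold per-document metadata into what an attacker wants: user names, internal hosts,
    and the software versions in use."""
    users, hosts, software = set(), set(), set()
    for md in metadata_list:
        for key in ("author", "last_modified_by"):
            if md.get(key):
                users.add(md[key].split("\\")[-1])        # drop a DOMAIN\ prefix
        if md.get("application"):
            software.add((md["application"] + " " + md.get("app_version", "")).strip())
        for key in ("creator", "producer"):
            if md.get(key):
                software.add(md[key])
        for value in md.values():
            hosts.update(UNC_RE.findall(value))
            users.update(USERDIR_RE.findall(value))
    return {"users": sorted(users), "hosts": sorted(hosts), "software": sorted(software)}


# Constructed samples standing in for files downloaded from the target's public web presence.
def make_sample_docx() -> bytes:
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">' % (NS["cp"], NS["dc"])
            + "<dc:title>Q3 Partner Update</dc:title><dc:creator>jsmith</dc:creator>"
            + "<cp:lastModifiedBy>CORP\\mwilson</cp:lastModifiedBy></cp:coreProperties>")
    app = ('<Properties xmlns="%s">' % NS["ep"]
           + "<Application>Microsoft Office Word</Application><AppVersion>14.0000</AppVersion>"
           + "<Company>Example Holdings</Company>"
           + "<Template>\\\\fs01.corp.example\\templates\\letterhead.dotm</Template>"
           + "<HyperlinkBase>C:\\Users\\tnguyen\\Documents\\</HyperlinkBase></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              b"2 0 obj << /Title (Supplier Onboarding) /Author (rlee) /Creator (Microsoft Word 2010)\n"
              b"/Producer (Acrobat PDFMaker 10.1 for Word) /CreationDate (D:20110812091500+02'00') >> endobj\n"
              b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    docs = [office_metadata(make_sample_docx()), pdf_metadata(SAMPLE_PDF)]
    for md in docs:
        print(md)
    print(profile(docs))
```

Two documents already yield four user names (one with its Windows domain), an internal file server from the template path, and three software versions to match against known vulnerabilities; across a few hundred public documents this is the blueprint the text refers to.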
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, searches for the documents, downloads them and analyzes them, all through its GUI.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company that may not otherwise be notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> *Court Records<br /> **What is it: Court records are all the public records related to criminal and/or civil complaints, lawsuits, or other legal actions for or against a person or organization of interest.<br /> **Why you would do it: Court records could potentially reveal sensitive information related to an individual employee or the company as a whole. This information could be useful by itself or may be the driver for gaining additional information. It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available court websites and records databases. Some additional information may be available via pay services such as LEXIS/NEXIS. Some information may be available via records request or in person requests.<br /> *Political Donations<br /> **What is it: Political donations are an individual’s personal funds directed to specific political candidates, political parties, or special interest organizations.<br /> **Why you would do it: Information about political donations could potentially reveal useful information related to an individual. This information could be used as a part of social network analysis to help draw connections between individuals and politicians, political candidates, or other political organizations. 
It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available websites (e.g., http://www.opensecrets.org/) that track political donations by individual. Depending upon the laws of a given state, donations over a certain amount are usually required to be recorded.<br /> *Professional licenses or registries<br /> **What is it: Professional licenses or registries are repositories of information that contain lists of members and other related information for individuals who have attained a particular license or some measure of specific affiliation within a community.<br /> **Why you would do it: Information about professional licenses could potentially reveal useful information related to an individual. This information could be used to validate an individual's trustworthiness (do they really have a particular certification as they claim) or as a part of social network analysis to help draw connections between individuals and other organizations. It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available websites. Typically, each organization maintains its own registry of information that may be available online or may require additional steps to gather.<br /> <br /> ===== Social Network (SocNet) Profile =====<br /> *Metadata Leakage<br /> **Location awareness via Photo Metadata<br /> *Tone<br /> **Expected deliverable: subjective identification of the tone used in communications – aggressive, passive, appealing, sales, praising, dissing, condescending, arrogant, elitist, underdog, leader, follower, mimicking, etc.<br /> *Frequency<br /> **Expected deliverable: Identification of the frequency of publications (once an hour/day/week, etc.). 
Additionally, the time of day/week in which communications are prone to happen.<br /> *Location awareness<br /> **Bing Map Apps<br /> **Foursquare<br /> **Google Latitude<br /> **Yelp<br /> **Gowalla<br /> *Social Media Presence<br /> **What sites do they use?<br /> <br /> ===== Internet Presence =====<br /> *Email Address<br /> **What is it: Email addresses are the public mailbox ids of the users.<br /> **Why you would do it: Email address harvesting or searching is important because it serves multiple purposes: it provides a probable user-id format, which can later be brute-forced for access, and more importantly it enables targeted spam, delivered by hand or by automated bots. Such emails can carry exploits, malware, etc., and can be addressed to a specific user with content tailored to them.<br /> **How you would do it: Email addresses can be searched for and extracted from various websites, groups, blogs, forums, social networking portals, etc. These email addresses are also available from various tech support websites. 
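The harvesting and user-id-format inference described in the Email Address bullets above, as an added example that is not part of the standard: addresses on the target domain are pulled from page text (including a simple [at]/[dot] obfuscation), the local-part convention is inferred by majority vote over personal mailboxes, and candidate addresses are generated for names found elsewhere, such as the org chart or a press release. The pages are constructed, and example.com stands in for the target domain.

```python
"""Added example: harvest addresses belonging to one domain from page text, infer the local-part
convention, and generate candidates for names found elsewhere (org chart, press releases).
The pages below are constructed and example.com stands in for the target domain."""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ROLE_ACCOUNTS = {"press", "sales", "info", "support", "admin", "helpdesk", "hr", "jobs",
                 "noreply", "no-reply", "webmaster", "security", "abuse", "postmaster"}
# Local-part shapes, most specific first; a bare word could be 'flast', 'first' or a role.
SHAPES = [
    ("f.last", re.compile(r"^[a-z]\.[a-z]+$")),
    ("first.last", re.compile(r"^[a-z]{2,}\.[a-z]{2,}$")),
    ("first_last", re.compile(r"^[a-z]+_[a-z]+$")),
    ("flast", re.compile(r"^[a-z]{4,}$")),
]
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}

# Constructed pages: a contact page, a press release, a support-forum post with [at]/[dot]
# obfuscation, and a mailto link in mixed case.
PAGES = [
    "Contact: john.smith@example.com or maria.lopez@example.com. Press: press@example.com",
    "For a demo reach out to d.chen@example.com or our reseller sales@partner-example.net",
    "Posted by rwilson [at] example [dot] com: the lobby printer keeps jamming",
    "mailto:Ana.Costa@EXAMPLE.COM - IT helpdesk",
]


def deobfuscate(text: str) -> str:
    text = re.sub(r"\s*\[dot\]\s*", ".", text, flags=re.I)
    return re.sub(r"\s*\[at\]\s*", "@", text, flags=re.I)


def harvest(pages, domain: str) -> list:
    """Addresses on the target domain only, normalised to lower case; partner domains are noise here."""
    found = set()
    for page in pages:
        for addr in EMAIL_RE.findall(deobfuscate(page)):
            local, _, dom = addr.lower().rpartition("@")
            if dom == domain:
                found.add(f"{local}@{dom}")
    return sorted(found)


def classify(local: str) -> str:
    if local in ROLE_ACCOUNTS:
        return "role"
    for name, pattern in SHAPES:
        if pattern.match(local):
            return name
    return "unknown"


def infer_convention(addresses):
    """Majority vote over personal mailboxes; returns (best, votes)."""
    votes = Counter(classify(a.split("@")[0]) for a in addresses)
    for k in ("role", "unknown"):
        votes.pop(k, None)
    best = votes.most_common(1)[0][0] if votes else None
    return best, dict(votes)


def candidates(first: str, last: str, domain: str, convention=None) -> list:
    """Candidate addresses for a person: the inferred convention first, the rest as fallbacks
    for SMTP verification or a brute-force user list."""
    f, l = first.lower(), last.lower()
    order = ([convention] if convention in FORMATS else []) + [k for k in FORMATS if k != convention]
    return [f"{FORMATS[k](f, l)}@{domain}" for k in order]


if __name__ == "__main__":
    addrs = harvest(PAGES, "example.com")
    best, votes = infer_convention(addrs)
    print(addrs)
    print(best, votes)
    print(candidates("Peter", "Parker", "example.com", best))
```

Role accounts are excluded from the vote because they never follow the personal convention; the minority shapes (f.last, flast) are kept as fallbacks rather than discarded, since organisations that have merged or changed mail systems commonly carry more than one convention.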
There are harvesting and spidering tools that search for email addresses mapped to a given domain.<br /> *Personal Handles/Nicknames<br /> *Personal Domain Names registered<br /> *Assigned Static IPs/Netblocks<br /> <br /> ===== Physical Location =====<br /> *Physical Location<br /> **Can you derive the target's physical location?<br /> <br /> ===== Mobile Footprint =====<br /> *Phone #<br /> *Device type<br /> *Use<br /> *Installed applications<br /> *Owner/administrator<br /> <br /> ===== &quot;For Pay&quot; Information =====<br /> *Background Checks<br /> *For Pay Linked-In<br /> *LEXIS/NEXIS<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> * [Need Content] <br /> ===== Physical security inspections =====<br /> * [Need Content] <br /> ===== Wireless scanning / RF frequency scanning =====<br /> * [Need Content] <br /> ===== Employee behavior training inspection =====<br /> * [Need Content] <br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> * [Need Content] <br /> ===== Dumpster diving =====<br /> * [Need Content] <br /> ===== Types of equipment in use =====<br /> * [Need Content] <br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> * [Need Content] <br /> ===== Network provisioning/provider =====<br /> * [Need Content] <br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise and adds more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.)<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction, whether physical or verbal. 
Gathering should be done under an assumed identity, that would be created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc...). This is usually done in order to establish behavioral patterns (such as frequency of visitations, dress code, access paths, key locations that may provide additional access such as coffee shops).<br /> ==== Results ====<br /> <br /> ===== Key Employees =====<br /> * [Need Content] <br /> ===== Partners/Suppliers =====<br /> * [Need Content] <br /> ===== Social Engineering =====<br /> * [Need Content]<br /> <br /> == Footprinting ==<br /> WHAT IT IS: External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization.<br /> <br /> WHY: Much information can be gathered by interacting with targets. By probing a service or device, you can often create scenarios in which it can be fingerprinted, or even more simply, a banner can be procured which will identify the device. This step is necessary to gather more information about your targets. 
Your goal, after this section, is a prioritized list of targets.<br /> <br /> === External Footprinting ===<br /> <br /> ==== Identify Customer External Ranges ====<br /> <br /> ==== Passive Reconnaissance ====<br /> ===== WHOIS Lookups =====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish External Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold =====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> === Internal Footprinting ===<br /> <br /> ==== Passive Reconnaissance ====<br /> <br /> ==== Identify Customer Internal Ranges ====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish Internal Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold 
=====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ===== LUN Masking =====<br /> ==== Storage Controller ====<br /> ===== iSCSI CHAP Secret =====<br /> <br /> <br /> === User Protections ===<br /> ==== AV/Spam Filtering Software ====<br /> *Software configuration that limits exploitability can be considered alongside anti-spam / anti-virus software</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=736 Intelligence Gathering 2011-08-24T19:27:08Z <p>Chris gates: /* Individual */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. 
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. 
Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. 
Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting the metadata and displaying the results in different formats such as HTML, XML, JSON, or in a GUI. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, handles searching for documents, downloading and analyzing them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be evident from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> *Court Records<br /> **What is it: Court records are all the public records related to criminal and/or civil complaints, lawsuits, or other legal actions for or against a person or organization of interest.<br /> **Why you would do it: Court records could potentially reveal sensitive information related to an individual employee or the company as a whole. This information could be useful by itself or may be the driver for gaining additional information. It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available court websites and records databases. Some additional information may be available via pay services such as LEXIS/NEXIS. Some information may be available via records requests or in-person requests.<br /> *Political Donations<br /> **What is it: Political donations are an individual’s personal funds directed to specific political candidates, political parties, or special interest organizations.<br /> **Why you would do it: Information about political donations could potentially reveal useful information related to an individual. This information could be used as a part of social network analysis to help draw connections between individuals and politicians, political candidates, or other political organizations. 
It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available websites (e.g., http://www.opensecrets.org/) that track political donations by individual. Depending upon the laws of a given state, donations over a certain amount are usually required to be recorded.<br /> *Professional licenses or registries<br /> **What is it: Professional licenses or registries are repositories of information that contain lists of members and other related information for individuals who have attained a particular license or some measure of specific affiliation within a community.<br /> **Why you would do it: Information about professional licenses could potentially reveal useful information related to an individual. This information could be used to validate an individual's trustworthiness (do they really have a particular certification as they claim) or as a part of social network analysis to help draw connections between individuals and other organizations. It could also be used for social engineering or other purposes later on in the penetration test.<br /> **How you would do it: Much of this information is now available on the Internet via publicly available websites. Typically, each organization maintains its own registry of information, which may be available online or may require additional steps to gather.<br /> <br /> ===== Social Network (SocNet) Profile =====<br /> *Metadata Leakage<br /> **Location awareness via Photo Metadata<br /> *Tone<br /> **Expected deliverable: subjective identification of the tone used in communications – aggressive, passive, appealing, sales, praising, dissing, condescending, arrogant, elitist, underdog, leader, follower, mimicking, etc.<br /> *Frequency<br /> **Expected deliverable: Identification of the frequency of publications (once an hour/day/week, etc.). 
Additionally, the time of day/week in which communications are prone to happen.<br /> *Location awareness<br /> **Bing Map Apps<br /> **Foursquare<br /> **Google Latitude<br /> **Yelp<br /> **Gowalla<br /> *Social Media Presence<br /> **What sites do they use?<br /> <br /> ===== Internet Presence =====<br /> *Email Address<br /> **What is it? Email addresses are the public mailbox IDs of the users.<br /> **Why would you do it? Email address harvesting or searching is important because it serves multiple purposes: it provides a probable user-id format which can later be brute-forced for access, but more importantly it enables targeted spam to be sent, including by automated bots. These spam emails can contain exploits, malware, etc., and can be addressed with content specific to a particular user.<br /> **How would you do it? Email addresses can be searched for and extracted from various websites, groups, blogs, forums, social networking portals, etc. These email addresses are also available from various tech support websites. 
There are harvesting and spidering tools that search for email addresses mapped to a certain domain (if needed).<br /> *Personal Handles/Nicknames<br /> *Personal Domain Names registered<br /> *Assigned Static IPs/Netblocks<br /> <br /> ===== Physical Location =====<br /> *Physical Location<br /> **Can you derive the target's physical location?<br /> <br /> ===== Mobile Footprint =====<br /> *Phone #<br /> *Device type<br /> *Use<br /> *Installed applications<br /> *Owner/administrator<br /> <br /> ===== &quot;For Pay&quot; Information =====<br /> *Background Checks<br /> *For Pay Linked-In<br /> *LEXIS/NEXIS<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise, as well as adding more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical or verbal. 
Gathering should be done under an assumed identity that is created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc.). This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> WHAT IT IS: External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization.<br /> <br /> WHY: Much information can be gathered by interacting with targets. By probing a service or device, you can often create scenarios in which it can be fingerprinted, or, even more simply, a banner can be procured which will identify the device. This step is necessary to gather more information about your targets. 
Your goal, after this section, is a prioritized list of targets.<br /> <br /> === External Footprinting ===<br /> <br /> ==== Identify Customer External Ranges ====<br /> <br /> ==== Passive Reconnaissance ====<br /> ===== WHOIS Lookups =====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish External Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold =====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> === Internal Footprinting ===<br /> <br /> ==== Passive Reconnaissance ====<br /> <br /> ==== Identify Customer Internal Ranges ====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish Internal Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold 
=====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ===== LUN Masking =====<br /> ==== Storage Controller ====<br /> ===== iSCSI CHAP Secret =====<br /> <br /> <br /> === User Protections ===<br /> ==== AV/Spam Filtering Software ====<br /> *Software configurations which limit exploitability can be considered anti-spam / anti-AV protections.</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=735 Intelligence Gathering 2011-08-24T19:08:00Z <p>Chris gates: /* Footprinting */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is the process of performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. 
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: passive, semi-passive, and active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. 
Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc.; analysis via what’s openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. 
Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (usually paid subscriptions). Such sources specialize in gathering business-related information on companies, and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target, and to identify additional personnel and 3rd parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It’s recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, then it is fairly obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can contain information such as author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tags, etc. For an image, its metadata can contain color depth, resolution, camera make/type and even the coordinates and location information.<br /> *Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How would you do it? There are tools available to extract the metadata from files (pdf/word/image) such as FOCA (GUI-based), metagoofil (python-based), meta-extractor, and exiftool (perl-based). 
These tools are capable of extracting the metadata and displaying the results in different formats such as HTML, XML, JSON, or in a GUI. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, handles searching for documents, downloading and analyzing them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be evident from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise, as well as adding more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical or verbal. 
Gathering should be done under an assumed identity that is created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc.). This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> WHAT IT IS: External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization.<br /> <br /> WHY: Much information can be gathered by interacting with targets. By probing a service or device, you can often create scenarios in which it can be fingerprinted, or, even more simply, a banner can be procured which will identify the device. This step is necessary to gather more information about your targets. 
Your goal, after this section, is a prioritized list of targets.<br /> <br /> === External Footprinting ===<br /> <br /> ==== Identify Customer External Ranges ====<br /> <br /> ==== Passive Reconnaissance ====<br /> ===== WHOIS Lookups =====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish External Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold =====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> === Internal Footprinting ===<br /> <br /> ==== Passive Reconnaissance ====<br /> <br /> ==== Identify Customer Internal Ranges ====<br /> <br /> ==== Active Footprinting ====<br /> ===== Port Scanning =====<br /> ===== Banner Grabbing =====<br /> ===== SNMP Sweeps =====<br /> ===== Zone Transfers =====<br /> ===== SMTP Bounce Back =====<br /> ===== VoIP Mapping =====<br /> ===== ARP Discovery =====<br /> ===== DNS Discovery =====<br /> ===== Forward/Reverse DNS =====<br /> ===== DNS Bruteforce =====<br /> ===== Web Application Discovery =====<br /> ===== Virtual Host Detection &amp; Enumeration =====<br /> <br /> ==== Establish Internal Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold 
=====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ===== LUN Masking =====<br /> ==== Storage Controller ====<br /> ===== iSCSI CHAP Secret =====<br /> <br /> <br /> === User Protections ===<br /> ==== AV/Spam Filtering Software ====<br /> *Software configurations which limit exploitability can be considered anti-spam / anti-AV protections.</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=734 Intelligence Gathering 2011-08-24T18:59:18Z <p>Chris gates: /* Footprinting */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is the process of performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. 
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. 
Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. 
Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset as it provides information that could not have been obtained otherwise, as well as add more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc...)<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical, or verbal. 
Gathering should be done under an assumed identity, that would be created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc...). This is usually done in order to establish behavioral patterns (such as frequency of visitations, dress code, access paths, key locations that may provide additional access such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> === External Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer External Ranges ====<br /> ==== Establish External Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold =====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> === Internal Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer Internal Ranges ====<br /> ==== Establish Internal Target List ====<br /> ===== Mapping versions =====<br /> ===== Identifying patch levels =====<br /> ===== Looking for weak web applications =====<br /> ===== Identify lockout threshold =====<br /> ===== Error Based =====<br /> ===== Identify weak ports for attack =====<br /> ===== Outdated Systems =====<br /> ===== Virtualization platforms vs VMs =====<br /> ===== Storage infrastructure =====<br /> <br /> == Identify 
Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ===== LUN Masking =====<br /> ==== Storage Controller ====<br /> ===== iSCSI CHAP Secret =====<br /> <br /> <br /> === User Protections ===<br /> ==== AV/Spam Filtering Software ====<br /> *SW Configuration which limit exploitability can be considered antispam / antiAV</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=733 Intelligence Gathering 2011-08-24T18:56:35Z <p>Chris gates: /* Identify Protection Mechanisms */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. 
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. 
Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. 
Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset as it provides information that could not have been obtained otherwise, as well as add more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc...)<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical, or verbal. 
Gathering should be done under an assumed identity, that would be created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc...). This is usually done in order to establish behavioral patterns (such as frequency of visitations, dress code, access paths, key locations that may provide additional access such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> === External Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer External Ranges ====<br /> ==== Establish External Target List ====<br /> <br /> <br /> === Internal Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer Internal Ranges ====<br /> ==== Establish Internal Target List ====<br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ===== LUN Masking 
=====<br /> ==== Storage Controller ====<br /> ===== iSCSI CHAP Secret =====<br /> <br /> <br /> === User Protections ===<br /> ==== AV/Spam Filtering Software ====<br /> *SW Configuration which limit exploitability can be considered antispam / antiAV</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=732 Intelligence Gathering 2011-08-24T18:53:20Z <p>Chris gates: /* Footprinting */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. 
We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. After the fact, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> 
Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (usually requiring a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. 
financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper equipment respectively.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it: Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referenced, location in a computer network (printer, folder or directory path, etc.) and geo-tags. 
For an image, its metadata can contain color depth, resolution, camera make/model and even coordinates and location information.<br /> *Why do it: Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and helps build a blueprint of the environment. It also reveals the software used to create the respective documents. This enables an attacker to build a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How to do it: There are tools available to extract metadata from files (PDF/Word/image) such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract and display results in different formats such as HTML, XML, JSON or a GUI. The input to most of these tools is a document already downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it; FOCA, by contrast, searches for, downloads and analyzes documents entirely through its GUI.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be identifiable from the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise and adds more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction, whether physical or verbal. Gathering should be done under an assumed identity created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed using observation only, again either physically on location or through electronic/remote means (CCTV, webcams, etc.). 
This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> === External Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer External Ranges ====<br /> ==== Establish External Target List ====<br /> <br /> <br /> === Internal Footprinting ===<br /> ==== Active Footprinting ====<br /> ==== Passive Reconnaissance ====<br /> ==== Identify Customer Internal Ranges ====<br /> ==== Establish Internal Target List ====<br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ==== ??? ====</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=731 Intelligence Gathering 2011-08-24T18:52:37Z <p>Chris gates: /* Footprinting */</p> <hr /> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=730 Intelligence Gathering 2011-08-24T18:49:54Z <p>Chris gates: /* Identify Protection Mechanisms */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a living document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use later.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. 
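The Document Metadata section of this page lists FOCA, metagoofil and exiftool but not what such a tool actually reads. The following script is an added example written for this edit, not code from the PTES project or from any of those tools: it takes apart the OOXML property parts of a DOCX (docProps/core.xml, docProps/app.xml and the attached-template relationship) and the Info dictionary of a PDF with the Python standard library only, then merges what it finds into the username, software and internal-path lists a tester builds a target profile from, which is exactly the kind of public-information leak the paragraph above describes. The two sample documents are constructed in memory, and every name, version and path in them is invented.

```python
"""Extract OSINT-relevant metadata from published DOCX and PDF files (stdlib only)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# OOXML part -> (result key, element) pairs; core.xml names people, app.xml names software.
DOCX_FIELDS = {
    "docProps/core.xml": (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy")),
    "docProps/app.xml": (("application", "ep:Application"), ("app_version", "ep:AppVersion")),
}
PDF_INFO = {"Author": "author", "Creator": "creating_app", "Producer": "producer", "CreationDate": "created"}
WIN_PATH = re.compile(r"""(?<![A-Za-z])(?:[A-Za-z]:[\\/]|\\\\)[^\s"'<>]+""")
USER_DIR = re.compile(r"[\\/]Users[\\/]([^\\/]+)")


def docx_metadata(data: bytes) -> dict:
    """Creator, last editor, application/version and attached template path of a DOCX."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        for part, fields in DOCX_FIELDS.items():
            if part in parts:
                root = ET.fromstring(z.read(part))
                for key, xpath in fields:
                    el = root.find(xpath, NS)
                    if el is not None and el.text:
                        found[key] = el.text
        # Word keeps the template a document was built from as an external relationship;
        # the target is frequently a local profile path or a UNC path on a file server.
        rels = "word/_rels/settings.xml.rels"
        if rels in parts:
            for r in ET.fromstring(z.read(rels)).findall("rel:Relationship", NS):
                if r.get("Type") == ATTACHED_TEMPLATE:
                    found["template_path"] = r.get("Target", "")
    return found


def _pdf_unescape(raw: bytes) -> str:
    """Resolve \\ddd octal and \\n \\r \\t \\( \\) \\\\ escapes in a PDF literal string."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    def one(m):
        s = m.group(1)
        return bytes([int(s, 8) & 0xFF]) if re.fullmatch(rb"[0-7]+", s) else simple.get(s, s)
    return re.sub(rb"\\([0-7]{1,3}|.)", one, raw, flags=re.S).decode("latin-1")


def pdf_metadata(data: bytes) -> dict:
    """Info-dictionary entries stored as literal strings; hex strings and XMP streams are skipped."""
    found = {}
    for pdf_key, key in PDF_INFO.items():
        m = re.search(rb"/" + pdf_key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", data, re.S)
        if m:
            found[key] = _pdf_unescape(m.group(1))
    return found


def profile(docs: dict) -> dict:
    """Merge per-document metadata into sorted username, software and path lists."""
    users, software, paths = set(), set(), set()
    for meta in docs.values():
        users.update(meta[k] for k in ("creator", "last_modified_by", "author") if meta.get(k))
        if meta.get("application"):
            software.add((meta["application"] + " " + meta.get("app_version", "")).strip())
        software.update(meta[k] for k in ("creating_app", "producer") if meta.get(k))
        for value in meta.values():
            for path in WIN_PATH.findall(value):
                paths.add(path)
                m = USER_DIR.search(path)
                if m:  # C:\Users\<name>\... leaks a logon name as well as a path
                    users.add(m.group(1))
    return {"users": sorted(users), "software": sorted(software), "paths": sorted(paths)}


def build_sample_docx() -> bytes:
    """Constructed DOCX holding only the parts read above; every value is invented."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>Jane Smith</dc:creator><cp:lastModifiedBy>jsmith</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion></Properties>')
    rels = (f'<Relationships xmlns="{NS["rel"]}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            r'Target="file:///C:\Users\jsmith\AppData\Roaming\Microsoft\Templates\Normal.dotm" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/_rels/settings.xml.rels", rels)):
            z.writestr(name, xml)
    return buf.getvalue()


# Constructed PDF fragment: only the Info dictionary matters here; values are invented.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Author (bjones) /Creator (Microsoft\\256 Word 2010) "
              b"/Producer (Microsoft\\256 Word 2010) /CreationDate (D:20110815101500Z) >>\nendobj\n"
              b"trailer\n<< /Info 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    docs = {"annual_report.docx": docx_metadata(build_sample_docx()), "press_brief.pdf": pdf_metadata(SAMPLE_PDF)}
    print(docs)
    print(profile(docs))
```

Point docx_metadata() and pdf_metadata() at files downloaded from the target's web presence to use it for real. The PDF side is deliberately heuristic: it only reads literal strings in the Info dictionary, so a file whose metadata lives in an XMP stream or in hex strings comes back empty, which is a reason to cross-check with exiftool rather than a sign that the file is clean.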
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform because we never send any traffic to the target organization, either from our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. 
After the fact, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. 
Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: A semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can include information such as the author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tags, etc. For an image, its metadata can contain color, depth, resolution, camera make/type, and even coordinates and location information.<br /> *Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How would you do it? There are tools available to extract the metadata from a file (PDF/Word/image), such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to learn more about it, whereas FOCA lets you search for documents, download them, and analyze them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company that may not otherwise be evident from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise, as well as adding more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction, whether physical or verbal. 
Gathering should be done under an assumed identity that is created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by observation only, again either physically on location or through electronic/remote means (CCTV, webcams, etc.). This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==<br /> <br /> === Network Based Protections ===<br /> ==== &quot;Simple&quot; Packet Filters ====<br /> ==== Traffic Shaping Devices ====<br /> ==== DLP Systems ====<br /> ==== Encryption/Tunneling ====<br /> <br /> <br /> === Host Based Protections ===<br /> ==== Stack/Heap Protections ====<br /> ==== Application Whitelisting ====<br /> ==== AV/Filtering/Behavioral Analysis ====<br /> ==== DLP Systems ====<br /> <br /> <br /> === Application Level Protections ===<br /> ==== Identify Application Protections ====<br /> ==== Encoding Options ====<br /> ==== Potential Bypass Avenues ====<br /> ==== Whitelisted Pages ====<br /> <br /> <br /> === Storage Protections ===<br /> ==== HBA - Host Level ====<br /> ==== ??? ====</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=729 Intelligence Gathering 2011-08-24T18:44:33Z <p>Chris gates: /* Covert Gathering */</p> <hr /> <div></div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=728 Intelligence Gathering 2011-08-24T18:44:04Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. 
This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that appear to be normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. 
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients, and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: A semi-open-source intelligence resource (usually a paid subscription). 
Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can include information such as the author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tags, etc. For an image, its metadata can contain color, depth, resolution, camera make/type, and even coordinates and location information.<br /> *Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How would you do it? There are tools available to extract the metadata from a file (PDF/Word/image), such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based). 
These tools can extract the metadata and display the results in different formats such as HTML, XML, JSON or in a GUI. The input to these tools is usually a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, lets you search for, download and analyze documents entirely through its GUI.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be apparent from the company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> <br /> <br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset, as it provides information that could not have been obtained otherwise, as well as adding more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction, whether physical or verbal. 
Gathering should be done under an assumed identity, that would be created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc...). This is usually done in order to establish behavioral patterns (such as frequency of visitations, dress code, access paths, key locations that may provide additional access such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=727 Intelligence Gathering 2011-08-24T18:43:40Z <p>Chris gates: /* &quot;For Pay&quot; Information */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. 
This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. 
Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). 
Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> *<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset as it provides information that could not have been obtained otherwise, as well as add more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc...)<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical, or verbal. 
Gathering should be done under an assumed identity, that would be created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed by utilizing observation only - again, either physically on location, or through electronic/remote means (CCTV, webcams, etc...). This is usually done in order to establish behavioral patterns (such as frequency of visitations, dress code, access paths, key locations that may provide additional access such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=726 Intelligence Gathering 2011-08-24T18:42:41Z <p>Chris gates: /* Covert Gathering */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. 
This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. 
Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). 
Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> ==== On-Location Gathering ====<br /> *<br /> ===== Physical security inspections =====<br /> *<br /> ===== Wireless scanning / RF frequency scanning =====<br /> *<br /> ===== Employee behavior training inspection =====<br /> *<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> *<br /> ===== Dumpster diving =====<br /> *<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> *<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset as it provides information that could not have been obtained otherwise, as well as add more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc...)<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction - whether physical, or verbal. 
Gathering should be done under an assumed identity, created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed through observation only, again either physically on location or through electronic/remote means (CCTV, webcams, etc.). This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> *<br /> ===== Partners/Suppliers =====<br /> *<br /> ===== Social Engineering =====<br /> *<br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=725 Intelligence Gathering 2011-08-24T18:41:40Z <p>Chris gates: /* Covert Gathering */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible, to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.
The more information you are able to gather during this phase, the more vectors of attack you may be able to use later.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine the various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target.
This type of profiling is technically difficult to perform because no traffic is ever sent to the target organization, neither from our own hosts nor from “anonymous” hosts or services across the Internet. This means we can only use archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would look like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we only look at the metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they shouldn’t be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping the network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers.
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic host/network information.<br /> ===== Business Partners =====<br /> *The target’s advertised business partners, sometimes listed on the main website.<br /> ===== Business Clients =====<br /> *The target’s advertised business clients, sometimes listed on the main website.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open-source intelligence resource (usually requiring a paid subscription).
Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> *How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *The industry the target operates in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing the list of job openings at an organization (usually found in the ‘careers’ section of its website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is fairly obvious that the organization is running Solaris systems.
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper equipment, respectively.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is: Metadata, or meta-content, provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, its metadata can contain color depth, resolution, camera make/model, and even the coordinates of the location where it was taken.<br /> *Why do it: Metadata is important because it can contain information about the internal network, usernames, email addresses, printer locations, etc., which helps to create a blueprint of the location. It also records the software used to create the documents. This enables an attacker to build a profile and/or perform targeted attacks armed with internal knowledge of the networks and users.<br /> *How to do it: There are tools available to extract the metadata from files (PDF, Word, images) such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based).
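As an added illustration of the extraction step described above (example code written for this page, not FOCA, metagoofil or exiftool, and not part of the PTES text), the following Python script reads the fields those tools report from a DOCX (docProps/core.xml and docProps/app.xml inside the zip container) and from the Info dictionary of a PDF, then reduces them to what a tester actually records: usernames, a Windows domain, an internal host name leaked through a UNC template path, a user name leaked through a C:\Users profile path, and the software versions in use. The sample DOCX and PDF are constructed in memory with invented names, hosts and versions; the PDF reader only handles an Info dictionary stored uncompressed, so for real files whose metadata sits in an object stream use a full PDF parser or exiftool.

```python
"""Offline DOCX/PDF metadata extraction, added as an example for the Document Metadata
section (not PTES text, not FOCA/metagoofil/exiftool code; sample files are invented)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml and docProps/app.xml inside a DOCX container
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
CORE_FIELDS = {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy"}
APP_FIELDS = {"application": "ep:Application", "app_version": "ep:AppVersion",
              "company": "ep:Company", "template": "ep:Template"}
# PDF Info-dictionary keys mapped onto the same normalised field names
PDF_FIELDS = {"Title": "title", "Author": "author", "Creator": "creator_app", "Producer": "producer"}
USER_PATH = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)")  # C:\Users\<user>\...
UNC_PATH = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\\S+")                              # \\<host>\share\...
DOMAIN_USER = re.compile(r"^([A-Za-z0-9_.-]+)\\([^\\]+)$")                         # DOMAIN\user


def _xml_fields(xml_bytes, fields):
    root = ET.fromstring(xml_bytes)
    hits = {name: root.find(path, NS) for name, path in fields.items()}
    return {name: el.text for name, el in hits.items() if el is not None and el.text}


def docx_metadata(data):
    """Author, last editor, application/version, company and template path of a DOCX."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part in zf.namelist():
                meta.update(_xml_fields(zf.read(part), fields))
    return meta


def _pdf_string(data, start):
    """Decode the PDF literal string whose '(' is at data[start]; honours nesting and escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        i += 1
        if c == b"\\":                      # \( \) \\ : keep the escaped byte as-is
            out += data[i:i + 1]
            i += 1
            continue
        if c == b"(":
            depth += 1
            if depth == 1:                  # the opening delimiter itself
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1")
        out += c
    return None                             # unterminated string


def pdf_metadata(data):
    """Info dictionary of a PDF whose Info object is stored uncompressed (not in an object stream)."""
    meta = {}
    for key, name in PDF_FIELDS.items():
        m = re.search(rb"/" + key.encode() + rb"\s*\(", data)
        value = _pdf_string(data, m.end() - 1) if m else None
        if value is not None:
            meta[name] = value
    return meta


def summarize(meta):
    """Reduce raw fields to what the tester records: usernames, domains, internal hosts, software."""
    users, domains, hosts, software = set(), set(), set(), set()
    for key in ("author", "last_modified_by"):
        m = DOMAIN_USER.match(meta.get(key, ""))
        if m:
            domains.add(m.group(1))
            users.add(m.group(2))
        elif meta.get(key):
            users.add(meta[key])
    if meta.get("application"):
        software.add(" ".join(v for v in (meta["application"], meta.get("app_version")) if v))
    software.update(meta[k] for k in ("creator_app", "producer") if meta.get(k))
    for value in meta.values():             # paths leak through titles, templates, subjects
        users.update(USER_PATH.findall(value))
        hosts.update(UNC_PATH.findall(value))
    return {"users": sorted(users), "domains": sorted(domains),
            "hosts": sorted(hosts), "software": sorted(software)}


# Constructed samples with invented values: a minimal DOCX container and a tiny PDF
CORE_XML = r"""<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>EXAMPLE\asmith</cp:lastModifiedBy></cp:coreProperties>"""
APP_XML = r"""<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Template>\\fileserver01\templates\Corporate.dotm</Template><Application>Microsoft Office Word</Application>
<AppVersion>14.0000</AppVersion><Company>Example Corp</Company></Properties>"""
SAMPLE_PDF = (rb"%PDF-1.4" b"\n" rb"1 0 obj" b"\n"
              rb"<< /Title (Microsoft Word - C:\\Users\\mlee\\Documents\\Q3 brochure.docx) /Author (mlee)" b"\n"
              rb"   /Creator (PScript5.dll Version 5.2.2) /Producer (Acrobat Distiller 9.0.0 (Windows)) >>" b"\n"
              rb"endobj" b"\n" rb"trailer" b"\n" rb"<< /Info 1 0 R >>" b"\n" rb"%%EOF" b"\n")


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for name, meta in (("sample.docx", docx_metadata(build_sample_docx())), ("sample.pdf", pdf_metadata(SAMPLE_PDF))):
        print(name, meta, "->", summarize(meta))
```

Run as a script it prints both samples; on an engagement, point docx_metadata and pdf_metadata at files pulled from the target’s public site and log the summarize output per file alongside the other OSINT findings, since the usernames, domain and host names are what later feeds user enumeration and internal network mapping. Office also writes the absolute path and hyperlinks of the source file into other parts of the package, and images carry EXIF coordinates, which is why a dedicated tool such as exiftool still belongs in the kit.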
*These tools extract the metadata and present the results in formats such as HTML, XML or JSON, or in a GUI. The input is usually a document downloaded from the client’s public web presence, which is then analyzed to learn more about the organization; FOCA additionally searches for, downloads and analyzes documents from within its own GUI.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is the database of the U.S. Securities and Exchange Commission (SEC) that contains the registration statements, periodic reports, and other filings of all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from the company’s website or other public presence.
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report), the 10-Q (quarterly report), the 8-K (current report of significant events) and the DEF 14A proxy statement, which lists executive compensation, directors and major shareholders.<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== "For Pay" Information =====<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> ==== On-Location Gathering ====<br /> ===== Physical security inspections =====<br /> ===== Wireless scanning / RF frequency scanning =====<br /> ===== Employee behavior training inspection =====<br /> ===== Accessible/adjacent facilities (shared spaces) =====<br /> ===== Dumpster diving =====<br /> ===== Types of equipment in use =====<br /> *<br /> <br /> <br /> ==== Offsite Gathering ====<br /> ===== Data center locations =====<br /> ===== Network provisioning/provider =====<br /> *<br /> <br /> === HUMINT ===<br /> Human intelligence complements the more passive gathering on the asset: it provides information that could not have been obtained otherwise and adds more “personal” perspectives to the intelligence picture (feelings, history, relationships between key individuals, “atmosphere”, etc.).<br /> <br /> The methodology of obtaining human intelligence always involves direct interaction, whether physical or verbal.
Gathering should be done under an assumed identity, created specifically to achieve optimal information exposure and cooperation from the asset in question.<br /> <br /> Additionally, intelligence gathering on more sensitive targets can be performed through observation only, again either physically on location or through electronic/remote means (CCTV, webcams, etc.). This is usually done in order to establish behavioral patterns (such as frequency of visits, dress code, access paths, and key locations that may provide additional access, such as coffee shops).<br /> ==== Results ====<br /> ===== Key Employees =====<br /> ===== Partners/Suppliers =====<br /> ===== Social Engineering =====<br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=724 Intelligence Gathering 2011-08-24T18:36:15Z <p>Chris gates: </p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible, to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.
The more information you are able to gather during this phase, the more vectors of attack you may be able to use later.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine the various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target.
This type of profiling is technically difficult to perform because no traffic is ever sent to the target organization, neither from our own hosts nor from “anonymous” hosts or services across the Internet. This means we can only use archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would look like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we only look at the metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they shouldn’t be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping the network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers.
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic host/network information.<br /> ===== Business Partners =====<br /> *The target’s advertised business partners, sometimes listed on the main website.<br /> ===== Business Clients =====<br /> *The target’s advertised business clients, sometimes listed on the main website.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open-source intelligence resource (usually requiring a paid subscription).
Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> *How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *The industry the target operates in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing the list of job openings at an organization (usually found in the ‘careers’ section of its website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is fairly obvious that the organization is running Solaris systems.
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper equipment, respectively.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is: Metadata, or meta-content, provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, its metadata can contain color depth, resolution, camera make/model, and even the coordinates of the location where it was taken.<br /> *Why do it: Metadata is important because it can contain information about the internal network, usernames, email addresses, printer locations, etc., which helps to create a blueprint of the location. It also records the software used to create the documents. This enables an attacker to build a profile and/or perform targeted attacks armed with internal knowledge of the networks and users.<br /> *How to do it: There are tools available to extract the metadata from files (PDF, Word, images) such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based).
These tools extract the metadata and present the results in formats such as HTML, XML or JSON, or in a GUI. The input is usually a document downloaded from the client’s public web presence, which is then analyzed to learn more about the organization; FOCA additionally searches for, downloads and analyzes documents from within its own GUI.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is the database of the U.S. Securities and Exchange Commission (SEC) that contains the registration statements, periodic reports, and other filings of all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from the company’s website or other public presence.
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report), the 10-Q (quarterly report), the 8-K (current report of significant events) and the DEF 14A proxy statement, which lists executive compensation, directors and major shareholders.<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== "For Pay" Information =====<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> ==== On-Location Gathering ====<br /> ==== Offsite Gathering ====<br /> <br /> <br /> <br /> === HUMINT ===<br /> ==== Key Employees ====<br /> ==== Partners/Suppliers ====<br /> ==== Social Engineering ====<br /> <br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=723 Intelligence Gathering 2011-08-24T18:35:39Z <p>Chris gates: /* Covert Gathering */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related).
The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible, to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use later.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine the various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer.
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform because no traffic is ever sent to the target organization, neither from our own hosts nor from “anonymous” hosts or services across the Internet. This means we can only use archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would look like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we only look at the metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities.
Post mortem, the target may be able to go back and discover the reconnaissance activity, but they shouldn’t be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping the network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic host/network information.<br /> ===== Business Partners =====<br /> *The target’s advertised business partners, sometimes listed on the main website.<br /> ===== Business Clients =====<br /> *The target’s advertised business clients.
Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> ==== Employee ====<br /> ===== History =====<br /> ===== Social Network (SocNet) Profile =====<br /> ===== Internet Presence =====<br /> ===== Active Updates =====<br /> ===== Physical Location =====<br /> ===== Mobile Footprint =====<br /> ===== &quot;For Pay&quot; Information =====<br /> <br /> == Covert Gathering ==<br /> <br /> === Corporate ===<br /> ==== On-Location Gathering ====<br /> ==== Offsite Gathering ====<br /> <br /> <br /> <br /> === HUMINT ===<br /> ==== Key Employees ====<br /> ==== Partners/Suppliers ====<br /> ==== Social Engineering ====<br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=722 Intelligence Gathering 2011-08-24T18:32:29Z <p>Chris gates: /* OSINT */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. 

=== What is it not ===
* [Needs Content]


== Target Selection ==
=== Identification and Naming of Target ===
=== Consider any Rules of Engagement limitations ===
* Rules of Engagement
** Typical Reconnaissance rules
** Defining your own rules
=== Consider time length for test ===
=== Consider end goal of the test ===
=== Consider what you want to accomplish from the Information Gathering phase ===
=== Make the plan to get it ===

== OSINT ==
Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.

*'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.


*'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.


*'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.


=== Corporate ===
==== Physical ====
===== Locations =====
Per-location listing of full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).
*Owner
*Land/tax records
*Shared/individual
*Timezones
*Hosts / NOC
===== Pervasiveness =====
*[Need Content]
===== Relationships =====
Business partners, customers, suppliers, analysis via what’s openly shared on corporate web pages, rental companies, etc.
*Relationships
*Shared office space
*Shared infrastructure
*Rented / Leased Equipment


==== Logical ====
Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.
===== Business Partners =====
*Target’s advertised business partners. Sometimes advertised on main www.
===== Business Clients =====
*Target’s advertised business clients. Sometimes advertised on main www.
===== Competitors =====
*Who are the target’s competitors? This may be simple, Ford vs Chevy, or may require much more analysis.
===== Touchgraph =====
* [Need Content]
===== Hoovers profile =====
*What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.
*Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.
*How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It’s recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).
===== Product line =====
* [Need Content]
===== Market Vertical =====
*Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.
===== Marketing accounts =====
* [Need Content]
===== Meetings =====
*Meeting Minutes published?
*Meetings open to public?
===== Significant company dates =====
*Board meetings
*Holidays
*Anniversaries
*Product/service launch
===== Job openings =====
*By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin; then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.
===== Charity affiliations =====
* [Need Content]
===== Court records =====
* [Need Content]
===== Political donations =====
* [Need Content]
===== Professional licenses or registries =====
* [Need Content]


==== Org Chart ====
===== Position identification =====
*Important people in the organization
*Individuals to specifically target
===== Transactions =====
*[Need Content]
===== Affiliates =====
* [Need Content]


==== Electronic ====
===== Document Metadata =====
*What is it? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.
*Why would you do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.
*How would you do it? There are tools available to extract the metadata from the file (pdf/word/image), such as FOCA (GUI-based), metagoofil (python-based), meta-extractor, and exiftool (perl-based). These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. FOCA, by contrast, helps you search for documents, download them and analyze them, all through its GUI interface.
===== Marketing Communications =====
* [Need Content]


==== Infrastructure Assets ====
[!!This section needs to be added to mindmap!!]
===== Network blocks owned =====
* [Need Content]
===== Email addresses =====
* [Need Content]
===== External infrastructure profile =====
* [Need Content]
===== Technologies used =====
* [Need Content]
===== Purchase agreements =====
* [Need Content]
===== Remote access =====
* [Need Content]
===== Application usage =====
===== Defense technologies =====
* [Need Content]
===== Human capability =====
* [Need Content]


==== Financial ====
===== Reporting =====
* [Need Content]
===== Market analysis =====
* [Need Content]
===== Trade capital =====
* [Need Content]
===== Value history =====
* [Need Content]
===== EDGAR (SEC) =====
*What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.
*Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.
*How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).



=== Individual ===
==== Employee ====
===== History =====
===== Social Network (SocNet) Profile =====
===== Internet Presence =====
===== Active Updates =====
===== Physical Location =====
===== Mobile Footprint =====
===== "For Pay" Information =====

== Covert Gathering ==


== HUMINT ==


== Footprinting ==


== Identify Protection Mechanisms ==</div>
Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=721 Intelligence Gathering 2011-08-24T18:28:29Z
<p>Chris gates: /* Corporate */</p>
<hr />
<div>== General ==

This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.


== Intelligence Gathering ==


=== What is it ===
* Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.
*Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]

=== Why do it ===
* We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer.

=== What is it not ===
* [Needs Content]


== Target Selection ==
=== Identification and Naming of Target ===
=== Consider any Rules of Engagement limitations ===
* Rules of Engagement
** Typical Reconnaissance rules
** Defining your own rules
=== Consider time length for test ===
=== Consider end goal of the test ===
=== Consider what you want to accomplish from the Information Gathering phase ===
=== Make the plan to get it ===

== OSINT ==
Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.

*'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target.
This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. 
Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> * [Need Content]<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). 
Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> * [Need Content]<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> * [Need Content]<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> * [Need Content]<br /> ===== Court records =====<br /> * [Need Content]<br /> ===== Political donations =====<br /> * [Need Content]<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> * [Need Content]<br /> ===== Email addresses =====<br /> * [Need Content]<br /> ===== External infrastructure profile =====<br /> * [Need Content]<br /> ===== Technologies used =====<br /> * [Need Content]<br /> ===== Purchase agreements =====<br /> * [Need Content]<br /> ===== Remote access =====<br /> * [Need Content]<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> * [Need Content]<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> * [Need Content]<br /> ===== Market analysis =====<br /> * [Need Content]<br /> ===== Trade capital =====<br /> * [Need Content]<br /> ===== Value history =====<br /> * [Need Content]<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. 
It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=720 Intelligence Gathering 2011-08-24T18:26:14Z <p>Chris gates: /* Target Selection */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. 
[http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine the various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> === Identification and Naming of Target ===<br /> === Consider any Rules of Engagement limitations ===<br /> * Rules of Engagement<br /> ** Typical Reconnaissance rules<br /> ** Defining your own rules<br /> === Consider time length for test ===<br /> === Consider end goal of the test ===<br /> === Consider what you want to accomplish from the Information Gathering phase ===<br /> === Make the plan to get it ===<br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. 
As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that look like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we only look at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping the network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. 
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> A per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, etc.) and the physical locations inferred from IP blocks/geolocation services.<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information on partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information and basic hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (usually paid subscriptions). 
Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> *How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It’s recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, i.e. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. One example: if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> * [Need Content]<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path etc.), geo-tags, etc. For an image, its metadata can contain color depth, resolution, camera make/type and even the coordinates and location where it was taken.<br /> *Why do it? Metadata is important because it can contain information about the internal network, user names, email addresses, printer locations etc., which helps to create a blueprint of the target’s internal environment. It also contains information about the software used to create the respective documents. This can enable an attacker to build a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How to do it? There are tools available to extract the metadata from files (PDF/Word/image), such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the metadata and present the results in different formats such as HTML, XML, JSON or a GUI. 
The input to these tools is usually a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA additionally searches for documents, downloads them and analyzes them, all through its GUI interface.<br /> ===== Marketing Communications =====<br /> * [Need Content]<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> * [Need Content]<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> <br /> <br /> === Individual ===<br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=719 Intelligence Gathering 2011-08-24T18:21:17Z <p>Chris gates: /* OSINT */</p> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=718 Intelligence Gathering 2011-08-24T18:20:43Z <p>Chris gates: /* Corporate */</p> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=717 Intelligence Gathering 2011-08-24T18:19:51Z <p>Chris gates: /* Professional licenses or registries */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to consider what information about themselves they place in public and how a determined attacker can use it. Likewise, many employees fail to consider what information they publish about themselves and how it can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and naming of the target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical reconnaissance rules<br /> *** Defining your own rules<br /> * Consider the time allotted for the test<br /> * Consider the end goal of the test<br /> * Consider what you want to accomplish in the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: passive, semi-passive and active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful when there is a clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult because we never send any traffic to the target organization, neither from our own hosts nor from “anonymous” hosts or services across the Internet. We can therefore only use archived or stored information, which may be out of date or incorrect because we are limited to results gathered by third parties.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that look like normal Internet traffic and behavior. We query only the published name servers for information; we do not perform in-depth reverse lookups or brute-force DNS requests, and we do not search for “unpublished” servers or directories. We do not run network-level port scans or crawlers, and we only look at metadata in published documents and files rather than actively seeking hidden content. The key is not to draw attention to our activities: after the fact the target may be able to find the reconnaissance activity in its logs, but it should not be able to attribute that activity to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we actively map the network infrastructure (think full TCP port scans, nmap -p1-65535), actively enumerate and/or vulnerability-scan the open services, and actively search for unpublished directories, files and servers. Most of this activity falls under the typical “reconnaissance” or “scanning” phase of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of the location's physical security measures (camera placements, sensors, fences, guard posts, entry control, gates, type of identification required, supplier's entrance, physical location inferred from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., identified by analysing what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information on partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information and basic hosts/network information.<br /> ===== Business Partners =====<br /> *The target's advertised business partners, often listed on its main website.<br /> ===== Business Clients =====<br /> *The target's advertised business clients, often listed on its main website.<br /> ===== Competitors =====<br /> *Who the target's competitors are. This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and presenting a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information and other business-related data (depending on the source). It can be used to build a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> *How: A simple search on the site by business name returns the company's full profile and all information available on it. It is recommended to use more than one source and cross-reference them to make sure you have the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target operates in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Are meeting minutes published?<br /> *Are meetings open to the public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By reviewing an organization's job openings (usually found in the ‘careers’ section of its website), you can determine the types of technology used within the organization. For example, if an organization is hiring a Senior Solaris Sysadmin, it is running Solaris. Other postings are less obvious from the title alone: a Junior Network Administrator opening that says ‘CCNA preferred’ or ‘JNCIA preferred’ tells you the organization runs Cisco or Juniper equipment respectively.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> *<br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata (meta-content) is data about the document in scope. It can include the author/creator name, creation and modification times, standards used or referenced, the document's location on the network (printer, folder or directory path), geo-tags, etc. An image's metadata can contain colour depth, resolution, camera make and model, and even GPS coordinates.<br /> *Why do it? Metadata matters because it leaks information about the internal network, usernames, email addresses, printer locations, etc., which helps build a blueprint of the target. It also records the software (and versions) used to create the documents. An attacker can use this to profile the target and craft targeted attacks with insider-level knowledge of its networks and users.<br /> *How to do it? Tools that extract metadata from files (PDF, Office documents, images) include FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can output their results as HTML, XML or JSON, or display them in a GUI. The input is typically a document downloaded from the client's public web presence, which is then analyzed for what it reveals; FOCA goes further and searches for, downloads and analyzes documents from within its GUI.<br /> ===== Marketing Communications =====<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is the U.S. Securities and Exchange Commission (SEC) database of registration statements, periodic reports and other filings from every company (foreign or domestic) that is required by law to file.<br /> *Why do it: Beyond financial information, EDGAR filings identify key personnel who may not be visible on the company's website or other public presence. They also include executive compensation statements, names and addresses of major common stock holders, a summary of legal proceedings against the company, economic risk factors and other potentially interesting data.<br /> *How to obtain: The filings are available on the SEC's EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=716 Intelligence Gathering 2011-08-24T18:19:32Z <p>Chris gates: /* Affiliates */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> * [Need Content]<br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=715 Intelligence Gathering 2011-08-24T18:18:56Z <p>Chris gates: /* Professional licenses or registries */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, JSON, or a GUI. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, lets you search for documents, download them, and analyze them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=714 Intelligence Gathering 2011-08-24T18:18:38Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear to be normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level portscans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (usually paid subscriptions). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and 3rd parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin; then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can contain information such as author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why would you do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about the software used to create the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How would you do it? There are tools available to extract the metadata from files (pdf/word/image), such as FOCA (GUI-based), metagoofil (python-based), meta-extractor, and exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, JSON, or a GUI. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA, by contrast, lets you search for documents, download them, and analyze them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=713 Intelligence Gathering 2011-08-24T18:17:19Z <p>Chris gates: /* Market Vertical */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> <br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> <br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> *Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> *How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> ===== Marketing Communications =====<br /> <br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> *Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=712 Intelligence Gathering 2011-08-24T18:17:00Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on main www.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on main www.<br /> ===== Competitors =====<br /> *Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> *How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> ***Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting Minutes published?<br /> *Meetings open to public?<br /> ===== Significant company dates =====<br /> *Board meetings<br /> *Holidays<br /> *Anniversaries<br /> *Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin: it is then fairly obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> <br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, and so on. For an image, the metadata can contain color depth, resolution, camera make/model and even the coordinates and location where it was taken.<br /> *Why do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used to create the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How to do it? There are tools available to extract the metadata from files (PDF, Word, image) such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based). 
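The following script is an added example, not part of the PTES page and not the code of any of the tools named above. It shows what those tools do under the hood for two common formats: it reads the docProps/core.xml and docProps/app.xml parts of an Office (OOXML) package and the Info dictionary of an unencrypted PDF, then aggregates the creator/modifier usernames, generating software, company name and any leaked Windows/UNC paths across a set of documents into the “blueprint” the page describes. The three sample documents, and every username, server and company name in them, are constructed and fictional so the script runs offline; the SAMPLE_DOCS dictionary stands in for files you would have downloaded from the target’s public web presence.

```python
"""Added example: extract author/software/path metadata from OOXML and PDF
documents and aggregate it across a document set. Sample data is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml and docProps/app.xml in .docx/.xlsx/.pptx
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Windows drive and UNC paths that leak through Template, hyperlink or printer fields
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\s\"'<>]+")
# Literal-string entries of an unencrypted PDF Info dictionary
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(([^)]*)\)")


def ooxml_metadata(data: bytes) -> dict:
    """Return lower-cased core/app properties of an OOXML package (zip)."""
    wanted_core = {"creator": "dc:creator", "lastmodifiedby": "cp:lastModifiedBy",
                   "created": "dcterms:created"}
    wanted_app = ("Application", "AppVersion", "Company", "Template")
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in wanted_core.items():
                el = core.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key in wanted_app:
                el = app.find("ep:" + key, NS)
                if el is not None and el.text:
                    out[key.lower()] = el.text
    return out


def pdf_metadata(data: bytes) -> dict:
    """Return Info-dictionary strings of a PDF (here Creator/Producer name software)."""
    return {k.decode().lower(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def extract(data: bytes) -> dict:
    """Dispatch on magic bytes: OOXML packages are zips ('PK'), PDFs start with %PDF."""
    if data.startswith(b"PK"):
        return ooxml_metadata(data)
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    return {}


def blueprint(docs: dict) -> dict:
    """Aggregate usernames, software, companies and internal paths across documents."""
    agg = {"users": set(), "software": set(), "companies": set(), "paths": set()}
    for data in docs.values():
        meta = extract(data)
        is_pdf = data.startswith(b"%PDF")
        for key, value in meta.items():
            if (key in ("creator", "lastmodifiedby") and not is_pdf) or key == "author":
                agg["users"].add(value)
            elif key in ("application", "producer") or (key == "creator" and is_pdf):
                agg["software"].add(value)
            elif key == "company":
                agg["companies"].add(value)
            agg["paths"].update(PATH_RE.findall(value))  # any field may carry a path
    return {k: sorted(v) for k, v in agg.items()}


def _sample_docx(creator: str, modifier: str, template: str) -> bytes:
    """Build a minimal OOXML package carrying only the docProps parts (constructed)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>'
            f'<dcterms:created>2011-08-01T09:00:00Z</dcterms:created></cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           f'<AppVersion>12.0000</AppVersion><Company>Example Corp</Company>'
           f'<Template>{template}</Template></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Constructed sample corpus: two Office documents and one PDF, all names fictional.
SAMPLE_DOCS = {
    "press_release.docx": _sample_docx("jsmith", "EXAMPLE\\a.jones", r"\\FS01\Templates\Corp.dotm"),
    "pricing.docx": _sample_docx("mbrown", "mbrown", "Normal.dotm"),
    "annual_report.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Author (lwhite) /Creator (Microsoft Word)"
                          b" /Producer (Acrobat Distiller 9.0) /Title (Annual report) >>\n"
                          b"endobj\n%%EOF\n"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_DOCS.items():
        print(name, extract(data))
    print(blueprint(SAMPLE_DOCS))
```

The aggregation step is the part that turns a pile of documents into intelligence: a domain-qualified modifier such as EXAMPLE\a.jones gives away the internal domain name and username format, the Template path names a file server, and the Application/AppVersion strings date the Office deployment. Real corpora also carry this information in hyperlinks, custom properties and embedded images, which the tools named above cover and this example does not.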
These tools can extract and display the results in different formats such as HTML, XML, JSON or a GUI. The input to these tools is usually a document downloaded from the ‘client’’s public presence, which is then analyzed to learn more about it. FOCA, by contrast, searches for documents, downloads them and analyzes them, all through its GUI.<br /> ===== Marketing Communications =====<br /> <br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible on the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
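As an added example of pulling EDGAR data programmatically (not from the PTES page, which only points at the website), the script below lists a company’s periodic reports and builds the archive URL of each primary document. It uses the layout of the SEC’s submissions JSON feed (https://data.sec.gov/submissions/CIK##########.json, an endpoint that post-dates the page and is not mentioned on it); the CIK, accession numbers, ticker and file names in SAMPLE are constructed and fictional so that the parsing runs offline, and fetch_submissions() is only called when you point it at a real CIK.

```python
"""Added example: select 10-K/10-Q filings from an EDGAR submissions record
and build their archive URLs. SAMPLE is a constructed, fictional response."""
import json
import urllib.request

SUBMISSIONS_URL = "https://data.sec.gov/submissions/CIK{cik:010d}.json"
ARCHIVE_URL = "https://www.sec.gov/Archives/edgar/data/{cik}/{acc}/{doc}"

# Constructed sample in the shape of the live feed (column-oriented 'recent' block).
SAMPLE = json.dumps({
    "cik": "1234567",
    "name": "EXAMPLE CORP",
    "tickers": ["EXMP"],
    "filings": {"recent": {
        "accessionNumber": ["0001234567-23-000045", "0001234567-23-000031",
                            "0001234567-23-000012"],
        "filingDate": ["2023-11-02", "2023-08-03", "2023-02-24"],
        "form": ["10-Q", "8-K", "10-K"],
        "primaryDocument": ["exmp-20230930.htm", "exmp-8k.htm", "exmp-20221231.htm"],
        "primaryDocDescription": ["10-Q", "8-K", "10-K"],
    }},
})


def sample_submissions() -> dict:
    """Parse the constructed sample; stands in for a fetch_submissions() result."""
    return json.loads(SAMPLE)


def fetch_submissions(cik: int, user_agent: str) -> dict:
    """Live fetch. The SEC rejects requests that lack a descriptive User-Agent."""
    req = urllib.request.Request(SUBMISSIONS_URL.format(cik=cik),
                                 headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def filings_of_interest(subs: dict, forms=("10-K", "10-Q")) -> list:
    """Flatten the parallel arrays of 'recent' and keep only the periodic reports.

    Archive paths use the CIK without leading zeros and the accession number
    with its dashes removed."""
    cik = int(subs["cik"])
    recent = subs["filings"]["recent"]
    rows = zip(recent["form"], recent["filingDate"],
               recent["accessionNumber"], recent["primaryDocument"])
    out = []
    for form, date, acc, doc in rows:
        if form not in forms:
            continue
        out.append({
            "form": form,
            "date": date,
            "accession": acc,
            "url": ARCHIVE_URL.format(cik=cik, acc=acc.replace("-", ""), doc=doc),
        })
    return out


if __name__ == "__main__":
    for filing in filings_of_interest(sample_submissions()):
        print(filing["date"], filing["form"], filing["url"])
```

The 10-K’s “Item 10” (directors and executive officers), “Item 3” (legal proceedings) and “Item 1A” (risk factors) sections, plus the exhibit list, are where the personnel and third-party names the page mentions tend to appear; the 10-Q updates the same material quarterly.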
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=711 Intelligence Gathering 2011-08-24T18:15:11Z <p>Chris gates: /* Business Partners */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, neither from one of our own hosts nor from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear to be normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=710 Intelligence Gathering 2011-08-24T18:13:34Z <p>Chris gates: /* Org Chart */</p> <hr /> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=709 Intelligence Gathering 2011-08-24T18:12:58Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, neither from one of our own hosts nor from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear to be normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level port scans or crawlers, and we only look at metadata in published documents and files; we are not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they shouldn’t be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership, and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations inferred from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, rental companies, etc., identified by analyzing what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic 
hosts/network information.<br /> ===== Business Partners =====<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> ***How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> ===== Job openings =====<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. 
One example: if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> ==== Org Chart ====<br /> ===== Position identification =====<br /> *Important people in the organization<br /> *Individuals to specifically target<br /> ===== Transactions =====<br /> *[Need Content]<br /> ===== Affiliates =====<br /> <br /> <br /> ==== Electronic ====<br /> ===== Document Metadata =====<br /> *What is it? Metadata or meta-content provides information about the data/document in scope. It can include information such as author/creator name, time and date, standards used/referenced, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color depth, resolution, camera make/type and even the coordinates and location information.<br /> *Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> *How would you do it? There are tools available to extract the metadata from a file (pdf/word/image), such as FOCA (GUI-based), metagoofil (python-based), meta-extractor and exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to learn more about it. FOCA, by contrast, lets you search for documents, download them and analyze them all through its GUI interface.<br /> ===== Marketing Communications =====<br /> <br /> <br /> ==== Infrastructure Assets ==== <br /> [!!This section needs to be added to mindmap!!]<br /> ===== Network blocks owned =====<br /> ===== Email addresses =====<br /> ===== External infrastructure profile =====<br /> ===== Technologies used =====<br /> ===== Purchase agreements =====<br /> ===== Remote access =====<br /> ===== Application usage =====<br /> ===== Defense technologies =====<br /> ===== Human capability =====<br /> <br /> <br /> ==== Financial ====<br /> ===== Reporting =====<br /> ===== Market analysis =====<br /> ===== Trade capital =====<br /> ===== Value history =====<br /> ===== EDGAR (SEC) =====<br /> *What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> *Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> *How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=708 Intelligence Gathering 2011-08-24T18:09:28Z <p>Chris gates: /* Financial */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, analysis via what’s openly shared on corporate web pages, rental companies, etc.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic 
hosts/network information.<br /> ===== Business Partners =====<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> ***How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> ===== Job openings =====<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. 
One example: if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> ==== Org Chart ====<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> ==== Electronic ====<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content provides information about the data/document in scope. It can include information such as author/creator name, time and date, standards used/referenced, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color depth, resolution, camera make/type and even the coordinates and location information.<br /> ***Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> ***How would you do it? There are tools available to extract the metadata from a file (pdf/word/image), such as FOCA (GUI-based), metagoofil (python-based), meta-extractor and exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to learn more about it. FOCA, by contrast, lets you search for documents, download them and analyze them all through its GUI interface.<br /> **Marketing Communications<br /> <br /> <br /> ==== Infrastructure Assets ====<br /> [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> ==== Financial ====<br /> *Reporting<br /> *Market analysis<br /> *Trade capital<br /> *Value history<br /> *EDGAR (SEC)<br /> **What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> **Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> **How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=707 Intelligence Gathering 2011-08-24T18:09:04Z <p>Chris gates: /* Financial = */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customers, suppliers, analysis via what’s openly shared on corporate web pages, rental companies, etc.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> ==== Logical ==== <br /> Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic 
hosts/network information.<br /> ===== Business Partners =====<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> ***How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> ===== Job openings =====<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. 
One example: if an organization has a job opening for a Senior Solaris Sysadmin, then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> ==== Org Chart ====<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> ==== Electronic ====<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content provides information about the data/document in scope. It can include information such as author/creator name, time and date, standards used/referenced, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, its metadata can contain color depth, resolution, camera make/type and even the coordinates and location information.<br /> ***Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> ***How would you do it? There are tools available to extract the metadata from a file (pdf/word/image), such as FOCA (GUI-based), metagoofil (python-based), meta-extractor and exiftool (perl-based). 
These tools are capable of extracting and displaying the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to learn more about it. FOCA, by contrast, lets you search for documents, download them and analyze them all through its GUI interface.<br /> **Marketing Communications<br /> <br /> <br /> ==== Infrastructure Assets ====<br /> [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> ==== Financial ====<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> ***Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=706 Intelligence Gathering 2011-08-24T18:08:23Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We don’t run network-level port scans or crawlers, and we look only at metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. After the fact, the target may be able to go back and discover the reconnaissance activity, but they shouldn’t be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target and flagged as suspicious or malicious behavior. During this stage we actively map the network infrastructure (think full port scans, e.g. nmap -p1-65535), actively enumerate and/or vulnerability-scan the open services, and actively search for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations =====<br /> Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.).<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships =====<br /> Business partners, customers, suppliers, rental companies, etc., analyzed via what is openly shared on corporate web pages.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment<br /> <br /> <br /> ==== Logical ====<br /> Accumulated information for partners, clients and competitors. For each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic 
hosts/network information.<br /> ===== Business Partners =====<br /> *Target’s advertised business partners. Sometimes advertised on the main www site.<br /> ===== Business Clients =====<br /> *Target’s advertised business clients. Sometimes advertised on the main www site.<br /> ===== Competitors =====<br /> *Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> ===== Touchgraph =====<br /> ===== Hoovers profile =====<br /> *What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> *Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties which can be used in the test.<br /> *How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid-for service).<br /> ===== Product line =====<br /> ===== Market Vertical =====<br /> *Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> ===== Marketing accounts =====<br /> ===== Meetings =====<br /> *Meeting minutes published?<br /> *Meetings open to the public?<br /> *Significant company dates<br /> **Board meetings<br /> **Holidays<br /> **Anniversaries<br /> **Product/service launch<br /> ===== Job openings =====<br /> *By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. 
One example: if an organization has a job opening for a Senior Solaris Sysadmin, it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper technologies respectively.<br /> ===== Charity affiliations =====<br /> ===== Court records =====<br /> ===== Political donations =====<br /> ===== Professional licenses or registries =====<br /> <br /> <br /> ==== Org Chart ====<br /> *Position identification<br /> **Important people in the organization<br /> **Individuals to specifically target<br /> *Transactions<br /> **[Need Content]<br /> *Affiliates<br /> <br /> <br /> ==== Electronic ====<br /> *Document Metadata<br /> **What is it? Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer, folder, directory path, etc.), geo-tags and so on. For an image, the metadata can contain color depth, resolution, camera make/model and even coordinates and location information.<br /> **Why do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations etc., and helps to create a blueprint of the environment. It also contains information about the software used to create the documents. This enables an attacker to build a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> **How to do it: There are tools available to extract metadata from files (PDF, Word, images) such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). 
These tools can extract the results and display them in different formats such as HTML, XML and JSON, or in a GUI. The input to these tools is mostly documents downloaded from the public presence of the client, which are then analyzed to learn more about it. FOCA additionally searches for, downloads and analyzes the documents all through its GUI.<br /> *Marketing Communications<br /> <br /> <br /> ==== Infrastructure Assets ====<br /> [!!This section needs to be added to mindmap!!]<br /> *Network blocks owned<br /> *Email addresses<br /> *External infrastructure profile<br /> *Technologies used<br /> *Purchase agreements<br /> *Remote access<br /> *Application usage<br /> *Defense technologies<br /> *Human capability<br /> <br /> <br /> ==== Financial ====<br /> *Reporting<br /> *Market analysis<br /> *Trade capital<br /> *Value history<br /> *EDGAR (SEC)<br /> **What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> **Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be apparent from the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> **How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=705 Intelligence Gathering 2011-08-24T18:04:42Z <p>Chris gates: /* Physical */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== <br /> Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network 
information.<br /> **Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on main www.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on main www.<br /> **Competitors<br /> ***Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> ***How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting Minutes published?<br /> ***Meetings open to public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> ***Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> ***How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. 
The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> ***Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=704 Intelligence Gathering 2011-08-24T18:04:26Z <p>Chris gates: /* Pervasiveness */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms; Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. 
We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== Per location listing of full address, ownership, associated records (city, tax, legal, etc), Full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc…<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== <br /> Business partners, customs, suppliers, analysis via whats openly shared on corporate web pages, rental companies, etc<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network 
information.<br /> **Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on main www.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on main www.<br /> **Competitors<br /> ***Who are the target’s competitors. This may be simple, Ford vs Chevy, or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business related information on companies, and providing a “normalized” view on the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business related data (depending on the source). This can be used to create a more accurate profile of the target, and identify additional personnel and 3rd parties which can be used in the test.<br /> ***How: Simple search on the site with the business name provide the entire profile of the company and all the information that is available on it. Its recommended to use a couple of sources in order to cross reference them and make sure you get the most up-to-date information. (paid for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in. i.e. financial, defense, agriculture, government, etc<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting Minutes published?<br /> ***Meetings open to public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine types of technologies used within the organization. 
One example would be if an organization has a job opening for a Senior Solaris Sysadmin then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious by the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’ which tells you that they are either using Cisco or Juniper technologies.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What it is? Metadata or meta-content provides information about the data/document in scope. It can have information such as author/creator name, time and date, standards used/referred, location in a computer network (printer/folder/directory path/etc. info), geo-tag etc. For an image its’ metadata can contain color, depth, resolution, camera make/type and even the co-ordinates and location information.<br /> ***Why you would do it? Metadata is important because it contains information about the internal network, user-names, email addresses, printer locations etc. and will help to create a blueprint of the location. It also contains information about software used in creating the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge on the networks and users.<br /> ***How you would do it? There are tools available to extract the metadata from the file (pdf/word/image) like FOCA (GUI-based), metagoofil (python-based), meta-extractor, exiftool (perl-based). These tools are capable of extracting and displaying the results in different formats as HTML, XML, GUI, JSON etc. 
The input to these tools is mostly a document downloaded from the public presence of the ‘client’ and then analyzed to know more about it. Whereas FOCA helps you search documents, download and analyzes all through its GUI interface.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Security and Exchanges Commission (SEC) that contains registration statements, periodic reports, and other information of all companies (both foreign and domestic) who are required by law to file.<br /> ***Why do it: EDGAR data is important because, in additional to financial information, it identifies key personnel within a company that may not be otherwise notable from a company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=703 Intelligence Gathering 2011-08-24T18:04:04Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: passive, semi-passive, and active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform because we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that look like normal Internet traffic and behavior. We query only the published name servers for information; we do not perform in-depth reverse lookups or brute-force DNS requests, and we do not search for “unpublished” servers or directories. 
We do not run network-level port scans or crawlers, and we only look at metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they should not be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we actively map the network infrastructure (think full port scans, nmap -p1-65535), actively enumerate and/or vulnerability-scan the open services, and actively search for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.) and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.)<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== Business partners, customers, suppliers; analysis via what is openly shared on corporate web pages, rental companies, etc.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> 
**Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> **Competitors<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> ***How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid-for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of its website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is fairly obvious that the organization is running Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper technologies respectively.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content is information about the data/document in scope. It can include the author/creator name, time and date, standards used or referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, the metadata can contain color depth, resolution, camera make/model and even the coordinates of where it was taken.<br /> ***Why would you do it? Metadata is important because it can contain information about the internal network, usernames, email addresses, printer locations, etc., which helps build a blueprint of the environment. It also records the software (and often the version) used to create the document. This lets an attacker build a profile and/or perform targeted attacks with insider-level knowledge of the networks and users.<br /> ***How would you do it? Tools that extract metadata from files (PDF, Word, images) include FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the results and present them in different formats such as HTML, XML, a GUI or JSON. The input to these tools is usually a document downloaded from the client’s public web presence, which is then analyzed to learn more about the organization. 
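What those tools actually pull out of a file, as an added example (this is not code from PTES, FOCA, metagoofil, meta-extractor or exiftool): a minimal Python extractor that reads the OOXML property parts of a DOCX and the plain-text Info dictionary of a PDF, then folds the results into the user/organization/software/share blueprint the item describes. The two sample documents, and every user name, company and path inside them, are constructed here; real PDFs usually keep the Info dictionary inside compressed object streams or in an XMP packet, which this regex-only reader deliberately does not handle, so treat it as an illustration of where the leakage lives rather than a replacement for exiftool or FOCA.

```python
"""Extract author, organization, software and path metadata from DOCX and PDF files.

Constructed example for the PTES "Document Metadata" item; it is not FOCA,
metagoofil, meta-extractor or exiftool, just a stand-alone reimplementation of
the kind of extraction they do, run against two sample documents built inline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml and docProps/app.xml inside a DOCX.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Entries of the PDF Info dictionary worth harvesting, written as literal strings "(...)".
_PDF_INFO = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(((?:\\.|[^\\)])*)\)")

# Windows drive or UNC paths (\\server\share) that leak internal infrastructure.
PATH_RE = re.compile(r"\\\\[^\\\s]+(?:\\[^\\\s]+)?|[A-Za-z]:\\[^\s]*")


def docx_metadata(data: bytes) -> dict:
    """Return author, last editor, company and application recorded in a DOCX."""
    wanted = {
        "docProps/core.xml": (("author", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy")),
        "docProps/app.xml": (("company", "ep:Company"), ("application", "ep:Application")),
    }
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, fields in wanted.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for key, xpath in fields:
                el = root.find(xpath, NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
    return found


def pdf_metadata(data: bytes) -> dict:
    """Return Info-dictionary entries stored as plain literal strings.

    Only uncompressed, parenthesised values are handled: hex strings, octal
    escapes, XMP packets and Info dictionaries inside compressed object streams
    need a real PDF parser (or exiftool). Simple backslash escapes are undone.
    """
    found = {}
    for m in _PDF_INFO.finditer(data):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(2))  # "\\" -> "\", "\(" -> "("
        found[m.group(1).decode("ascii").lower()] = raw.decode("latin-1")
    return found


def profile(files: dict) -> dict:
    """Aggregate per-file metadata into the blueprint PTES talks about:
    user names, organizations, software in use and internal paths/shares."""
    users, orgs, software, shares = set(), set(), set(), set()
    for name, data in files.items():
        meta = docx_metadata(data) if name.lower().endswith(".docx") else pdf_metadata(data)
        users.update(v for k, v in meta.items() if k in ("author", "last_modified_by"))
        software.update(v for k, v in meta.items() if k in ("application", "creator", "producer"))
        if "company" in meta:
            orgs.add(meta["company"])
        for value in meta.values():
            shares.update(PATH_RE.findall(value))
    return {"users": sorted(users), "orgs": sorted(orgs),
            "software": sorted(software), "shares": sorted(shares)}


def build_sample_docx() -> bytes:
    """Constructed sample: the two property parts of a DOCX (all names invented)."""
    core = (
        "<?xml version='1.0' encoding='UTF-8'?>"
        f"<cp:coreProperties xmlns:cp='{NS['cp']}' xmlns:dc='{NS['dc']}'>"
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>ACME\\asmith</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        "<?xml version='1.0' encoding='UTF-8'?>"
        f"<Properties xmlns='{NS['ep']}'><Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion><Company>ACME Corp</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def build_sample_pdf() -> bytes:
    """Constructed sample: an uncompressed Info dictionary like a Word-exported PDF carries.
    The Title keeps the original file location, here a UNC path (backslashes doubled in PDF)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Author (Bob Jones) /Creator (Microsoft Word 2010)"
            b" /Producer (Microsoft Word 2010)"
            b" /Title (\\\\\\\\fs01\\\\finance\\\\Q3 budget.docx) >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    samples = {"report.docx": build_sample_docx(), "budget.pdf": build_sample_pdf()}
    for key, values in profile(samples).items():
        print(f"{key:9}: {values}")
```

Point `profile()` at the contents of a directory of documents fetched from the target's public site and the `users`, `software` and `shares` lists are exactly the internal detail the item warns about: a domain-style login name, the Office build in use, and a file server name that never appears on any web page.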
FOCA goes further: it searches for documents, downloads them and analyzes them, all from its GUI.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> ***Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible on the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=702 Intelligence Gathering 2011-08-24T18:03:33Z <p>Chris gates: /* Physical */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: passive, semi-passive, and active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform because we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that look like normal Internet traffic and behavior. We query only the published name servers for information; we do not perform in-depth reverse lookups or brute-force DNS requests, and we do not search for “unpublished” servers or directories. 
We do not run network-level port scans or crawlers, and we only look at metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they should not be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we actively map the network infrastructure (think full port scans, nmap -p1-65535), actively enumerate and/or vulnerability-scan the open services, and actively search for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> ===== Locations ===== -- Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.) and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.)<br /> *Owner<br /> *Land/tax records<br /> *Shared/individual<br /> *Timezones<br /> *Hosts / NOC<br /> ===== Pervasiveness =====<br /> *[Need Content]<br /> ===== Relationships ===== -- Business partners, customers, suppliers; analysis via what is openly shared on corporate web pages, rental companies, etc.<br /> *Relationships<br /> *Shared office space<br /> *Shared infrastructure<br /> *Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br 
/> **Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> **Competitors<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> ***How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid-for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of its website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is fairly obvious that the organization is running Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper technologies respectively.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content is information about the data/document in scope. It can include the author/creator name, time and date, standards used or referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, the metadata can contain color depth, resolution, camera make/model and even the coordinates of where it was taken.<br /> ***Why would you do it? Metadata is important because it can contain information about the internal network, usernames, email addresses, printer locations, etc., which helps build a blueprint of the environment. It also records the software (and often the version) used to create the document. This lets an attacker build a profile and/or perform targeted attacks with insider-level knowledge of the networks and users.<br /> ***How would you do it? Tools that extract metadata from files (PDF, Word, images) include FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the results and present them in different formats such as HTML, XML, a GUI or JSON. The input to these tools is usually a document downloaded from the client’s public web presence, which is then analyzed to learn more about the organization. 
FOCA goes further: it searches for documents, downloads them and analyzes them, all from its GUI.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> ***Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible on the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=701 Intelligence Gathering 2011-08-24T18:02:06Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: passive, semi-passive, and active.<br /> <br /> *'''Passive Information Gathering''': Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform because we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, since we are limited to results gathered by a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that look like normal Internet traffic and behavior. We query only the published name servers for information; we do not perform in-depth reverse lookups or brute-force DNS requests, and we do not search for “unpublished” servers or directories. 
We do not run network-level port scans or crawlers, and we only look at metadata in published documents and files rather than actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activity, but they should not be able to attribute it to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we actively map the network infrastructure (think full port scans, nmap -p1-65535), actively enumerate and/or vulnerability-scan the open services, and actively search for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> ==== Physical ====<br /> *Locations -- Per-location listing of the full address, ownership, associated records (city, tax, legal, etc.) and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations derived from IP blocks/geolocation services, etc.)<br /> ***Owner<br /> ***Land/tax records<br /> ***Shared/individual<br /> ***Timezones<br /> ***Hosts / NOC<br /> **Pervasiveness<br /> ***[Need Content]<br /> **Relationships -- Business partners, customers, suppliers; analysis via what is openly shared on corporate web pages, rental companies, etc.<br /> ***Relationships<br /> ***Shared office space<br /> ***Shared infrastructure<br /> ***Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> 
**Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on the main www site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main www site.<br /> **Competitors<br /> ***Who are the target’s competitors? This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> ***How: A simple search on the site for the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources and cross-reference them to make sure you get the most up-to-date information (paid-for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting minutes published?<br /> ***Meetings open to the public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of its website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is fairly obvious that the organization is running Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using Cisco or Juniper technologies respectively.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content is information about the data/document in scope. It can include the author/creator name, time and date, standards used or referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, the metadata can contain color depth, resolution, camera make/model and even the coordinates of where it was taken.<br /> ***Why would you do it? Metadata is important because it can contain information about the internal network, usernames, email addresses, printer locations, etc., which helps build a blueprint of the environment. It also records the software (and often the version) used to create the document. This lets an attacker build a profile and/or perform targeted attacks with insider-level knowledge of the networks and users.<br /> ***How would you do it? Tools that extract metadata from files (PDF, Word, images) include FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the results and present them in different formats such as HTML, XML, a GUI or JSON. The input to these tools is usually a document downloaded from the client’s public web presence, which is then analyzed to learn more about the organization. 
FOCA goes further: it searches for documents, downloads them and analyzes them, all from its GUI.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> ***Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible on the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=700 Intelligence Gathering 2011-08-24T18:00:03Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> *Physical<br /> **Locations -- Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.)<br /> ***Owner<br /> ***Land/tax records<br /> ***Shared/individual<br /> ***Timezones<br /> ***Hosts / NOC<br /> **Pervasiveness<br /> ***[Need Content]<br /> **Relationships -- Business partners, customers, suppliers, rental companies, etc.; analysis via what is openly shared on corporate web pages<br /> ***Relationships<br /> ***Shared office space<br /> ***Shared infrastructure<br /> ***Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> **Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on the main web site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main web site.<br /> **Competitors<br /> ***Who the target’s competitors are. This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> ***How: A simple search on the site with the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting Minutes published?<br /> ***Meetings open to public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> **Document Metadata<br /> ***What is it? Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used or referred to, location in a computer network (printer, folder or directory path, etc.), geo-tags, etc. For an image, the metadata can contain color depth, resolution, camera make/type and even coordinates and location information.<br /> ***Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc., and will help to create a blueprint of the location. It also contains information about the software used to create the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.<br /> ***How would you do it? There are tools available to extract the metadata from a file (PDF/Word/image), such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the metadata and display the results in different formats such as HTML, XML, JSON or a GUI. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. 
By contrast, FOCA lets you search for documents, download them and analyze them, all through its GUI.<br /> **Marketing Communications<br /> <br /> <br /> *Infrastructure Assets [!!This section needs to be added to mindmap!!]<br /> **Network blocks owned<br /> **Email addresses<br /> **External infrastructure profile<br /> **Technologies used<br /> **Purchase agreements<br /> **Remote access<br /> **Application usage<br /> **Defense technologies<br /> **Human capability<br /> <br /> <br /> *Financial<br /> **Reporting<br /> **Market analysis<br /> **Trade capital<br /> **Value history<br /> **EDGAR (SEC)<br /> ***What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.<br /> ***Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.<br /> ***How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). 
Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=699 Intelligence Gathering 2011-08-24T17:50:36Z <p>Chris gates: /* Corporate */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. 
Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. 
We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> *Physical<br /> **Locations -- Per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.)<br /> ***Owner<br /> ***Land/tax records<br /> ***Shared/individual<br /> ***Timezones<br /> ***Hosts / NOC<br /> **Pervasiveness<br /> ***[Need Content]<br /> **Relationships -- Business partners, customers, suppliers, rental companies, etc.; analysis via what is openly shared on corporate web pages<br /> ***Relationships<br /> ***Shared office space<br /> ***Shared infrastructure<br /> ***Rented / Leased Equipment <br /> <br /> <br /> *Logical -- Accumulated information for partners, clients and competitors: for each one, a full listing of the business name, business address, type of relationship, basic financial information, and basic hosts/network information.<br /> **Business Partners<br /> ***Target’s advertised business partners. Sometimes advertised on the main web site.<br /> **Business Clients<br /> ***Target’s advertised business clients. Sometimes advertised on the main web site.<br /> **Competitors<br /> ***Who the target’s competitors are. This may be simple (Ford vs. Chevy) or may require much more analysis.<br /> **Touchgraph<br /> **Hoovers profile<br /> ***What: a semi-open-source intelligence resource (usually a paid subscription). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.<br /> ***Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target and to identify additional personnel and third parties that can be used in the test.<br /> ***How: A simple search on the site with the business name provides the entire profile of the company and all the information available on it. It is recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).<br /> **Product line<br /> **Market Vertical<br /> ***Which industry the target resides in, e.g. financial, defense, agriculture, government, etc.<br /> **Marketing accounts<br /> **Meetings<br /> ***Meeting Minutes published?<br /> ***Meetings open to public?<br /> **Significant company dates<br /> ***Board meetings<br /> ***Holidays<br /> ***Anniversaries<br /> ***Product/service launch<br /> **Job openings<br /> ***By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. For example, if an organization has a job opening for a Senior Solaris Sysadmin, it is pretty obvious that the organization is using Solaris systems. 
Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.<br /> **Charity affiliations<br /> **Court records<br /> **Political donations<br /> **Professional licenses or registries<br /> <br /> <br /> *Org Chart<br /> **Position identification<br /> ***Important people in the organization<br /> ***Individuals to specifically target<br /> **Transactions<br /> ***[Need Content]<br /> **Affiliates<br /> <br /> <br /> *Electronic<br /> <br /> <br /> *Financial<br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=698 Intelligence Gathering 2011-08-24T17:33:28Z <p>Chris gates: </p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. 
This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. 
Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> === Corporate ===<br /> *Physical<br /> **Locations<br /> ***Owner<br /> ***Land/tax records<br /> ***Shared/individual<br /> ***Timezones<br /> ***Hosts / NOC<br /> **Pervasiveness<br /> ***[Need Content]<br /> **Relationships<br /> ***Relationships<br /> ***Shared office space<br /> ***Shared infrastructure<br /> ***Rented / Leased Equipment <br /> <br /> '''Location Expected deliverable:''' per-location listing of the full address, ownership and associated records (city, tax, legal, etc.), plus a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.)<br /> <br /> '''Relationships Expected deliverable:''' Business partners, customers, suppliers, rental companies, etc.; analysis via what is openly shared on corporate web pages<br /> <br /> *Logical<br /> <br /> <br /> === Individual ===<br /> <br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=697 Intelligence Gathering 2011-08-24T17:21:28Z <p>Chris gates: </p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). 
The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. 
<br /> <br /> === What is it not ===<br /> * [Needs Content]<br /> <br /> <br /> == Target Selection ==<br /> * Identification and Naming of Target<br /> * Consider any Rules of Engagement limitations<br /> ** Rules of Engagement<br /> *** Typical Reconnaissance rules<br /> *** Defining your own rules<br /> * Consider time length for test<br /> * Consider end goal of the test<br /> * Consider what you want to accomplish from the Information Gathering phase<br /> * Make the plan to get it<br /> <br /> <br /> == OSINT ==<br /> Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active.<br /> <br /> *'''Passive Information Gathering''': Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.<br /> <br /> <br /> *'''Semi-passive Information Gathering''': The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. 
Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.<br /> <br /> <br /> *'''Active Information Gathering''': Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.<br /> <br /> <br /> == Covert Gathering ==<br /> <br /> <br /> == HUMINT ==<br /> <br /> <br /> == Footprinting ==<br /> <br /> <br /> == Identify Protection Mechanisms ==</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=696 Intelligence Gathering 2011-08-24T17:07:28Z <p>Chris gates: /* What is it? */</p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=695 Intelligence Gathering 2011-08-24T17:07:09Z <p>Chris gates: </p> <hr /> <div>== General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.<br /> <br /> <br /> == Intelligence Gathering ==<br /> <br /> <br /> === What is it? ===<br /> * Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> *Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> <br /> === Why do it ===<br /> * We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> <br /> === What is it not ===<br /> * [Needs Content]</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=694 Intelligence Gathering 2011-08-24T17:00:51Z <p>Chris gates: </p> <hr /> <div><br /> == General ==<br /> <br /> This section defines the Intelligence Gathering activities of a penetration test.<br /> <br /> <br /> === Intelligence Gathering ===<br /> <br /> <br /> What is it?<br /> Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. 
[http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> Why do it<br /> We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> What is it not? (more important.)<br /> Purpose of this document<br /> Provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.</div> Chris gates http://www.pentest-standard.org/index.php?title=Intelligence_Gathering&diff=693 Intelligence Gathering 2011-08-24T16:59:57Z <p>Chris gates: Created page with &quot;General This section defines the Intelligence Gathering activities of a penetration test. Intelligence Gathering What is it? Intelligence Gathering is performing re...&quot;</p> <hr /> <div>General<br /> This section defines the Intelligence Gathering activities of a penetration test.<br /> <br /> Intelligence Gathering<br /> <br /> What is it?<br /> Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. 
The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.<br /> Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [http://en.wikipedia.org/wiki/Open_source_intelligence]<br /> Why do it<br /> We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that many employees fail to take into account what information they place about themselves in public and how that information can be used to to attack them or their employer. <br /> What is it not? (more important.)<br /> Purpose of this document<br /> Provide a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance, and when used properly, helps the reader to produce a highly strategic plan for attacking a target.</div> Chris gates http://www.pentest-standard.org/index.php?title=FAQ&diff=692 FAQ 2011-08-24T16:55:27Z <p>Chris gates: /* Q: Who is involved with this standard? */</p> <hr /> <div>== Penetration Testing Execution Standard - the FAQ ==<br /> <br /> <br /> ==== '''Q''': What is this &quot;Penetration Testing Execution Standard&quot;? ====<br /> '''A''': It is a new standard designed to provide both businesses and security<br /> service providers with a common language and scope for performing<br /> penetration testing (i.e. 
security evaluations).

==== '''Q''': Who is involved with this standard? ====
'''A''': We are a group of information security practitioners from all areas of the industry (i.e. financial institutions, service providers, security vendors). The group currently consists of:
*[http://twitter.com/indi303 Chris Nickerson], CEO - [http://www.lares.com Lares Consulting].
*[http://twitter.com/dave_rel1k Dave Kennedy], Director of Information Security - [http://www.secmaniac.com/ blog] Diebold.
*[http://twitter.com/chrisjohnriley Chris John Riley], IT Security Analyst - [http://blog.c22.cc blog] Raiffeisen Informatik GmbH.
*[http://twitter.com/infosecmafia Eric Smith], Partner - [http://www.lares.com Lares Consulting].
*[[User:iamit|Iftach Ian Amit]], VP Consulting - [http://www.iamit.org/blog blog] [http://www.security-art.com Security Art].
*[http://www.pentest-standard.org/index.php?title=User:drew Andrew Rabie], Wizard - [http://www.avon.com/ Avon Products Inc].
*[http://twitter.com/stfn42 Stefan Friedli], Senior Security Consultant - [http://www.scip.ch scip AG].
*[[User:Meeas|Justin Searle]], Senior Security Analyst - [http://www.inguardians.com InGuardians].
*[http://twitter.com/kaospunk Brandon Knight], Senior Security Engineer - Amazon.
*[http://twitter.com/carnal0wnage Chris Gates], Senior Security Consultant - [http://carnal0wnage.attackresearch.com/ blog] [http://www.lares.com Lares Consulting].
*[http://twitter.com/j0emccray Joe McCray], CEO - Strategic Security.
*[http://twitter.com/Carlos_Perez Carlos Perez], Lead Vulnerability Research Engineer - Tenable Security.
*[http://twitter.com/strandjs John Strand], Owner - Black Hills Information Security.
*[http://twitter.com/steve_tornio Steve Tornio], Senior Consultant - Sunera LLC.
*[http://twitter.com/c7five Nick Percoco], Senior Vice President - SpiderLabs at Trustwave.
*[http://twitter.com/daveshackleford Dave Shackleford], Security Consultant, SANS Instructor.
*[http://twitter.com/attackresearch Val Smith] - Attack Research.
*[http://twitter.com/digininja Robin Wood], Senior Security Engineer - [http://www.digininja.org/ blog] [http://www.randomstorm.com RandomStorm].
*[http://twitter.com/wimremes Wim Remes], Security Consultant - EY Belgium.
*[http://twitter.com/isdpodcast Rick Hayes], Sr. Principal Consultant - Dell SecureWorks.

==== '''Q''': So is this a closed group or can I join in? ====
'''A''': We started this with about 6 people; the first in-person meeting had almost 20. We would love more insight and down-to-earth opinions, so if you can contribute please feel free to email us.

==== '''Q''': Is this going to be a formal standard? ====
'''A''': We are aiming to create an actual standard so that businesses can have a baseline of what is needed when they get a pentest, as well as an understanding of what type of testing they require or would provide value to their business. The lack of standardization now is only hurting the industry: businesses are getting low-quality work done, and practitioners lack guidance in terms of what is needed to provide quality service.

==== '''Q''': Is the standard going to include all possible pentest scenarios? ====
'''A''': While we can't possibly cover all scenarios, the standard is going to define a baseline for the minimum that is required from a basic pentest, as well as several "levels" on top of it that provide more comprehensive activities required for organizations with higher security needs. The different levels would also be defined per the industry for which they should be the baseline.

==== '''Q''': Is this effort going to standardize the reporting as well? ====
'''A''': Yes. We feel that providing a standard for the test without defining how the report is provided would be useless. We will define both executive (business) reporting as well as technical reporting as an integrated part of the standard.

==== '''Q''': Who is the intended audience for this standard/project? ====
'''A''': Two main communities: businesses that require the service, and service providers. For businesses the goal is to enable them to demand a specific baseline of work as part of a pentest. For service providers the goal is to provide a baseline for the kinds of activities needed and what should be taken into account as part of the pentest, from scoping through reporting and deliverables.</div> Chris gates