Difference between revisions of "PTES Technical Guidelines"

From The Penetration Testing Execution Standard
Revision as of 18:46, 4 August 2011

This section is designed to be the PTES Technical Guidelines (PTES-G), which help define certain procedures to follow during a penetration test. Be aware that these are only baseline methods that have been used in the industry. They will need to be continuously updated and built upon by the community, as well as within your own standard. Guidelines are just that: something to drive you in a direction and help during certain scenarios, not an all-encompassing set of instructions on how to perform a penetration test. Think outside of the box.

PTES-TG Logo.png


How to Contribute
If you are interested in contributing to the PTES-G, then you're in the right place. Find an area that needs a contributor and that interests you, and take it. Document what you can in an RTF or plain-text document. Send us the document and the associated screenshots in a separate zip file. Please annotate in the document the correct image for the section being discussed, for example: <Screen Shot image1.png Here>. For more information or to make a submission, please contact ptes-g[at]isdpodcast[dot]com.


Tools Required

Selecting the tools required during a penetration test depends on several factors such as the type and the depth of the engagement. In general terms, the following tools are mandatory to complete a penetration test with the expected results.

Operating Systems

Selecting the operating platforms to use during a penetration test is often critical to the successful exploitation of a network and its associated systems. As such, it is a requirement to be able to use all three major operating systems at the same time, which is not possible without virtualization.

MacOS X

MacOS X is a BSD-derived operating system. With standard command shells (such as sh, csh, and bash) and native network utilities that can be used during a penetration test (including telnet, ftp, rpcinfo, snmpwalk, host, and dig), it is the system of choice and the underlying host system for our penetration testing tools. Since MacOS X is tied to a specific hardware platform, the selection of hardware is extremely simple and ensures that all tools will work as designed.

VMware Workstation

VMware Workstation is an absolute requirement, since it allows multiple operating system instances to run easily on a single workstation. It is a fully supported commercial package and offers encryption and snapshot capabilities that are not available in the free versions from VMware. Without the ability to encrypt the data collected on a VM, confidential client information is at risk; versions that do not support encryption are therefore not to be used. Encryption protects the guest's disk files at rest; anything copied out of the guest onto the host must be protected separately. The operating systems listed below should be run as guest systems within VMware.

Linux

Linux is the choice of most security consultants. The platform is versatile, and the kernel provides low-level support for leading-edge technologies and protocols. All mainstream IP-based attack and penetration tools can be built and run under Linux without difficulty. For this reason BackTrack is the platform of choice, as it ships with all the tools required to perform a penetration test.

Windows XP/7

Windows XP/7 is required for certain tools. Many commercial tools, and Microsoft-specific network assessment and penetration tools, are available that run cleanly on this platform.

Radio Frequency Tools

Frequency Counter

A frequency counter should cover 10 Hz to 3 GHz. A good example of a reasonably priced frequency counter is the MFJ-886.

Frequency Scanner

A scanner is a radio receiver that can automatically tune, or scan, two or more discrete frequencies, stopping when it finds a signal on one of them and then continuing to scan other frequencies when the initial transmission ceases. These are not to be used in Florida, Kentucky, or Minnesota unless you are a person who holds a current amateur radio license issued by the Federal Communications Commission. The required hardware is the Uniden BCD396T Bearcat Handheld Digital Scanner or PSR-800 GRE Digital trunking scanner.

Spectrum Analyzer

A spectrum analyzer is a device used to examine the spectral composition of some electrical, acoustic, or optical waveform. A spectrum analyzer is used to determine whether or not a wireless transmitter is working according to federally defined standards and is used to determine, by direct observation, the bandwidth of a digital or analog signal. A good example of a reasonably priced spectrum analyzer is the Kaltman Creations HF4060 RF Spectrum Analyzer.

802.11 USB adapter

An 802.11 USB adapter allows a wireless adapter to be connected easily to the penetration testing system. There are several issues with using something other than the approved USB adapter, as not all chipsets support the required functions, in particular monitor mode and packet injection. The required hardware is the Alfa AWUS051NH 500mW High Gain 802.11a/b/g/n high power Wireless USB adapter.
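Before relying on an adapter in the field, confirm that its driver actually advertises monitor mode. The following Python script is an added example (not code from the PTES page): it parses the capability dump printed by `iw list` on Linux, and falls back to a constructed sample of that output when `iw` is not installed. The PHY names and modes in the sample are invented for the demonstration.

```python
"""Check which wireless PHYs on a Linux host can enter monitor mode.

Added example, not code from the PTES page. It parses the text printed by
`iw list` (the nl80211 capability dump). SAMPLE_IW_LIST below is a
constructed stand-in for that output and is used when `iw` is absent.
"""
import re
import shutil
import subprocess

# Constructed sample in the shape of `iw list` output: phy0 advertises
# monitor mode, phy1 (a typical built-in laptop adapter) does not.
SAMPLE_IW_LIST = """\
Wiphy phy0
    max # scan SSIDs: 4
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
         * mesh point
    Band 1:
        Capabilities: 0x1ff
Wiphy phy1
    max # scan SSIDs: 4
    Supported interface modes:
         * managed
         * AP
    Band 1:
        Capabilities: 0x1ff
"""

WIPHY_RE = re.compile(r"^Wiphy\s+(\S+)")


def parse_interface_modes(text):
    """Return {phy_name: set(modes)} from `iw list` style text."""
    modes = {}
    current = None
    in_modes = False
    for raw in text.splitlines():
        m = WIPHY_RE.match(raw)
        if m:
            current = m.group(1)
            modes[current] = set()
            in_modes = False
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("Supported interface modes:"):
            in_modes = True
        elif in_modes and line.startswith("* "):
            modes[current].add(line[2:].strip())
        elif in_modes:
            in_modes = False  # first non-bullet line closes the list
    return modes


def monitor_capable(text):
    """Names of PHYs whose driver advertises monitor mode."""
    return sorted(phy for phy, ms in parse_interface_modes(text).items()
                  if "monitor" in ms)


def live_iw_list():
    """Run `iw list` if available; None when iw is missing or fails."""
    if shutil.which("iw") is None:
        return None
    try:
        proc = subprocess.run(["iw", "list"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout


if __name__ == "__main__":
    text = live_iw_list()
    source = "live `iw list`" if text else "constructed sample"
    text = text or SAMPLE_IW_LIST
    print(f"source: {source}")
    for phy, ms in parse_interface_modes(text).items():
        flag = "MONITOR OK" if "monitor" in ms else "no monitor mode"
        print(f"{phy}: {flag} ({', '.join(sorted(ms))})")
```

A driver advertising monitor mode does not prove that frame injection works; that is checked separately, for example with `aireplay-ng --test` against an interface already placed in monitor mode.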

External Antennas

External antennas come in a variety of shapes, based upon their usage, and with a variety of connectors. All external antennas must have RP-SMA connectors compatible with the Alfa. Since the Alfa comes with an omni-directional antenna, a directional antenna must be obtained. The best choice is a panel antenna, as it provides the capabilities required in a package that travels well. The required hardware is the L-com 2.4 GHz 14 dBi Flat Panel Antenna with RP-SMA connector. A magnetic-mount omni-directional antenna such as the L-com 2.4 GHz/900 MHz 3 dBi Omni Magnetic Mount Antenna with RP-SMA Plug Connector is also a good choice.

USB GPS

A GPS is a necessity to properly perform an RF assessment; without one it is simply impossible to determine where and how far RF signals are propagating. Numerous options are available, so obtain a USB GPS that is supported on the operating system you are using, be that Linux, Windows or Mac OS X.

Software

The software requirements are based upon the engagement scope, however we've listed some commercial and open source software that could be required to properly conduct a full penetration test.

Maltego - (http://www.paterva.com/web5)

Nessus - (http://tenable.com/products/nessus)

IBM AppScan - (http://www-01.ibm.com/software/awdtools/appscan)

eEye Retina -(http://www.eeye.com/Products/Retina.aspx)

Nexpose - (http://www.rapid7.com)

OpenVAS - (http://www.openvas.org)

HP WebInspect - (https://www.fortify.com/products/web_inspect.html)

Backtrack - (http://www.backtrack-linux.org)

SamuraiWTF- (http://samurai.inguardians.com)

SiteDigger - (http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx)

FOCA - (http://www.informatica64.com/DownloadFOCA)

THC IPv6 Attack Toolkit - (http://www.thc.org/thc-ipv6)

Fierce2 - (http://trac.assembla.com/fierce/)

Cain - (http://www.oxid.it/cain.html)

inSSIDer - (http://www.metageek.net/products/inssider)

Kismet Newcore - (http://www.kismetwireless.net)

Rainbow Crack - (http://project-rainbowcrack.com)

DnsEnum - (http://code.google.com/p/dnsenum)

Dnsmap - (http://code.google.com/p/dnsmap)

Dnsrecon - (http://www.darkoperator.com/tools-and-scripts/dnsrecon.rb)

DnsTracer - (http://www.mavetju.org/unix/dnstracer.php)

Dnswalk - (http://sourceforge.net/projects/dnswalk)

Fierce - (http://ha.ckers.org/fierce)

Fierce2 - (http://trac.assembla.com/fierce/browser/fierce2)

FindDomains - (http://code.google.com/p/finddomains)

HostMap - (http://hostmap.lonerunners.net)

URLcrazy - (http://code.google.com/p/urlcrazy)

theHarvester - (http://www.edge-security.com/soft/theHarvester.py)

The Metasploit Framework - (http://metasploit.com/download/)

The Social-Engineer Toolkit (SET) - (http://www.secmaniac.com/files/set.tar.gz)

Fast-Track - (http://www.secmaniac.com/download/)



Intelligence Gathering

Intelligence Gathering is the phase where data or "intelligence" is gathered to assist in guiding the assessment actions. At the broadest level this intelligence gathering includes information about employees, facilities, products and plans. Within a larger picture this intelligence will include potentially secret or private "intelligence" of a competitor, or information that is otherwise relevant to the target.

OSINT

Open Source Intelligence (OSINT), in the simplest of terms, is locating and analyzing publicly available (open) sources of information. The key component is that the process has a goal of producing current and relevant information that is valuable to either an attacker or a competitor. For the most part, OSINT is more than simply performing web searches using various sources.
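The raw material of OSINT is text you have already collected (search-result pages, documents, mailing-list archives); the work is pulling target-specific artifacts out of it reliably. The script below is an added example, not code from the PTES page or from theHarvester: it extracts e-mail addresses and hostnames belonging to one domain, rejects look-alike and unrelated domains, and tallies the address naming convention. The target domain example.com and SAMPLE_TEXT are constructed for the demonstration.

```python
"""Harvest e-mail addresses and hostnames for a target domain from text.

Added example, not code from the PTES page or from theHarvester. The
input is whatever text you have already fetched (search-result pages,
documents, list archives); SAMPLE_TEXT and the target domain example.com
are constructed for the demonstration.
"""
import re
from collections import Counter

TARGET_DOMAIN = "example.com"  # assumed target

# Constructed fragments of the kind that turn up in fetched pages, including
# decoys that a naive regex would accept (an unrelated domain, an image
# filename with an @, and a look-alike domain that merely starts with ours).
SAMPLE_TEXT = """
Press contact: Jane.Doe@Example.com or j.doe@mail.example.com.
Careers: https://careers.example.com/jobs?q=sysadmin (see also
http://intranet.example.com:8080/login and vpn.example.com).
Noise: webmaster@example.org, logo@2x.png, admin@example.com.evil.net
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(text, domain=TARGET_DOMAIN):
    """Return (emails, hosts): sorted, lower-cased, restricted to domain."""
    emails = {e.lower() for e in EMAIL_RE.findall(text)
              if in_domain(e.rsplit("@", 1)[1], domain)}
    hosts = {h.lower() for h in HOST_RE.findall(text) if in_domain(h, domain)}
    # every e-mail domain is also a host worth recording
    hosts.update(e.rsplit("@", 1)[1] for e in emails)
    return sorted(emails), sorted(hosts)


def infer_name_formats(emails):
    """Count the local-part conventions seen (first.last vs f.last), which
    later feeds guesses for addresses of staff found elsewhere."""
    counts = Counter()
    for e in emails:
        local = e.split("@", 1)[0]
        if "." in local:
            first, _ = local.split(".", 1)
            counts["f.last" if len(first) == 1 else "first.last"] += 1
        else:
            counts["nodot"] += 1
    return counts


if __name__ == "__main__":
    emails, hosts = harvest(SAMPLE_TEXT)
    print("emails:", emails)
    print("hosts:", hosts)
    print("formats:", dict(infer_name_formats(emails)))
```

The domain check is the important part: matching on a substring would accept admin@example.com.evil.net as a hit, whereas requiring the host to equal the target domain or end in "." plus the domain rejects it.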

Corporate

Information on a particular target should include information regarding the legal entity. Most states within the US require corporations, limited liability companies and limited partnerships to file with a state division, which serves as custodian of the filings and maintains copies and/or certifications of the documents. These filings may contain information regarding shareholders, members, officers or other persons involved in the target entity.

State URL
Alabama http://sos.alabama.gov/BusinessServices/NameRegistration.aspx
Alaska http://www.dced.state.ak.us/bsc/corps.htm
Arizona http://starpas.azcc.gov/scripts/cgiip.exe/WService=wsbroker1/main.p
Arkansas http://www.sosweb.state.ar.us/corps/incorp
California http://kepler.ss.ca.gov/list.html
Colorado http://www.state.co.us
Connecticut http://www.state.ct.us
Delaware http://www.state.de.us
District of Columbia http://www.ci.washington.dc.us
Florida http://www.sunbiz.org/search.html
Georgia http://corp.sos.state.ga.us/corp/soskb/CSearch.asp
Hawaii http://www.state.hi.us
Idaho http://www.accessidaho.org/public/sos/corp/search.html?SearchFormstep=crit
Illinois http://www.ilsos.gov/corporatellc
Indiana http://secure.in.gov/sos/bus_service/online_corps/default.asp
Iowa http://www.state.ia.us
Kansas http://www.accesskansas.org/apps/corporations.html
Kentucky http://ukcc.uky.edu/~vitalrec
Louisiana http://www.sec.state.la.us/crpinq.htm
Maine http://www.state.me.us/sos/cec/corp/ucc.htm
Maryland http://sdatcert3.resiusa.org/ucc-charter
Massachusetts http://ucc.sec.state.ma.us/psearch/default.asp
Michigan http://www.cis.state.mi.us/bcs_corp/sr_corp.asp
Minnesota http://www.state.mn.us/
Mississippi http://www.sos.state.ms.us/busserv/corpsnap
Missouri http://www.state.mo.us
Montana http://sos.state.mt.us
Nebraska http://www.sos.state.ne.us/htm/UCCmenu.htm
Nevada http://sandgate.co.clark.nv.us:8498/cicsRecorder/ornu.htm
New Hampshire http://www.state.nh.us
New Jersey http://www.state.nj.us/treasury/revenue/searchucc.htm
New Mexico http://www.sos.state.nm.us/UCC/UCCSRCH.HTM
New York http://wdb.dos.state.ny.us/corp_public/corp_wdb.corp_search_inputs.show
North Carolina http://www.secstate.state.nc.us/research.htm
North Dakota http://www.state.nd.us/sec
Ohio http://serform.sos.state.oh.us/pls/report/report.home
Oklahoma http://www.oklahomacounty.org/coclerk/ucc/default.asp
Oregon http://egov.sos.state.or.us/br/pkg_web_name_srch_inq.login
Pennsylvania http://www.dos.state.pa.us/DOS/site/default.asp
Rhode Island http://155.212.254.78
South Carolina http://www.scsos.com/corp_search.htm
South Dakota http://www.state.sd.us
Tennessee http://www.state.tn.us/sos/service.htm
Texas https://ourcpa.cpa.state.tx.us/coa/Index.html
Utah http://www.commerce.state.ut.us
Vermont http://www.sec.state.vt.us/seek/database.htm
Virginia http://www.state.va.us
Washington http://www.dol.wa.gov/unfc/uccfront.htm
West Virginia http://www.wvsos.com/wvcorporations
Wisconsin http://www.wdfi.org/corporations/crispix
Wyoming http://soswy.state.wy.us/Corp_Search_Main.asp

Physical

Often the first step in OSINT is to identify the physical locations of the target corporation. This information might be readily available for publicly known or published locations, but not quite so easy for more secretive sites. Public sites can often be located by using search engines such as:

Locations
Shared/Individual

As part of identifying the physical location it is important to note if the location is an individual building or simply a suite in a larger facility. It is important to attempt to identify neighboring businesses as well as common areas.

Owner

Once the physical locations have been identified, it is useful to identify the actual property owner(s). This can either be an individual, group, or corporation. If the target corporation does not own the property then they may be limited in what they can physically do to enhance or improve the physical location.

Land/tax records

Land and tax records generally include ownership, possession or other rights in land to provide evidence of title and facilitate transactions. The information recorded and the protection provided varies greatly by jurisdiction. Land and tax records within the United States are usually a matter for individual states.

State URL
Alabama http://arc-sos.state.al.us/CGI/LANDNAME.MBR/INPUT
Alaska http://www.dced.state.ak.us
Arizona http://www.azsos.gov
Arkansas http://www.state.ar.us
California http://www.ss.ca.gov
Colorado http://www.state.co.us
Connecticut http://www.concord.state.ct.us
Delaware http://www.state.de.us
District of Columbia http://www.ci.washington.dc.us
Florida http://www.floridaucc.com
Georgia http://www.gsccca.org
Hawaii http://www.state.hi.us
Idaho http://www.idsos.state.id.us
Illinois http://www.state.il.us
Indiana http://www.state.in.us
Iowa http://www.sos.state.ia.us
Kansas http://www.kssos.org/
Kentucky http://www.sos.state.ky.us
Louisiana http://www.state.la.us
Maine http://www.state.me.us
Maryland http://www.mec.state.md.us
Massachusetts http://www.state.ma.us
Michigan http://www.state.mi.us http://www.dleg.state.mi.us/platmaps/sr_subs.asp
Minnesota http://www.sos.state.mn.us
Mississippi http://www.state.ms.us
Missouri http://www.state.mo.us
Montana http://sos.state.mt.us
Nebraska http://www.sos.state.ne.us
Nevada http://www.state.nv.us
New Hampshire http://www.state.nh.us
New Jersey http://www.state.nj.us
New Mexico http://www.sos.state.nm.us
New York http://www.state.ny.us
North Carolina http://www.ncgov.com
North Dakota http://www.state.nd.us
Ohio http://www.state.oh.us
Oklahoma http://www.state.ok.us
Oregon http://www.oregon.gov
Pennsylvania http://www.state.pa.us
Rhode Island http://www.state.ri.us
South Carolina http://www.myscgov.com/SCSGPortal/static/home_tem4.html
South Dakota http://www.state.sd.us
Tennessee http://www.state.tn.us
Texas http://www.state.tx.us
Utah http://www.state.ut.us
Vermont http://vermont.gov
Virginia http://www.state.va.us
Washington http://access.wa.gov
West Virginia http://www.state.wv.us
Wisconsin http://www.wisconsin.gov/state/home
Wyoming http://www.state.wy.us

Datacenter Locations

Identifying any target business data center locations via either the corporate website, public filings, land records or via a search engine can provide additional potential targets.

Time zones

Identifying the time zones that the target operates in provides valuable information regarding the hours of operation. It is also significant to understand the relationship between the target time zone and that of the assessment team. A time zone map is often useful as a reference when conducting any test.


TimeZone Map

Offsite gathering

Identifying any recent or future offsite gatherings or parties via either the corporate website or via a search engine can provide valuable insight into the corporate culture of a target. It is often common practice for businesses to have offsite gatherings not only for employees, but also for business partners and customers. Collecting this data could provide insight into potential items of interest to an attacker.

Product/Services

Identifying the target business's products, and any significant data related to product launches, via the corporate website, news releases or a search engine can provide valuable insight into the internal workings of a target. It is common practice for businesses to make such announcements publicly in an effort to garner publicity and to inform current and/or new customers of the launch. Publicly available information includes, but is not limited to, foreign-language documents, radio and television broadcasts, Internet sites, and public speaking.

Company Dates

Significant company dates can provide insight into days when staff may be on higher alert than normal, for example because of corporate meetings, board meetings, investor meetings, or a corporate anniversary. Conversely, businesses that observe various holidays normally have significantly reduced staff during those periods, so targeting may prove much more difficult then.

Position identification

Within every target it is critical that you identify and document the top positions within the organization. This is critical to ensure that the resulting report is targeting the correct audience. At a minimum, key employees should be identified as part of any engagement.

Organizational Chart

Understanding the organizational structure is important, not only to understand the depth of the structure, but also the breadth. If the organization is extremely large, it is possible that new staff or personnel could go undetected. In smaller organizations, the likelihood is not as great. Getting a good picture of this structure can also provide insight into the functional groups. This information can be useful in determining internal targets.

Corporate Communications

Identifying corporate communications either via the corporate website or a job search engine can provide valuable insight into the internal workings of a target.

Marketing

Marketing communications are often used to make corporate announcements regarding current or future product releases and partnerships.

Lawsuits

Communications regarding the target's involvement in litigation can provide insight into potential threat agents or data of interest.

Transactions

Communications involving corporate transactions may be an indirect response to a marketing announcement or lawsuit.

Job openings

Searching current job openings or postings, via either the corporate website or a job search engine, can provide valuable insight into the internal workings of a target. It is common practice to include information regarding current or future technology implementations. Collecting this data could provide insight into potential items of interest to an attacker. Several job search engines exist that can be queried for information regarding the target.

Monster http://www.monster.com
CareerBuilder http://www.careerbuilder.com
Computerjobs.com http://www.computerjobs.com

Relationships

Identifying the target's logical relationships is critical to understanding more about how the business operates. Publicly available information should be leveraged to determine the target's business relationships with vendors, business partners, law firms, etc. This is often available via news releases, corporate web sites (target and vendors), and potentially via industry-related forums.

Charity Affiliations

Identifying any target business charity affiliations via either the corporate website or via a search engine can provide valuable insight into the internal workings and potentially the corporate culture of a target. It is often common practice for businesses to make charitable donations to various organizations. Collecting this data could provide insight into potential items of interest to an attacker.

Network Providers

Identifying the target's network provisioning or providers, either via the allocated netblock/address information (the regional Internet registry records for the target's address space), the corporate website or a search engine, can provide valuable insight into the target's network footprint and the providers it depends on. It is common practice for businesses to lease address space and connectivity from upstream providers, so the allocation records may name a provider rather than the target itself. Collecting this data could provide insight into potential items of interest to an attacker.
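The allocation records are published by the regional Internet registries over RDAP, and reading them is how the netblock is tied to a provider. The script below is an added example, not code from the PTES page: `fetch_rdap()` asks the public RDAP bootstrap service at rdap.org (which redirects to the responsible registry) when run with network access, and `summarize_rdap()` reduces the response to the registrant, abuse contact and address range. SAMPLE_RDAP is a constructed response in the RDAP JSON shape; the handles, names and addresses in it are invented.

```python
"""Identify the provider behind an IP allocation using RDAP.

Added example, not code from the PTES page. fetch_rdap() queries the public
RDAP bootstrap at https://rdap.org/ip/<address>, which redirects to the
responsible regional registry; summarize_rdap() is demonstrated offline on
SAMPLE_RDAP, a constructed response in the RDAP (RFC 9083) JSON shape.
"""
import json
import sys
import urllib.request


def fetch_rdap(ip, timeout=10):
    """Fetch the RDAP network object covering ip (needs network access)."""
    req = urllib.request.Request(f"https://rdap.org/ip/{ip}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _vcard_value(vcard_array, key):
    """Look up a property in a jCard: ["vcard", [[name, params, type, value], ...]]."""
    for prop in vcard_array[1]:
        if prop[0] == key:
            return prop[3]
    return None


def _walk_entities(entities):
    """Yield entities depth-first; contacts are often nested under the registrant."""
    for ent in entities or []:
        yield ent
        yield from _walk_entities(ent.get("entities"))


def summarize_rdap(doc):
    """Reduce an RDAP IP network object to the fields an assessor needs."""
    summary = {
        "handle": doc.get("handle"),
        "name": doc.get("name"),
        "type": doc.get("type"),
        "range": f"{doc.get('startAddress')} - {doc.get('endAddress')}",
        "registrant": None,
        "abuse": None,
    }
    for ent in _walk_entities(doc.get("entities")):
        roles, vcard = ent.get("roles", []), ent.get("vcardArray")
        if not vcard:
            continue
        if "registrant" in roles and summary["registrant"] is None:
            summary["registrant"] = _vcard_value(vcard, "fn")
        if "abuse" in roles and summary["abuse"] is None:
            summary["abuse"] = _vcard_value(vcard, "email")
    return summary


# Constructed sample response (invented handles, names and a documentation
# address range); the abuse contact is nested under the registrant, as
# registries commonly return it.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "handle": "NET-203-0-113-0-1",
    "name": "EXAMPLE-NET-1",
    "type": "DIRECT ALLOCATION",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "entities": [{
        "handle": "EXNET", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Networks LLC"],
                                 ["kind", {}, "text", "org"]]],
        "entities": [{
            "handle": "ABUSE1", "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Abuse Desk"],
                                     ["email", {}, "text", "abuse@example.net"]]],
        }],
    }],
}


if __name__ == "__main__":
    # usage: python rdap_provider.py [ip-address]; no argument uses the sample
    doc = fetch_rdap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RDAP
    for key, value in summarize_rdap(doc).items():
        print(f"{key:>10}: {value}")
```

Two points worth keeping in mind when reading the output: the registrant is whoever holds the allocation, which for a hosted or co-located target is frequently the provider rather than the target, and the query goes to the registry only, so it does not touch the target's own infrastructure.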

Business Partners

Identifying business partners is critical to gaining insight into not only the corporate culture of a target, but also potentially technologies being used. It is often common practice for businesses to announce partnership agreements. Collecting this data could provide insight into potential items of interest to an attacker.

Competitors

Identifying competitors can provide a window into potential adversaries. It is not uncommon for competitors to announce news that could impact the target. These could range from new hires, product launches, and even partnership agreements. Collecting this data is important to fully understand any potential corporate hostility.

Individuals

Social Networking Profile

The number of active social networking websites, and the number of users on them, make these sites a prime location to identify an employee's friendships, kinships, common interests, financial exchanges, likes/dislikes, sexual relationships, or beliefs. It is even possible to determine an employee's corporate knowledge or prestige.

Social Networking Websites
Name URL Description/Focus
Academia.edu http://www.academia.edu Social networking site for academics/researchers
Advogato http://www.advogato.org Free and open source software developers
aNobii http://www.anobii.com/anobii_home Books
aSmallWorld http://www.asmallworld.net European jet set and social elite world-wide
AsianAvenue http://www.asianave.com A social network for the Asian American community
Athlinks http://www.athlinks.com Open Running, Swimming
Audimated.com http://www.audimated.com Independent Music
Avatars United http://www.avatarsunited.com Online games
Badoo http://badoo.com General, Meet new people, Popular in Europe and LatAm
Bebo http://www.bebo.com General
Bigadda http://bigb.bigadda.com Indian Social Networking Site
Federated Media's BigTent http://www.federatedmedia.net Organization and communication portal for groups
Biip.no http://www.biip.no Norwegian community
BlackPlanet http://www.blackplanet.com African-Americans
Blauk http://blauk.com Anyone who wants to tell something about a stranger or acquaintance.
Blogster http://www.blogster.com Blogging community
Bolt.com http://www.bolt.com General
Buzznet http://www.buzznet.com Music and pop-culture
CafeMom http://www.cafemom.com Mothers
Cake Financial http://www.cakefinancial.com Investing
Care2 http://www.care2.com Green living and social activism
CaringBridge http://www.caringbridge.org Not for profit providing free websites that connect family and friends during a serious health event, care and recovery.
Cellufun http://m.cellufun.com Mobile social game network, Number 8 US mobile website
Classmates.com http://www.classmates.com School, college, work and the military
Cloob http://www.cloob.com General. Popular in Iran
CouchSurfing http://www.couchsurfing.org Worldwide network for making connections between travelers and the local communities they visit.
CozyCot http://www.cozycot.com East Asian and Southeast Asian women
Cross.tv http://www.cross.tv Faith Based social network for Christian believers from around the world
Crunchyroll http://www.crunchyroll.com Anime and forums.
Cyworld (Korea) http://cyworld.co.kr (China) http://www.cyworld.com.cn General. Popular in South Korea.
DailyBooth http://dailybooth.com Photo-blogging site where users upload a photo every day
DailyStrength http://www.dailystrength.org Medical & emotional support community - Physical health, Mental health, Support groups
Decayenne http://www.decayenne.com European and American social elite
delicious http://www.delicious.com Social bookmarking allowing users to locate and save websites that match their own interests
deviantART http://www.deviantart.com Art community
Disaboom http://www.disaboom.com People with disabilities (Amputee, cerebral palsy, MS, and other disabilities)
Dol2day http://www.dol2day.de Politic community, Social network, Internet radio (German-speaking countries)
DontStayIn http://www.dontstayin.com Clubbing (primarily UK)
Draugiem.lv http://www.draugiem.lv General (primarily LV, LT, HU)
douban http://www.douban.com Chinese Web 2.0 website providing user review and recommendation services for movies, books, and music. It is also the largest online Chinese language book, movie and music database and one of the largest online communities in China.
Elftown http://www.elftown.com Community and wiki around Fantasy and sci-fi.
Entitycube http://entitycube.research.microsoft.com  
Eons.com http://www.eons.com For baby boomers
Epernicus http://www.epernicus.com For research scientists
Experience Project http://www.experienceproject.com Life experiences
Exploroo http://www.exploroo.com Travel Social Networking.
Facebook (IPv4) http://www.facebook.com (IPv6) http://www.v6.facebook.com General.
Faceparty http://www.faceparty.com General. Popular UK.
Faces.com http://www.face-pic.com http://www.faces.com British teens
Fetlife http://fetlife.com People who are into BDSM
FilmAffinity http://www.filmaffinity.com Movies and TV Series
FitFinder http://www.thefitfinder.co.uk Anonymous UK Student Microblogging Website
FledgeWing http://www.fledgewing.com Entrepreneural community targeted towards worldwide university students
Flixster http://www.flixster.com Movies
Flickr http://www.flickr.com Photo sharing, commenting, photography related networking, worldwide
Focus.com http://www.focus.com Business to Business, worldwide
Folkdirect http://www.folkdirect.com General
Fotki http://www.fotki.com Photo sharing, video hosting, photo contests, journals, forums, flexible privacy protection, friend's feed, audio comments and unlimited custom design integration.
Fotolog http://www.fotolog.com Photoblogging. Popular in South America and Spain
Foursquare http://foursquare.com Location based mobile social network
Friends Reunited http://www.friendsreunited.com UK based. School, college, work, sport and streets
Friendster http://www.friendster.com General. Popular in Southeast Asia. No longer popular in the western world
Frühstückstreff http://www.fruehstueckstreff.de General
Fubar http://www.fubar.com dating, an "online bar" for 18 and older
Gaia Online http://www.gaiaonline.com Anime and games. Popular in USA, Canada and Europe. Moderately popular around Asia.
GamerDNA http://www.gamerdna.com Computer and video games
Gather.com http://home.gather.com Article, picture, and video sharing, as well as group discussions
Gays.com http://gays.com Social network for LGBT community, Guide for LGBT bars, restaurants, clubs, shopping
Geni.com http://www.geni.com Families, genealogy
Gogoyoko http://www.gogoyoko.com Fair play in Music - Social networking site for musicians and music lovers
Goodreads http://www.goodreads.com Library cataloging, book lovers
Goodwizz http://www.goodwizz.com Social network with matchmaking and personality games to find new contacts. Global, based in France.
Google Buzz http://www.google.com/buzz General
GovLoop http://www.govloop.com For people in and around government
Gowalla http://gowalla.com  
Grono.net http://grono.net Poland
Habbo http://www.habbo.com General for teens. Over 31 communities worldwide. Chat Room and user profiles.
hi5 http://hi5.com General. Popular in India, Mongolia, Thailand, Romania, Jamaica, Central Africa, Portugal and Latin America. Not very popular in the USA.
Hospitality Club http://www.hospitalityclub.org Hospitality
Hotlist http://www.thehotlist.com Geo-Social Aggregator rooted in the concept of knowing where your friends are, were, and will be.
HR.com http://www.hr.com Social networking site for Human Resources professionals
Hub Culture http://www.hubculture.com Global influencers focused on worth creation
Hyves http://www.hyves.nl General, Most popular in the Netherlands.
Ibibo http://www.ibibo.com Talent based social networking site that allows to promote one's self and also discover new talent. Most popular in India.
Identi.ca http://identi.ca Twitter-like service popular with hackers and software freedom advocates.
Indaba Music http://www.indabamusic.com Online collaboration for musicians, remix contests, and networking.
IRC-Galleria http://www.irc-galleria.net Finland
italki.com http://www.italki.com Language learning social network. 100+ languages.
InterNations http://www.internations.org International community
Itsmy http://mobile.itsmy.com Mobile community worldwide, blogging, friends, personal TV-shows
iWiW http://iwiw.hu Hungary
Jaiku http://www.jaiku.com General. Microblogging. Owned by Google
JammerDirect.com http://www.jammerdirect.com Network for unsigned artists
kaioo http://www.kaioo.com General, nonprofit
Kaixin001 http://www.kaixin001.com General. In Simplified Chinese; caters for mainland China users
Kiwibox http://www.kiwibox.com General. For the users, by the users, a social network that is more than a community.
Lafango http://lafango.com Talent-Focused media sharing site
Last.fm http://www.last.fm Music
LibraryThing http://www.librarything.com/ (German) http://www.librarything.de Book lovers
Lifeknot http://www.lifeknot.com Shared interests, hobbies
LinkedIn http://www.linkedin.com Business and professional networking
LinkExpats http://www.linkexpats.com Social networking website for expatriates. 100+ countries.
Listography http://listography.com Lists. Autobiography
LiveJournal http://www.livejournal.com Blogging. Popular in Russia and among the Russian-speaking diaspora abroad.
Livemocha http://www.livemocha.com Online language learning - dynamic online courses in 35 languages - world's largest community of native language speakers.
LunarStorm http://www.lunarstorm.se Sweden
MEETin http://www.meetin.org General
Meetup.com http://www.meetup.com General. Used to plan offline meetings for people interested in various activities
Meettheboss http://www.meettheboss.tv Business and Finance community, worldwide.
Mixi http://www.mixi.jp Japan
mobikade http://www.mkade.com mobile community, UK only
MocoSpace http://www.mocospace.com mobile community, worldwide
MOG http://www.mog.com Music
MouthShut.com http://www.mouthshut.com Social Network, social media, consumer reviews
Mubi (website) http://mubi.com Auteur cinema
Multiply http://multiply.com Real world relationships. Popular in primarily in Asia.
Muxlim http://muxlim.com Muslim portal site
MyAnimeList http://www.myanimelist.net Anime themed social community
MyChurch http://www.mychurch.org Christian Churches
MyHeritage http://www.myheritage.com family-oriented social network service
MyLife http://www.mylife.com Locating friends and family, keeping in touch (formerly Reunion.com)
My Opera http://my.opera.com Blogging, mobile blogging, photo sharing, connecting with friends, Opera Link and Opera Unite. Global
Myspace http://www.myspace.com General
myYearbook http://www.myyearbook.com General, Charity
Nasza-klasa.pl http://www.nk.pl School, college and friends. Popular in Poland
Netlog http://www.netlog.com General. Popular in Europe, Turkey, the Arab World and Canada's Québec province. Formerly known as Facebox and Redbox.
Nettby http://www.nettby.no Norwegian Community
Nexopia http://www.nexopia.com Canada
NGO Post http://www.ngopost.org Non-Profit news sharing and networking, mainly in India
Ning http://www.ning.com Users create their own social websites and social networks
Odnoklassniki http://odnoklassniki.ru Connect with old classmates. Popular in Russia and former Soviet republics
OneClimate http://www.oneclimate.net Not for Profit Social networking and Climate Change
OneWorldTV http://tv.oneworld.net Not for Profit Video sharing and social networking aimed at people interested in social issues, development, environment, etc.
Open Diary http://www.opendiary.com First online blogging community, founded in 1998
Orkut http://orkut.com General. Owned by Google Inc. Popular in India and Brazil.
OUTeverywhere http://www.outeverywhere.com Gay/LGBTQ Community
Passportstamp http://www.passportstamp.com Travel
Partyflock http://partyflock.nl Dutch virtual community for people interested in house music and other electronic dance music. Since 2001, Partyflock has evolved into the biggest online community for the dance scene in the Netherlands
Picasa http://picasa.google.com  
PicFog http://picfog.com PicFog shows pictures from twitter as they're posted
Pingsta http://www.pingsta.com Collaborative platform for the world's Internetwork Experts
Plaxo http://www.plaxo.com Aggregator
Playahead http://www.playahead.se Swedish, Danish teenagers
Playlist.com http://www.playlist.com General, Music
Plurk http://www.plurk.com Micro-blogging, RSS, updates. Very popular in Taiwan
Present.ly http://www.presently.com Enterprise social networking and micro-blogging
Qapacity http://www.qapacity.com A business-oriented social networking site and a business directory
Quechup http://quechup.com General, friendship, dating
Qzone http://qzone.qq.com General. In Simplified Chinese; caters for mainland China users
Raptr http://raptr.com Video games
Ravelry http://www.ravelry.com Knitting and crochet
Renren http://renren.com Significant site in China.
ResearchGate http://researchgate.net Social network for scientific researchers
ReverbNation.com http://www.reverbnation.com Social network for musician and bands
Ryze http://www.ryze.com Business
ScienceStage http://sciencestage.com Science-oriented multimedia platform and network for scientists
Scispace.net http://scispace.net Collaborative network site for scientists
ShareTheMusic http://www.sharethemusic.com Music Community. Sharing and listening to music for free and legally
Shelfari http://www.shelfari.com Books
Skyrock http://skyrock.com Social Network in French-speaking world
Social Life http://www.sociallife.com.br Brazilian jet set and social elite world-wide
SocialVibe http://www.socialvibe.com Social Network for Charity
Sonico.com http://www.sonico.com General. Popular in Latin America and Spanish and Portuguese speaking regions.
Stickam http://www.stickam.com Live video streaming and chat.
StudiVZ http://www.studivz.net University students, mostly in the German-speaking countries. School students and those out of education sign up via its partner sites schülerVZ and meinVZ.
StumbleUpon http://www.stumbleupon.com Stumble through websites that match your selected interests
Tagged http://www.tagged.com General. Subject to quite some controversy about its e-mail marketing and privacy policy
Talkbiznow http://www.talkbiznow.com Business networking
Taltopia http://www.taltopia.com Online artistic community
Taringa! http://www.taringa.net General
TeachStreet http://www.teachstreet.com Education / Learning / Teaching - More than 400 subjects
TravBuddy.com http://www.travbuddy.com Travel
Travellerspoint http://www.travellerspoint.com Travel
tribe.net http://www.tribe.net General
Trombi.com http://www.trombi.com French subsidiary of Classmates.com
Tuenti http://www.tuenti.com Spanish-based university and High School social network. Very Popular in Spain
Tumblr http://www.tumblr.com General. Micro-blogging, RSS
Twitter http://twitter.com General. Micro-blogging, RSS, updates
twitpic http://twitpic.com  
Vkontakte http://vkontakte.ru Social Network for Russian-speaking world including former Soviet republics. Biggest site in Russia
Vampirefreaks.com http://www.vampirefreaks.com Gothic and industrial subculture
Viadeo http://www.viadeo.com Global Social Networking and Campus Networking available in English, French, German, Spanish, Italian and Portuguese
Virb http://www.virb.com Social network that focuses heavily on artists, including musicians and photographers
Vox http://www.vox.com Blogging
Wakoopa http://social.wakoopa.com For computer fans that want to discover new software and games
Wattpad http://www.wattpad.com For readers and authors to interact & e-book sharing
Wasabi http://www.wasabi.com General. UK-based.
WAYN http://www.wayn.com Travel and lifestyle
WebBiographies http://www.webbiographies.com Genealogy and biography
WeeWorld http://www.weeworld.com Teenagers - 10 to 17
WeOurFamily http://www.weourfamily.com General with emphasis on privacy and security
Wer-kennt-wen http://www.wer-kennt-wen.de General
weRead http://weread.com Books
Windows Live Spaces http://spaces.live.com Blogging (formerly MSN Spaces)
WiserEarth http://www.wiserearth.org Online community space for the social justice and environmental movement
Wordpress http://wordpress.org  
WorldFriends http://www.worldfriends.tv  
Xanga http://www.xanga.com Blogs and "metro" areas
XING http://www.xing.com Business (primarily Europe (Germany, Austria, Switzerland) and China)
Xt3 http://www.xt3.com Catholic social networking, created after World Youth Day 2008
Yammer http://www.yammer.com Social networking for office colleagues
Yelp, Inc. http://www.yelp.com Local Business Review and Talk
Yfrog http://yfrog.com  
Youmeo http://youmeo.com UK Social Network (focus on data portability)
Zoo.gr http://www.zoo.gr Greek Web Meeting point
Zooppa http://zooppa.com Online Community for Creative Talent (host of brand sponsored advertising contests)

Tone and Frequency

Identifying an employee's tone and frequency of postings can be a critical indicator of a disgruntled employee as well as of the corporate acceptance of social networking. While time consuming, it is possible to establish an employee's work schedule and vacation periods.

Location awareness

Most social networking sites offer the ability to include geolocation information in postings. This information can be useful in identifying exactly where the person was physically located when a posting was made. In addition, it is possible that geolocation information is included in images that are uploaded to social networking sites. The user may be savvy enough to turn this off; however, sometimes it is as simple as reading a post that indicates exactly where they are located.

Cree.py

Cree.py is a beta tool that automates the task of information gathering from Twitter as well as FourSquare. In addition, Cree.py can gather any geolocation data from flickr, twitpic.com, yfrog.com, img.ly, plixi.com, twitrpix.com, foleext.com, shozu.com, pickhur.com, moby.to, twitsnaps.com and twitgoo.com. Cree.py is an open source intelligence gathering application. To install Cree.py, you will need to add a repository to your /etc/apt/sources.list:

echo "deb http://people.dsv.su.se/~kakavas/creepy/ binary/" >> /etc/apt/sources.list

Update package list

apt-get update

Install creepy

apt-get install creepy

Cree.py Interface

Cree.py is primarily targeting geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

Cree.py Interface

Internet Footprint

Internet Footprinting is where we attempt to gather externally available information about the target infrastructure that we can leverage in later phases.

Email addresses

Gathering email addresses, while seemingly useless, can provide us with valuable information about the target environment. It can reveal potential naming conventions as well as potential targets for later use. There are many tools that can be used to gather email addresses, Maltego for example.

Maltego

Paterva Maltego is used to automate the task of information gathering. Maltego is an open source intelligence and forensics application. Essentially, Maltego is a data mining and information-gathering tool that presents the information gathered in a format that is easily understood. The documentation of Maltego is relatively sparse so we are including the procedures necessary to obtain the data required.

Once you have started Maltego, the main interface should be visible. If you are missing any components, you can reset the interface to the default. Launch Maltego and familiarize yourself with the interface. The six main areas of the interface are the toolbar, the Palette, the graph (or view) area, the overview area, the detail area, and the property area.

Screenshot Here

The Palette contains all the transforms that are available (or activated) for use. As of this writing, there are approximately 72 transforms. A transform will perform the action against a given site. The graph area allows you to process the transforms as well as view the data in the mining view, the dynamic view, the edge weighted view or the entity list. The overview area provides a mini-map of the entities discovered based upon the transforms. The detail area is where it is possible to drill into the specifics of the entity. It is possible to view such things as the relationships, as well as details of how the information was generated. The property area allows you to see the specific properties of the transform populated with the results specific to the entity. To begin using Maltego we need to drag and drop a transform from the Palette to the Graph Area. By default, this will be populated with dummy data (usually related to Paterva). To edit the entity within the selected transform, edit the entries within the property view.

We first need to determine the Internet infrastructure such as Domains. To perform this we will drag and drop the Domain transform to the graph area. Edit the transform to reflect the appropriate domain name for the client. It is possible to collect nearly all the data that we will initially require by clicking on Run All Transforms.

Screenshot Here

The data from these entities will be used to obtain additional information. Within the graph area the results will be visible as illustrated below.

Screenshot Here

Selecting the entities and choosing to run additional transforms will expand the data collected. If a particular transform that you want to collect data from has not been used, simply drag it to the graph area and make the appropriate changes within the property view.

If you are unable to utilize Maltego, it is possible to utilize various tools to search websites for email addresses.

TheHarvester

TheHarvester is a tool, written by Christian Martorella, that can be used to gather e-mail accounts and subdomain names from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective.

root@pentest:/pentest/enumeration/theharvester# ./theHarvester.py

*************************************
*TheHarvester Ver. 1.6             *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************


Usage: theharvester options

       -d: domain to search or company name
       -b: data source (google,bing,pgp,linkedin)
       -s: start in result number X (default 0)
       -v: verify host name via dns resolution
       -l: limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp does'nt use this option)

Examples:./theharvester.py -d microsoft.com -l 500 -b google
         ./theharvester.py -d microsoft.com -b pgp
         ./theharvester.py -d microsoft -l 200 -b linkedin

TheHarvester will search the specified data source and return the results. This should be added to the OSINT document for use at a later stage.

root@pentest:/pentest/enumeration/theharvester# ./theHarvester.py -d client.com -b google -l 500

*************************************
*TheHarvester Ver. 1.6             *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
************************************* 

Searching for client.com in google : 

====================================== 


Limit: 500 
Searching results: 0 
Searching results: 100 
Searching results: 200 
Searching results: 300 
Searching results: 400 

Accounts found: 
==================== 
admin@client.com 
nick@client.com 
jane@client.com 
sarah@client.com 
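
The transcript above is a plain-text format worth parsing once rather than copying addresses by hand into the OSINT document. The following Python is added here as an example; it is not part of theHarvester or of this guide. It reads a transcript in the shape shown above into a de-duplicated record, separates addresses that fall outside the target domain (search-engine results routinely include them, and they must not end up in scope by accident), and tallies the local-part shapes that the Email addresses section mentions as a naming-convention indicator. The sample transcript is constructed from the run above with two extra lines (a mixed-case duplicate and an off-scope address) to exercise those checks.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed transcript in the shape of the theHarvester 1.6 run shown above, with two extra
# lines added on purpose: a mixed-case duplicate and an address outside the target domain.
SAMPLE_OUTPUT = """\
*************************************
*TheHarvester Ver. 1.6             *
*************************************

Searching for client.com in google :

======================================

Limit: 500
Searching results: 0
Searching results: 100

Accounts found:
====================
admin@client.com
nick@client.com
Jane@Client.com
jane@client.com
sarah@client.com
webmaster@otherdomain.example
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class HarvestRecord:
    domain: Optional[str] = None
    source: Optional[str] = None
    limit: Optional[int] = None
    accounts: Set[str] = field(default_factory=set)   # in scope, lower-cased, de-duplicated
    off_scope: Set[str] = field(default_factory=set)  # harvested but not under the target domain


def parse_harvester_output(text, target_domain=None):
    """Turn a theHarvester transcript into a HarvestRecord; scope defaults to the searched domain."""
    rec = HarvestRecord()
    in_accounts = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Searching for (\S+) in (\w+)\s*:", line)
        if m:
            rec.domain, rec.source = m.group(1).lower(), m.group(2).lower()
            continue
        m = re.match(r"Limit:\s*(\d+)", line)
        if m:
            rec.limit = int(m.group(1))
            continue
        if line.startswith("Accounts found"):
            in_accounts = True
            continue
        if not in_accounts:
            continue
        if line.startswith("="):          # the ==== underline beneath the header
            continue
        if not line:                      # a blank line closes the section
            in_accounts = False
            continue
        if not EMAIL_RE.match(line):      # anything else in the section is noise, not an address
            continue
        addr = line.lower()
        scope = (target_domain or rec.domain or "").lower()
        addr_domain = addr.rsplit("@", 1)[1]
        if not scope or addr_domain == scope or addr_domain.endswith("." + scope):
            rec.accounts.add(addr)
        else:
            rec.off_scope.add(addr)
    return rec


def naming_convention(rec):
    """Tally local-part shapes; a single dominant shape means the address scheme is predictable."""
    shapes = {}
    for addr in rec.accounts:
        local = addr.split("@", 1)[0]
        if "." in local:
            shape = "first.last"
        elif "_" in local or "-" in local:
            shape = "first_last"
        elif local.isalpha():
            shape = "single-word"
        else:
            shape = "other"
        shapes[shape] = shapes.get(shape, 0) + 1
    return shapes


def osint_lines(rec):
    """Tab-separated rows (domain, source, address) ready to append to the OSINT document."""
    return [f"{rec.domain}\t{rec.source}\t{addr}" for addr in sorted(rec.accounts)]
```

Passing target_domain explicitly is the safer habit: the domain printed in the transcript is whatever was typed on the command line, and a typo there would otherwise silently redefine scope.
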

NetGlub

NetGlub is an open source tool that is very similar to Maltego. NetGlub is a data mining and information-gathering tool that presents the information gathered in a format that is easily understood. The documentation of NetGlub is nonexistent at the moment so we are including the procedures necessary to obtain the data required.

Installing NetGlub is not a trivial task, but one that can be accomplished by running the following:

apt-get install build-essential mysql-server libmysqlclient-dev zlib1g-dev libperl-dev libnet-ip-perl libopenssl-ruby ruby-dev ruby omt php5-cli nmap libnet-dns-perl libnet-ip-perl python-dev
wget http://pypi.python.org/packages/source/s/simplejson/simplejson-2.1.5.tar.gz
tar -xzvf simplejson-2.1.5.tar.gz
cd simplejson-2.1.5
python2.7 setup.py build
python2.7 setup.py install 
cd ..
wget http://sourceforge.net/projects/pyxml/files/pyxml/0.8.4/PyXML-0.8.4.tar.gz
tar -xvzf PyXML-0.8.4.tar.gz
cd PyXML-0.8.4
wget http://launchpadlibrarian.net/31786748/0001-Patch-for-Python-2.6.patch
patch -p1 < 0001-Patch-for-Python-2.6.patch
python setup.py install 
cd /pentest/enumeration

At this point we're going to use a GUI installation of the QT-SDK. The main thing to point out here is that the installation path needs to be changed during the installation to reflect /opt/qtsdk. If you use a different path, then you will need to update the paths in the script below to reflect that difference.

Note that during the QT-SDK installation we are reminded of external dependencies, so make sure to run "apt-get install libglib2.0-dev libSM-dev libxrender-dev libfontconfig1-dev libxext-dev".

wget http://blog.hynesim.org/ressources/install/qt-sdk-linux-x86-opensource-2010.03.bin
chmod +x qt-sdk-linux-x86-opensource-2010.03.bin
./qt-sdk-linux-x86-opensource-2010.03.bin
wget http://www.graphviz.org/pub/graphviz/stable/SOURCES/graphviz-2.26.3.tar.gz
tar -xzvf graphviz-2.26.3.tar.gz
cd graphviz-2.26.3
./configure
make
make install
cd /pentest/enumeration 
wget http://redmine.lab.diateam.net/attachments/download/1/netglub-1.0.tar.gz
tar -xzvf netglub-1.0.tar.gz 
mv netglub-1.0 netglub
cd /pentest/enumeration/netglub/qng/
/opt/qtsdk/qt/bin/qmake
make

Now we need to start MySQL and create the netglub database:

start mysql 
mysql -u root -ptoor

create database netglub;
use netglub;
create user "netglub"@"localhost";
set password for "netglub"@"localhost" = password("netglub");
GRANT ALL ON netglub.* TO "netglub"@"localhost";
quit

mysql -u root -ptoor netglub < /pentest/enumeration/netglub/master/tools/sql/netglub.sql  

cd /opt/qtsdk/qt/src/plugins/sqldrivers/mysql/
/opt/qtsdk/qt/bin/qmake INCLUDEPATH+=/usr/include/mysql/
make
cp /opt/qtsdk/qt/src/plugins/sqldrivers/mysql/libqsqlmysql.so /opt/qtsdk/qt/plugins/sqldrivers/.
cd /pentest/enumeration/netglub/master
/opt/qtsdk/qt/bin/qmake
make
cd tools/
./install.sh
cd /pentest/enumeration/netglub/slave
/opt/qtsdk/qt/bin/qmake
make
cd tools/
./install.sh
wget http://sourceforge.net/projects/xmlrpc-c/files/Xmlrpc-c%20Super%20Stable/1.16.34/xmlrpc-c-1.16.34.tgz/download
tar -zxvf xmlrpc-c-1.16.34.tgz
cd xmlrpc-c-1.16.34
./configure
make 
make install


Once you have installed NetGlub, you'll probably be interested in running it. This is really a four step process. First, ensure that MySQL is running:

start mysql

Start the NetGlub Master:

/pentest/enumeration/netglub/master/master

Start the NetGlub Slave:

/pentest/enumeration/netglub/slave/slave

Start the NetGlub GUI:

/pentest/enumeration/netglub/qng/bin/unix-debug/netglub

Now the main interface should be visible. If you are familiar with Maltego, then you will feel right at home with the interface. The six main areas of the interface are the toolbar, the Palette, the graph (or view) area, the overview area, the details area, and the property area.

Screenshot Here

The Palette contains a complete list of all the transforms that are available (or activated) for use. As of this writing, there are approximately 33 transforms. A transform is a script that will actually perform the action against a given site.

Screenshot Here

The graph area allows you to process the transforms as well as view the data in the mining view, the dynamic view, the edge weighted view or the entity list. The overview area provides a mini-map of the entities discovered based upon the transforms. The detail area is where it is possible to drill into the specifics of the entity. It is possible to view such things as the relationships, as well as details of how the information was generated. The property area allows you to see the specific properties of the transform populated with the results specific to the entity. To begin using NetGlub we need to drag and drop a transform from the Palette to the Graph Area. By default, this will be populated with dummy data. To edit the entity within the selected transform, edit the entries within the property view.

We first need to determine the Internet infrastructure such as Domains. To perform this we will drag and drop the Domain transform to the graph area. Edit the transform to reflect the appropriate domain name for the client. It is possible to collect nearly all the data that we will initially require by clicking on Run All Transforms.


The data from these entities will be used to obtain additional information. Within the graph area the results will be visible as illustrated below.

Screenshot Here

Selecting the entities and choosing to run additional transforms will expand the data collected. If a particular transform that you want to collect data from has not been used, simply drag it to the graph area and make the appropriate changes within the property view.

There is some information that you will need to enter to ensure that NetGlub functions properly. For example, you will need to enter the DNS servers to query. In addition, you will be asked to provide your Alchemy and Open Calais API keys.

For Alchemy, you will need to go to http://www.alchemyapi.com/api/register.html to receive your own API key. For Open calais, you will need to go to http://www.opencalais.com/APIkey to receive your own API key.

Usernames/Handles

Identifying usernames and handles that are associated with a particular email is useful as this might provide several key pieces of information. For instance, it could provide a significant clue for usernames and passwords. In addition, it can also indicate a particular individual's interests outside of work. A good place to locate this type of information is within discussion groups (newsgroups, mailing lists, forums, chat rooms, etc.).

Social Networks

  • Check Usernames - Useful for checking the existence of a given username across 160 Social Networks.
Newsgroups
Mailing Lists
Chat Rooms
Forums Search

Personal Domain Names

The ability to locate personal domains that belong to target employees can yield additional information such as potential usernames and passwords. In addition, it can also indicate a particular individual's interest outside of work.

Personal Activities

It is not uncommon for individuals to create and publish audio files and videos. While these may seem insignificant, they can yield additional information about a particular individual's interests outside of work.

Audio
Video

Archived Information

There are times when we will be unable to access web site information because the content is no longer available from the original source. Being able to access archived copies of this information allows access to past information. There are several ways to access this archived information. The primary means is Google's cached results. As part of an NVA, it is not uncommon to perform Google searches using specially targeted search strings:

cache:<site.com>

Note: Replace <site.com> with the name of the domain that you wish to perform the search on.

An additional resource for archived information is the Wayback Machine (http://www.archive.org).

Screenshot Here

Electronic Data

Collection of electronic data in direct response to reconnaissance and intelligence gathering should be focused on the target business or individual.

Document leakage

Publicly available documents should be gathered for essential data (date, time, location specific information, language, and author). Data collected could provide insight into the current environment, operational procedures, employee training, and human resources.

Metadata leakage

Identifying metadata is possible using specialized search engines. The goal is to identify data that is relevant to the target corporation. It may be possible to identify locations, hardware, software and other relevant data from social networking posts. Some search engines that provide the ability to search for metadata are as follows:

In addition to search engines, several tools exist to collect files and gather information from various documents.

FOCA (Windows)

FOCA is a tool that reads metadata from a wide range of document and media formats. FOCA pulls the relevant usernames, paths, software versions, printer details, and email addresses. This can all be performed without the need to individually download files.

Foundstone SiteDigger (Windows)

Foundstone has a tool, named SiteDigger, which allows us to search a domain using specially crafted search strings from both the Google Hacking Database (GHDB) and the Foundstone Database (FSDB). This allows for slightly over 1640 potential queries to discover additional information.

Screenshot Here

The specific queries scanned as well as the results of the queries are shown. To access the results of a query, simply double-click on the link provided to open in a browser.

Metagoofil (Linux/Windows)

Metagoofil is a Linux based information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .odp, .ods) available on the client's websites.

Metagoofil generates an html results page with the results of the metadata extracted, plus a list of potential usernames that could prove useful for brute force attacks. It also extracts paths and MAC address information from the metadata.
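
The properties FOCA and Metagoofil report come straight out of the document container: a .docx is a zip archive whose docProps/core.xml and docProps/app.xml parts hold the author, last editor, template path, company and application version. The Python below is added here as an example (it is not code from this guide or from either tool) covering the Metadata leakage, FOCA and Metagoofil passages above: it builds a constructed sample document, extracts those properties with the standard library only, classifies what they give away (the user names, local path and software version Metagoofil reports), and blanks the identifying fields as the pre-publication fix. The user name, path and company in the sample are invented.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample document parts; the user name, path and company are made up.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>Jane Smith</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2011-07-01T09:15:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2011-08-02T17:40:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Template>C:\Users\jsmith\AppData\Roaming\Microsoft\Templates\Normal.dotm</Template>
<Application>Microsoft Office Word</Application><Company>Client Corp</Company>
<AppVersion>14.0000</AppVersion></Properties>"""
DOC_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>"""


def build_sample_docx():
    """A minimal .docx (a zip of XML parts) carrying the constructed metadata above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOC_XML)
    return buf.getvalue()


CORE_FIELDS = (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("created", "dcterms:created"), ("modified", "dcterms:modified"))
APP_FIELDS = (("template", "ep:Template"), ("application", "ep:Application"),
              ("company", "ep:Company"), ("app_version", "ep:AppVersion"))


def extract_office_metadata(docx_bytes):
    """Read the core and extended properties of an OOXML document into a flat dict."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    meta[key] = el.text.strip()
    return meta


# Windows profile paths such as C:\Users\<name>\... embed the local account name.
WIN_PROFILE = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)


def leak_findings(meta):
    """Classify what the metadata gives away: usernames, local paths, software, organisation."""
    findings = []

    def add(kind, value):
        if value and (kind, value) not in findings:
            findings.append((kind, value))

    add("username", meta.get("creator"))
    add("username", meta.get("last_modified_by"))
    template = meta.get("template", "")
    if "\\" in template or "/" in template:
        add("path", template)
        m = WIN_PROFILE.search(template)
        if m:
            add("username", m.group(1))
    if meta.get("application"):
        add("software", (meta["application"] + " " + meta.get("app_version", "")).strip())
    add("organisation", meta.get("company"))
    return findings


SCRUB_TAGS = {"creator", "lastModifiedBy", "Template", "Company"}


def scrub_docx(docx_bytes):
    """Copy of the document with identifying properties blanked; timestamps and content are untouched."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for el in root.iter():
                    if el.tag.rsplit("}", 1)[-1] in SCRUB_TAGS:
                        el.text = None
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            out.writestr(item.filename, data)
    return out_buf.getvalue()
```

The same two parts exist in .xlsx and .pptx files, so extract_office_metadata works unchanged on those; the older binary .doc/.xls/.ppt formats and PDF keep their properties elsewhere and need a different reader. Running leak_findings over everything on a public web server, and scrubbing whatever it flags, is the defensive counterpart of the Metagoofil run.
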

Metagoofil has a few options available, but most are related to what specifically you want to target as well the number of results desired.

Screenshot Here

The command to run metagoofil is as follows:

metagoofil.py -d <client domain> -l 100 -f all -o <client domain>.html -t micro-files

Exif Reader (Windows)

Exif Reader is image file analysis software for Windows. It analyzes and displays the shutter speed, flash condition, focal length, and other image information included in the Exif image format which is supported by almost all the latest digital cameras. Exif image files with an extension of JPG can be treated in the same manner as conventional JPEG files. This software analyzes JPEG files created by digital cameras and can be downloaded from http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english.

ExifTool (Windows/ OS X)

ExifTool is a Windows and OS X tool for reading meta information. ExifTool supports a wide range of file formats. ExifTool can be downloaded from http://www.sno.phy.queensu.ca/~phil/exiftool.
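
The Location awareness section above notes that uploaded images can carry geolocation data, and Exif Reader and ExifTool are the usual way to read it. The following Python is added here as an example, not code from this guide or from either tool, and uses only the standard library: it walks the JPEG marker segments, locates the Exif APP1 segment, reads the GPS IFD into decimal degrees, and as the corresponding fix strips the Exif segment while leaving every other segment intact. The sample image is constructed in code (a tiny Exif block plus placeholder scan data, not a real photograph) and the coordinates in it are made up.

```python
import struct

# Tag numbers from the Exif specification
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _rational3(deg, minutes, seconds):
    """Three Exif RATIONALs (numerator, denominator) for degrees, minutes, seconds."""
    return struct.pack("<IIIIII", deg, 1, minutes, 1, int(seconds * 100), 100)


def build_sample_jpeg(lat=(59, 19, 46.0, "N"), lon=(18, 4, 7.0, "E")):
    """Construct a minimal JPEG with an Exif APP1 segment carrying a GPS IFD (sample data, not a real photo)."""
    tiff = bytearray(b"II" + struct.pack("<HI", 42, 8))            # little-endian TIFF header, IFD0 at offset 8
    gps_ifd = 8 + 2 + 12 + 4                                        # IFD0 holds a single 12-byte entry
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd)    # type 4 = LONG, value is the GPS IFD offset
    tiff += struct.pack("<I", 0)                                    # no next IFD
    data = gps_ifd + 2 + 4 * 12 + 4                                 # RATIONAL values are stored after the GPS IFD
    lat_dms, lon_dms = _rational3(*lat[:3]), _rational3(*lon[:3])
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, lat[3].encode() + b"\0\0\0")  # ASCII "N\0" fits inline
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, data)                            # type 5 = RATIONAL, offset
    tiff += struct.pack("<HHI4s", GPS_LON_REF, 2, 2, lon[3].encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, data + len(lat_dms))
    tiff += struct.pack("<I", 0)
    tiff += lat_dms + lon_dms
    payload = b"Exif\0\0" + bytes(tiff)
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"comment"        # an unrelated segment that must survive
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"scan..."            # stand-in for the entropy-coded image data
    return b"\xff\xd8" + app1 + com + sos + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                 # start of scan: entropy-coded data follows, stop walking
            return
        pos += 2 + length


def _ifd(tiff, endian, offset):
    """Read one IFD into {tag: (type, count, 4 raw value/offset bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, bytes(tiff[e + 8:e + 12]))
    return entries


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if the image has none."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        endian = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]
        magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF header")
        entries = _ifd(tiff, endian, ifd0)
        if GPS_IFD_POINTER not in entries:
            return None
        gps = _ifd(tiff, endian, struct.unpack(endian + "I", entries[GPS_IFD_POINTER][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None

        def dms(tag):
            off = struct.unpack(endian + "I", gps[tag][2])[0]
            v = struct.unpack(endian + "IIIIII", tiff[off:off + 24])
            return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

        lat = dms(GPS_LAT) * (-1 if gps[GPS_LAT_REF][2].startswith(b"S") else 1)
        lon = dms(GPS_LON) * (-1 if gps[GPS_LON_REF][2].startswith(b"W") else 1)
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with the Exif APP1 segment removed; other segments and the scan are kept byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if marker == 0xDA:
            return bytes(out + jpeg[start:])     # SOS and everything after it, unchanged
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            continue                             # drop the metadata segment
        out += jpeg[start:end]
    return bytes(out)
```

Running extract_gps over images before they are published is a cheap pre-upload check, and strip_exif is the remediation when it returns a position. The walker only handles the Exif APP1 segment; location data can also sit in an XMP segment or in other image formats, which a full tool such as ExifTool covers and this example does not.
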

Image Search

While not directly related to metadata, Tineye (http://www.tineye.com/) is also useful. If a profile is found that includes a picture but not a real name, Tineye can sometimes be used to find other profiles on the Internet that may have more information about a person (including personals sites).

Covert gathering

On-location gathering

On-Site visits also allow assessment personnel to observe and gather information about the physical, environmental, and operational security of the target.

Adjacent Facilities

Once the physical locations have been identified, it is useful to identify the adjacent facilities. Adjacent facilities should be documented and if possible, include any observed shared facilities or services.

Physical security inspections

Covert Physical security inspections are used to ascertain the security posture of the target. These are conducted covertly, clandestinely and without any party knowing they are being inspected. Observation is the key component of this activity. Physical security measures that should be observed include physical security equipment, procedures, or devices used to protect from possible threats. A physical security inspection should include, but is not limited to the following:

Security guards

Observing security guards (or security officer) is often the first step in assessing the most visible deterrence. Security guards are uniformed and act to protect property by maintaining a high visibility presence to deter illegal and inappropriate actions. By observing security guard movements directly it is possible to determine procedures in use or establish movement patterns. You will need to observe what the security guards are protecting. It is possible to utilize binoculars to observe any movement from a safe distance.

Some security guards are trained and licensed to carry firearms for their own safety and for personnel they are entrusted to protect. The use of firearms by security guards should not be a surprise, if noted. This should be documented prior to beginning the engagement. If firearms are observed, ensure that precaution is taken not to take any further action unless specifically authorized and trained to do so.

Badge Usage

Badge usage refers to a physical security method that involves the use of identification badges as a form of access control. Badging systems may be tied to a physical access control system or simply used as a visual validation mechanism. Observing individual badge usage is important to document. By observing badge usage, it may be possible to actually duplicate the specific badge being utilized. The specific items that should be noted are whether the badge is required to be visible or shown to gain physical access to the property or facility. Badge usage should be documented and, if possible, include observed validation procedures.

Locking devices

A locking device is a mechanical or electronic mechanism often implemented to prevent unauthorized ingress or egress. These can be as simple as a door lock or dead-bolt, or as complex as a cipher lock. By observing the type and placement of the locking devices on doors it is possible to determine if the door is primarily used for ingress or egress. You will need to observe what the locking devices are protecting. All observations should be documented and, if possible, photographs taken.

Intrusion detection systems (IDS)/Alarms

Security lighting

Security lighting is often used as a preventative and corrective measure on a physical piece of property. Security lighting may aid in the detection of intruders, act as deterrence to intruders, or in some cases simply to increase the feeling of safety. Security lighting is often an integral component to the environmental design of a facility. Security lighting includes floodlights and low pressure sodium vapor lights. Most Security lighting that is intended to be left on all night is of the high-intensity discharge lamp variety. Other lights may be activated by sensors such as passive infrared sensors (PIRs), turning on only when a person (or other mammal) approaches. PIR activated lamps will usually be incandescent bulbs so that they can activate instantly; energy saving is less important since they will not be on all the time. PIR sensor activation can increase both the deterrent effect (since the intruder knows that he has been detected) and the detection effect (since a person will be attracted to the sudden increase in light). Some PIR units can be set up to sound a chime as well as turn on the light. Most modern units have a photocell so that they only turn on when it is dark.

While adequate lighting around a physical structure is deployed to reduce the risk of an intrusion, it is critical that the lighting be implemented properly as poorly arranged lighting can actually obstruct viewing the facility they're designed to protect.

Security lighting may be subject to vandalism, possibly to reduce its effectiveness for a subsequent intrusion attempt. Thus security lights should either be mounted very high, or else protected by wire mesh or tough polycarbonate shields. Other lamps may be completely recessed from view and access, with the light directed out through a light pipe, or reflected from a polished aluminum or stainless steel mirror. For similar reasons high security installations may provide a stand-by power supply for their security lighting. Observe and document the type, number, and locations of security lighting in use.

Surveillance /CCTV systems

Surveillance/CCTV systems may be used to observe activities in and around a facility from a centralized area. Surveillance/CCTV systems may operate continuously or only when activated as required to monitor a particular event. More advanced Surveillance/CCTV systems utilize motion-detection devices to activate the system. IP-based Surveillance/CCTV cameras may be implemented for a more decentralized operation.

Surveillance/CCTV cameras can be of a conspicuous nature, used as a visible deterrent, as well as of an inconspicuous nature. Surveillance/CCTV cameras are generally small high definition color cameras that can not only focus to resolve minute detail, but, by linking the control of the cameras to a computer, can track objects semi-automatically. Observing and documenting the Surveillance/CCTV system is critical for identifying the areas of coverage. While it might not be possible to determine the specific camera type being utilized or even the area of coverage, it is possible to identify areas with limited or no coverage. It should be noted if the Surveillance/CCTV system is physically protected. If not, then it needs to be documented whether the Surveillance/CCTV camera is vulnerable to someone deliberately destroying it. Additionally, a physically unprotected camera may be subject to blurring or blocking of the image by spraying substances on or obstructing the lens. Lasers can be used to blind or damage Surveillance/CCTV cameras. For wireless Surveillance/CCTV systems, broadcasting a signal at the same frequency as the wireless equipment could make it subject to jamming.

Access control devices

Access control devices enable access control to areas and/or resources in a given facility. Access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Access control can be achieved by a human (a security guard, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the Access control vestibule.

Access control historically was accomplished through keys and locks. Electronic access control is now widely implemented to replace mechanical keys. Access control readers are generally classified as Basic, Semi-intelligent, and Intelligent. A basic access control reader simply reads a card number or PIN and forwards it to a control panel. The most popular types of basic access control readers are the RF Tiny by RFLOGICS, ProxPoint by HID, and P300 by Farpointe Data. Semi-intelligent readers have the inputs and outputs necessary to control door hardware (lock, door contact, exit button), but do not make any access decisions. Common Semi-intelligent readers are the InfoProx Lite IPL200 by CEM Systems and AP-510 by Apollo. Intelligent readers have all the inputs and outputs necessary to control door hardware while also having the memory and processing power necessary to make access decisions independently. Common Intelligent readers are the InfoProx IPO200 by CEM Systems, AP-500 by Apollo, PowerNet IP Reader by Isonas Security Systems, ID08 by Solus (which has a built-in web service to make it user friendly), Edge ER40 reader by HID Global, LogLock and UNiLOCK by ASPiSYS Ltd, and BioEntry Plus reader by Suprema Inc.

Some readers may have additional features such as an LCD and function buttons for data collection purposes (i.e. clock-in/clock-out events for attendance reports), camera/speaker/microphone for intercom, and smart card read/write support. Observe and document the type, number, and locations of access control devices in use.

Environmental Design

Environmental design involves the surrounding environment of a building or facility. In the scope of physical security, environmental design includes the facility's geography, landscape, architecture, and exterior design.

Observing the facilities and surrounding areas can highlight potential areas of concern, such as areas obscured by geography and landscaping. Architecture and exterior design can impact the ability of security guards to protect property by creating areas of low or no visibility. In addition, the placement of fences, storage containers, security guard shacks, barricades and maintenance areas could also prove useful in the ability to move around a facility in a covert manner.

Employee Behavior

Observing employees is often one of the easier steps to perform. Employee actions generally provide insight into corporate behaviors or acceptable norms. By observing employees, it is possible to determine procedures in use or establish ingress and egress traffic patterns. It is possible to utilize binoculars to observe any movement from a safe distance.

Dumpster diving

Traditionally, most targets dispose of their trash in either garbage cans or dumpsters. These may or may not be separated based upon the recyclability of the material. Dumpster diving is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners but which may be useful. This is often an extremely dirty process that can yield significant results. Dumpsters are usually located on private premises and therefore may expose the assessment team to potential trespassing on property not owned by the target. Though the law is enforced with varying degrees of rigor, ensure that this is authorized as part of the engagement. Dumpster diving per se is often legal when not specifically prohibited by law. Rather than take the refuse from the area, it is commonly accepted to simply photograph the obtained material and then return it to the original dumpster.

RF / Wireless Frequency scanning

A band is a section of the spectrum of radio communication frequencies, in which channels are usually used or set aside for the same purpose. To prevent interference and allow for efficient use of the radio spectrum, similar services are allocated in bands of non-overlapping ranges of frequencies.

As a matter of convention, bands are divided at wavelengths of 10^n meters, or frequencies of 3×10^n hertz. For example, 30 MHz or 10 m divides shortwave (lower and longer) from VHF (shorter and higher). These are the parts of the radio spectrum, and not its frequency allocation.

Each of these bands has a basic band plan which dictates how it is to be used and shared, to avoid interference, and to set protocol for the compatibility of transmitters and receivers. Within the US, band plans are allocated and controlled by the Federal Communications Commission (FCC). The chart below illustrates the current band plans.

Screenshot Here

To avoid confusion, there are two bands on which we could focus our efforts. The band plans that would be of interest to an attacker are indicated in the following chart.

Band name             Abbr  ITU band  Frequency and wavelength in air  Example uses
Very high frequency   VHF   8         30-300 MHz (10 m - 1 m)          FM, television broadcasts and line-of-sight ground-to-aircraft and aircraft-to-aircraft communications. Land Mobile and Maritime Mobile communications, amateur radio, weather radio
Ultra high frequency  UHF   9         300-3000 MHz (1 m - 100 mm)      Television broadcasts, microwave ovens, mobile phones, wireless LAN, Bluetooth, ZigBee, GPS and two-way radios such as Land Mobile, FRS and GMRS radios, amateur radio

A Radio Frequency (RF) site survey or wireless survey, sometimes called a wireless site survey, is the process of determining the frequencies in use within a given environment. When conducting an RF site survey, it is very important to identify an effective range boundary, which involves determining the SNR at various points around a facility.

To expedite the process, all frequencies in use should be determined prior to arrival. Particular attention should be paid to security guards, and frequencies that the target is licensed to use. Several resources exist to assist in acquiring this information:

Radio Reference http://www.radioreference.com/apps/db/ - Free part of the site containing a wealth of information
National Radio Data http://www.nationalradiodata.com/ - FCC database search / $29 year
Percon Corp http://www.perconcorp.com - FCC database search / Paid site - custom rates

Screenshot Here

At a minimum a search engine (Google, Bing, and Yahoo!) should be utilized to conduct the following searches:

  • "Target Company" scanner
  • "Target Company" frequency
  • "Target Company" guard frequency
  • "Target Company" MHz
  • Press releases from radio manufacturers and resellers regarding the target
  • Press releases from guard outsourcing companies talking about contracts with the target company

Frequency Usage

A frequency counter is an electronic instrument that is used for measuring the number of oscillations or pulses per second in a repetitive electronic signal. Using a Frequency counter or spectrum analyzer it is possible to identify the transmitting frequencies in use around the target facility. Common frequencies include the following:

VHF 150 - 174 MHz
UHF 420 - 425 MHz
UHF 450 - 470 MHz
UHF 851 - 866 MHz
VHF 43.7- 50 MHz
UHF 902 - 928 MHz
UHF 2400 - 2483.5 MHz
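As an added example (not part of the PTES guideline), the following Python applies the 10^n m / 3×10^n Hz convention from the band discussion above to classify any frequency into its ITU band, and re-checks the VHF/UHF labels of the common frequencies listed just above. It assumes the vacuum value of c for the wavelength figures.

```python
"""ITU band classification using the 10^n m / 3x10^n Hz convention.

Added example, not part of the PTES guideline. It re-checks the guideline's
'Common frequencies' list against the convention; c is the vacuum value,
which is close enough to air for this purpose (an assumption).
"""
C = 299_792_458  # speed of light in m/s

# ITU band number -> name; band n spans 0.3 x 10^n Hz up to 3 x 10^n Hz
ITU_BANDS = {4: "VLF", 5: "LF", 6: "MF", 7: "HF",
             8: "VHF", 9: "UHF", 10: "SHF", 11: "EHF"}


def itu_band(freq_hz, upper=False):
    """Return (band number, name) for a frequency, or None if outside the table.

    A boundary such as 30 MHz belongs to the higher band (30 MHz is VHF, as the
    guideline says it 'divides shortwave from VHF'); pass upper=True for the
    top end of a range so that e.g. 300 MHz still counts as VHF.
    """
    for n, name in ITU_BANDS.items():
        low, high = 3 * 10 ** (n - 1), 3 * 10 ** n
        inside = low < freq_hz <= high if upper else low <= freq_hz < high
        if inside:
            return n, name
    return None


def wavelength_m(freq_hz):
    """Free-space wavelength in metres for a frequency in Hz."""
    return C / freq_hz


def classify_ranges(ranges):
    """Map (label, low_mhz, high_mhz) to (label, ITU name, lambda_max, lambda_min).

    Raises ValueError if a range straddles two bands, since one label would
    then be wrong for part of it.
    """
    result = []
    for label, low_mhz, high_mhz in ranges:
        lo = itu_band(low_mhz * 1e6)
        hi = itu_band(high_mhz * 1e6, upper=True)
        if lo is None or lo != hi:
            raise ValueError(f"{label} {low_mhz}-{high_mhz} MHz straddles ITU bands")
        result.append((label, lo[1], wavelength_m(low_mhz * 1e6), wavelength_m(high_mhz * 1e6)))
    return result


# The guideline's 'Common frequencies' list, as (label, low MHz, high MHz)
PAGE_COMMON_FREQS = [
    ("VHF", 150, 174), ("UHF", 420, 425), ("UHF", 450, 470), ("UHF", 851, 866),
    ("VHF", 43.7, 50), ("UHF", 902, 928), ("UHF", 2400, 2483.5),
]


def page_labels_consistent():
    """True when every label in the list agrees with the computed ITU band."""
    return all(label == band for label, band, _, _ in classify_ranges(PAGE_COMMON_FREQS))


if __name__ == "__main__":
    for label, band, lam_max, lam_min in classify_ranges(PAGE_COMMON_FREQS):
        print(f"{label:>3} -> {band}  wavelength {lam_max:.3f} m .. {lam_min:.3f} m")
```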

A spectrum analyzer can be used to visually illustrate the frequencies in use. These usually target specific ranges and are generally more focused than a frequency counter. Below is an output from a spectrum analyzer that clearly illustrates the frequencies in use. The sweep range for this analyzer is 2399-2485 MHz.

Screenshot Here

All frequency ranges in use in and around the target should be documented.

Equipment Identification

As part of the on-site survey, all radios and antennas in use should be identified, including radio make and model as well as the length and type of antennas utilized. A few good resources are available to help you identify radio equipment:

HamRadio Outlet http://www.hamradio.com
A great source of information for amateur radios
BatLabs http://www.batlabs.com
A great source of information for Motorola two way systems

Identifying 802.11 equipment is usually much easier to accomplish, if not visually, then via RF emissions. For visual identification, most vendor websites can be searched to identify the specific make and model of the equipment in use.

3com http://www.3com.com
Apple http://www.apple.com
Aruba http://www.arubanetworks.com
Atheros http://www.atheros.com/
Belkin http://www.belkin.com
Bluesocket http://www.bluesocket.com/
Buffalo Technology http://www.buffalotech.com
Cisco http://www.cisco.com
Colubris http://www.colubris.com/
D-Link http://www.dlink.com
Engenius Tech http://www.engeniustech.com
Enterasys http://www.enterasys.com
Hewlett Packard http://www.hp.com
Juniper http://www.juniper.net
Marvell http://www.marvell.com
Motorola http://www.motorola.com
Netgear http://www.netgear.com
Ruckus Wireless http://www.ruckuswireless.com/
SMC http://www.smc.com
Trapeze http://www.trapezenetworks.com/
TRENDnet http://www.trendnet.com
Versa Technology http://www.versatek.com

In a passive manner, it is possible to identify the manufacturer based upon data collected from RF emissions.

Wireless Local Area Network (WLAN) discovery consists of enumerating the type of WLAN that is currently deployed. This can be one of the following: Unencrypted WLAN, WEP encrypted WLAN, WPA / WPA2 encrypted WLAN, LEAP encrypted WLAN, or 802.1x WLAN. The tools required to enumerate this information are highlighted as follows.

Airmon-ng

Airmon-ng is used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. It is important to determine if our USB devices are properly detected. For this we can use lsusb to list the currently detected USB devices.

Screenshot Here


As the figure illustrates, our distribution has detected not only the Prolific PL2303 Serial Port, where we have our USB GPS connected, but also the Realtek RTL8187 Wireless Adapter. Now that we have determined that our distribution recognizes the installed devices, we need to determine whether the wireless adapter is already in monitor mode.

Entering the airmon-ng command without parameters will show the interfaces status.

Screenshot Here

To use one interface simply use airmon-ng to put your card in monitor mode by running:

airmon-ng start wlan0

Screenshot Here

If there's an existing mon0, destroy it prior to issuing the previous command:

airmon-ng stop mon0

Once again, entering the airmon-ng command without parameters will show the interfaces status.

Screenshot Here

Airodump-ng

Airodump-ng is part of the Aircrack-ng network software suite. Specifically, Airodump-ng is a packet sniffer that places air traffic into Packet Capture (PCAP) files or Initialization Vectors (IVS) files and shows information about wireless networks.

Airodump-ng is used for packet capture of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for later use with Aircrack-ng. If you have a GPS receiver connected to the computer, Airodump-ng is capable of logging the coordinates of the found APs. Before running Airodump-ng, start the Airmon-ng script to list the detected wireless interfaces.

Usage:

airodump-ng <options> <interface> [, <interface>...]

Options:

  --ivs                      : Save only captured IVs
  --gpsd                     : Use GPSd
  --write          <prefix>  : Dump file prefix
  -w                         : same as --write
  --beacons                  : Record all beacons in dump file
  --update         <secs>    : Display update delay in seconds
  --showack                  : Prints ack/cts/rts statistics
  -h                         : Hides known stations for --showack
  -f               <msecs>   : Time in ms between hopping channels
  --berlin         <secs>    : Time before removing the AP/client from the screen when no more packets are received (Default: 120 seconds)
  -r               <file>    : Read packets from that file
  -x               <msecs>   : Active Scanning Simulation
  --output-format  <formats> : Output format. Possible values: pcap, ivs, csv, gps, kismet, netxml. Short format "-o". The option can be specified multiple times; in this case, each file format specified will be output. Only ivs or pcap can be used, not both.

Airodump-ng will display a list of detected APs and a list of connected clients ("stations").

Screenshot Here

Screenshot Here

The first line shows the current channel, elapsed running time, current date and optionally if a WPA/WPA2 handshake was detected.
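Added example, not code from the PTES guideline or the Aircrack-ng project: a parser that reads an airodump-ng CSV dump (as written with -w and --output-format csv) and sorts each network into the WLAN types listed under WLAN discovery above (unencrypted, WEP, WPA/WPA2, 802.1x), so the documented inventory and the weak networks for the report come straight from the capture. It assumes the standard airodump-ng CSV column layout and uses a constructed sample dump.

```python
"""Classify WLANs from an airodump-ng CSV dump into the guideline's WLAN types.

Added example, not from the PTES guideline or the Aircrack-ng project. It
assumes the airodump-ng CSV column layout (BSSID, First time seen, Last time
seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV,
LAN IP, ID-length, ESSID, Key); the dump below is constructed, not captured.
"""

# Constructed sample in airodump-ng CSV layout; MACs use the documentation range.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:5E:00:53:01, 2011-08-04 18:00:01, 2011-08-04 18:10:00,  6,  54, WPA2, CCMP, PSK, -45,  120,    0,   0.  0.  0.  0,   7, corp-ap,
00:00:5E:00:53:02, 2011-08-04 18:00:03, 2011-08-04 18:10:00, 11,  54, WEP , WEP ,    , -60,   80,  512,   0.  0.  0.  0,   6, legacy,
00:00:5E:00:53:03, 2011-08-04 18:00:05, 2011-08-04 18:10:00,  1,  54, OPN ,     ,    , -70,   40,    0,   0.  0.  0.  0,   5, guest,
00:00:5E:00:53:04, 2011-08-04 18:00:07, 2011-08-04 18:10:00, 36,  54, WPA2, CCMP, MGT, -50,  100,    0,   0.  0.  0.  0,  10, corp-8021x,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:00:5E:00:53:AA, 2011-08-04 18:00:09, 2011-08-04 18:10:00, -55,   30, 00:00:5E:00:53:01,
"""

WEAK_TYPES = ("Unencrypted WLAN", "WEP encrypted WLAN")


def parse_access_points(text):
    """Yield one dict per AP row; stops at the 'Station MAC' section.

    airodump-ng does not quote fields, so an ESSID containing a comma would
    shift the columns; real dumps should be checked against ID-length.
    """
    header = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "BSSID":
            header = fields
        elif fields[0] == "Station MAC":
            break
        elif header is not None:
            yield dict(zip(header, fields))


def wlan_type(ap):
    """Map the Privacy/Authentication columns to the guideline's WLAN types."""
    privacy, auth = ap.get("Privacy", ""), ap.get("Authentication", "")
    if privacy in ("", "OPN"):
        return "Unencrypted WLAN"
    if "WEP" in privacy:
        return "WEP encrypted WLAN"
    if auth == "MGT":
        # 802.1X/EAP; the EAP method (LEAP, PEAP, ...) is not visible in the CSV
        return "802.1x WLAN"
    if "WPA" in privacy:  # covers WPA, WPA2 and mixed WPA2WPA beacons
        return "WPA / WPA2 encrypted WLAN"
    return "Unknown"


def inventory(text):
    """Return {ESSID: WLAN type} for every AP in the dump."""
    return {ap["ESSID"]: wlan_type(ap) for ap in parse_access_points(text)}


def weak_networks(text):
    """ESSIDs whose protection (open or WEP) should be written up as a finding."""
    return sorted(essid for essid, kind in inventory(text).items() if kind in WEAK_TYPES)
```

Run `inventory(open("capture-01.csv").read())` on a real dump to get the same mapping for the networks observed on site.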

Kismet-Newcore

Kismet-newcore is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

Kismet is composed of 3 parts:

  • Drones: Capture the wireless traffic to report it to the server; they have to be started manually.
  • Server: Central place that connects to the drones and accepts client connections. It can also capture wireless traffic.
  • Client: The GUI part that will connect to the server.

Kismet has to be configured to work properly. First, we need to determine if it is already in monitor mode by running:

airmon-ng

Screenshot Here

To use one interface simply use airmon-ng to put your card in monitor mode by running:

airmon-ng start wlan0

Screenshot Here

If there's an existing mon0, destroy it prior to issuing the previous command:

airmon-ng stop mon0

Kismet is able to use more than one interface like Airodump-ng. To use that feature, /etc/kismet/kismet.conf has to be edited manually as airmon-ng cannot configure more than one interface for kismet. For each adapter, add a source line into kismet.conf.

Note: By default kismet stores its capture files in the directory where it is started. These captures can be used with Aircrack-ng.

Typing "kismet" in a console and hitting "Enter" will start up Kismet.

Screenshot Here

As described earlier, Kismet consists of three components, and the initial screen informs us that we need to either start the Kismet server or choose to use a server that has been started elsewhere. For our purposes, we will click "Yes" to start the Kismet server locally.

Screenshot Here

Kismet presents us with the options to choose as part of the server startup process.

Screenshot Here

Unless we configured a source in /etc/kismet/kismet.conf, we will need to specify a source from which we want to capture packets.

Screenshot Here

As referenced earlier, we created a monitor sub-interface from our wireless interface. For our purposes, we will enter "mon0", though your interface may have a completely different name.

Screenshot Here


When the Kismet server and client are running properly, wireless networks should start to show up. We have highlighted a WEP enabled network. There are numerous sorting options that you can choose from. We will not cover all the functionality of Kismet at this point, but if you're not familiar with the interface you should play with it until you get comfortable.

inSSIDer

If you are used to using Netstumbler you may be disappointed to hear that it doesn't function properly with Windows Vista and 7 (64-bit). That being said, all is not lost as there is an alternative that is compatible with Windows XP, Vista and 7 (32 and 64-bit). It makes use of the native Wi-Fi API and is compatible with most GPS devices (NMEA v2.3 and higher). InSSIDer has some features that make it the tool of choice if you're using Windows. InSSIDer can track the strength of received signal in dBi over time, filter access points, and also export Wi-Fi and GPS data to a KML file to view in Google Earth.

Screenshot Here

External Footprinting

The External Footprinting phase of Intelligence Gathering involves collecting response results from a target based upon direct interaction from an external perspective. The goal is to gather as much information about the target as possible.

Identifying IP Ranges

For external footprinting, we first need to determine which one of the WHOIS servers contains the information we're after. Given that we should know the TLD for the target domain, we simply have to locate the Registrar that the target domain is registered with.

WHOIS information is based upon a tree hierarchy. ICANN (IANA) is the authoritative registry for all of the TLDs and is a great starting point for all manual WHOIS queries.

WHOIS lookup

Once the appropriate Registrar has been queried, we can obtain the Registrant information. There are numerous sites that offer WHOIS information; however, for accuracy in documentation, you need to use only the appropriate Registrar.

BGP looking glasses

It is possible to identify the Autonomous System Number (ASN) for networks that participate in Border Gateway Protocol (BGP). Since BGP route paths are advertised throughout the world we can find these by using a BGP4 and BGP6 looking glass.

Active Reconnaissance

Passive Reconnaissance

Active Footprinting

The active footprinting phase of Intelligence Gathering involves gathering response results from a target based upon direct interaction.

Zone Transfers

DNS zone transfer, also known as AXFR, is a type of DNS transaction. It is a mechanism designed to replicate the databases containing the DNS data a