The purpose of this article is to describe some tools and techniques in
performing the planning, scoping, and recon portion of a penetration test. In
covering these tools and techniques the reader will learn how to use them to
find vulnerabilities in their organization and help improve security posture.
Some other names for this first phase of penetration testing are: OSINT (Open
Source Intelligence), Footprinting, Discovery, and Cyberstalking.
During reconnaissance we'll gather information from public sources to learn
about the target and try to find what is important to the target: how they do
business, their technical infrastructure, architecture, products, and configuration
information. These actions may seem harmless at the time and may be
overlooked by security administrators as "network noise", but don't count on
it. A target with well-funded resources ... (more)
Shell access on a Unix-type server is access to send commands to a target as
a user of the system and get a response back (standard input to a shell and
standard output from that shell). This shell service is limited: some
commands will work and others will not. Windows shell access has a similarly
limited command structure, and this article will explore how to navigate it
and hopefully give some interesting tips as well.
A tool that can demonstrate this is netcat, as I will illustrate below using
netcat for shell access on a Windows target. On a Windows machine open up a
command prom... (more)
The Microsoft Remote Desktop Protocol (RDP) provides remote display and input
capabilities over network connections for Windows-based applications running
on a server. RDP is designed to support different types of network
topologies and multiple LAN protocols. Remote Desktop Services, formerly
known as Terminal Services on Windows 2000 Server, allow a server to host
multiple, simultaneous client sessions. Remote Desktop uses Remote Desktop
Services technology to allow a single session to run remotely. Thus a user
can connect to a Remote Desktop Session Host server by using Remot... (more)
To capture, parse, and analyze traffic, tcpdump is a very powerful tool. To
begin a basic capture, use the following syntax.
tcpdump -n -i <interface> -s <snaplen>
-n tells tcpdump not to resolve IP addresses to domain names or
port numbers to service names.
-i tells tcpdump which interface to use.
-s tells tcpdump how much of each packet to record (the snaplen). I used
1515, but 1514 is sufficient for most cases. If you don't specify a size
then it will only capture the first 68 bytes of each packet. A snaplen value
of 0 which will use the required length to ... (more)
Intrusion detection tools that use the libpcap C/C++ library for network
traffic capture (such as Snort and Tcpdump) can output packet capture
information to a file for later reference. The format of this capture file is
known as pcap. By capturing packet data to a file, an investigator can return
later to study the history of an intrusion attempt, or to turn up other
important clues about clandestine activity on the network.
Of course, the traffic history data stored in a pcap file is much too vast to
study by just viewing the file manually. Security experts use spe... (more)
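As an added example (not code from the original articles), the following parser reads the classic pcap format described above. It also ties back to the tcpdump -s discussion: the snaplen chosen at capture time is stored in the file's global header, and each record whose captured length is smaller than its original length was truncated by that snaplen, which is what an investigator checks before trusting the payload. The sample capture is constructed inline for the example.

```python
import struct

# pcap global header magic as written by a little-endian host; a big-endian
# writer stores the bytes reversed, so reading it "<I" yields 0xD4C3B2A1.
PCAP_MAGIC_LE = 0xA1B2C3D4


def build_sample_pcap(snaplen=1514):
    """Constructed sample: global header + two records (link type 1 = Ethernet).
    Record 2 has caplen 68 < origlen 1500, i.e. it was cut by a small snaplen."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    body1 = b"\x00" * 60
    rec1 = struct.pack("<IIII", 1700000000, 0, len(body1), len(body1)) + body1
    body2 = b"\x01" * 68
    rec2 = struct.pack("<IIII", 1700000001, 500, len(body2), 1500) + body2
    return header + rec1 + rec2


def parse_pcap(data):
    """Return (snaplen, link_type, records); each record is
    (timestamp, caplen, origlen, truncated) where truncated means caplen < origlen."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("record body runs past end of file")
        records.append((ts_sec + ts_usec / 1e6, caplen, origlen, caplen < origlen))
        off += caplen
    return snaplen, linktype, records
```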