First step - Investigation
Investigation, a.k.a. passive recon (reconnaissance), is the first step of the pentester's activities.
It involves gathering information about the target from afar, meaning with no direct interaction with the target.
The goal is to find as much information as possible.
You can also infer data: for instance, if a company has many customers, it probably has a support page or customer service.
Common activities:
- Learn more about the company (roles, services...), the technologies, programming languages and software they use...
- Find a potential attack vector
- Find information about their employees, their emails, their social accounts, their leaked passwords...
- ...
Tools and methods
- OSINT gathering: any publicly available information
- DNS analysis: DNS records, subdomains, IPs, emails...
- Google dorking: find anything indexed by Google
- Shodan: find exposed and potentially vulnerable IoT devices
- Maltego: find websites, domains, social media accounts...
- Data leaks: find leaked data (passwords...)
Websites
- Wayback Machine: see previous versions of the website
Internal Assessments
- Passive Network Discovery: map the internal network
Others
- TheHarvester (Automated OSINT+DNS checking)
To-do
Stuff that I found but never read or used yet.
- cloud-based services and platforms investigation
- Wireless network reconnaissance