Second step - Discovery
Discovery, a.k.a. active recon (reconnaissance), is the second step of a pentester's activities.
It involves gathering information about the target by probing their network or systems, in order to find exploitable vulnerabilities.
- Host discovery (OS, version...)
- Network discovery (architecture...)
- Systems, services and application discovery (FTP, APIs...)
- ...
Unlike passive discovery, you are directly interacting with the target, so you are likely to be detected, and maybe caught.
Common activities are:
- Find entry points
  - running services and open ports
  - web applications or APIs
  - wireless networks
  - physical devices
  - backdoors
  - ...
- Find versions, as there may be known vulnerabilities for them
- Find usernames, backups, exposed data
- Find the network architecture (firewall/IDS...)
- Find any social engineering indicators (contact employees...)
- Investigate whether a third party/supplier is vulnerable
Arsenal
- Spoof User-Agent
You can install an extension to make the target website believe that you are using another browser. Look for "User-Agent Switcher" extensions on Google. You can check the result on whatismybrowser.
- Use a proxy
You may use a proxy as an intermediary for your requests. If you do, the FoxyProxy browser extension lets you easily switch between no proxy and your proxy configurations.
- Devtools: bypass HTML/JS checks, hide/remove tags...
- Disable scripts
You may do that to bypass JavaScript checks. You can use plugins such as NoScript, or uBlock by clicking on the following icon.
- HTTP clients
We usually do not rely only on the web browser to recon/exploit websites, as browsers are unreliable for this. You can use Postman, curl, or tools such as Burp Suite...
Tools and methods
Network mapping
- ping: check whether a host responds to pings
- Packet tracing: map a network
- The TTL (time to live) of the replies can be used as a rough guess of the OS
Scanning and enumeration
- port scanning: discover running services
- banner grabbing: get a service banner
- brute force service credentials: try to force your way in
- The banner format may be used as a rough guess of the OS
Vulnerability scanners
Websites
- Website mapping: before investigating a website
- Website fingerprinting: understand your target
- Source code analysis: comments, hidden code...
- Account discovery: find accounts
- Forced browsing: find hidden pages/folders
- IDOR: find whether you can access someone else's content
- Logic flaws: find logic flaws
- Virtual hosts: find virtual hosts
- Subdomains: find subdomains
- Parameters: find hidden parameters
- JSON Web Tokens: find and exploit these
You should check for signs of well-known vulnerabilities.
Additional Notes
Remediation
- Display generic error messages, disable error messages, and do not give away much information (e.g. on invalid login, display the message 'credentials invalid' instead of 'username invalid' or 'password invalid').
- Test your endpoints with invalid values: 0, -1, characters, symbols... Test your pages with/without the expected parameters, especially in case a hacker tries to access pages in an unexpected order.
- Do not trust anything coming from the user, their browser, or even your database. In a nutshell, do not trust anyone.
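The first remediation point, as an added example (not code from the original notes): a login check that leaks which part of the credentials is wrong, next to a hardened version that returns the same generic message and does the same amount of hashing work whether or not the username exists. The user store, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash). Demo data only.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy record used when the username is unknown, so the server hashes anyway
# and the response time does not reveal which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder-not-a-real-password", _DUMMY_SALT)

GENERIC_ERROR = "credentials invalid"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """'Before' behaviour: distinct messages let a caller enumerate usernames."""
    if username not in USERS:
        return (False, "username invalid")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "password invalid")
    return (True, "ok")


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Same generic message and same work on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed
    ok = username in USERS and hmac.compare_digest(candidate, stored)
    return (True, "ok") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"), fn("alice", "correct horse"))
```

The detailed reason for the failure still belongs in server-side logs, where it helps detection, not in the response sent back to the client.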
OWASP Foundation
OWASP (The Open Source Foundation for Application Security Project) is a foundation that is very well-known for its resources to improve website security. Every few years, they release the Top 10 vulnerabilities.
- See OWASP Cheat Sheet Series (23.4k stars)
- See OWASP Web Security Testing Guide (5.4k stars, PDF)
Pentest Considerations
Automated scans can impact the network.
During an assignment, ensure you know which hosts can be automatically scanned (e.g., using Nessus) and which hosts should be excluded and manually tested.
When discovering something, it is important to question why we discovered it, e.g. why is this service present/enabled.
Depending on the kind of business, we may be able to guess their needs, and from that guess some services that should be present.
To-do
Stuff that I found, but have never read/used yet.
- sudo arp-scan -l -I eth0
- clFrex
- Find S3 buckets: awscli (https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html)
- S3 buckets (AWS), blobs (Azure), cloud storage (GCP): may be accessible without auth (grayhatwarfare)