Intelligence Gathering – Penetration Testing Execution Standard: Once a plan is in place and preparation has been completed, you can begin the information-gathering process.
This phase represents the start of the actual test, even though you will not yet be engaging the target directly. Even so, at this step you can obtain a wealth of information.
NOTE: In the EC-Council model this step is known as Footprinting. In either model, the process is intended to be methodical and careful.
A careless or haphazard process of collecting information in this step can waste time later when moving forward or, in a worst-case scenario, cause the outright failure of an attack.
The smart and careful tester will spend a good amount of time in this phase gathering and confirming information.
How do you gain information in PTES? There is an endless sea of resources available, and it is up to you to determine which are useful and which are not.
Look for ways to gain information that will help you build a picture of a target that will allow you to refine later attacks.
Information can come from anywhere, including search engines, financial disclosures, websites, job sites, and even social engineering.
Where PTES differs from the EC-Council model is that it includes three levels of information gathering, each more aggressive than the previous one:
- Level 1 is basic information gathering, which is essentially a cursory look with automated tools to see what you can find out from simple sources.
- Level 2 combines automated and manual tools to gain a much better understanding of the target. For example, at this level you try to understand how the business functions, along with other information such as physical details, including its locations.
- Level 3 is the most aggressive and complete level but also the most time and resource intensive. At this level, typically teams of penetration testers are involved to find out intimate details about the target.
NOTE: In some organizations teams of pentesters are assembled into what is known as a red team. These teams work together to simulate a much more sophisticated level of attack.
In some cases these red teams take on not just the goal of assessing security but also the mannerisms and goals of a hostile party, such as an unfriendly foreign government or terrorist cell.
Before you start gathering information, you need to do some groundwork for the process in order to make the phase more focused and effective:
- First, define what the target actually is. This should be straightforward if you have had thorough discussions with the client.
But this is another chance for you to make sure that you fully understand what you are supposed to be targeting and have the correct information.
- Second, consider any rules of engagement that may have been put in place by the client.
Ensure that you understand the limits of what the client wishes you to do and that your activities will stay within those limits.
- Third, define the time length for the test and what you can accomplish within that timeframe.
- Fourth, and this is extremely important, determine the goal of the test. Make sure you have a clear goal from the client, and that you are pursuing activities that will get you to that goal.
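The four groundwork items above (target, rules of engagement, time window, goal) are worth encoding before any tooling is pointed at the client, so that a typo or a stray hostname cannot put the tester outside the agreed limits. The following is an added example and not part of PTES or the original text; the in-scope networks (RFC 5737 and RFC 3849 documentation ranges), the reserved domain example.com, the excluded host and the engagement window are all constructed sample data standing in for what a real statement of work would specify.

```python
"""Scope and rules-of-engagement check run before collection starts.

Added example, not from PTES or the original page. All scope values below
are constructed sample data (documentation IP ranges and example.com).
"""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement, as they might be agreed with the client.
IN_SCOPE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]
IN_SCOPE_DOMAINS = {"example.com"}  # this domain and its subdomains
# A host inside a scoped network that the client has nevertheless excluded
# (for example a fragile production database).
EXCLUDED_HOSTS = {ipaddress.ip_address("203.0.113.5")}
WINDOW_START = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 8, 17, 0, tzinfo=timezone.utc)


def _as_datetime(when) -> datetime:
    """Accept a timezone-aware datetime or an ISO 8601 string with offset."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def in_scope(target: str) -> bool:
    """True if an IP address or hostname is inside scope and not excluded."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname. Match the exact domain or a
        # true subdomain; "example.com.attacker.net" must not pass.
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in IN_SCOPE_DOMAINS)
    if addr in EXCLUDED_HOSTS:
        return False
    # ip_network.__contains__ returns False for a mismatched IP version.
    return any(addr in net for net in IN_SCOPE_NETWORKS)


def in_window(when) -> bool:
    """True if the timestamp falls inside the agreed testing window."""
    return WINDOW_START <= _as_datetime(when) <= WINDOW_END


def triage(targets, when) -> dict:
    """Map each candidate target to 'ok' or the reason it must not be touched."""
    verdicts = {}
    for target in targets:
        if not in_window(when):
            verdicts[target] = "outside engagement window"
        elif not in_scope(target):
            verdicts[target] = "out of scope or explicitly excluded"
        else:
            verdicts[target] = "ok"
    return verdicts


if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.5", "198.51.100.1",
                  "www.example.com", "example.com.attacker.net", "2001:db8:10::1"]
    for target, verdict in triage(candidates, "2024-03-05T12:00:00+00:00").items():
        print(f"{target:28} {verdict}")
```

The hostname check deliberately matches only the exact domain or a dot-separated subdomain, so look-alike names such as notexample.com or example.com.attacker.net are rejected; the exclusion list is consulted before the network list so that a client carve-out always wins.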
What you want to have when leaving this phase is a comprehensive list of information that can be put to use later:
Public Information: Information that may be publicly available about a target would include host and network information.
OSINT: Open-source intelligence is a vital part of the process and typically gets information from public sources. The drawback is that this information may be somewhat out of date.
Sector-Specific Data: Ascertain the operating system or systems in use in a particular environment, including web server and web application data where possible.
Network Information: Find network information through Whois, DNS, network-block, and organizational queries.
System Weaknesses: Locate existing or potential vulnerabilities or exploits in the current infrastructure that may be conducive to launching later attacks.
HUMINT: This term is shorthand for human intelligence, which sounds cool but it is just another way of saying social engineering (it does sound cooler though).
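Several of the categories above (network information from Whois and DNS, OSINT that may be out of date, and HUMINT seeds such as contact addresses) come out of the same two passive queries, so it helps to see how their raw output is turned into a structured footprint record. The block below is an added example, not PTES's own tooling or code from the original page: the WHOIS record and DNS answers are constructed text in the style of `whois` and `dig` output for the reserved example.com and documentation address ranges, and the two-year staleness threshold is an assumption chosen to illustrate the "may be out of date" caveat, not a PTES rule.

```python
"""Passive footprint builder over WHOIS and DNS output.

Added example, not from PTES or the original page. WHOIS_SAMPLE and
DNS_SAMPLE are constructed in the style of `whois` and `dig` output;
STALE_AFTER_DAYS is an assumption, not a standard.
"""
import json
import re
from datetime import datetime, timezone

STALE_AFTER_DAYS = 730  # assumption: a record untouched for two years is suspect

WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2019-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Registrant Organization: Example Corp
Admin Email: hostmaster@example.com
Tech Email: noc@example.com
"""

DNS_SAMPLE = """\
example.com.            3600    IN      A       203.0.113.10
example.com.            3600    IN      MX      10 mail.example.com.
example.com.            3600    IN      TXT     "v=spf1 include:_spf.example-mail.net ~all"
mail.example.com.       3600    IN      A       203.0.113.25
vpn.example.com.        3600    IN      A       203.0.113.40
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' WHOIS lines into a dict of lists (keys can repeat)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: timestamps contain colons
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_dns(text: str) -> list:
    """Parse dig-style answer lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) != 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip("."), rtype, rdata.strip().strip('"')))
    return records


def build_footprint(whois_text: str, dns_text: str, now) -> dict:
    """Combine both sources into one record and flag stale WHOIS data."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    whois = parse_whois(whois_text)
    records = parse_dns(dns_text)
    age_days = None
    if "updated date" in whois:
        updated = datetime.strptime(whois["updated date"][0], "%Y-%m-%dT%H:%M:%SZ")
        age_days = (now - updated.replace(tzinfo=timezone.utc)).days
    return {
        "domain": whois["domain name"][0].lower(),
        "registrar": whois.get("registrar", [""])[0],
        "name_servers": [ns.lower().rstrip(".") for ns in whois.get("name server", [])],
        "emails": sorted(set(EMAIL_RE.findall(whois_text))),  # HUMINT seeds
        "hosts": {n: r for n, t, r in records if t in ("A", "AAAA")},
        "mail_servers": [r.split()[1].rstrip(".") for n, t, r in records if t == "MX"],
        # Third-party mail providers the organization depends on, from SPF.
        "spf_includes": [tok[len("include:"):] for n, t, r in records
                         if t == "TXT" and r.startswith("v=spf1")
                         for tok in r.split() if tok.startswith("include:")],
        "whois_age_days": age_days,
        "stale": None if age_days is None else age_days > STALE_AFTER_DAYS,
    }


if __name__ == "__main__":
    print(json.dumps(build_footprint(WHOIS_SAMPLE, DNS_SAMPLE, "2024-03-04T00:00:00+00:00"), indent=2))
```

The record keeps the hosts, mail servers and name servers (network information), the registrant contact addresses (starting points for social engineering), and the SPF includes (which reveal third-party providers in the environment), while the `stale` flag carries the OSINT caveat forward so that a later phase knows which findings still need confirming against live data.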
The process of gathering information in PTES is very detailed concerning the types of items you can attempt to gather to make later steps easier.
The guidelines pertain to not only technical information but physical and other information as well.
The manner in which PTES defines how to collect information and the types of information collected bears some resemblance to the EC-Council Standard, but it is not 100 percent the same.
The process is different in that it defines different levels of information gathering and the details you should expect to get.
It is the same in that it gathers much of the same information that can be obtained from the same means we discussed earlier in “Footprinting”.