Information Gathering in Pentration Testing is a very important step a Pen tester must follow. After the pre planning and the goal definition, the pen tester must gather as much information as possible about the target network. Important to note, this is the case when it is a black box testing and when the organization has not provided any information to the tester. Information Gathering techniques were used by consultants in conjunction with a review of application and support system documentation in order to gain a deep and thorough understanding of how the application works, what its purpose is and how it has been implemented.
Information Gathering in Pentration Testing
Information gathering is essentially using the Internet to find all the information you can about the target (company and/or person) using both technical (DNS/WHOIS) and nontechnical (search engines, news groups, mailing lists etc) methods. Whilst conducting information gathering, it is important to be as imaginative as possible. Attempt to explore every possible avenue to gain more understanding of your target and its resources. Anything you can get hold of during this stage of testing is useful: company brochures, business cards, leaflets, newspaper adverts, internal paperwork, and etc. Information gathering does not require that the assessor establishes contact with the target system. Information is collected (mainly) from public sources on the Internet and organizations that hold public information (e.g. tax agencies, libraries, etc.)
There are two ways using which you can perform information gathering:
- 1st method of information gathering is to perform information gathering techniques with a 'one to one' or 'one to many' model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the result and is often optimized for speed, and often executed in parallel (e.g. nmap).
- Another method is to perform information gathering using a 'many to one' or 'many to many' model. The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited, and in non-linear way. This method is used to achieve stealth. (Distributed information gathering)
In this step, the testers collect as much information about the web application as possible and gain understanding of its logic. The deeper the testers understand the test target, the more successful the penetration testing will be. The information gathered will be used to create a knowledge base to act upon in later steps. The testers should gather all information even if it seems useless and unrelated since no one knows at the outset what bits of information are needed. This step can be carried out in many different ways: by using public tools such as search engines; using scanners; sending simple HTTP requests or specially crafted requests, or walking through the application. The testers can identify the purposes of the application by browsing them. They can fingerprint the web server, spot the applications on both the client and the server side, and determine the content and functionality manually or using an automated tool. Table 2 lists some common tools that can be used in web application penetration testing. In what follows, we describe how to conduct information gathering on two example applications, BOG and TuneStore.
EmoticonEmoticon