
As a hacker, intelligence will be the bread and butter of your power

Before I ever even considered pursuing a career in penetration testing, I used to snuggle up in bed breathlessly reading The Art of War by Sun Tzu, just wondering how it was going to end. Yes, I took a novel approach to the book, but that isn’t the point. The point is, who would have predicted that, after a career change and many centuries since that book was written, it would today bear such a striking relevance to what a pen tester goes through during the hacking process? Because a hacker’s chosen field in information technology is, indeed, a battlefield.

Many moons ago, before warfare became cyber, maneuvering an army of troops across great distances required a lot of time and money. In addition to the strain placed upon resources, once time and distance were factored in, there stood the risk that the troops would be too fatigued from the journey to even have a dog in the fight. So Sun Tzu, being the master that he was, made artful use of spies to remedy such an unbalanced situation. Master Tzu believed that the more you knew about your enemy, the better your chances were of defeating him.

Such a belief in knowing your enemy coincides perfectly with the reconnaissance phase of penetration testing. Reconnaissance is defined by the military as,

a mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy.

Now, let’s put this in the context of a hacking engagement. If your goal is to successfully penetrate a target, doesn’t it make sense that the first thing you should do is gather as much information about that target as possible? Of course it does! Intelligence will be, ultimately, how you gain access into an entity; ultimately, it will be how you maintain access within said entity’s systems after a successful infiltration.

“An eye to every keyhole, an ear to every crack”

It’s important to note that your objective in the reconnaissance phase is nothing more than mapping a real-world target to a cyber-world target. A real-world target is a person, company, corporation, government, other organization, etc. A cyber-world target is a reachable and relevant set of IP addresses that are directly or indirectly associated with your defined real-world target. And since this isn’t a “how-to” post, I’m not going to go into the many technical means of carrying out this task. (Although I do intend to in subsequent posts. Stand by. 🙂 ) What I will do is lay out the skeleton of a methodology that’s commonly followed by penetration testers while carrying out this phase.

The 5 Phases of Reconnaissance

  1. Intelligence Gathering: In this phase, time is spent learning as much as possible about your target. What type of business is this? How much can you find out about the organizational structure of the business? Are there any partners?
  2. Footprinting: Your objective here is to translate all of the intelligence gathered in phase one, such as domains and company names, into IP addresses or IP address ranges.
  3. Human Recon: Assuming that your target is a business and not an individual, your goal here is to gain as much intelligence as possible about the people associated with the organization you’re targeting. Remember, at the end of the day, there’s always a person behind every computer system. The better you understand the person, the better your chances are at a successful exploitation.
  4. Verification: This is straightforward. Here you just want to confirm the validity of all the information collected in the prior phases before moving forward.
  5. Vitality: This is sort of like the previous step, with an emphasis on whether or not the intelligence gained in prior phases is still valid, or, put another way, whether this intelligence is alive and able to be interacted with in real time. Doing so actually leads to another phase in itself, called enumeration. (<– We’ll get into a more in-depth discussion of that phase at a later date and time.)
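To make the skeleton above concrete, here is an added example that is not from the original post: a small Python pass that walks phases 2, 4 and 5 the way a security team would when mapping its own organization’s external footprint (the same picture a recon team would build about them). Everything in it is constructed for illustration: the organization, the `.test` host names, the RFC 5737 documentation addresses, the `CONSTRUCTED_DNS` table standing in for resolver or passive-DNS output, and the record dates. Phase 5 (vitality) normally means interacting with the host live; since this runs offline, the age of the last observed record stands in for that check.

```python
"""Footprinting, verification and a vitality proxy over constructed recon data.

Added example, not the original author's code. The names, addresses and
dates below are constructed; CONSTRUCTED_DNS is a stand-in for what a
resolver or passive-DNS source would return.
"""
import ipaddress
from datetime import date

# Phase 1 output: names gathered about a fictional organisation (constructed).
INTEL_NAMES = [
    "example-corp.test",
    "mail.example-corp.test",
    "partner-portal.example-corp.test",
    "old-vpn.example-corp.test",
    "legacy.example-corp.test",  # nothing known about it yet
]

# Constructed stand-in for resolver / passive-DNS answers.
# name -> (list of raw answer strings, date the record was last observed)
CONSTRUCTED_DNS = {
    "example-corp.test": (["203.0.113.10", "203.0.113.11"], date(2024, 5, 1)),
    "mail.example-corp.test": (["203.0.113.12", "203.0.113.999"], date(2024, 5, 1)),
    "partner-portal.example-corp.test": (["198.51.100.7"], date(2024, 4, 20)),
    "old-vpn.example-corp.test": (["203.0.113.250"], date(2021, 1, 15)),
}

REPORT_DATE = date(2024, 6, 1)  # constructed "today" so the run is reproducible


def footprint(names, dns=CONSTRUCTED_DNS):
    """Phase 2 (footprinting): map each gathered name to its raw answers.

    Names with no answer map to an empty list so they stay visible in the
    report instead of silently dropping out of the picture.
    """
    return {name: list(dns.get(name, ([], None))[0]) for name in names}


def verify(raw_map):
    """Phase 4 (verification): keep only syntactically valid, unique addresses.

    Returns (set of ipaddress objects, list of (name, bad_answer) rejected).
    """
    valid, rejected = set(), []
    for name, answers in raw_map.items():
        for answer in answers:
            try:
                valid.add(ipaddress.ip_address(answer))
            except ValueError:
                rejected.append((name, answer))
    return valid, rejected


def summarize(addresses):
    """Collapse verified hosts into the smallest set of CIDR ranges.

    Adjacent hosts such as .10 and .11 merge into one /31; the rest stay /32.
    """
    nets = [ipaddress.ip_network(str(a)) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def stale(names, dns=CONSTRUCTED_DNS, today=REPORT_DATE, max_age_days=365):
    """Phase 5 proxy (vitality): names whose last sighting is older than max_age_days.

    A live engagement would probe the host; offline, record age is the proxy.
    """
    return [
        name for name in names
        if name in dns and (today - dns[name][1]).days > max_age_days
    ]


def recon_report(names=INTEL_NAMES, dns=CONSTRUCTED_DNS, today=REPORT_DATE):
    """Run phases 2, 4 and 5 and return the cyber-world view of the target."""
    raw = footprint(names, dns)
    hosts, rejected = verify(raw)
    return {
        "unresolved": sorted(n for n, answers in raw.items() if not answers),
        "rejected": rejected,
        "hosts": [str(h) for h in sorted(hosts)],
        "ranges": summarize(hosts),
        "stale": stale(names, dns, today),
    }


if __name__ == "__main__":
    for key, value in recon_report().items():
        print(f"{key:>10}: {value}")
```

The report keeps three things a pure "resolve and move on" script would lose: names that resolved to nothing (still part of the target, just not reachable yet), answers that failed verification (a hint the source is noisy), and records too old to trust without a live check. That last bucket is exactly where the Vitality step, and the enumeration phase the post points to, would pick up.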

Wow, right? A lot of information was covered here. I hope I didn’t bore you to death. If so, I apologize; it was not intentional. However, a great part of the reconnaissance phase will be pretty boring. (Although the Human Recon phase has the tendency and potential to get pretty exciting!) But if you truly intend to be a successful hacker, then you had better get into the habit of gathering as much information about your target as you can before you ever even attempt to attack them. In the famous words of Master Tzu:

What enables one to overcome others and achieve extraordinary accomplishments is foreknowledge

As always…Hack On, gents!
