Penetration testing, or pentesting, is the process of attacking a system in order to find its flaws or vulnerabilities. Pentesters are almost always sanctioned by the companies they test, so that these flaws can be patched before malicious threat actors discover them.
Open source intelligence, or OSINT, is a very useful skill for penetration testers. It is the practice of examining the publicly available resources and information associated with a target; OSINT relies only on information that is available on the open internet. One reason it is so useful is that it is usually much less invasive and much harder to detect than scans run by automated tools.
Google and similar search engines are among the most powerful tools available to any penetration tester. Google dorking is a way to tailor search results to include or exclude specific information; one can use it to search for specific strings, domains, or file types on websites. Documents are usually among the most useful file types to pull from a website because they contain metadata that reveals when the document was created, which software versions produced it, and more. There are websites that will extract metadata from uploaded documents, but it is typically safer to use a local tool, and many free, useful ones are available.
Domain names are human-readable names that resolve to IP addresses, so that hosts are easily recognizable to people. One can use a domain name to find out information about a website, such as which servers it is running on, who made the website, and its IP addresses. Additionally, websites can have subdomains, which partition the functionality of a website. Subdomains are often used for testing purposes or to provide functionality to a specific group, and this makes them very valuable targets.
Social media is a massive source of information for a penetration tester. Common social media sites that are good for gathering information about a target are Twitter, LinkedIn, and Facebook. People-search services are another good way to collect information, and they are even more effective when some basic information about the person is already known.
Fingerprinting is part of the initial reconnaissance of a target, in which a pentester gathers information about the target's network. This is an incredibly important step, because it reveals vulnerable services that could later be exploited to gain access to the system. The process of scanning and mapping a network is usually noticed by a defensive team, but sometimes this can be leveraged to see how they respond. Nmap is a very common network scanning tool with many useful options for gathering information about a network.
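Since the paragraph above notes that scanning is usually noticed by the defensive team, here is an added example of how that noticing works in practice. It is not code from the original notes or from Nmap: it parses constructed iptables-style kernel log lines and flags any source that hits many distinct destination ports on one host within a short window, the signature of a port sweep. The window and port-count thresholds are assumptions to be tuned per network.

```python
"""Flag hosts that touch many distinct ports in a short window (a scan pattern).

Added example: the log lines are constructed iptables-style entries, and the
window/threshold values are assumptions, not defaults of any real tool.
"""
import re
from collections import defaultdict
from datetime import datetime

# iptables-style kernel log line: we only need the timestamp, SRC, DST and DPT.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: 10.0.0.5 sweeps ten ports in three seconds, while
# 10.0.0.7 and 10.0.0.9 are ordinary web and SSH connections.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40006 DPT=110 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=52000 DPT=22 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40007 DPT=135 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40008 DPT=139 SYN
Mar 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40009 DPT=443 SYN
Mar 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40010 DPT=445 SYN
Mar 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 10 12:00:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51002 DPT=80 SYN
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed year is fine for relative gaps.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, window_seconds=10, min_ports=5):
    """Flag (src, dst) pairs that hit at least min_ports distinct ports in a window.

    The thresholds are assumptions; a monitoring host or load balancer that
    legitimately talks to many ports would need an allow-list in production.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        # Slide a window over this pair's hits, sorted by time.
        for i in range(len(hits)):
            ports = set()
            for ts, dport in hits[i:]:
                if (ts - hits[i][0]).total_seconds() > window_seconds:
                    break
                ports.add(dport)
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first_seen": hits[i][0].strftime("%H:%M:%S")})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same logic, pointed at a real firewall or flow log, is the simplest version of what a defensive team's monitoring does with the noise an Nmap sweep generates; it also shows why a slow scan spread over many minutes is harder to catch with a short window.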
Exploiting a Vulnerable Service
There are many tools for exploiting a service, but one of the most common pentesting tools is Metasploit. It is a collection of exploits, reverse shells, and other post-exploitation tools. If you know of a service on a particular host, you can search the available exploits for that service and then select one by either its module path or its number in the search results. Most of these exploits require additional options to be set before they function correctly. Using the correct exploit with the correct options will typically get you a reverse shell. Once you have a shell, the next step is usually to attempt to gain persistence, that is, some way to maintain access to that host. From there, you can find out a lot about the machine and potentially search for a way to pivot to other systems on the network.