So what? We all have eyes.

Yeah, I guess that's true. Maybe I should have called it the mind. Anyway, it will make more sense as I explain it. This will be a multi-part blog. If this is the first post of mine you're reading, I would recommend reading my Hacker Roadmap first. If you think you're ready, or you're just too lazy to read the other one, then continue on. Before you read on, please read the disclaimer.

What you may need to understand this:

Basic knowledge of how a website is built.

How to view the source code of a webpage.

Some basic HTML knowledge.

So this guy Doug Hotz asked me how I would go about hardening a network. Well, Doug, the most effective way is not the fastest. It will take a lot of time. The best way to do it is to find the area that is the weakest. You will have to think like someone who wants to break into it, not someone who wants to protect it. Most of the time the weakest link of a network is the people who run it. Remember, there is no patch for human stupidity. Now, I can't stress this enough: if you haven't practiced this and/or you're just getting into the trade, do not think for a second that, because you couldn't trick some guy into giving you his password, it can't be done.

Information Gathering

So should I bring a bucket?

Information gathering is probably one of the most important steps when doing penetration testing. The more information you have, the more you can get. The more information you get, the easier it is to get in (passwords, anyone?). The information gathering step never really stops: even when you have moved on to the next step you will still be gathering information, just not so aggressively. The best way to get information is physically. Yes, that means getting out of the house and off the computer.

Where should I start?

Right there in front of your Internet-capable device.

I know I said the best way is to be there in person. However, you can't just walk into a place and expect them to trust you. Actually you can, but you need some stuff first. Find out who your target is. Is it a person, a company, or a company's personnel? Do a Google search, a Facebook search, a domain name search; find out who owns the domain, find out the bosses' names, the names of anyone important and their spouses or pets. Use all this information.

Also, if it is a company, a really good way is to set up an appointment with someone in the building just so you can walk around. If possible, get lost. Take pictures. Take video. Try and find their network room. Look at as much of the network as you can.

Need more information? Dumpster diving for trash bags of paper is old school, but still effective in some cases, mainly with smaller companies. Next, let's go with people. People are really handy, since the brain can store more information than anything else we have.

Now let's go over each one of these individually.

Searching…Searching…

404 error: rhetorical question not found.

So, searching the web. I can't help much here since it is self-explanatory. I will just go over some sites you can use and what to look for. Start at the target's website, if they have one. What do you see? Nice pictures? Pretty colors? What else?

Let's talk about pictures. Well, if you look at each one, they have to be stored somewhere, right? Now you have a directory or two that you know of. Does the directory say anything specific? For instance, if you saw templates/rt_chromatophore/images/someimage.gif, what would that tell you? It should say "rt_chromatophore? That's unique." Now you have found something that may give you some info. Let's google "rt_chromatophore". Before I even finish typing it, helpful Google has already given me the answer: I now know it's a Joomla site. The images are not the only thing that will give you information. What about the directories of the stylesheets and JavaScript files?

What else can I look for?

Everything and anything means something... but here are a couple of tips.

When you see a form, such as "enter your username and password" or even just a contact form, what is the submit button doing? Is it a POST? Where is the POST going? What page is the form posting to? Look for any hidden form elements. Look in the source code: are there any comments in the code that will give you any information? Meta tags that people forget to change often provide you with very good info too. These are all things an attacker will use when profiling the target. What if you find an email address? Doesn't seem like a big deal, right? Well, is the email going to the same domain as the site? Then you may have just found yourself a username.
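As an added example (not code from the original post), here is a small Python audit that pulls out of a page's source the same clues the pictures paragraph and the forms paragraph above describe: asset directory names like templates/rt_chromatophore, generator meta tags, HTML comments, form targets, hidden form fields, and email addresses on the site's own domain. The sample HTML and the domain example.com are constructed for the demo; point it at your own site's source to see what it gives away before someone else does.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not from the original post), seeded with
# the kinds of leaks the post tells you to look for.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management">
<link rel="stylesheet" href="/templates/rt_chromatophore/css/template.css">
<!-- old copy of the site is still under /backup_2009, remove before launch -->
</head><body>
<img src="/templates/rt_chromatophore/images/header.gif">
<form action="/index.php?option=com_users" method="post">
<input type="hidden" name="return" value="aW5kZXgucGhw">
</form>
<p>Contact: webmaster@example.com or sales@partner.example.org</p>
</body></html>"""


class LeakFinder(HTMLParser):
    """Collects the profiling clues the post describes from one HTML document."""
    def __init__(self):
        super().__init__()
        self.paths, self.meta, self.comments = set(), {}, []
        self.forms, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") in ("generator", "author"):
            self.meta[a["name"]] = a.get("content") or ""
        for key in ("src", "href"):  # every asset URL names a directory
            val = a.get(key) or ""
            if val.startswith("/"):
                self.paths.add(val.rsplit("/", 1)[0])
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        if tag == "input" and a.get("type") == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_source(html, site_domain):
    """Return what someone profiling the site could learn from its source alone."""
    p = LeakFinder()
    p.feed(html)
    emails = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", html))
    # An address on the site's own domain is very likely also a login username.
    usernames = sorted(e.split("@")[0] for e in emails if e.endswith("@" + site_domain))
    return {"paths": sorted(p.paths), "meta": p.meta, "comments": p.comments,
            "forms": p.forms, "hidden_inputs": p.hidden, "likely_usernames": usernames}
```

Each entry in the result is something a site owner can fix on their side: strip generator tags and stale comments, and avoid publishing addresses that double as login names.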

Did you find these things when you first looked? 

Even after all those little tips, we have barely hit the tip of the metaphorical iceberg. So try and find a site that you're interested in. It is not illegal to read source code, although it is illegal to try and break into a site without permission, so I do not condone that.

Now Part 2 will also be on information gathering.  I will finish up the web aspect of it and move on to the physical side of gathering information.

9 Comments

  1. excellent stuff, have a happy holiday!

  2. Interesting read. I think your website is great, with meaningful content, which I like to add to my favourites. I'd like to share with everyone this new type of software that allows you to spy on other people's iPhone, pretty clever if you ask me; check out cell phone tracking

  3. Your web site is very much worthy of a bookmark. Thank you for the terrific and cool post!

  4. Nice work. Please keep working on. Thank you very much.

    • Seems evil is most wanted these days for some people. Hacking can be good if you are wanting to know about how to secure yourself and others, NOT to hurt others. References:

  6. Thank you very much for your post! Very interested in your opinion.

  7. Hi! I saw your blog at Yahoo and have learned a lot from it. Thank you very much for the useful and detailed posts. Will be coming back soon.

  8. Pretty nice post. I just stumbled upon your website and wanted to say that I have really enjoyed browsing your blog articles. In any case I’ll be subscribing to your feed and I hope you write again soon!
