Information Gathering

Introduction

Information gathering is an essential part of any security assessment.
This is the phase in which we gather all available information about the company, its employees and infrastructure, and how they are organized.
Information gathering is the most frequent and vital phase throughout the penetration testing process, to which we will return again and again.
All the steps we take to exploit the vulnerabilities are based on the information we enumerate about our targets.
We can obtain the necessary information relevant to us in many different ways. However, we can divide them into the following categories:
- Open-Source Intelligence (OSINT)
- Infrastructure Enumeration
- Service Enumeration
- Host Enumeration
All four categories should and must be performed by us for each penetration test.

Open-Source Intelligence (OSINT)

OSINT is a process for finding publicly available information on a target company or individuals that allows the identification of events (i.e., public and private meetings), external and internal dependencies, and connections.
OSINT uses public (Open-Source) information from freely available sources to obtain the desired results.
It is possible to find highly sensitive information such as passwords, hashes, keys, tokens, and much more that can give us access to the network within just a few minutes.

Infrastructure Enumeration

During the infrastructure enumeration, we try to overview the company's position on the internet and intranet.
We use services such as DNS to create a map of the client's servers and hosts and develop an understanding of how their infrastructure is structured.
This includes name servers, mail servers, web servers, cloud instances, and more. We make an accurate list of hosts and their IP addresses and compare them to our scope to see if they are included and listed.
In this phase, we also try to determine the company's security measures.
Here, it also does not matter "where" we are positioned, whether we are trying to gain an overview of the infrastructure from the outside (external) or examining the infrastructure from the inside (internal) of the network.

Service Enumeration

In service enumeration, we identify services that allow us to interact with the host or server over the network (or locally, from an internal perspective).
It is crucial to find out about the service, what version it is, what information it provides us, and the reason it can be used.
Many services have a version history that allows us to identify whether the installed version on the host or server is actually up to date or not. This will also help us find security vulnerabilities that remain with older versions in most cases.

Host Enumeration

Once we have a detailed list of the customer's infrastructure, we examine every single host listed in the scoping document.
We try to identify which operating system is running on the host or server, which services it uses, which versions of the services, and much more.
It does not matter here whether we examine each host or server externally or internally.
During host enumeration, we try to determine what role this host or server plays and what network components it communicates with. In addition, we must also identify which services it uses for this purpose and on which ports they are located.
During internal host enumeration, which in most cases comes after the successful Exploitation of one or more vulnerabilities, we also examine the host or server from the inside. This means we look for sensitive files, local services, scripts, applications, information, and other things that could be stored on the host.

Pillaging

After hitting the Post-Exploitation stage, pillaging is performed to collect sensitive information locally on the already exploited host, such as employee names, customer data, and much more. However, this information gathering only occurs after exploiting the target host and gaining access to it.
Pillaging alone is not a stage or a subcategory as many often describe but an integral part of the information gathering and privilege escalation stages that is inevitably performed locally on target systems.

PreviousPre-Engagement NextVulnerability Assessment

Last updated 3 months ago

Introduction

Information gathering is an essential part of any security assessment.

This is the phase in which we gather all available information about the company, its employees and infrastructure, and how they are organized.

Information gathering is the most frequent and vital phase throughout the penetration testing process, to which we will return again and again.

All the steps we take to exploit the vulnerabilities are based on the information we enumerate about our targets.

We can obtain the necessary information relevant to us in many different ways. However, we can divide them into the following categories:

Open-Source Intelligence (OSINT)
Infrastructure Enumeration
Service Enumeration
Host Enumeration

All four categories should and must be performed by us for each penetration test.

Open-Source Intelligence (OSINT)

OSINT is a process for finding publicly available information on a target company or individuals that allows the identification of events (i.e., public and private meetings), external and internal dependencies, and connections.

OSINT uses public (Open-Source) information from freely available sources to obtain the desired results.

It is possible to find highly sensitive information such as passwords, hashes, keys, tokens, and much more that can give us access to the network within just a few minutes.

Infrastructure Enumeration

During the infrastructure enumeration, we try to overview the company's position on the internet and intranet.

We use services such as DNS to create a map of the client's servers and hosts and develop an understanding of how their infrastructure is structured.

This includes name servers, mail servers, web servers, cloud instances, and more. We make an accurate list of hosts and their IP addresses and compare them to our scope to see if they are included and listed.

In this phase, we also try to determine the company's security measures.

Here, it also does not matter "where" we are positioned, whether we are trying to gain an overview of the infrastructure from the outside (external) or examining the infrastructure from the inside (internal) of the network.

Service Enumeration

In service enumeration, we identify services that allow us to interact with the host or server over the network (or locally, from an internal perspective).

It is crucial to find out about the service, what version it is, what information it provides us, and the reason it can be used.

Many services have a version history that allows us to identify whether the installed version on the host or server is actually up to date or not. This will also help us find security vulnerabilities that remain with older versions in most cases.

Host Enumeration

Once we have a detailed list of the customer's infrastructure, we examine every single host listed in the scoping document.

We try to identify which operating system is running on the host or server, which services it uses, which versions of the services, and much more.

It does not matter here whether we examine each host or server externally or internally.

During host enumeration, we try to determine what role this host or server plays and what network components it communicates with. In addition, we must also identify which services it uses for this purpose and on which ports they are located.

During internal host enumeration, which in most cases comes after the successful Exploitation of one or more vulnerabilities, we also examine the host or server from the inside. This means we look for sensitive files, local services, scripts, applications, information, and other things that could be stored on the host.

Pillaging

After hitting the Post-Exploitation stage, pillaging is performed to collect sensitive information locally on the already exploited host, such as employee names, customer data, and much more. However, this information gathering only occurs after exploiting the target host and gaining access to it.

Pillaging alone is not a stage or a subcategory as many often describe but an integral part of the information gathering and privilege escalation stages that is inevitably performed locally on target systems.