Now, assuming all went well in the pre-engagement meeting, we should have our scope defined and can get to work.
The first phase of any pen test is to footprint, or learn about, your target. Depending on the level of testing the client is requesting, this could be quick or quite an extensive endeavor. We'll assume the client has given us little information, so we can discuss footprinting in a bit more detail.
The easiest way to start would be online searching with Google. Although not directly about penetration testing, the book "Google Hacking" offers many great examples of how to use Google for in-depth information gathering. Other good places to search would be: DNS records, Whois, social media sites, archive sites, career sites, blogs and forums, government sites, and Internet authority sites. Each of these yields different information that could be useful in a pen test. I don't have time to cover each of them here, so I would recommend exploring a few on your own. It should also be noted that this is by no means an exhaustive list of places to look, but it should give you a good starting point.
Other techniques that fall into the category of footprinting would be: assessing a physical location, dumpster diving for information, and social engineering of employees. Again, I don't have time to cover these at this point (maybe later).
Now, depending on what you find from all your searching, you may go down very different paths. To keep it somewhat simple we'll pick an easier scenario.
Let's say we've been asked to footprint the Acme Corporation to see what information they might have online. First let's take a look at their corporate site and see what we can find. Although websites are designed to be viewed online, it is a good idea to pull a copy down to your local system so we can take a closer look at it. This can be done with a dedicated tool or something as simple as wget from a Linux terminal. Keep in mind that mirroring a site generates traffic that will show up in the target's web logs, so only do it against hosts that are in scope.
Why pull down the site, you ask? So we can review the code, of course. Like all of us, coders have a lot of work to do, so they forget things from time to time. The developer may have left useful comments or other goodies in the code that will give us some insight.
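As an added example (not part of the original post), here is a small shell script that does what the last two paragraphs describe: mirror a site with wget, then read the local copy for HTML comments and other leftovers worth a closer look. The host name and the sample page it builds are constructed for illustration only; nothing in it comes from a real site.

```shell
#!/bin/sh
# Added example (not from the original post): mirror a site with wget, then
# review the local copy for developer comments and other leftovers.
# The host name and sample page below are constructed for illustration.

# Mirror the target into a local directory. Only run this against a host
# that is in your agreed scope; --wait keeps the crawl polite.
mirror_site() {
    target="$1"   # e.g. https://www.acme.example (assumed in scope)
    outdir="$2"
    wget --mirror --convert-links --adjust-extension --page-requisites \
         --no-parent --wait=1 --directory-prefix="$outdir" "$target"
}

# Print every HTML comment under a directory, one per line and prefixed
# with the file it came from. Multi-line comments are collapsed to one line.
find_comments() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.aspx' \) -print |
    while IFS= read -r f; do
        awk -v file="$f" '
            { s = s $0 "\n" }
            END {
                while (match(s, /<!--/)) {
                    s = substr(s, RSTART + 4)
                    if (!match(s, /-->/)) break
                    c = substr(s, 1, RSTART - 1)
                    gsub(/[ \t\n]+/, " ", c)
                    sub(/^ /, "", c); sub(/ $/, "", c)
                    printf "%s: %s\n", file, c
                    s = substr(s, RSTART + 3)
                }
            }' "$f"
    done
}

# Case-insensitive search for strings that deserve a closer look:
# credentials, internal host names, ticket references, debug/test paths.
find_leftovers() {
    grep -r -n -i -E \
        --include='*.html' --include='*.htm' --include='*.js' --include='*.aspx' \
        'todo|fixme|password|passwd|cred|internal|intranet|\.local|test|debug|staging|dev\.' \
        "$1" || true
}

# Build a constructed sample page so the review functions can be exercised
# offline; nothing here is from a real site.
make_sample_site() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/index.html" <<'EOF'
<html>
<head><title>Acme Corp</title>
<!-- TODO: remove hard-coded link to sharepoint-dev.acme.local before go-live -->
</head>
<body>
<!--
  Old login form kept for reference.
  Default creds are in the deploy notes (ticket IT-4412).
-->
<p>Welcome to Acme.</p>
</body>
</html>
EOF
}

# Return the number of HTML comments found under a directory.
count_comments() {
    find_comments "$1" | wc -l | tr -d ' '
}
```

Typical use is `mirror_site https://www.acme.example acme-mirror` followed by `find_comments acme-mirror` and `find_leftovers acme-mirror`. The comment extractor is deliberately a crude string scan rather than a real HTML parser: it is cheap, it works on mangled markup, and a false positive costs nothing during review.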
While examining the Acme site we notice there is a careers section. We see there are a few openings in IT, one of which is for a web developer. In the posting they are looking for someone with ASP.NET and SharePoint knowledge. This tells us a few things about their environment right off. First, it sounds like they're heavily invested in Microsoft, and second, they either host or at minimum develop their own sites for internal and external use. This is important because if we find useful information during our code review of their external site, some of that information could be helpful once we're inside.
Along with the careers section on the corporate site, we also find several openings listed on other job sites. This helps us paint a picture of what type of technology they are using. It may not help us at this point, but it will become crucial later when we get inside.
This is an oversimplified example, but I hope it helps get the point across. Footprinting is often overlooked or done too quickly. There is a lot of information out there that people may not be aware of. This is by no means an all-encompassing guide to footprinting a company, just the tip of the iceberg. Having good information will make the testing better and quicker. As they say, a little pre-planning pays dividends later.