As I wrote this I had to laugh at the next sentence. I have hammered similar posts in the past to the point of putting an indent in the metaphoric discovery wood of thought.
However I think that, as IT professionals, the point needs a little bit more hammering.
“Discovery”. Penetration test discovery. In all seriousness, this is the first phase in hacking a business, corporation or country/nation.
What is discovery?
This is the most important phase of ethical hacking or penetration testing.
It is where you fingerprint, blueprint the dub dub dub of your client. Hacking networks is getting pas·sé. Web application security is now severely relevant.
It is where you find things that clients do not know they have. Subdomains? “What is a sub domain?” they may ask. That is not our URL! That is not our domain.
Yes. Your predecessors, former employees created these domains, URLs, subdomains. Nobody cataloged them.
If, for example, you can gain access to a server through a database or a simple URL manipulation (think …/…/…/), URL poisoning or other nefarious and malicious URL schemes you end up with the keys to the kingdom. Yes, somewhat of an archaic word but in modern terms it means you can steal things.
To not appear to be the alarmist or the naysayer, I will provide a few methods to effectively execute the Discovery phase of ethical hacking/penetration testing:
– Google/Bing Dork commands. Learn what the client uses regarding programming languages. If you are an expert you’ll use Google Dorks and find a wealth of knowledge in regards to this.
– https://www.paterva.com. Enough said on this one.
– The Web Archive (The WayBackMachine) 435 billion pages archived – nothing on the Internet goes away. Heck I have a picture of Liza Minnelli and I from the 80’s that is still archived.
– Put DirBuster on the task to see what dub dub dub (www) files you do not know about.
– Brute force subdomains. It can be done often. These are generally just folders in a hard drive that is accessible to dub dub dub.
Finally, do you:
– Catalogue your web servers?
– Know that network security is taking a second place to web application security?
– Have evidence of the two above items so that your company can survive unethical attacks when important employees are separated from your company.
Jock Pereira | jockpereira.com | email@example.com | 978-666-4000