

Chapter 3

as many details of your penetration test as possible. Most security professionals 
quickly learn that detailed notes can mean the difference between a successful 
and a failed penetration test. Just as a scientist needs to achieve reproducible 
results, other experienced penetration testers should be able to reproduce 
your work using your documentation alone.

Intelligence gathering is arguably the most important aspect of a penetration 
test, because it provides the foundation for all work that follows. When 
recording your work, be methodical, accurate, and precise. And, as stated 
earlier, be sure that before you fire off your exploits, you have learned all 
that you can about your target.

The excitement for most people comes in exploiting systems and getting 
to root, but you need to learn to walk before you can run.


If you follow the procedures in this chapter, you can actually damage your system and 
your target’s system, so be sure to set up your test environment now. (For help, see 
Appendix A.) Many of the examples in these chapters can be destructive and make a 
target system unusable. The activities discussed in this chapter could be considered 
illegal if they are undertaken by someone with bad intentions, so follow the rules and 
don’t be stupid.

Passive Information Gathering

By using passive information gathering, you can discover information 
about targets without touching their systems. For example, you can use 
these techniques to identify network boundaries, identify the network 
maintainers, and even learn what operating system and web server software 
is in use on the target network.

Open source intelligence (OSINT) is a form of intelligence collection that 
uses open or readily available information to find, select, and acquire 
information about a target. Several tools make passive information gathering 
almost painless, including complex tools such as Yeti and the humble 


In this section, we’ll explore the process of passive information gathering 
and the tools that you might use for this step.

Imagine, for example, an attack against . Our goal is to determine, as a 
part of a penetration test, what systems the company owns and what systems 
we can attack. Some systems may not be owned by the company and could be 
considered out of scope and unavailable for 
whois Lookups

Let’s begin by using Back|Track’s whois lookup to find the names of 
’s domain servers.

msf > 


[*] exec: whois

. . . SNIP . . .
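
The scoping check described above (which name servers in a whois record sit under the company's own domain, and which belong to someone else) can be scripted. The following is an added example, not code from the book: the whois record is constructed, and the domain names and function names are placeholders chosen for illustration.

```python
import re

# Constructed sample whois output for a placeholder domain (not from the page).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Constructed Registrar, Inc.
Name Server: NS1.EXAMPLE.TEST
Name Server: ns2.example.test.
Name Server: DNS1.HOSTING-PROVIDER.TEST
nserver:     dns2.hosting-provider.test 192.0.2.53
Name Server: ns1.example.test
"""

# Registries label name servers differently; accept the common spellings.
NS_LINE = re.compile(r"^\s*(?:name\s*server|nserver)\s*:\s*(\S+)", re.I)


def extract_name_servers(whois_text):
    """Return unique, lower-cased name server hostnames in the order seen."""
    seen = []
    for line in whois_text.splitlines():
        m = NS_LINE.match(line)
        if not m:
            continue
        host = m.group(1).rstrip(".").lower()  # drop trailing root dot
        if host and host not in seen:
            seen.append(host)
    return seen


def classify_scope(name_servers, target_domain):
    """Split hosts into those under the target's domain and all others.

    A host outside the target's domain is likely run by a third party and
    needs its own written authorization before it is added to the scope.
    """
    target = target_domain.rstrip(".").lower()
    report = {"under_target_domain": [], "third_party_confirm_first": []}
    for host in name_servers:
        # Match on a label boundary so "notexample.test" is not a false hit.
        inside = host == target or host.endswith("." + target)
        key = "under_target_domain" if inside else "third_party_confirm_first"
        report[key].append(host)
    return report


if __name__ == "__main__":
    servers = extract_name_servers(SAMPLE_WHOIS)
    for bucket, hosts in classify_scope(servers, "example.test").items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A hostname under the target's domain still does not prove the company operates the machine behind it, so the first bucket is a list to verify with the client, not a final scope.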