

Chapter 3


To get additional server information, we'll use Back|Track to leverage a lookup tool built into most operating systems to find information about the target domain's mail servers. We set the query type to MX (mail exchanger) records and query the domain:

    set type=mx

    Non-authoritative answer:
        mail exchanger = 10
        mail exchanger = 0

We see in this listing where the target's mail servers are pointing (the lower preference value, 0, is the one tried first). Some quick research on these mail servers tells us that this website is hosted by a third party, which would not be within the scope of our penetration test: attacking a hosting provider's infrastructure requires that provider's authorization, not just the client's, so these hosts are noted and set aside.
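The scoping decision above is mechanical enough to automate. The following added example (not from the book) parses the "mail exchanger" lines of an MX query, orders them by preference, and flags every MX host that does not sit under the target domain as third-party, i.e. out of scope. The nslookup-style output, the domain example.com and the host mx1.hostingprovider.example are constructed for the example; they are not the book's target.

```python
import re

# Constructed sample of the kind of output a "set type=mx" query produces.
# Domain and mail hosts are invented, reserved example names, not the book's target.
NSLOOKUP_OUTPUT = """\
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
example.com     mail exchanger = 10 mail.example.com.
example.com     mail exchanger = 0 mx1.hostingprovider.example.
"""

# One MX answer line: "... mail exchanger = <preference> <host>[.]"
MX_LINE = re.compile(r"mail exchanger\s*=\s*(\d+)\s+(\S+?)\.?$")


def parse_mx(output):
    """Extract (preference, host) pairs; the lowest preference value is tried first."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.search(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def in_scope(host, target_domain):
    """True only if host is the target domain itself or one of its subdomains.

    The comparison is label-aware: 'notexample.com' must NOT match 'example.com',
    which a bare endswith() on the string would get wrong.
    """
    host = host.lower().rstrip(".")
    target = target_domain.lower().rstrip(".")
    return host == target or host.endswith("." + target)


def classify_mx(output, target_domain):
    """Tag each MX host as in scope (True) or third-party / out of scope (False)."""
    return [(pref, host, in_scope(host, target_domain))
            for pref, host in parse_mx(output)]


if __name__ == "__main__":
    for pref, host, ok in classify_mx(NSLOOKUP_OUTPUT, "example.com"):
        status = "in scope" if ok else "THIRD PARTY - out of scope"
        print(f"{pref:>3}  {host:<32} {status}")
```

Feed it the real query output and the domain from your rules of engagement; anything reported as third party goes into the scoping notes rather than the target list.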

At this point, we have gathered some valuable information that we might be able to use against the target later on. Ultimately, however, we have to resort to active information gathering techniques to determine the actual target IP, which is


Passive information gathering is an art that is not easily mastered in just a few pages of discussion. See the Penetration Testing Execution Standard (PTES; http:// ) for a list of potential ways to perform additional passive intelligence gathering.

Active Information Gathering

In active information gathering, we interact directly with a system to learn more about it. We might, for example, conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation. But beware: every probe you send is traffic the target can log, so if you get careless during active information gathering you might be nabbed by an intrusion detection system (IDS) or intrusion prevention system (IPS), not a good outcome for the covert penetration tester.

Port Scanning with Nmap

Having identified the target IP range with passive information gathering as well as the target IP address, we can begin to scan for open ports on the target by port scanning, a process whereby we meticulously connect to ports on the remote host to identify those that are active. (Obviously, in a larger enterprise, we would have multiple IP ranges and things to attack instead of only one IP.)
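To make "connect to ports on the remote host to identify those that are active" concrete, here is an added example (not from the book, and not Nmap) of the simplest scan type, a TCP connect scan: a port is reported open if the three-way handshake completes. So that it runs offline, the example builds its own constructed targets on the loopback interface: one socket in LISTEN state (the kernel completes handshakes into its backlog, so connect() succeeds even though nothing calls accept()) and one socket that is bound but not listening, which the kernel answers with a reset, so it scans as closed. The function names, the port choice and the randomize option are the example's own.

```python
import random
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=16, randomize=False):
    """TCP connect scan: return the sorted list of ports that completed a handshake.

    Every probe is a full connection the target can log, which is why careless
    active scanning is exactly what an IDS/IPS is built to notice. Randomizing
    the probe order removes the obvious 'monotonic sweep' signature; a quiet
    scan would also throttle the rate, which this example deliberately does not.
    """
    ports = list(ports)
    if randomize:
        random.shuffle(ports)

    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, timed out or unreachable: not open
                return None
            return port

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, ports))
    return sorted(p for p in results if p is not None)


def start_local_listener(backlog=16):
    """Constructed target: a loopback socket in LISTEN state on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Constructed target: bound but NOT listening, so connection attempts are reset."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


def demo():
    """Scan a small loopback range containing one open and one closed port."""
    srv, open_port = start_local_listener()
    closed, closed_port = reserve_closed_port()
    try:
        lo = min(open_port, closed_port) - 2
        hi = max(open_port, closed_port) + 2
        found = tcp_connect_scan("127.0.0.1", range(lo, hi + 1), randomize=True)
    finally:
        srv.close()
        closed.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"listener on {open_port}, reserved-closed port {closed_port}")
    print(f"open ports found in range: {found}")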


Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for