Course info
Sep 26, 2016
1h 21m

A solid understanding of external footprinting techniques is critical to being an effective penetration tester. It can be the difference between breaking into an organization and having little to show for your efforts. This course, External Footprinting: Reconnaissance and Mapping, will challenge you by starting with a real world company and enumerating 10,000+ IPv4/IPv6 addresses and domain names used by the company. You will also get to utilize 15+ techniques for identifying targets, gathering host information, hunting weak web applications, and prioritizing your efforts. When you have finished with this course, you should have a solid understanding of external footprinting, passive/active reconnaissance, and the techniques discussed in the Penetration Testing Execution Standard (PTES). Software Required: Kali Linux.

About the author

Will is a principal penetration tester at a small consulting firm. He enjoys web application security and external attack vectors. Will has previously spoken at a number of security conferences including Black Hat, DEF CON, and TROOPERS.

More from the author
Writing Penetration Testing Reports
2h 0m
Aug 15, 2017
Section Introduction Transcripts

Course Overview
Hi everyone, my name is Will Vandevanter and welcome to my course External Footprinting: Reconnaissance and Mapping. I'm a penetration tester at Silent Robot Systems and I spend a lot of my time performing external penetration tests. External footprinting and reconnaissance are extremely important to the penetration testing process. This course will introduce you to a number of techniques to perform effective footprinting. Some of the major topics that we will cover include collecting host names and IP addresses, passive and active reconnaissance, hunting weak web applications, and mapping your hosts. When finished with this course you should have a solid understanding of external footprinting, passive and active reconnaissance, and the techniques discussed in the Penetration Testing Execution Standard, or PTES. Before beginning the course you should be familiar with Kali Linux and have 1 to 2 years of penetration testing experience. I really hope you'll join me on this journey to learn external footprinting in the External Footprinting: Reconnaissance and Mapping course at Pluralsight.

Welcome to External Footprinting
Hi, welcome to External Footprinting. In this course you'll learn techniques for gathering hosts, weak services, hackable web applications, usernames, and any other useful information you can gather on a target customer from an external perspective. Great external footprinting and a solid reconnaissance process are critically important because they serve as a foundation for the rest of the assessment. As discussed in the overview, much of the course is going to focus on the external footprinting of a real company, Facebook, but before I get there, there are a couple of things you should know. First, this course is designed for those who have some experience performing pen tests; 1 to 2 years is great. If you've never done any assessment work at all, I'd encourage you to check out Dale Meredith's course on Pluralsight, which lays the foundation for this course. If you do have some experience in the security space you should pick everything up quickly, and if you're already on the master path, I think you'll still find some tricks to add to the arsenal. In this course I'm going to follow the Penetration Testing Execution Standard on external footprinting for many of the techniques. I have a link in the show notes to this section of the PTES. I'll also be adding in other techniques that aren't discussed in PTES, but that work really well for me. And the reason is, I want to emphasize techniques that get me into organizations over just the theory. With that said, here's your planned agenda for the course, broken down into five modules. In the first module I'm going to talk about work that can be done before even beginning the assessment. There's a lot of what I like to call nontechnical opportunity when working with your client in the real world. In module 2 you'll learn techniques for passive footprinting, which will kick off the technical testing components. I'll use Kali Linux beginning at this point, so you'll want to have a Kali VM set up before starting module 2. In modules 3 and 4 you'll learn targeted techniques to gather host information, usernames, and other data used to break into the organization. Finally, in module 5 I'll wrap up with an outline of countermeasures for your customers and tips for easy reporting on your efforts. So let's get started.

Passive Reconnaissance
In this module I want to talk about footprinting using passive reconnaissance. Passive reconnaissance is collecting host information about a target company without communicating with any of their systems. And it's critically important to the external footprinting process because it serves as a foundation on which we build the rest of the course. And so in the module I'm going to issue you a challenge similar to one you might find in a real penetration test. You will start with a company name and one URL, facebook.com. Using the techniques in the module you should end with greater than 100,000 IPv4 addresses, greater than 100 IPv6 ranges, and much greater than 5,000 hostnames. And so this will be the baseline for the rest of the course. And here's the planned agenda to get there. We'll start with WHOIS and BGP, both protocols that can be used to gather IPv4 and IPv6 ranges. Next, we'll discuss internet scanning projects. We'll grab our first list of hostnames and cloud systems. After that we'll cover DNS bruteforcing, one of my favorite topics and a very valuable technique. Lastly, you will end with third-party sites where company employees might post hostnames and IPs, and source code sharing sites like GitHub and Bitbucket. So let's get started.
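The DNS bruteforcing step above names a technique but not its main pitfall: a zone with a wildcard record makes every word in the list "resolve", so the results are worthless unless the wildcard address is detected and filtered out. The following is an added example, written for this page and not code from the course or its author. The resolver is injectable: `system_resolve` uses the OS resolver for real use, while `fake_resolve` answers from a constructed zone (documentation addresses from RFC 5737, hypothetical hostnames under example.com and example.net) so the block runs offline.

```python
"""Wordlist-driven DNS brute force with wildcard filtering (added example).

A pluggable `resolve` callable lets the same logic run against the system
resolver or against the constructed FAKE_ZONE below for an offline demo.
"""
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Optional, Set

Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve a hostname to one IPv4 address with the OS resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Detect wildcard DNS: random labels that still resolve reveal the catch-all address(es).

    Without this check every entry in the wordlist appears to exist.
    """
    found: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
        ip = resolve(f"{label}.{domain}")
        if ip:
            found.add(ip)
    return found


def brute_force(domain: str, words: Iterable[str], resolve: Resolver = system_resolve,
                workers: int = 20) -> Dict[str, str]:
    """Return {hostname: ip} for wordlist entries that resolve to a non-wildcard address."""
    wildcard = wildcard_addresses(domain, resolve)
    candidates = [f"{w.strip().lower()}.{domain}" for w in words if w.strip()]
    hits: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for name, ip in zip(candidates, pool.map(resolve, candidates)):
            if ip is not None and ip not in wildcard:
                hits[name] = ip
    return hits


# Constructed zone data for offline use (hypothetical hosts, RFC 5737 addresses).
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
    "www.example.net": "198.51.100.10",
}
WILDCARD_DOMAINS = {"example.com": "192.0.2.99"}  # models "*.example.com A 192.0.2.99"


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver: explicit records first, then the wildcard, else NXDOMAIN (None)."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    for domain, ip in WILDCARD_DOMAINS.items():
        if name.endswith("." + domain):
            return ip
    return None


if __name__ == "__main__":
    words = ["www", "mail", "dev", "vpn", "staging"]
    for dom in ("example.com", "example.net"):
        print(dom, "wildcard:", wildcard_addresses(dom, fake_resolve))
        print(dom, "hits:", brute_force(dom, words, resolve=fake_resolve))
```

The filter has a known blind spot: a real host that happens to sit on the same address as the wildcard is dropped along with the noise, so when a zone is wildcarded it is worth re-checking the discarded names with a different record type or by comparing the HTTP responses.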

Active Reconnaissance
In this module I want to talk about footprinting using active reconnaissance. Active reconnaissance primarily involves probing and scanning services discovered from other techniques in an effort to prioritize the results. It's extremely valuable to our process because as a penetration tester I need to gather service and device information about my host list to prioritize my time. And so I have to identify the hosts that will give me the best opportunity to compromise the network. And so the theme for this module and the next is taking the large, unruly dataset which you obtained through passive reconnaissance and trimming it down into more actionable pieces through active techniques. And here's the planned agenda to get there. You'll start by performing targeted Nmap scanning on IPs discovered in the previous module. I'll then have you apply the Nmap Scripting Engine and automation techniques to gather even better data. With that data in hand, I'll discuss one of my favorite visualization techniques, screenshotting. Finally, I'll wrap up talking about DNS bruteforcing in active reconnaissance and valuable UDP services to target. One last thing I want to mention is that though I'll refer to the IPs and hosts discovered in the previous module, I myself will not be using these for the demos or scanning. If you want to perform scanning against the hosts you discovered, I highly recommend you review the Facebook bug bounty terms of service and verify you're meeting their requirements. With that said, let's get started.

Prioritizing External Target List
In this module we will learn techniques to further prioritize the target and service list that you've been working on in the assessment. Again, as a penetration tester I operate in a time-boxed manner. This module is really valuable because at this point I'm taking the prioritized service list and really driving down into which hosts I want to target. So the theme for this module is taking the large host and service dataset, which you obtained through passive and active methods, and focusing on a subset of hosts. And so you might ask, what's the difference from the previous module? This module is less about removing hosts and more about hosts that are susceptible to certain techniques and get bumped up the list. You will also be gathering usernames, which can, in some cases, be used across the enterprise, further prioritizing certain hosts and services. And here's your planned agenda to get there. You'll start by performing banner grabs from the service set. Then I'll move on to one of my favorite techniques and one of the most effective, hunting weak web applications. In SMTP bounceback attacks, you'll grab internal information about the SMTP servers. Finally, in the last two sections I'll focus on username enumeration techniques, first through web app specific username enumeration techniques, and finally closing with timing attacks. All of these techniques will help you to prioritize your hosts and may even get you a shell on a real assessment. So let's get started.
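The closing item above, username enumeration through timing attacks, rests on a common login bug: when the username is unknown the server returns before doing the expensive password hash, so a valid username answers measurably slower than an invalid one. The following is an added example written for this page, not course material. It models both sides in one file: a vulnerable login, a hardened login that always hashes against a dummy record, and the enumeration logic that compares median response times. The user database, the password-hash parameters and the candidate names are constructed for the demo; PBKDF2 is run with a deliberately low iteration count so the block finishes in about a second.

```python
"""Username enumeration by response timing, with the vulnerable and hardened login side by side.

Added example, not from the course. ITERATIONS is kept low purely so the demo runs quickly.
"""
import hashlib
import hmac
import os
import statistics
import time
from typing import Callable, Dict, List, Tuple

ITERATIONS = 30_000  # far below a production work factor; chosen for demo speed
UserDB = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, pbkdf2 hash)
LoginFn = Callable[[UserDB, str, str], bool]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(users: Dict[str, str]) -> UserDB:
    """Build a salted-hash user table from a {username: password} mapping (constructed demo data)."""
    return {u: (salt, _hash(p, salt)) for u, p in users.items() for salt in [os.urandom(16)]}


# Dummy record used by the hardened login so unknown users cost the same as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _hash("dummy-password-never-accepted", DUMMY_SALT)


def login_vulnerable(db: UserDB, username: str, password: str) -> bool:
    """Leaks existence: unknown users short-circuit before the slow hash runs."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def login_hardened(db: UserDB, username: str, password: str) -> bool:
    """Always performs one hash, so timing is the same for known and unknown users."""
    salt, stored = db.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and username in db  # a dummy-record match must never log anyone in


def median_response_time(login: LoginFn, db: UserDB, username: str, samples: int = 7) -> float:
    """Median wall-clock time of `samples` failed logins; the median resists scheduling noise."""
    times: List[float] = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login(db, username, "definitely-wrong-password")
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def enumerate_by_timing(login: LoginFn, db: UserDB, candidates: List[str],
                        samples: int = 7, threshold: float = 0.5) -> Tuple[List[str], Dict[str, float]]:
    """Flag candidates whose median time is at least `threshold` of the slowest candidate's.

    Against a leaky login the slow group is exactly the valid usernames; against a
    constant-work login every candidate lands in the slow group, i.e. nothing is learned.
    """
    timings = {u: median_response_time(login, db, u, samples) for u in candidates}
    slowest = max(timings.values())
    flagged = sorted(u for u, t in timings.items() if t >= threshold * slowest)
    return flagged, timings


if __name__ == "__main__":
    db = make_user_db({"alice": "correct horse battery staple", "bob": "hunter2"})
    guesses = ["alice", "bob", "mallory", "eve"]  # constructed candidate list
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        flagged, timings = enumerate_by_timing(fn, db, guesses)
        print(name, "flagged as existing:", flagged)
        for u, t in timings.items():
            print(f"  {u:8s} {t * 1000:7.1f} ms")
```

On a real target the same comparison is made over the network, so more samples and a relative threshold tuned to the observed jitter are needed; the hardened variant shows what to recommend to the client, a fixed amount of hashing work per attempt regardless of whether the account exists.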

Countermeasures and Reporting
As a penetration tester you are a consultant first and foremost, so I'm going to wrap up the course discussing recommendations you can provide to clients and outline a path to creating a great report. I want to emphasize this part of your assessment process because it can be a clear dividing line between just performing an assessment and delivering excellent work. And here's the planned agenda for this module. First I'll discuss two countermeasure topics: one, introducing some countermeasure discussions you can have with your client, and two, active defense countermeasures. Next I want to talk about your operational security in the reconnaissance process. Finally I'll wrap up with reporting on your results from the course and telling the story of your assessment. So let's get started.