Practical Ethical Hacking by TCM Sec: Recon & Enumerate The Victim . . .

Sharzun
7 min read · May 31, 2024


Weekly Update #3:

RECONNAISSANCE & ENUMERATION

Greetings, Everyone! 🌟

I’m back after a long break. Yes, I know, I promised to post weekly updates on my journey to becoming a Web Penetration Tester from my post in the first week. However, a series of unexpected events put my lessons on hold for a bit. That said, I haven’t been idle — I shifted my focus to keeping up with Cyber Security News and Podcasts during this time.

Now that I’m back on track, let’s dive into the topic of the week: RECONNAISSANCE & ENUMERATION, the first two stages of Ethical Hacking. Admittedly, this summary encompasses two weeks of learning rather than just one. I wasn’t quite ready to blog about my progress last week. As you already know, I’m studying Practical Ethical Hacking by TCM Security in preparation for their Practical Junior Penetration Testing (PJPT) exam later this year. However, there’s some exciting news — I received a significant “bonus” to further expand my knowledge, which I’ll share at the end. Stay tuned for that! It’s great to be back, and I’m eager to share my ongoing journey with you all.

Following my refresh on the foundations of Networking, Linux, and Python, which I mentioned in my previous post, I delved into the 5 Stages of Ethical Hacking. These stages are Information Gathering through Reconnaissance or Footprinting, Scanning & Enumeration, Gaining Access through Exploitation, Maintaining Access, and Clearing Tracks.

I began by understanding the basics of each stage, including their definitions, importance, the tools used, and the skills needed. After grasping these fundamentals, I started learning each stage in depth. As of now, I have completed the Reconnaissance and Enumeration phases.

THE TWO TYPES OF RECONNAISSANCE

First and foremost, who are we going to hack? How are we going to do that? Should we attempt a physical breach or target their network? What or whom should we focus on? These are the primary questions that reconnaissance seeks to answer.

Reconnaissance is the act of gathering information about a victim before launching an attack. It plays a crucial role in understanding a victim’s culture and security posture, and in identifying any weaknesses, vulnerabilities, holes, activities, and nodes that attackers can exploit to gain access. Reconnaissance is conducted both passively and actively.

Passive reconnaissance involves gathering information about the victim without actively engaging with their network or system, thus avoiding alerting the victim. This method is also known as OSINT (Open Source Intelligence). The best way to gather information passively is by surfing the internet. You can Google the victim’s information and check their social media pages such as Facebook, LinkedIn, Instagram, YouTube, and TikTok. Focus on gathering details like employee ID numbers, bank information, account usernames and passwords, favorite dog breeds, car names, registration numbers, first cars, device models, software versions, favorite colors, and personal details about their loved ones. Sometimes, a tagged post from a friend, family member, or colleague can reveal valuable information because they overlooked privacy settings by mistake.

Remember, all of this should be done passively, without alerting the victim. It’s also crucial to follow the rules of engagement, adhering to program details and scope. Mr. Adams’ course recommended several tools, websites, and plugins for passive reconnaissance, including Hunter.io, Phonebook.cz, Emailhippo, Emailfinder, Dehashed, Sublist3r, Wappalyzer, Google Dorking, and social media platforms. These tools help find victims, verify emails, identify technologies used on webpages, determine technology versions, hunt subdomains, and find breached credentials.

Once passive reconnaissance is complete, we can move on to active reconnaissance.

SCANNING & ENUMERATION

Active reconnaissance is where skills start to play a critical role. Also known as scanning and enumeration, active reconnaissance involves direct interaction with the victim’s systems. While passive reconnaissance relies on the victim’s careless mistakes or sloppy behaviors, active reconnaissance requires a strong reliance on our skills and tools. This is because we now interact directly with the targets, which include servers, databases, personal computers, mobile devices, web pages, networks, and more.

For demonstration purposes, we used a VM image called Kioptrix. Active reconnaissance involves using tools and techniques to scan and enumerate the victim’s systems to gather detailed information. This might include identifying open ports, services running on those ports, system architecture, and any vulnerabilities that can be exploited. The goal is to gather as much actionable information as possible to facilitate subsequent stages of ethical hacking, such as gaining access, maintaining access, and covering tracks.

Active reconnaissance is a more intrusive process and therefore carries a higher risk of detection. This stage demands a thorough understanding of the tools and techniques used, including Nmap, Nessus, OpenVAS, and other network scanning tools. Properly executing this phase is essential to the success of an ethical hacking engagement.

KIOPTRIX LEVEL 1

Kioptrix is a downloadable VM image file available on Vulnhub. It serves as a challenge to gain root access by any means possible, aiming to teach the basic tools and techniques in vulnerability assessment and exploitation. For this phase, we used the Level 1 Kioptrix machine. Once the download, installation, and setup were complete, the challenge began.

The first step was to obtain the IP address of the Kioptrix machine using tools like arp-scan and NetDiscover. With the IP address in hand, we utilized a range of tools, including Google, Nessus, Nmap, BurpSuite, Metasploitable, and more, to gather comprehensive data. All gathered information was meticulously recorded in a notepad application (we used CherryTree for this purpose).

The data collected included the IP address, website version, technologies used to create the website, server and database types and versions, SSH and SSL versions, and open ports. As a diligent pentester, noting every detail is crucial for achieving better results in subsequent phases. Each version of the technologies used could potentially expose significant vulnerabilities. Therefore, the more information gathered, the easier the exploitation phase becomes.

Simultaneously, maintaining stealth to avoid detection or alerts is critical for successful reconnaissance and enumeration. If the victim is alerted, the difficulty level can increase dramatically. Thus, being silent and stealthy is the key to effective reconnaissance.

EC-COUNCIL + NACSA SCHOLARSHIP PROGRAM

And yeah, almost forgot. In the beginning, I mentioned a “bonus,” right? Well, the EC-Council, in association with NACSA, has provided Cybersecurity Scholarships worth 1 million USD exclusively for Malaysian citizens. Long story short, I signed up and was granted a scholarship. I chose the “Pentesting Agent” bundle as it aligns with my goal of becoming a VAPT (Vulnerability Assessment and Penetration Testing) professional. This bundle consists of 19 courses relevant to this profession. Each course completion grants a certificate of completion.

So far, I have finished one course: Getting Started with Kali Linux Penetration Testing. It was a smart move to take this course alongside Practical Ethical Hacking (PEH), as the content in both courses has been complementary until now. There’s another Kali Linux course in the bundle, Mastering Pentesting Using Kali Linux, which I plan to tackle next. Once I’ve completed both courses, I’ll share my experiences and insights.

The urgency to complete these courses stems from the fact that my access to the program is limited to six months. This means I need to finish as many courses as possible by October, about four months from now. So, I have to hurry to complete the ones I need ASAP.

PENTESTING AGENT PATH

So, this is how far I’ve come on my journey so far. There’s still a long road ahead to reach my destination, but these small steps are crucial milestones along the way. That’s all for this week. Over the next few days, I’ll be revising my lessons and practicing with all the tools and sites covered in the course.

Remember, studying alone won’t get you anywhere without the effort you put into learning. True mastery comes through intense practice and training. Keep in mind, STUDYING ≠ LEARNING. Merely studying something without focus or practice won’t lead to true understanding. Learning, on the other hand, requires intense focus and consistent practice. Until next time, keep learning, keep practicing, and keep moving forward on your journey.

Practical Ethical Hacking

For now, it’s time for me to sign off 😉.
Till then, Peace Out! ✌🏼


Written by Sharzun

Cybersecurity enthusiast sharing insights on hacking, tools, training, courses & certs. Passionate about ethical hacking, learning, & staying vigilant in cyber!
