Open Source Penetration Testing Tools Manual (OSPTTM)

OSSTMM is a very comprehensive penetration testing manual. It has gained widespread acceptance in the community. As a penetration tester myself, I found the methodology to be very professional. But in my endeavours as a tester, there was a difficulty in choosing the right tools for the right task. I knew to abide by the methodology, but knew little of the tools used to assist me in my processes. I decided therefore to set up a project to make a penetration testing tools methodology, which I have tentatively called OSPTTM (Open Source Penetration Testing Tools Manual). Now, with the help of the community and my professional experiences, this project has reached its first version. It is hoped that OSPTTM can make life easier (a little bit) for the penetration tester.

Any good penetration tester knows that before using a tool he/she must have a minimum required knowledge of its functionality. Tools are always meant to assist in his/her professionalism, not replace it. Tools only serve as well as the person who uses them. To become a good penetration tester a competent knowledge of networking and a good programming (scripting) background is essential.

OSPTTM is not another methodology; we have the very good OSSTMM for that. If at all OSPTTM has any similarity, it must be with the "best 10 tools", "most used security tools", etc. lists. Of course OSPTTM is not limited to providing the listings of a "toolkit", but also covers best practices for using them. With the above points in mind, let us proceed into this tools manual.

1) MAIN-OBJECTIVE: Network reconnaissance and mapping

The first part of pen-testing is 'reconnaissance of the target'. In this phase we try to gather as many details about the target network as possible. This is a time-consuming and very important phase. The success and effectiveness of this phase will have a direct effect on the whole process.
a) SUB-OBJECTIVE: Get as many target network address details as possible (IP address range, DNS entries, potential network entry points, etc.)

#1 whois

DESCRIPTION: Whois is a network query service provided by the registrar who provided the domain/IP. It can be used to get information on the target such as the IP address range allotted, the physical address of the target company, contact information, etc. Moreover, it can also be used to find "subdomains" of the target.

HOWTO: Use the online service http://www.betterwhois.com. Go to the site using any browser (Firefox) and enter the domain name of the target. Follow any on-screen instructions (like entering the activation code to proceed) and come to the page with the results. Here you will find the domain registrar's name and the status of the registration (reserved or not). Take note of the results (copy them down). Take note in particular of the whois server given (the target's, which was actually queried for the result). Go to the target's domain registrar's site (http://www.internic.net/origin.html). Use the whois service provided on their site. More information will be available. Take a note of that new information (like the type of server of the target (Apache, IIS, ...), etc.).

To find subdomains, let us use this service: http://www.alexa.com/data/details/traffic_details?q=&url=yourdomain.com. Enter the target's domain instead of "yourdomain.com" and get to the results page. Check out the "where do people go on yourdomain.com" section. It will contain the publicly accessible subdomains of the target network. Not all domains have their traffic information in this service (especially the less known ones), but most of the popular networks are listed.

#2 dnsquery

DESCRIPTION: It is used to query the public DNS servers for the IPs of the nameservers (and other systems like mail servers) of the target network. Moreover, it can also be used to communicate with the target's nameserver (e.g. for a zone transfer).
The logic is that if the target's network is publicly accessible then it must have a valid entry in one of the publicly accessible DNS servers.

HOWTO: Let us make use of the online service http://www.dnsstuff.com/; it has a lot of interesting services. Since this is the dnsquery objective we will stick to just the DNS query; the other services will be taken up in order. To do a DNS lookup to get the nameserver IPs and mail server IPs of the target domain, use the DNS lookup service. Enter the domain "yourdomain.com" (*not* www.yourdomain.com!) and select "all/any" as the query type. Now you will get the results. Take a note of the results (copy them down).

Next, for a zone transfer request and specific host queries we use a tool called "dig". Please refer to the man page of dig for an exhaustive coverage of its uses. The command for a zone transfer is "dig @nameservername yourdomain axfr". Using the nameservers we obtained from our whois query, we can *try* for a zone transfer. Mostly it would be blocked from unauthorized IPs (like ours), but if the configuration is not proper we could get lucky (I have at times ;)). It is important to try out all the nameservers we got from the whois, because maybe one of the servers listed is not properly configured (it does happen in large networks). Take a note of the zone transfer if it succeeded.

b) SUB-OBJECTIVE: Try to perform a series of network tests whereby the target's network topology can be *intelligently guessed*.

#1 traceroute
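To record the outcome of the zone-transfer step in the dnsquery sub-objective above for every nameserver, here is an added example (not part of the original manual) in Python that parses the text "dig @nameservername yourdomain axfr" prints and classifies each server as open or refused. The dig outputs and the example.com names in it are constructed samples so it runs offline; against real servers you would feed it the captured dig output.

```python
# Added example, not from the original manual: parse "dig @ns domain axfr"
# output per nameserver. The dig outputs below are constructed samples.
SAMPLE_OUTPUTS = {  # ns1 allows the transfer, ns2 refuses it
    "ns1.example.com": """\
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
mail.example.com.\t3600\tIN\tA\t192.0.2.25
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
;; XFR size: 7 records (messages 1, bytes 220)
""",
    "ns2.example.com": """\
; <<>> DiG 9.16.1 <<>> @ns2.example.com example.com axfr
;; global options: +cmd
; Transfer failed.
""",
}

def parse_records(dig_output):
    """Return (name, ttl, type, rdata) tuples from the answer lines."""
    records = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # banner, status and blank lines are not records
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name, int(ttl), rtype, rdata))
    return records

def classify_transfer(dig_output):
    """'open' if a full zone (SOA ... SOA) came back, 'refused' if dig said so."""
    if "Transfer failed" in dig_output:
        return "refused"
    recs = parse_records(dig_output)
    if len(recs) >= 2 and recs[0][2] == "SOA" and recs[-1][2] == "SOA":
        return "open"
    return "unknown"  # partial or unexpected output: look at it by hand

def audit_nameservers(outputs):
    """Map nameserver -> (status, hosts with A/AAAA records) for the notes step."""
    report = {}
    for ns, text in outputs.items():
        status = classify_transfer(text)
        hosts = sorted({r[0] for r in parse_records(text) if r[2] in ("A", "AAAA")})
        report[ns] = (status, hosts)
    return report
```

Every nameserver from the whois step should come back "refused"; an "open" result is the improper configuration the text describes, and the hostnames it exposes are what goes into the notes.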