Intelligence Gathering

From Vectivus

This page provides a summary of testing activities that can be executed during the Intelligence Gathering phase as defined by the PTES. It is not meant to replace the information contained in the standard, but rather to augment it.

Level 1

This level covers automated testing only. The tools and techniques here represent what a script kiddie might use.

Level 1 Tools

Level 1 Information Checklist

  • Have you identified domains related to the target?
    • Have you checked for other domains associated with the email addresses tied to any found domain (a reverse lookup by contact email)?
    • Have you checked for other domains associated with the owner of any found domain?
  • For each found domain:
    • Have you attempted a DNS zone transfer against each of its authoritative name servers?
    • Have you performed brute-force subdomain enumeration (checking for a wildcard record first, so that every candidate does not falsely resolve)?
    • Have you performed a port scan (or checked a scan repository such as Shodan)?
  • Have you reviewed LinkedIn to identify current and former employees/associates of the target?
  • Have you retrieved any documents released to government agencies for public use (e.g. SEC filings)?

Level 1 Physical Checklist

  • TBD

Level 2

This level is manual analysis and further expansion of the information recovered at Level 1. It is what an individual threat actor with expertise in information security and penetration testing could accomplish. For most engagements, this is the expected level of execution for penetration testing teams.

Level 3

This level includes long-lead-time activities such as developing relationships with key individuals or infiltrating social events and circles. It is what a professional organization with dedicated resources can accomplish. It is not usually within scope for most engagements, and as such is not developed further here.