| # | Technique | Sub-technique | Detection | Notes |
|---|-----------|---------------|-----------|-------|
| 1 | Active Scanning | Scanning IP Blocks | Single source, multiple destinations | nmap, netdiscover or other tools |
| 2 | Active Scanning | Vulnerability Scanning | Malicious user-agents | openvas, nessus, nmap, acunetix, ... |
| 3 | Gather Victim Host Information | Hardware | Not possible | Active direct scan or phishing |
| 4 | Gather Victim Host Information | Software | Not possible | Active direct scan or phishing |
| 5 | Gather Victim Host Information | Firmware | Not possible | Active direct scan or phishing |
| 6 | Gather Victim Host Information | Client Configurations | Not possible | Active direct scan or phishing |
| 7 | Gather Victim Identity Information | Credentials | Not possible | Leaked DBs, phishing, compromised sites, keyloggers, ... |
| 8 | Gather Victim Identity Information | Email Addresses | Not possible | OSINT, leaked DBs, social media |
| 9 | Gather Victim Identity Information | Employee Names | Not possible | OSINT, leaked DBs, social media |
| 10 | Gather Victim Network Information | Domain Properties | Not possible | |
| 11 | Gather Victim Network Information | DNS | Not possible | |
| 12 | Gather Victim Network Information | Network Trust Dependencies | Not possible | |
| 13 | Gather Victim Network Information | Network Topology | Not possible | |
| 14 | Gather Victim Network Information | IP Addresses | Not possible | |
| 15 | Gather Victim Network Information | Network Security Appliances | Not possible | |
| 16 | Gather Victim Org Information | Business Relationships | Not possible | |
| 17 | Gather Victim Org Information | Determine Physical Locations | Not possible | |
| 18 | Gather Victim Org Information | Identify Business Tempo | Not possible | |
| 19 | Gather Victim Org Information | Identify Roles | Not possible | |
| 20 | Phishing for Information | Spearphishing Service | Not possible | |
| 21 | Phishing for Information | Spearphishing Attachment | Check emails / attachments | |
| 22 | Phishing for Information | Spearphishing Link | Check emails / links | |
| 23 | Search Closed Sources | Threat Intel Vendors | Not possible | |
| 24 | Search Closed Sources | Purchase Technical Data | Not possible | |
| 25 | Search Open Technical Databases | WHOIS | Not possible | |
| 26 | Search Open Technical Databases | DNS/Passive DNS | Not possible | |
| 27 | Search Open Technical Databases | Digital Certificates | Not possible | |
| 28 | Search Open Technical Databases | CDNs | Not possible | |
| 29 | Search Open Technical Databases | Scan Databases | Not possible | |
| 30 | Search Open Websites/Domains | Social Media | Not possible | |
| 31 | Search Open Websites/Domains | Search Engines | Not possible | |
| 32 | Search Victim-Owned Websites | - | Not possible | |