In this chapter, we will begin the process of gathering information on our target. This begins with utilizing passive information-gathering techniques using public sources and moves into the active scanning of our target. At this point, it makes sense for us to discuss what our strategy is. Once the targets are determined, we will want to start collecting information on them. One of the key pieces of information is their domain. The Domain Name System (DNS) is a system of databases used to look up IP address(es) for a domain or, given an IP address, provide the domain name associated with it. Identifying the domains and subdomains associated with the target will provide us with a better idea of the targets assets and organization. We start by using Google and other public sources to reveal what we can. This is called reconnaissance or passive information gathering.

When we have completed finding what we can using public sources, we move into the active information-gathering phase. The delineation here is that moving forward, we will be physically interacting with the target's assets. We begin by actively querying the target's DNS servers to uncover more information. Using this information, we can begin to narrow in on our target. The goal of this exercise is to uncover networks of the target suitable for further investigation.

Next, in Chapter 3, Discovery, we perform discovery scanning to identify live hosts on the network(s). In the context of penetration testing, this is usually performed to identify potential targets for attack. The objective here is not to exhaust resources in gathering information about targets, but instead to merely find out where the targets are logically located. The final product of our discovery should be a list of IP addresses that we can then use for further analysis.

After identifying IP addresses, we will then identify the open ports on these machines; this is covered in Chapter 4, Port Scanning.  After identifying the open ports, we then want to identify the services and as many details about the service version, OS, and other details as we can; this is covered in Chapter 5, Fingerprinting.  Using the information found here, we will look to uncover specific vulnerabilities on the target's assets; this is covered in Chapter 6, Vulnerability Scanning. The following diagram summarizes the aforementioned methodology: