Sifting Through the Intel to Find Attackable Targets: Once you have completed the steps in previously articles, you need to schedule some time to closely review all the reconnaissance and information you have gathered.
In most cases, even light reconnaissance should produce a mountain of data. Once the reconnaissance step is completed, you should have a solid understanding of your target including the organization, structure, and even technologies deployed inside the company.
While conducting the review process, it is good idea to create a single list that can be used as central repository for recording IP addresses.
You should also keep separate lists that are dedicated to e-mail addresses, host names, and URLs.
Unfortunately, most of the data you collected will not be directly attackable. During the process of reviewing your findings, be sure to transform any relevant, non-IP-based information, into an IP address.
Using Google and the host command, you should be able to extract additional IPs that relate to your target add these to the IP list.
After we have thoroughly reviewed the collected reconnaissance and transformed the data into attackable targets, we should have a list of IPs that belong to, serve, or are related to the target.
As always, it is important to remember your authorized scope because not all the IPs we collect will be within that range.
As a result, the final step in reconnaissance is to review the IP list you just created and either contacts the company to determine if you can increase the scope of the pen test or remove the IP address from your list.
At this point, you will left with a list of IP addresses that you are authorized to attack. Do not discard or underestimate all the nonattackable information you have gathered.
In each of the remaining step, we will be reviewing and extracting information from Step 1.