Mastering Kali Linux for Web Penetration Testing

Touring the target environment

Local copies allow us to scope out the site in a safe manner, but where do we start? Manual hands-on scanning will help us understand the flow and give us some hints as to the next steps. I would first recommend getting a feel for the site's hierarchy and where various dynamic content portals may reside. Where can users log into the applications hosted there, query for information, or provide or view feedback? We should also be making note of entity information that we can use later to enumerate names, e-mail addresses, and organization information, and better understand inter-entity relationships. If we are repurposing this mirror for MITM or honeypot duties, we'll want to be able to replicate not only the look and feel, but also the workflow.
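As an added example (not the book's code), the following Python script performs the walk-through described above against a local mirror: it inventories every HTML form (where users log in, query, or leave feedback), the links between pages, and any e-mail addresses that can seed later enumeration. The mirror directory and its four pages are constructed inline so the script runs offline; the page names, form actions and the `webmaster@example.com` address are illustrative assumptions.

```python
"""Inventory a local site mirror: forms, links and e-mail addresses.

Added example. The mirror tree built by build_sample_mirror() is constructed
for illustration and stands in for a wget/HTTrack copy of a real site.
"""
import os
import re
import tempfile
from html.parser import HTMLParser

# Loose e-mail pattern; good enough to harvest addresses from page text and mailto: links.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class MirrorPageParser(HTMLParser):
    """Collects <form> elements (with their input names) and <a href> targets."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action", "method", "inputs"}
        self.links = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["inputs"].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inventory_mirror(root):
    """Walk the mirror directory and merge per-page findings into one map."""
    inv = {"forms": [], "links": set(), "emails": set()}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            parser = MirrorPageParser()
            parser.feed(text)
            for form in parser.forms:
                inv["forms"].append({"page": rel, **form})
            inv["links"].update(parser.links)
            inv["emails"].update(EMAIL_RE.findall(text))
    return inv


def login_forms(inv):
    """Forms carrying a password-style field are the authentication portals."""
    return [f for f in inv["forms"] if any("pass" in n.lower() for n in f["inputs"])]


def build_sample_mirror():
    """Write a constructed four-page mirror to a temp dir and return its path."""
    pages = {
        "index.html": ('<html><body><a href="login.html">Sign in</a> '
                       '<a href="search.html">Search</a> <a href="feedback.html">Feedback</a>'
                       '<p>Contact: <a href="mailto:webmaster@example.com">webmaster@example.com</a></p>'
                       '</body></html>'),
        "login.html": ('<html><body><form action="/login" method="post">'
                       '<input name="username"><input name="password" type="password">'
                       '<input type="submit"></form></body></html>'),
        "search.html": ('<html><body><form action="/search">'
                        '<input name="q"><input type="submit"></form></body></html>'),
        "feedback.html": ('<html><body><form action="/feedback" method="POST">'
                          '<input name="name"><input name="email"><textarea name="message"></textarea>'
                          '</form></body></html>'),
    }
    root = tempfile.mkdtemp(prefix="mirror_")
    for name, html in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(html)
    return root


if __name__ == "__main__":
    inventory = inventory_mirror(build_sample_mirror())
    for form in inventory["forms"]:
        print(f'{form["page"]}: {form["method"].upper()} {form["action"]} inputs={form["inputs"]}')
    print("login portals:", [f["page"] for f in login_forms(inventory)])
    print("links:", sorted(inventory["links"]))
    print("e-mail addresses:", sorted(inventory["emails"]))
```

Pointing `inventory_mirror()` at a real mirror directory gives the same map; the form list is the set of dynamic portals to carry into the proxy-based testing the next paragraph recommends, and the e-mail set feeds the entity enumeration mentioned above.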

Several tools exist that can assist with these walk-throughs, such as those that reveal the underlying HTML and JavaScript elements: viewing the page source through the Developer Tools in Firefox, using a plugin from the OWASP Mantra add-on bundle, HackBar, or another HTML viewer. To save time, I would recommend that anything beyond initial familiarization with the application or website be done with a full proxy toolset such as Burp or Firebug. Using a web application testing suite (covered in the next couple of chapters) helps you pivot efficiently from the Recon stage to activities in the weaponize, exploit, or install stages.