Important Things To Keep In Mind
>Using IP Addresses Instead of Host Names
- We should always use IP addresses rather than domain names: a round-robin DNS service may change which system a name resolves to while the test is in progress, so half our packets go to one system and half to another, and we may end up exploiting a system that is not in our scope.
- Also, a single IP address might be load balanced across multiple backend targets.
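The scope-pinning check the two points above call for, as an added example that is not part of the original notes: resolve a name several times up front, keep only the addresses that fall inside the authorised CIDRs from the rules of engagement, and flag when successive lookups disagree (round-robin or failover). The `resolve_once` helper is a real network call; `pin_targets` works on the recorded lookups, and the addresses in the comments are constructed documentation ranges.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List, Set


def resolve_once(hostname: str) -> Set[str]:
    """One DNS lookup; returns every address the resolver handed back (network call)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def pin_targets(observed: List[Set[str]], scope_cidrs: Iterable[str]) -> Dict[str, object]:
    """Turn repeated lookups of one name into a pinned IP list and flag scope problems.

    observed    -- address sets from successive lookups (e.g. resolve_once() run N times)
    scope_cidrs -- the authorised ranges from the rules of engagement
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in scope_cidrs]
    union = set().union(*observed) if observed else set()
    in_scope = sorted(
        (a for a in union if any(ipaddress.ip_address(a) in n for n in nets)),
        key=ipaddress.ip_address,
    )
    out_of_scope = sorted((a for a in union if a not in in_scope), key=ipaddress.ip_address)
    return {
        "targets": in_scope,           # feed these to the scanner, not the hostname
        "out_of_scope": out_of_scope,  # never scan these; raise them with the client
        # True when two lookups returned different sets: the name is rotating or failing over
        "rotating": len({frozenset(s) for s in observed}) > 1,
    }


if __name__ == "__main__":
    # Constructed lookups: the second answer drifted to an address outside the agreed range.
    lookups = [{"192.0.2.10", "192.0.2.11"}, {"192.0.2.11", "198.51.100.5"}]
    print(pin_targets(lookups, ["192.0.2.0/24"]))
```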
>Dealing With An Insanely Large Scope
<aside>
Limiting The Scope
</aside>
- Instead of checking all the hosts, we scan a subset of them
- Downside: how representative is the subset of the total hosts in our scope?
<aside>
Faster Tools
</aside>
- masscan instead of nmap and similar tools.
<aside>
Scanning All The Systems But Limited Ports
</aside>
- Scan only the mainstream ports, such as Telnet, SSH, HTTP, MySQL, etc.
- Downside: we may miss critical services that are running on non-standard ports
<aside>
Reviewing the network firewall rule-set and testing only those ports that could make it through the firewall
</aside>
- Requires more work from the target organisation's personnel
- Doesn't fit well with a black-box approach
<aside>
Running a sniffer while scanning
</aside>
- We should do it for tools we're not familiar with
- We don't have to capture every packet the system sends; viewing them on screen is enough to understand what the tool is actually doing
- Some organisations do mandate full packet captures for penetration tests
War Dialling
>What is it?
- We dial a sequence of telephone numbers, attempting to locate modem carriers, voicemail systems or a secondary dial tone
- Very useful for attacking out-of-band communications, such as the voicemail systems of our target
- Demon diallers dial a single number repeatedly to conduct a brute-force attack against passwords.
- Unprotected modems often provide easy access to routing and switching infrastructure: dial-up lines are piggybacked onto networking equipment as a backup path so that, in extreme scenarios, network administrators can log in over dial-up and fix issues.
>Automating War Dialling - WarVOX
- Conducts war dialling through multiple VoIP accounts instead of dialling phone numbers over a modem, with no hardware requirement
- Offers high speed and much more flexibility.
- For this tool to work, the VoIP provider must support the IAX and IAX2 protocols (Inter-Asterisk eXchange)
- Supports caller ID spoofing (including spoofing the called number itself, which lets the call drop straight to voicemail) and bypassing PIN authentication
- For each answered call, WarVOX records an MP3 audio file associated with the number dialled, and the results are stored in a PostgreSQL database. We can then apply a series of signature detection techniques to determine what kind of response we got from each phone number.
rapid7/warvox
NIKSUN PhoneSweep® - The Industry's Best Analog Audit Tool