
Information Gathering and Its Techniques

Information gathering is the phase in which we collect information about the target we are attempting to break into. This information can include open ports, running services, and applications such as unauthenticated administrative consoles or ones still using default passwords. I'd like to quote Abraham Lincoln: "Give me 6 hours to chop down the tree and I will spend the first four sharpening the axe."

In simple words, the more information we gather about the target, the more beneficial it is to us, because more of the attack surface becomes visible. Suppose you wanted to break into your neighbour's house: you would probably inspect the various locks they use before breaking in, so that you can work out beforehand how each lock can be defeated. Similarly, when doing a web application assessment, we need to explore every possible way into the web application, because the more information we gather about the target, the greater our chance of penetrating it.

Here I will cover the following topics:
  • Types of information gathering
  • Enumerating domains, files, and resources

Information Gathering Techniques

Classically speaking, information gathering techniques consist of the following two classes:
  • Active techniques
  • Passive techniques

Active techniques

Typically, an active technique involves connecting to our target to gain information. This may include running port scans, enumerating files, and so on. Active techniques can be detected by the target, so care must be taken not to run unnecessary techniques that generate a lot of noise. They can be picked up by the target's firewall, and prolonged scans to enumerate information can even slow down the target for regular users.

Passive techniques

Using passive techniques, we make use of third-party websites and tools that do not contact the target to harvest data for our reconnaissance. Websites like Shodan and Google can surface a lot of data about a website, and using them properly can be extremely beneficial for gathering information that can later be used in exploiting the target. The best part of passive techniques is that the target never gets a hint that we are performing any reconnaissance: since we never connect to the website, no entries appear in the target's server logs.
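To make concrete why active techniques are noisy, here is a small Python detector, written for this page and not part of the original post or any of the tools listed below, that reads Apache/Nginx combined-format access-log lines and flags any client that racks up many 404 responses in a short window, the footprint a wordlist-driven file or directory brute force leaves behind. The log lines, IP addresses, window and threshold are constructed assumptions for the demo.

```python
# Added example (not from the original post): spot the noise an active technique
# such as a DirBuster-style file brute force leaves in a web server access log.
# The log lines are constructed for this demo; the IPs are documentation ranges.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the start of an Apache/Nginx "combined" format line: client IP, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def find_enumerators(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak_404_count} for clients producing >= threshold 404s inside any `window`.
    A human hits the odd broken link; a wordlist scanner produces hundreds of 404s in seconds."""
    misses = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 404:
            misses[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample: one scanner walking a wordlist, one normal visitor with a single broken image.
_BASE = datetime.strptime("10/Oct/2023:13:55:00 +0000", TS_FMT)
_WORDS = ["admin", "backup", "old", "test", "config", "login", "db", "dev"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [{(_BASE + timedelta(seconds=i)).strftime(TS_FMT)}] '
    f'"GET /{_WORDS[i % 8]}{i} HTTP/1.1" 404 209 "-" "Mozilla/5.0"'
    for i in range(40)
] + [
    f'198.51.100.2 - - [{(_BASE + timedelta(seconds=5)).strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    f'198.51.100.2 - - [{(_BASE + timedelta(seconds=9)).strftime(TS_FMT)}] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))   # → {'203.0.113.7': 40}
```

The scanner's forty misses in forty seconds are flagged while the ordinary visitor's single 404 is not; a passive technique never produces such lines at all.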

Enumerating Domain, Files, and Resources

In this section we'll try out different kinds of recon techniques to do domain enumeration. Finding the subdomains of a website can land us in surprising places. I remember a talk by Israeli security researcher Nir Goldshlager in which he performed a subdomain enumeration scan on a Google service; among the subdomains he found was one running a web application with a publicly disclosed local file inclusion vulnerability. Nir then used this to gain a shell on Google's server. Nir's intention wasn't evil: he reported the vulnerability responsibly to Google's security team.

The following recon tools are the ones most commonly used:
  • Fierce
  • theHarvester
  • SubBrute
  • CeWL - Custom Word List Generator
  • DirBuster
  • WhatWeb
  • Maltego

The following websites will be used for passive enumeration:
  • Wolfram Alpha
  • Shodan
  • DNSdumpster
  • Reverse IP Lookup using YouGetSignal
  • Pentest-Tools
  • Google Advanced Search

Note: The recon tools mentioned above come preinstalled in the Kali Linux operating system.
