There is a saying that goes, “The more information you have about the target, the greater the chance of successful exploitation.” Information gathering is the first phase of hacking. In this phase, we gather as much information as possible regarding the target’s online presence, which in turn reveals useful information about the target itself. The information required depends on whether we are doing a network pentest or a web application pentest: in a network pentest, our main goal is to gather information about the network; in a web application pentest, about the application. In this module, we will discuss numerous methods of real-world information gathering.
In general, all information gathering techniques can be classified into two main categories:
1. Active information gathering
2. Passive information gathering
ACTIVE INFORMATION GATHERING
In active information gathering, we engage directly with the target, for example, by finding out which ports are open on a particular host, which services are running on them, and which operating system is in use. However, active techniques are very noisy at the other end: they are easily detected by IDS, IPS, and firewalls and leave logs of our presence, so they are sometimes not recommended.
PASSIVE INFORMATION GATHERING
In passive information gathering, we do not engage directly with the target. Instead, we use search engines, social media, and other websites to gather information about it. This method is preferred because it generates no log of our presence on the target system. A common example is using LinkedIn, Facebook, and other social networks to gather information about employees and their interests, which is very useful when performing phishing, keylogging, browser exploitation, and other client-side attacks against those employees.
Sources of Information Gathering
There are many sources of information; the most important ones are as follows:
Social media websites
Search engines
Forums
Press releases
People search
Job sites
So let’s discuss some of these sources in detail along with some tools of the trade.
COPYING WEBSITES LOCALLY
There are many tools that can be used to copy websites locally; one of the most comprehensive is HTTrack. A local copy can be used to investigate the website further. For example, suppose that the file permissions on a configuration file are not set properly: the configuration might reveal important information about the target, such as a username and password.

If you are on Linux, you can use the wget command to copy a web page locally, for example:
wget http://www.rafayhackingarticles.net
Another great tool is Website Ripper Copier, which has a few additional functions compared with HTTrack.

INFORMATION GATHERING WITH WHOIS
As I have mentioned earlier, our goal in the information gathering and enumeration phase is to gather as much information as possible about the target. Whois is a huge database containing information on almost every domain on the web; the most common items are who owns the website and the owner’s e-mail address, which can be used to perform social engineering attacks.
The Whois database is accessible at whois.domaintools.com. A whois client is also available in BackTrack, but you would need to issue the following command from BackTrack to install it:
apt-get install whois
To perform a Whois lookup on a website, type whois <domainname> from the command line, giving the bare domain rather than a URL:
whois techlotips.com
You would see the following output:

You can see that it has revealed some interesting information, such as the e-mail of the owner (which I have set to private, by the way) and the name servers, which show that hostgator.com is hosting this website.
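To make the point concrete, here is an added Python example (not from the original post) that parses a WHOIS record in the common “Key: value” layout and pulls out the two items the text highlights: the contact e-mail addresses that a private registration would hide, and the name servers, from which the hosting provider is inferred. The sample record, its domain and its contact details are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample WHOIS record (a made-up domain; not a real lookup).
# It follows the "Key: value" layout that most registrars return.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Registrant Name: Jane Doe
Registrant Email: jane.doe@example-target.com
Admin Email: admin@example-target.com
Name Server: NS1.HOSTGATOR.COM
Name Server: NS2.HOSTGATOR.COM
DNSSEC: unsigned
"""

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect every 'Key: value' line; repeated keys (Name Server) become lists."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        # Non-greedy key so values that contain ':' (URLs) are kept whole.
        m = re.match(r"^\s*([A-Za-z][A-Za-z /_-]*?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record

def exposed_emails(record: Dict[str, List[str]]) -> List[str]:
    """Every e-mail in a contact field: exactly what a private registration hides."""
    found = {v.lower() for k, vals in record.items() if "email" in k for v in vals}
    return sorted(found)

def hosting_providers(record: Dict[str, List[str]]) -> List[str]:
    """Registered domain of each name server (ns1.hostgator.com -> hostgator.com).
    Simplification: assumes a one-label TLD; co.uk-style suffixes need a suffix list."""
    providers = set()
    for ns in record.get("name server", []):
        labels = ns.lower().rstrip(".").split(".")
        if len(labels) >= 2:
            providers.add(".".join(labels[-2:]))
    return sorted(providers)

def summarize(text: str) -> Dict[str, object]:
    """Reduce a raw record to the fields the section above calls out."""
    record = parse_whois(text)
    return {
        "domain": record.get("domain name", [""])[0].lower(),
        "emails": exposed_emails(record),
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "providers": hosting_providers(record),
    }
```

Feed it the raw text of `whois <domainname>` to see at a glance which contact addresses and hosting details a domain's registration publishes.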