In the previous post, we started to explain passive information-gathering techniques. Passive information gathering consists of techniques that generally leave no trace of the attacker at the target. However, they collect only limited information about the target. In this post, we will dive into active information-gathering techniques. They provide more information about the target, including IP addresses, technologies in use, and even user accounts.
The aim of active information gathering is to collect as much data as possible about the target's network and security systems. Let’s go over the common tools in this subcategory:
Sending ECHO packets (PING) is a viable technique for collecting the target's IP addresses and for detecting and testing perimeter security devices. If there is a gateway device, ECHO requests from the public Internet are probably filtered, so when we send an ECHO request, we will see a “Request Timed Out” reply. You see examples of PING usage below with a URL, an IP address, and different results from the target:
Traceroute tools use PING/UDP in the background to find the routers/gateways along the way to the destination IP address. There are pre-installed tools in Linux and Windows, and the gsuite.tools site provides a visual HTML-based traceroute option. traceroute (Linux) uses UDP high ports, and tracert (Windows) uses ICMP; either tool sends three packets to each hop on the way to the destination and displays the result of each probe. Traceroute tools can also be used for firewall detection; we will discuss that in detail in the following posts.
Hping3 is a valuable tool for many purposes. An experienced attacker can use hping3 for port scanning, MTU and sequence-number discovery, DoS, DDoS, TCP/UDP/ICMP-based traceroute, and firewall detection and evasion. In addition to hping3, we can use the popular NMAP to find accessible systems.
    ┌──(root💀test)-[~]
    └─# hping3 -t -S -p 80 www.google.com --verbose

    ┌──(root💀test)-[~]
    └─# hping3 -S -c 1 -s 5151 -p 80 192.168.255.2
    HPING 192.168.255.2 (eth0 192.168.255.2): S set, 40 headers + 0 data bytes
    len=46 ip=192.168.255.2 ttl=128 id=54179 sport=80 flags=RA seq=0 win=32767

    ┌──(root💀test)-[~]
    └─# hping3 -A -c 1 -s 5151 -p 80 192.168.255.2
    HPING 192.168.255.2 (eth0 192.168.255.2): A set, 40 headers + 0 data bytes
    len=46 ip=192.168.255.2 ttl=128 id=54181 sport=80 flags=R seq=0 win=32767
Defense-in-depth is a common approach for building an organization's perimeter security. We can detect firewalls, IDS/IPS, WAF, and DDoS mitigation, and collect information for mapping the target network. Detection of perimeter security devices is a comprehensive topic, and each detection method deserves one or more posts of its own. So, for the sake of the discussion here, we will give concise information on each discovery and detection method in this post:
The Domain Name System (DNS) is a vital part of the Internet and one of its oldest features. It translates human-readable domain names to IP addresses. A nice and simple explanation of DNS is available from Verisign.
Tools for DNS discovery are nslookup, dig, fpdns, and nmap. Here are a couple of examples:
Steps for discovering DNS with NSLOOKUP:
1. elevated cmd
2. nslookup <enter>
3. server 22.214.171.124 <enter>
4. set q=mx (or A, AAAA, PTR, SOA, NS) <enter>
5. www.target.com <enter>

EXAMPLE:

    > nslookup
    ...
    > server 126.96.36.199
    Default Server: dns.google
    Address: 188.8.131.52
    > set q=mx
    > www.bing.com
    Server: dns.google
    Address: 184.108.40.206
    Non-authoritative answer:
    www.bing.com canonical name = a-0001.a-afdentry.net.trafficmanager.net
    a-0001.a-afdentry.net.trafficmanager.net canonical name = www-bing-com.dual-a-0001.a-msedge.net
    www-bing-com.dual-a-0001.a-msedge.net canonical name = dual-a-0001.a-msedge.net
    a-msedge.net
        primary name server = ns1.a-msedge.net
        responsible mail addr = msnhst.microsoft.com
        serial = 2016092901
        refresh = 1800 (30 mins)
        retry = 900 (15 mins)
        expire = 2419200 (28 days)
        default TTL = 240 (4 mins)
Another interesting property of a DNS server is whether it resolves any DNS request coming from the Internet (open recursion) or not. To test that, we can use nmap. We may need to use the DNS protocol during our pentest, so we will come back to this protocol when needed. Some DNS-related nmap scripts and commands:
    # recursion-enabled DNS servers in a subnet
    nmap -Pn -n -sU -p 53 --script=dns-recursion.nse <192.168.255.0/24>

    # public DNS detection with dig
    dig www.google.com @<a DNS server>

    # zone transfer check
    host -l domain.com ns1.domain.com
    # or use the nmap dns-zone-transfer.nse script
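To make clear what the recursion check above actually tests, here is an added example (not code from the original post) that builds a DNS query with the RD bit set and classifies a response by its RA flag and RCODE. The function names, the verdict labels and the sample headers are assumptions constructed for illustration; `probe` is meant for auditing a resolver you operate.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
REFUSED = 5                            # RCODE a server returns when it declines

def build_query(name, qtype=1, txid=0x1234):
    """Encode a query for `name` (qtype 1 = A) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(packet):
    """Map a raw DNS response to a verdict about recursion."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    if not flags & QR:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if not flags & RA:
        return "no-recursion"          # server does not offer recursion at all
    if rcode == REFUSED:
        return "recursion-refused"     # offered, but not to this source address
    if rcode in (0, 3):                # NOERROR or NXDOMAIN: it did the lookup
        return "open-recursion"
    return "inconclusive"              # e.g. SERVFAIL; repeat with another name

def probe(server, name="example.com", timeout=3.0):
    """Send one query over UDP/53 to a resolver you operate and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recvfrom(512)[0])

# Constructed 12-byte response headers (not captured traffic).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_CLOSED = struct.pack("!HHHHHH", 0x1234, QR | RD | REFUSED, 1, 0, 0, 0)
```

The verdict is only meaningful when the queried name lies outside the zones the server is authoritative for; a resolver exposed to the Internet should answer such queries with `no-recursion` or `recursion-refused`.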
SMTP is useful for information-gathering purposes. First, send an email to a user who does not exist on the target domain. Then inspect the returned error email. That email contains valuable information about the mail server and the structure of the target domain. This approach may reveal the SMTP path to the target mail server (the "Received ... by" details).
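To see what such a bounce discloses about your own mail path, the following added example (not part of the original post) parses the Received headers of a non-delivery report and lists each hop together with any RFC 1918 addresses it exposes. The sample message, host names and addresses are constructed placeholders, and `disclosed_hops` is a hypothetical helper name.

```python
import email
import ipaddress
import re

# Constructed bounce (not from a real system); all names and IPs are placeholders.
SAMPLE_NDR = """\
Received: from edge01.corp.example (edge01.corp.example [203.0.113.10])
 by mx.sender.example with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mbx02.int.corp.example (10.20.30.41) by
 edge01.corp.example (10.20.30.5) with ESMTP id def456;
 Mon, 1 Jan 2024 10:00:01 +0000
From: MAILER-DAEMON@corp.example
To: tester@sender.example
Subject: Undeliverable: test

The recipient address was not found.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(text):
    """True if `text` is a valid IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def disclosed_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to follow the delivery path.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "internal_ips": [ip for ip in IPV4.findall(value) if is_internal(ip)],
        })
    return hops
```

Any hop that reports internal host names or a non-empty `internal_ips` list is a candidate for header rewriting or stripping at the outbound gateway.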
Banner grabbing is an old technique, but sometimes it provides valuable information about the target domain. There are a lot of information sources and examples on the Internet about banner grabbing. Here you can find a couple of them:
HTTP server type detection can reveal weaknesses in the target's web servers. To get HTTP server information, we can use the HTTPrint tool. HTTPrint is a cross-platform tool for collecting information about the web servers of the target domain.
SNMP is an administrative protocol for network devices, storage systems and so forth. SNMPENUM, SNMPWALK, the NESSUS SNMP plugin, SOLARWINDS tools, and Cain & Abel SNMP are useful tools for SNMP information gathering. As with DNS, we can use suitable tools for information gathering during the enumeration phase.
Backups, archive data, backup filenames, desktop, RDP, .ssh, and .conf files can contain valuable information such as usernames/passwords, IP addresses, special configuration, important file paths and so on.
Volatility and apptrace tools can give nice details from memory. In addition to these, metagoofil and FOCA can give metadata about a target’s documents. MALTEGO provides better results and detailed information about the target. MALTEGO is an OSINT tool and has multiple features as a complete toolset.
In this post, we gave the basics of active information-gathering techniques: where to look, and which tool is the best option for data collection. Any tool discussed here may have an alternative and may be used in various steps of penetration testing. We will give more technical details and use cases for the tools discussed here in the following posts. Thank you for reading.
Emre Caglar Hosgor