304 North Cardinal St.
Dorchester Center, MA 02124
Our previous post discussed critical steps in hacking/penetration testing. The first step is the information-gathering step. Information gathering is essential for a tester because initial data about the target(s), perimeter security details, public-facing services, and many more used technology details can be gathered at this step. We will explain important sub-steps and valuable information in this post, but detailed information about the techniques is left to the keen reader.
Information gathering has two sub-categories: Passive information-gathering tools and techniques and active information-gathering tools and techniques. In passive methods, there are a lot of tools and techniques. In this post, we try to explain the most popular ones.
If a technique is considered passive in cyber security, it (most probably) doesn’t leave log data, trace, and origin of the request. Tools and techniques used in this sub-category contain publicly available services such as search engines, whois, DNS, e-mail, web pages, etc.
Public-facing, internal IP addresses are the prime candidates for an attack. There are a lot of tools for finding IP address details. Nmap can be considered for this category, but the approach Nmap uses mainly fits into the active information-gathering scope. Other than directly accessing the websites or sending packets there are online tools that can provide IP address information about the target. Couple of examples are:
Domain name refers to our target organization. For instance, our target is example corp. Then, by just gathering information about target.com we can collect a lot of valuable information. However, companies and hosting firms collect access information and in the event of a cyber attack, they provide this information to investigation entities. We need to leave no trace while we collect information about our target. One valuable tool is Whois information about the domain. Information that can be collected by Whois queries are:
# installing whois in Kali Linux sudo apt-get update && sudo apt-get upgrade -y sudo apt-get install whois
After installing ( in Kali Linux, it is already installed ), by just typing “Whois” to the terminal, you can query Whois information on any website.
There are valuable websites that can be used to collect Whois information about the target. A couple of them are:
In Whois scenario, we have a known domain name and we tried to collect information about that domain name without directly accessing that target. If we have a public IP address, than we want to collect whether there is a domain associated with it or not we can use dig tool in Kali Linux, and nslookup in Windows.
dig -x <ip address>
robtex.com provides a piece of detailed information about a domain, IP address. It is useful to use it for gathering information about a target during the pen-testing.
Another important data about our target is the e-mail addresses associated with it. An e-mail address is important for understanding account names of the Active Directory, guessing other employees’ e-mail address, and (obviously) sending phishing e-mails. The most prominent tool is theharvester. Theharvester provides detailed information about target, including DNS, SHODAN results, search engines and even port scans.
# an example command theHarvester -d <targetDomain.com> -l 100 -v -e 220.127.116.11 -b google
Aside from theHarvester there are tools and websites that are developed to collect valid email addresses from the HTML content and domain data.
If we can collect third-party and client-side tools that are used in our target, then we can search for known vulnerabilities for exploitation purposes. One way to do that is to collect e-mails that have attachments, trying to grab banner information of enterprise systems. During the active scanning and enumeration, we can populate this bullet better. But this is worth a try if we can by using passive information gathering.
Search engines are the perfect source for information gathering. We can use Shodan, pastebin, archive.org, Bing, Google, Yandex, Pipl, tineye and many more.
We will continue the information-gathering discussion with active tools and techniques. Keep in mind that there are couple of paid options for information gathering such as netcraft, hackertarget, etc. I hope this post helps you for your pen-testing journey.
Emre Caglar Hosgor