
Information Gathering: Steps in Penetration Testing-2

We started to explain passive information-gathering techniques in the previous post. Passive information gathering consists of techniques that generally leave no trace of the attacker at the target; however, they collect less information about the target. In this post, we dive into active information-gathering techniques. They provide more information about the target, including IP addresses, the technologies in use, and even user accounts.

Active Information Gathering

The aim of active information gathering is to collect as much data as possible about the target's network and security systems. Let's go over the common tools in this subcategory:

Traceroute, tracert, ICMP Tools

Sending ICMP ECHO packets is a viable technique for collecting IP addresses, detecting hosts, and testing perimeter security devices. If there is a gateway device, ECHO requests from the public Internet are probably filtered, so when we send an ECHO request we will see a "Request Timed Out" reply. Below are examples of PING usage with a URL and an IP address, and the different results returned by the target:

[Figure: PING USAGE]

Traceroute tools use PING/UDP probes in the background to find the routers/gateways along the path to the destination IP address. There are pre-installed tools on Linux and Windows, and the gsuite.tools site provides a visual, HTML-based traceroute option. traceroute (Linux) uses high UDP ports, and tracert (Windows) uses ICMP; either tool sends three packets to each hop on the way to the destination and displays the result of each probe. Traceroute tools can also be used for firewall detection; we will discuss that in detail in the following posts.

hping3 is a valuable tool for many purposes. An experienced attacker can conduct port scans, MTU and sequence-number discovery, DoS/DDoS, TCP/UDP/ICMP-based traceroute, and firewall detection and evasion with hping3. In addition to hping3, we can use the popular Nmap for finding accessible systems.

┌──(root💀test)-[~]
└─# hping3 -t -S -p 80 www.google.com --verbose

┌──(root💀test)-[~]
└─# hping3 -S -c 1 -s 5151 -p 80 192.168.255.2
HPING 192.168.255.2 (eth0 192.168.255.2): S set, 40 headers + 0 data bytes
len=46 ip=192.168.255.2 ttl=128 id=54179 sport=80 flags=RA seq=0 win=32767

┌──(root💀test)-[~]
└─# hping3 -A -c 1 -s 5151 -p 80 192.168.255.2
HPING 192.168.255.2 (eth0 192.168.255.2): A set, 40 headers + 0 data bytes
len=46 ip=192.168.255.2 ttl=128 id=54181 sport=80 flags=R seq=0 win=32767

Discovering the Perimeter Security Systems

Defense-in-depth is a common approach to building perimeter security for an organization. We can detect firewalls, IDS/IPS, WAFs, and DDoS mitigation, and collect information for mapping the target network. Each detection method deserves one or more posts by itself, and detecting perimeter security devices is a broad subject, so for the sake of this discussion we give only concise information about each discovery and detection method:

  • Firewall Detection: When we send a TCP SYN packet to a port, the reply is a TCP SYN-ACK or a TCP RST. If there is no response, a device is filtering our packet, most probably a gateway or a firewall, and the port is reported as filtered.
  • IPS Detection: The following signatures are enabled by default on almost any IPS (99%):
    • … cmd.exe (in the payload, request, or a parameter, like …?id="cmd.exe")
    • ../../ appended to a valid URL
    • /etc/passwd
    We send these values in an HTTP request and then inspect the HTTP reply. If we get a 404 or a similar "not found" error, there is no IPS. But if we get a connection reset, a timeout, or the like, an IPS is protecting that site.
  • Web Application Firewall (WAF) Detection: The common approach is to use wafw00f or similar tools, or to send common XSS/SQLi probes and inspect the response (like: <script>alert('W00f')</script> or php?id=1'UNION+ALL+SELECT+1,2,3,LOAD_VERSION-- )
  • DDoS Mitigation Detection: Some DDoS mitigation systems use SYN cookies to defend against SYN flood attacks. To test whether a site is protected against DDoS with SYN cookies, we can replay a request, send multiple SYN requests, and inspect the reply. Another way to protect a site against DDoS is rate limiting. For detection use "hping -S -p 80 -flood <IP address>", then test with "hping -udp -p 53 <IP address>". If there is no response, the IP address we are using has been quarantined.
  • Detection of Spam Protection and Mail Gateway: There are a couple of steps. First, create a malicious payload (exe, pdf, docx) with msfvenom. Second, inspect the header information of the reply email. Related resources for tracing and header information: "How to trace an email with its full headers" and the Google Admin Toolbox Messageheader.
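The IPS and WAF probes above only work because a signature engine on the other side matches them. The following is an added example (not code from the post, and not any vendor's rule set) showing that detection side: a handful of simplified signatures run over constructed request lines, including a percent-encoded traversal that a naive matcher would miss.

```python
import re
from urllib.parse import unquote

# Signatures mirroring the probes listed above (constructed for this example,
# not any vendor's real rule set). Each is matched against the decoded request.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}|\.\.\\"),
    "etc-passwd":     re.compile(r"/etc/passwd", re.IGNORECASE),
    "cmd-exe":        re.compile(r"cmd\.exe", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli-union":     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
}

def normalise(request_line: str) -> str:
    """Percent-decode twice (to unfold double encoding) and turn '+' into spaces."""
    return unquote(unquote(request_line)).replace("+", " ")

def match_signatures(request_line: str) -> list[str]:
    """Names of every signature the request matches, in SIGNATURES order."""
    text = normalise(request_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each offending request line to the signatures it triggered."""
    return {line: hits for line in lines if (hits := match_signatures(line))}

# Constructed sample request lines (not from any real server log).
SAMPLE_REQUESTS = [
    "GET /index.php?id=1 HTTP/1.1",
    "GET /index.php?id=cmd.exe HTTP/1.1",
    "GET /static/../../../../etc/passwd HTTP/1.1",
    "GET /static/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /search?q=<script>alert('W00f')</script> HTTP/1.1",
    "GET /item.php?id=1'UNION+ALL+SELECT+1,2,3 HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_REQUESTS).items():
        print(f"{', '.join(hits):28} {line}")
```

A request that trips a signature is what produces the reset or timeout the post describes; the clean first line produces the ordinary 404 path instead.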

Information Gathering with DNS Protocol

Domain Name System (DNS) is a vital and one of the oldest features of the Internet. It translates human-readable domain names to IP addresses. A nice and simple explanation of DNS from Verisign:

https://www.verisign.com/en_US/website-presence/online/how-dns-works/index.xhtml

Tools for DNS discovery are nslookup, dig, fpdns, and nmap. Here are a couple of examples.

Steps for discovering DNS records with nslookup (Windows):
1. Open an elevated cmd
2. nslookup <enter>
3. server 8.8.8.8 <enter>
4. set q=mx (or A, AAAA, PTR, SOA, NS) <enter>
5. www.target.com <enter>
EXAMPLE:
> nslookup
...
> server 8.8.8.8
Default Server:  dns.google
Address:  8.8.8.8

> set q=mx
> www.bing.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
www.bing.com    canonical name = a-0001.a-afdentry.net.trafficmanager.net
a-0001.a-afdentry.net.trafficmanager.net        canonical name = www-bing-com.dual-a-0001.a-msedge.net
www-bing-com.dual-a-0001.a-msedge.net   canonical name = dual-a-0001.a-msedge.net

a-msedge.net
        primary name server = ns1.a-msedge.net
        responsible mail addr = msnhst.microsoft.com
        serial  = 2016092901
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 2419200 (28 days)
        default TTL = 240 (4 mins)

Another interesting property of a DNS server is whether it answers recursive queries from the Internet (an open resolver). To test that we can use nmap. We may need the DNS protocol during our pentest, so we will revisit it when needed. Some nmap scripts and related commands for DNS:

# Recursion-enabled DNS servers in a subnet
nmap -PN -n -sU -p 53 --script=dns-recursion.nse <192.168.255.0/24>
# Public DNS detection with dig
dig www.google.com @<a DNS server>
# Zone transfer check
host -l domain.com ns1.domain.com
nmap -p 53 --script=dns-zone-transfer.nse --script-args dns-zone-transfer.domain=domain.com ns1.domain.com
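What dns-recursion.nse actually checks is one header bit: it sends a query with RD (recursion desired) set and looks at whether the reply has RA (recursion available) set. The following added example (not code from the post or from Nmap) builds that query and parses the reply header; the two reply messages are constructed, and probe() is there for checking a resolver you operate yourself.

```python
import socket
import struct

# DNS header handling, enough to reproduce what dns-recursion.nse checks:
# send a query with RD=1 and see whether the reply advertises RA=1.

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query for `name` (A record by default) with RD set."""
    flags = 0x0100                      # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into flag bits and section counts."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def recursion_enabled(resp: bytes, txid: int) -> bool:
    """True when the reply matches our transaction ID and advertises RA."""
    h = parse_header(resp)
    return h["id"] == txid and h["qr"] and h["ra"]

def probe(server: str, name: str = "www.example.com", timeout: float = 2.0) -> bool:
    """Send one query over UDP/53 to a resolver you operate and report RA."""
    q = build_query(name, txid=0x4242)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return recursion_enabled(data, 0x4242)

# Constructed sample replies (not captured from any real server):
# an open resolver echoes our ID with QR=1, RD=1, RA=1, rcode NOERROR ...
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# ... while an authoritative-only server answers QR=1, RD=1, RA=0, rcode REFUSED.
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
```

An Internet-facing server that returns the first kind of reply is an open resolver and should be restricted to its own clients.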

SMTP, HTTP, Banner Grabbing, SNMP for Information Gathering

SMTP is useful for information-gathering purposes. First, send an email to a user who does not exist on the target domain, then inspect the returned error (bounce) email. That email contains valuable information about the mail server and the target domain structure, and it may reveal the SMTP path to the target mail server (the Received: header details).
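Both the mail-gateway detection bullet above and this SMTP paragraph come down to reading the Received: headers of a bounce. The following added example (not code from the post) reconstructs the relay path from a constructed bounce message; every hostname, address and queue ID in it is a placeholder, and the same code lets a mail administrator see what their own NDRs disclose.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample bounce (NDR); hostnames and IDs are placeholders, not a real capture.
SAMPLE_BOUNCE = """\
Received: from edge-mx.example.net (edge-mx.example.net [203.0.113.10])
 by inbound.example.org with ESMTPS id abc123;
 Mon, 01 May 2023 10:00:05 +0000
Received: from internal-mail.corp.example.net ([10.0.0.25])
 by edge-mx.example.net with ESMTP id def456;
 Mon, 01 May 2023 10:00:03 +0000
Received: from localhost (localhost [127.0.0.1])
 by internal-mail.corp.example.net (Postfix) with ESMTP id ghi789;
 Mon, 01 May 2023 10:00:01 +0000
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: sender@example.org
Subject: Undelivered Mail Returned to Sender

The address does not exist.
"""

# "from <host> ... by <host> (<software>)": the fields every Received: line carries.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)(?:\s+\((?P<sw>[^)]*)\))?",
                    re.IGNORECASE)

def received_hops(raw_message: str) -> list[dict]:
    """SMTP path oldest hop first, one dict per Received: header."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        folded = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(folded)
        if not m:
            continue                             # tolerate non-standard lines
        date_part = folded.rsplit(";", 1)[-1].strip()
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "software": m.group("sw"),           # e.g. "Postfix" when present
            "time": parsedate_to_datetime(date_part),
        })
    return list(reversed(hops))                  # headers are prepended: newest first

def hosts_revealed(raw_message: str) -> list[str]:
    """Distinct relay names in path order: what the bounce discloses about the mail route."""
    hops = received_hops(raw_message)
    return list(dict.fromkeys(h for hop in hops for h in (hop["from"], hop["by"])))
```

Here the bounce exposes an internal relay name, a private address and the MTA software, which is exactly the information the post says to look for.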

Banner grabbing is an old technique, but it sometimes provides valuable information about the target domain. There are many information sources and examples on the Internet about banner grabbing. Here are a couple of them:

  • telnet www.domain.com 80
  • HEAD / HTTP/1.1
  • dig MX domain.com
  • telnet mail.domain.com 25, and many more

HTTP server type detection can reveal weaknesses in the target's web servers. To get HTTP server information, we can use the httprint tool, a cross-platform tool for collecting information about the web servers of the target domain.

SNMP is an administrative protocol for network devices, storage systems, and so forth. snmpenum, snmpwalk, the Nessus SNMP plugin, SolarWinds tools, and the SNMP features of Cain & Abel are useful for SNMP information gathering. As with DNS, during the enumeration phase we can use the suitable tools for information gathering.

Backups, archived data, backup filenames, desktop files, RDP files, .ssh directories, and .conf files can contain valuable information such as usernames/passwords, IP addresses, special configuration, important file paths, and so on.

Volatility and apptrace can extract useful details from memory. In addition, metagoofil and FOCA can extract metadata from a target's documents. Maltego provides better results and more detailed information about the target; it is an OSINT tool with multiple features as a complete toolset.

In this post, we gave the basics of active information-gathering techniques: where to look and which tool is the best option for data collection. Any tool discussed here may have alternatives and may be used in various steps of a penetration test. We will give more technical details and use cases for the tools discussed here in the following posts. Thank you for reading.

Emre Caglar Hosgor