Skip to content

Introduction to Information gathering

What is Information Gathering?

  • Definition:
    Information gathering is the initial and most crucial step in any penetration test or ethical hacking process. It involves collecting data about a target, such as an individual, company, website, or system, to understand its structure, weaknesses, and potential entry points for exploitation.

  • Importance:

    • A solid foundation of information improves the accuracy and effectiveness of the penetration test.
    • Reduces guesswork during later stages like vulnerability assessment and exploitation.
    • Helps identify high-value targets, potential vulnerabilities, and security misconfigurations.

Types of Information Gathering

1. Passive Information Gathering:

  • Description:
    Gathering information without interacting directly with the target system. This approach reduces the chances of detection.

  • Purpose:

    • To maintain anonymity.
    • To collect publicly available data without triggering alarms.

    • Examples:

    • OSINT (Open-Source Intelligence):

      • Searching publicly available information via search engines, forums, or blogs.
      • Tools like Maltego or OSINT Framework can be used for this purpose.
    • Social Media Analysis:
      • Checking profiles on LinkedIn, Twitter, Facebook, etc., to gather employee roles, email patterns, or organizational structure.

    • WHOIS Enumeration:

      • Retrieving domain registration information using WHOIS tools.

      • Example command:

        whois example.com

    • DNS Reconnaissance:

      • Collecting DNS records using tools like nslookup or dig.

        nslookup example.com
dig example.com

    • Google Dorking:

      • Advanced search operators to find sensitive information.

      • Example:

        site:example.com filetype:pdf confidential

2. Active Information Gathering:

  • Description:
    Involves interacting with the target system directly to gather detailed and specific information. This requires authorization as it might trigger alerts.

  • Purpose:

    • To uncover detailed technical data such as open ports, running services, or software versions.
    • Provides actionable insights for vulnerability exploitation.

    • Examples:

    • Network Scanning:

      • Tools like nmap are used to identify live hosts, open ports, and services.

      • Example command:

        nmap -sV 192.168.1.0/24

    • Banner Grabbing:

      • Retrieving information about the software and version running on a service.

      • Tools like telnet or netcat can be used:

        nc -v 192.168.1.10 80

    • Port Scanning:

      • Identifying which ports are open and listening.

      • Example with nmap:

        nmap -p 1-1000 192.168.1.10

    • Fingerprinting:

      • Determining the operating system or web server running on the target.

      • Tools like WhatWeb or Wappalyzer:

        whatweb example.com

    • Exploitation-Related Recon:

      • Tools like Metasploit and Nikto can be used to gather data during active engagement.

      • Example (Nikto for web server scanning):

        nikto -h http://example.com

What Information Are We Looking For?

During Information Gathering, the goal is to collect valuable data about the target that will help in identifying potential vulnerabilities. The process is divided into Passive and Active Information Gathering, each focusing on specific details.

1. Passive Information Gathering

  • Objective:
    Gather as much information as possible without directly interacting with the target system to avoid detection.

  • What to Look For:

    • IP Addresses and DNS Information:
      • Identify the target's IP address and its domain name system (DNS) records, including A, MX, and TXT records.
      • Tools: nslookup, dig, WHOIS lookups.
    • Domain Names and Ownership Information:
      • Find the domain's registrar, creation/expiration dates, and contact details.
      • Tools: WHOIS lookup services.
    • Email Addresses and Social Media Profiles:
      • Collect publicly available email addresses and social media details for spear-phishing or social engineering.
      • Tools: Hunter.io, Google Dorking.
    • Web Technologies Used:
      • Identify frameworks, CMS (like WordPress), and technologies powering the target website.
      • Tools: Wappalyzer, WhatWeb, BuiltWith.
    • Subdomains:
      • Discover additional subdomains that might expose less-secure entry points.
      • Tools: Sublist3r, assetfinder.

2. Active Information Gathering

  • Objective:
    Interact directly with the target to uncover deeper technical details. This requires authorization to avoid legal issues.

  • What to Look For:

    • Open Ports on Target Systems:
      • Identify open ports and running services, which could reveal potential attack vectors.
      • Tools: nmap, masscan.
    • Internal Infrastructure of the Target:
      • Map the internal network to understand its structure, devices, and configurations.
      • Tools: traceroute, netdiscover.
    • Enumerating Information from Target Systems:
      • Extract details like user accounts, shared resources, and software versions.
      • Tools: enum4linux, smbclient.

Workflow for Information Gathering

  1. Start with Passive Methods:

    • Use tools like WHOIS and Google Dorking to collect easily accessible information without alerting the target.

    • Switch to Active Methods:

    • Once authorized, employ tools like nmap or Nikto to gain more precise insights.

    • Document Findings:

    • Log all collected data, ensuring it is well-organized for analysis.

Tools for Information Gathering

Passive Tools:

  • Maltego: Visualizes relationships between people, organizations, and domains.
  • Shodan: Internet search engine for discovering connected devices.
  • OSINT Framework: A resource for open-source intelligence tools.

Active Tools:

  • Nmap: Network scanner for discovering hosts, ports, and services.
  • Wireshark: Captures and analyzes network traffic.
  • Nikto: Scans web servers for vulnerabilities.
  • Metasploit: Framework for scanning and exploiting systems.

Tools Overview

Category Tools Purpose
DNS & IP Gathering nslookup, dig, WHOIS Discover DNS records, IP mappings.
Subdomain Enumeration Sublist3r, AssetFinder Identify subdomains.
Web Technology Fingerprint WhatWeb, Wappalyzer Detect web technologies (CMS, frameworks).
Port Scanning Nmap, Masscan Discover open ports and services.
Network Analysis Traceroute, Wireshark Map the internal network and traffic.
Vulnerability Scanning Nikto, Metasploit Detect server vulnerabilities.
Enumeration Enum4Linux, SMBclient Extract user, service, and share data.

Steps to Perform Information Gathering

  1. Identify Target Scope:

    • Determine the target's domain, IP address, or infrastructure to be assessed.

    • Use Passive Methods First:

    • Perform OSINT to collect data without triggering any alarms.

    • Switch to Active Methods:

    • Use scanning tools for network and system discovery after receiving authorization.

    • Document Findings:

    • Create a detailed report with the collected data, including tools and commands used.

Ethical Considerations

  • Authorization: Always obtain explicit permission before performing active reconnaissance.
  • Anonymity: Use tools like Proxychains or VPNs to mask your identity when necessary.
  • Documentation: Ensure all steps are logged for reporting purposes and legal compliance.