INFORMATION GATHERING
This article is for newbies:
There is a saying that goes “The more information you have about the target, the more is the chance of successful exploitation.” Information gathering is the first phase of hacking. In this phase, we gather as much information as possible regarding the target’s online presence, which in turn reveals useful information about the target itself. The required information will depend on whether we are doing a network pentest or a web application pentest. In the case of a network pentest, our main goal would be to gather information on the network; in a web application pentest, the same idea applies, with the focus on the application itself.
In general, all information gathering techniques can be classified into two main categories:
1. Active information gathering
2. Passive information gathering
Active Information Gathering:
In active information gathering, we directly engage with the target, for example to find out what ports are open on a particular host, what services they are running, and what operating system it is using. However, active information gathering techniques are very noisy at the other end: they are easily detected by IDS, IPS, and firewalls and leave a log of their presence, so in some situations they are not recommended.
Passive Information Gathering:
In passive information gathering, we do not directly engage with the target. Instead, we use search
engines, social media, and other websites to gather information about the target.
Techniques of Information Gathering:
Copying Websites Locally:
There are many tools that can be used to copy websites locally; one of the most comprehensive is httrack. A local copy can be used to investigate the website further offline. For example, suppose the file permissions of a configuration file are not set properly: the configuration might reveal important information about the target, such as a username and password.
Another great tool is Website Ripper Copier, which has a few more functions than httrack.
If you are on Linux, you can use the wget command to copy a web page locally, e.g. wget https://www.example.com
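The configuration-file scenario above is worth checking from the other side: whether any configuration or backup file under a web root is readable by every local user. The following is an added example, not a tool from the article; it walks a directory tree and flags files whose names look like configuration or backup files and whose mode grants read access to "other". The file names, the suffix list and the constructed web root are this example's own assumptions.

```python
"""Flag configuration and backup files under a web root that are world-readable.

Added example, not from the original article. Walks a directory tree and
reports files that look like configuration or backup files and whose mode
grants read permission to "other" users.
"""
import os
import stat
import tempfile

# Names and suffixes commonly used for configuration or backup files.
# Assumed list for this example, not a complete one.
SENSITIVE_NAMES = {".env", "config.php", "wp-config.php", "settings.py"}
SENSITIVE_SUFFIXES = (".bak", ".old", ".conf", ".ini", ".yml", ".yaml")


def is_sensitive_name(name: str) -> bool:
    """Return True if the file name looks like a config or backup file."""
    return name in SENSITIVE_NAMES or name.lower().endswith(SENSITIVE_SUFFIXES)


def world_readable(path: str) -> bool:
    """Return True if the file mode grants read permission to 'other'."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def find_exposed_configs(root: str) -> list[str]:
    """Return relative paths of sensitive files under root that are world-readable."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sensitive_name(name) and world_readable(full):
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def demo() -> list[str]:
    """Build a constructed web root in a temporary directory and run the check."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "app"))
    cases = {
        "index.html": 0o644,           # public page, nothing to flag
        "app/config.php": 0o644,       # config readable by everyone: flagged
        "app/db.yml": 0o600,           # owner-only: not flagged
        "app/settings.py.bak": 0o644,  # backup left behind: flagged
    }
    for rel, mode in cases.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample content\n")
        os.chmod(path, mode)
    return find_exposed_configs(root)


if __name__ == "__main__":
    for path in demo():
        print("world-readable config:", path)
```

Point find_exposed_configs at a real document root to run the same check there; it inspects mode bits only, so it runs the same way whether or not the web server actually serves those paths.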
Information Gathering with Whois:
Whois is a huge database containing registration information for almost every website on the web. The most common pieces of information are who owns the website and the owner’s e-mail address, which can be used to perform social engineering attacks.
The Whois database is accessible at whois.domaintools.com.
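To see exactly which contact details a registration record gives away, it helps to fetch and parse one. The following is an added example, not code from the article: a minimal WHOIS client for the RFC 3912 protocol (one query over TCP port 43, answer until the server closes the connection) and a parser for the usual "Key: value" record format. The sample record is constructed, not a real registration; the server name whois.iana.org is a real public WHOIS server, and the set of contact fields is this example's own choice.

```python
"""Fetch a WHOIS record (RFC 3912) and list the contact fields it exposes.

Added example, not from the original article. The sample record below is
constructed; no real registration data is included.
"""
import socket

SAMPLE_RECORD = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-01T00:00:00Z
Registrant Name: Jane Roe
Registrant Organization: Example Corp
Registrant Email: jane.roe@example.test
Admin Email: admin@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Fields worth reviewing when they appear in a public record: they hand a
# social engineer names and mailboxes to impersonate. Assumed list.
CONTACT_FIELDS = ("registrant name", "registrant email", "admin email", "tech email")


def whois_query(domain: str, server: str = "whois.iana.org", timeout: float = 10.0) -> str:
    """Send one WHOIS query over TCP/43 and return the raw response text.

    RFC 3912: the client sends the query terminated by CRLF; the server writes
    its answer and then closes the connection.
    """
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse 'Key: value' lines into a dict; repeated keys collect a list.

    Keys are lower-cased. Blank lines, lines without a colon and the '>>>'
    footer are ignored.
    """
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def exposed_contacts(fields: dict[str, list[str]]) -> dict[str, str]:
    """Return the contact fields present in the record (first value of each)."""
    return {key: fields[key][0] for key in CONTACT_FIELDS if key in fields}


if __name__ == "__main__":
    # Offline demonstration on the constructed record. For a live lookup use:
    #   parse_whois(whois_query("example.com"))
    record = parse_whois(SAMPLE_RECORD)
    for key, value in exposed_contacts(record).items():
        print(f"{key}: {value}")
```

Running exposed_contacts against your own domain's record is a quick way to see whether personal names and mailboxes are published where a privacy or role address would do.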
Traceroute
Traceroute is a very popular utility available in both Windows and Linux. It is used for network orientation. By network orientation I don’t mean scanning a host for open ports or for services running on a port; it means figuring out how the network topology, firewalls, load balancers, control points, etc. are implemented on the network.
Traceroute uses the TTL (time to live) field of the IP header: it sends packets with increasing TTL values in order to determine where each system on the path is. The TTL value is decremented every time the packet reaches a hop on the network (router to server is one hop), and the hop at which it reaches zero sends back a reply, revealing its address.
There are three different types of traceroutes:
1. ICMP traceroute (which is used in Windows by default)
2. TCP traceroute
3. UDP traceroute
ICMP Traceroute
Microsoft Windows by default uses ICMP traceroute; however, after a few hops, you will get a
timeout, which indicates that there might be a device like IDS or firewall that is blocking ICMP
echo requests.
TCP Traceroute
Many devices are configured to block ICMP traceroutes. This is where we try TCP or UDP traceroutes, also known as layer 4 traceroutes. tcptraceroute is available by default in BackTrack. If you can’t find it, install it with the following command:
apt-get install tcptraceroute
Usage
From the command line, you would need to issue the following command:
tcptraceroute www.google.com
UDP Traceroute
Linux also has a traceroute utility, but unlike Windows it uses the UDP protocol for the traceroute by default. In Windows, the command for traceroute is “tracert”; in Linux, it’s “traceroute”.
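The three probe types above, together with the fact that a traceroute walks the TTL upward from 1, are exactly what makes it easy for an IDS or firewall log to spot, as the article notes. The following is an added example, not from the article: a small detector that reads packet metadata records, maps each packet to the traceroute flavour it could belong to (ICMP echo, TCP, or UDP to the 33434+ port range that Linux traceroute uses), and flags sources whose probes carry low, increasing TTLs. The log format, the thresholds and the addresses are constructed for this example.

```python
"""Spot traceroute-style probing in packet metadata.

Added example, not from the original article. Classifies packets by the
probe type they could belong to and flags sources that walk the TTL upward
from 1, the signature of a traceroute mapping the path to a host.
"""
from collections import defaultdict

# Constructed packet records: src dst proto dst_port ttl (dst_port 0 for ICMP).
# The format is this example's own; a real sensor export would differ.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 icmp 0 1
198.51.100.7 203.0.113.10 icmp 0 2
198.51.100.7 203.0.113.10 icmp 0 3
198.51.100.7 203.0.113.10 icmp 0 4
198.51.100.9 203.0.113.10 tcp 80 1
198.51.100.9 203.0.113.10 tcp 80 2
198.51.100.9 203.0.113.10 tcp 80 3
198.51.100.11 203.0.113.10 udp 33434 1
198.51.100.11 203.0.113.10 udp 33435 2
198.51.100.11 203.0.113.10 udp 33436 3
198.51.100.20 203.0.113.10 tcp 443 64
198.51.100.20 203.0.113.10 tcp 443 64
198.51.100.20 203.0.113.10 tcp 443 64
"""

MIN_PROBES = 3   # a TTL walk needs a few distinct values to be convincing
LOW_TTL = 32     # ordinary stacks start at 64/128/255; probes start near 1


def parse_log(text: str) -> list[tuple[str, str, str, int, int]]:
    """Turn the constructed log into (src, dst, proto, dport, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, ttl = line.split()
        records.append((src, dst, proto, int(dport), int(ttl)))
    return records


def probe_type(proto: str, dport: int):
    """Map a packet to the traceroute flavour it could belong to, or None."""
    if proto == "icmp":
        return "icmp"
    if proto == "tcp":
        return "tcp"
    if proto == "udp" and 33434 <= dport <= 33534:
        return "udp"
    return None


def detect_traceroutes(records) -> dict[tuple[str, str], str]:
    """Return {(src, dst): probe_type} for sources that walk the TTL upward from 1."""
    ttls_seen = defaultdict(set)
    kinds = {}
    for src, dst, proto, dport, ttl in records:
        kind = probe_type(proto, dport)
        if kind is None or ttl > LOW_TTL:
            continue
        ttls_seen[(src, dst)].add(ttl)
        kinds[(src, dst)] = kind
    hits = {}
    for key, seen in ttls_seen.items():
        ordered = sorted(seen)
        # Several distinct low TTLs beginning at 1 is the traceroute signature;
        # a normal client sends every packet with the same initial TTL.
        if len(ordered) >= MIN_PROBES and ordered[0] == 1:
            hits[key] = kinds[key]
    return hits


if __name__ == "__main__":
    for (src, dst), kind in detect_traceroutes(parse_log(SAMPLE_LOG)).items():
        print(f"{kind} traceroute from {src} towards {dst}")
```

The TCP session from 198.51.100.20 is not flagged because every packet carries the host's normal initial TTL of 64; only the three sources whose TTLs climb 1, 2, 3 are reported.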
Google Hacking Database
The Google Hacking Database is maintained by Offensive Security, the people behind the famous BackTrack distro. It holds a list of many Google dorks that could be used to find usernames, passwords, e-mail lists, password hashes, and other important information.