Information Gathering

Information gathering is the act of collecting different kinds of information about the targeted person or system.

There are two types of information gathering: passive or OSINT (Open Source INTelligence) gathering, which means collecting as much information about our target as possible without exposing our presence, and active information gathering, whose techniques interact directly with the target system.

Passive Information Gathering (OSINT)

Passive information gathering is a technique to gather information without any interaction with the target. Many of the tools for it are listed in the OSINT Framework.

OSINT Framework

The OSINT Framework includes information gathering tools and websites in one central location. Some tools listed in the framework cover more disciplines than information security.

Search Engines

Google offers the opportunity to perform advanced search queries using special operators:

AND, OR, +, -, ""

Here are some example queries:

| Query type | Google dork |
| --- | --- |
| Cache | cache:www.example.com |
| Link | link:www.example.com |
| Site | site:www.website.com |
| Filetype | filetype:pdf |
| Title | intitle:index.of |

Harvesting

Harvesting is extracting information from documents and files. We can find information such as emails, employee names and so on. theHarvester is a tool that automates this work:

theharvester -d example.com -b google
theharvester -d example.com -b linkedin

Social Media

The spread of social networks has made information gathering extremely important and effective. With the help of social media, a pentester can easily gather an employee's personal information such as phone numbers, addresses, history and CV.

We want to collect the following information about the employees:

  • Age

  • Phone Number

  • Addresses

  • Occupation

  • Business

  • Interests

  • Email Addresses

  • Website Owned

  • Related Documents

  • Financial Info

Infrastructures

The main goal here is to retrieve data such as:

  • Domains

  • Netblocks or IP addresses

  • Mail servers

  • ISPs used (Internet Service Providers)

  • Any other technical information

Domains and subdomains

Given a domain, the first source of information is WHOIS. There are a lot of online tools that allow you to use WHOIS:

There are some tools that search for subdomains, like amass or sublist3r:

sublist3r -d [Domain]
amass enum -d example.com

Nmmapper is an online tool that finds a lot of subdomains:

The following user guide helps us a lot when exploring some useful queries.

Recon-ng

Recon-ng is a module-based framework for web-based information gathering. Recon-ng displays the results of a module in the terminal, but it also stores them in a database.

Searching Modules

We can add modules to recon-ng from the marketplace:

marketplace search <MODULE>
marketplace info <MODULE>
marketplace install <MODULE>

Using Modules

We need to load the module before using it (note that loading is done with the modules command, not the marketplace command):

modules load <MODULE> #Load the module into the current session
info #Show the module's description and options
options set <OPTION> <VALUE>

Display results

We can display different kinds of results, from hosts to vulnerabilities:

show #List everything that can be displayed
show <SELECTION>

Best Recon-ng Modules

recon/domains-hosts/google_site_web #Searches for subdomains on Google using Google dorks
recon/hosts-hosts/resolve #Updates the hosts table with the DNS resolution of each host

Shodan

As we gather information on our target, it is important to remember that traditional websites are just one part of the internet. Shodan is a search engine that crawls devices connected to the internet.

The following repository gives us some examples of what we can do with this brilliant tool.

Open-Source Code

Another source of interesting information is open-source projects and online code repositories, such as GitHub, GitLab and SourceForge.

GitLeaks

Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys and tokens in git repositories. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code:

gitleaks --repo-url=https://github.com/my-insecure/repo -v
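As an added example (not gitleaks' own code), here is a minimal secret scanner of the kind gitleaks automates: it runs pattern rules over constructed file contents and uses a Shannon-entropy filter so that low-entropy placeholder values are not reported. The rule set, the entropy threshold and the sample files are assumptions made for this illustration.

```python
"""Minimal hardcoded-secret scanner in the spirit of gitleaks (added example,
not gitleaks' own code): pattern rules plus a Shannon-entropy filter."""
import math
import re

# Rules are an assumption for this example; "AKIA" + 16 chars is the AWS key id format.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned for this example only

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, rule_id, value) for each finding in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic rule only reports random-looking values, so placeholders are skipped.
                if rule_id == "generic-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append((path, line_no, rule_id, value))
    return findings

def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> contents (a stand-in for a git checkout)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository; every key-like value here is fake.
SAMPLE_FILES = {
    "config.py": (
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'password = "changeme-changeme-changeme"\n'
        'API_KEY = "q7Zp3LmN9xVb2RtY8KcW4HsJ"\n'
    ),
    "README.md": "Set PASSWORD = 'replace-me-replace-me' before running.\n",
}
if __name__ == "__main__":
    for path, line_no, rule_id, value in scan_repo(SAMPLE_FILES):
        print(f"{path}:{line_no} [{rule_id}] {value}")
```

Running it reports the AWS key id and the random-looking API key, while the two "changeme"-style placeholders fall below the entropy threshold and are ignored.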
