Unit 2

The document outlines various information gathering techniques, categorized into active and passive methods, detailing tools and processes for each. Active gathering involves direct engagement with targets using tools like NMAP, while passive gathering utilizes resources like social media and search engines without detection. Additionally, it covers tools for website copying, DNS interaction, SNMP vulnerabilities, and methods for performing zone transfers and DNS cache snooping.

Uploaded by barneyisalive

Information Gathering Techniques

1. Active information gathering
2. Passive information gathering
Active Information Gathering
 In active information gathering, we directly engage with the
target, for example by gathering information about what ports are open on a
particular target, what services they are running, and what operating
system they are using.
 It may easily be detected by IDS, IPS, and firewalls and generate a log of
our presence, and hence is sometimes not recommended.
 Tools, e.g.:
 NMAP, NSLOOKUP.
Passive Information Gathering
 In passive information gathering, we do not directly engage with
the target.
 Instead, we use search engines, social media, and other websites
to gather information about the target.
 It does not generate any log of our presence on the target system, so
it is recommended.
Sources of Information Gathering
 There are many sources of information; the most important
ones are as follows:
 Social media
 Websites
 Search engines
 Forums
 Press releases
 People search
 Job sites
Copying Websites to Local Systems

There are many tools that can be used to copy websites locally:
HTTrack
Website Ripper Copier
HTTrack
 It downloads the contents of entire websites from the Internet
to a local directory for offline viewing.
 It allows you to download a World Wide Web site from the
Internet to a local directory, building recursively all directories,
getting HTML, images, and other files from the server to your
computer.
Website Ripper Copier tool
 One more great tool is Website Ripper Copier, which has a few
more functions than HTTrack.
Information Gathering with the Whois Command:
 Whois holds a huge database that contains information
regarding almost every website that is on the web.
 The most commonly retrieved information is “who owns the website” and “the
e-mail of the owner,” which can be used to perform social
engineering attacks.
whois
 apt-get install whois
 In order to perform a Whois search on a website:
 Eg:
 $ whois www.cvr.ac.in
 $ whois www.techlotips.com
Intercepting a Response
Burp Suite
 One of Burp Suite’s main features is its ability to intercept HTTP
requests.
 Normally HTTP requests go from your browser straight to a web
server and then the web server response is sent back to your
browser.
 With Burp Suite, however, HTTP requests go from your browser
straight to Burp Suite, which intercepts the traffic.
 Step 1—First, download the free version of Burp Suite from the following
website: http://portswigger.net/burp/
 Step 2—Next, install Burp Suite and launch it.
 Step 3—Next, open Firefox. Note: You can use any browser, but I would
recommend Firefox. Go to Tools → Options → Advanced → Network →
Settings.
 Step 4—Click on “Manual proxy configuration”, insert the information
given in the following screenshot and click “OK”.
 Step 5—Next, open up Burp Suite again, navigate to the “Proxy”
tab, click on the “Intercept” tab and click on “Intercept is off”
to turn it on.
 Step 6—Next, from your Firefox browser, send an HTTP request
by refreshing the page. Make sure the intercept is turned on.
 Step 7—Next, we would need to capture the HTTP response in
order to view the banner information. Intercepting the response
is turned off by default, so we need to turn it on. For that
purpose, select the HTTP request, right click on it, and
under “Do intercept”, click on “Response to this request”.
 Step 8—Next, click on the “Forward” button to forward the HTTP
request to the server. In a few seconds, we will receive an HTTP
response, revealing the HTTP server and its version.
 Eg:
Tracing the Location
 You would need to know the IP address of
the web server in order to trace the exact location.
NeoTrace
 NeoTrace is a graphical networking tool that allows you to trace
the source of any IP address or website automatically, as well as
pull important data like domain registrar information.
 The graphical display shows you the path between you and the
target site, revealing all intermediary nodes and their associated
registrant details.
 It basically performs what’s known as a “traceroute” on IP
addresses and websites.
 For website searches, NeoTrace just “translates” a domain name
into an IP address that can be traced.
 Trace Websites and IP Addresses
 View Where Sites and IPs are Located on the World Map
Cheops-ng (next generation)
 Cheops-ng is another remarkable tool for tracing and
fingerprinting a network.
 Cheops-ng is a network management tool for mapping and
monitoring your network.
 It has host/network discovery functionality as well as OS
detection of hosts.
 Cheops-ng has the ability to probe hosts to see what services
they are running.
Cheops-ng features:
 Host discovery
 Machine fingerprinting to determine OS (using Nmap)
 Use of DNS and ICMP to detect network hosts
 Network monitors
WhatWeb
 WhatWeb is an all-in-one package for performing active
footprinting on a website.
 It has more than 900 plug-ins capable of identifying server version,
e-mail addresses, and SQL errors.
 This tool can identify and recognize all the web technologies
available on the target website.
 This tool can identify technologies used by websites such as
blogging platforms, content management systems, and JavaScript libraries.
 The usage is pretty simple:
 You need to type ./whatweb followed by the website name.
 Command: ./whatweb flipcart.com
Example
Netcraft
 Netcraft contains a huge online database with useful
information on websites and can be used for passive
observation against the target.
 It is also capable of fingerprinting the web servers.
Example
Interacting with DNS Servers

We can interact with DNS servers by using DNS clients.

Tools:
 Nslookup (name server lookup)
 DIG (Domain Information Groper)
Nslookup
 Nslookup is available in both Windows and Linux OS.
 Suppose we want the DNS servers to return all the mail server records of an
organization.
 We would do the following:
 Step 1—Issue the nslookup command from the command prompt.
 Step 2—Issue the following command:
 set type=mx
 Step 3—Next, we would enter the domain: www.msn.com
 We can also ask for all the DNS servers for that domain by using
the set type=ns command.

The query has returned all the name servers associated with ifixit.com
DIG
 It stands for Domain Information Groper, and it collects data
about Domain Name Servers.
 The dig command is helpful for troubleshooting DNS problems,
but is also used to display DNS information.
Example :
Reverse DNS
 In a reverse DNS attack, we do the opposite. With the help of the IP ranges, we try to
guess valid hostnames.
 Reverse DNS Lookup with Dig
 For performing a reverse DNS lookup, we would need to first write the IP address in
reverse order.
 For example:
 208.80.152.201 (Wikipedia’s IP)
 201.152.80.208 (reverse order)
 Next, we would append “.in-addr.arpa” to it, so it would become
201.152.80.208.in-addr.arpa, and finally make a DNS PTR query in dig.
 So the whole command will look like this:
 Eg: dig 201.152.80.208.in-addr.arpa PTR
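The reversal step above, generalized to IPv6 (which uses one hex nibble per label under ip6.arpa rather than one octet under in-addr.arpa), as an added Python example that is not part of the original slides. The function names are my own; the 208.80.152.201 address is the slide's own example and the other addresses are constructed documentation ranges.

```python
import ipaddress


def reverse_pointer_name(ip: str) -> str:
    """Build the PTR query name for an IPv4 or IPv6 address.

    IPv4: the four octets in reverse order, then ".in-addr.arpa".
    IPv6: all 32 hex nibbles of the fully expanded address in reverse
    order, one per label, then ".ip6.arpa" (leading zeros are kept).
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # always 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def dig_ptr_command(ip: str) -> str:
    """The dig invocation shown on the slide, built for any address."""
    return f"dig {reverse_pointer_name(ip)} PTR"


def reverse_zone_for(cidr: str) -> str:
    """Return the in-addr.arpa zone that holds the PTR records of an
    octet-aligned IPv4 network (/8, /16 or /24), i.e. which reverse zone
    a whole address range is served from."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 networks map to one in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


if __name__ == "__main__":
    for sample in ("208.80.152.201", "2001:db8::1"):
        print(dig_ptr_command(sample))
    print(reverse_zone_for("208.80.152.0/24"))
```

Note that `ipaddress.ip_address(...).reverse_pointer` in the standard library produces the same name; the function is written out here so the octet and nibble reversal is visible.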
Zone Transfer
 A DNS server contains information such as host names and the IP
addresses associated with them.
 A zone file is a plain text file stored on a DNS server that contains an
actual representation of the zone and contains all the records for
every domain within the zone.
 Zone transfer is the process of copying the contents of the zone file
on a primary DNS server to a secondary DNS server.
 A zone transfer is used for replication of records.
Zone Transfer with Host Command
 Follow the steps to perform a zone transfer request on a server.
 Suppose our target is msn.com.
 We would issue the following commands:
 Step 1—We will gather a list of all the name servers associated
with our target.
 host -t ns msn.com
 To initiate a zone transfer request, issue the following command against each name server:
 host -l msn.com ns5.msft.net
 host -l msn.com ns1.msft.net
 host -l msn.com ns2.msft.net
 host -l msn.com ns3.msft.net
 host -l msn.com ns4.msft.net

Unfortunately, all the queries will fail and give us a
“transfer failed” error, as the server doesn’t allow zone
transfers.
Try it on zonetransfer.me, a server that we know is vulnerable to
DNS zone transfer. On running the same host command, we will
come to know that it has two name servers.
 Now let’s try a zone transfer:
 host -l zonetransfer.me ns12.zoneedit.com
 You would notice that the zone transfer would be successful and
it would return the full list of subdomains that normally cannot
be discovered with other techniques.
 Example: dig axfr @ns12.zoneedit.com zonetransfer.me
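What a successful transfer actually hands over is the zone in master-file syntax, so whoever reads a dig axfr dump has to deal with $ORIGIN, $TTL, the @ shorthand and relative names. The following added Python example (mine, not the slides' code; the zone contents and the example.test. domain are constructed) parses such a dump and summarizes what was exposed, which is also how a defender would audit their own zone for names and internal addresses that should not be public.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # fully qualified owner name
    ttl: int
    rtype: str
    rdata: str


# Constructed sample of what "dig axfr" prints for a hypothetical zone.
SAMPLE_AXFR = """\
$ORIGIN example.test.
$TTL 3600
@                 IN  SOA  ns1 hostmaster 2024010101 7200 900 1209600 300
@                 IN  NS   ns1
@                 IN  NS   ns2
ns1               IN  A    192.0.2.1
ns2               IN  A    192.0.2.2
www          600  IN  A    192.0.2.10
mail              IN  MX   10 mail
mail              IN  A    192.0.2.20
vpn-gw            IN  A    192.0.2.30   ; remote-access concentrator
staging.internal  IN  A    10.0.0.5     ; should never have been in the public zone
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def qualify(name: str, origin: str) -> str:
    """Turn '@' and relative names into fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> list:
    """Minimal master-file parser: handles $ORIGIN, $TTL, comments, an
    optional per-record TTL and the IN class.  Every record line must
    start with an owner name, which is how dig prints a transfer."""
    origin, default_ttl, records = ".", 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        name = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0].isdigit():                   # optional explicit TTL
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":             # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append(Record(name, ttl, rtype, " ".join(tokens)))
    return records


def exposed_hosts(records: list) -> list:
    """Every name that resolves to an address: the host list a transfer leaks."""
    return sorted({r.name for r in records if r.rtype in ("A", "AAAA")})


def rfc1918_records(records: list) -> list:
    """A records pointing into private (RFC 1918) space, which reveal internal
    topology and are the first thing to remove from a public zone."""
    out = []
    for r in records:
        if r.rtype != "A":
            continue
        addr = ipaddress.ip_address(r.rdata)
        if any(addr in net for net in RFC1918):
            out.append(r)
    return out


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_AXFR)
    print(f"{len(zone)} records, hosts: {exposed_hosts(zone)}")
    for rec in rfc1918_records(zone):
        print("internal address exposed:", rec.name, rec.rdata)
```

The same parser works on the output of `dig axfr` against a server you administer; the mitigation side is simply not to allow transfers to arbitrary clients, so that only the secondaries ever receive this file.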
Automating Zone Transfer
 DNSenum is capable of performing forward lookup, reverse
lookup, and also zone transfer, and is very simple to use.
 All you need to do is issue the following command from the
/pentest/enumeration/dns/dnsenum directory.
 ./dnsenum.pl
 ./dnsenum.pl zonetransfer.me
DNS cache snooping
 A DNS cache snooping attack is a process of querying a DNS
server to determine if it has a resource that is cached.
 This would help the attacker determine what websites a user
has recently visited.
 DNS cache snooping can be performed using two methods:
 1. Nonrecursive method
 2. Recursive method
Nonrecursive Method
 The first step would be to ask the DNS cache for any given
resource record.
 If the response is cached, that is, if it finds the record you asked
for, the response would be valid and would return an answer,
indicating that someone on that system visited that particular
website.
 If the response is not cached, it will return a reply about another
server that can answer the query better, or it will send the
root.hints DNS file contents, which contain the names and
addresses of all root DNS servers.
 Command:
 dig @ns1.jpd.com javapoint.com A +norecurse
Recursive Method
 1. The first step would be to ask the DNS cache for any given resource
record.
 2. Next, we would set the query to be recursive instead of
nonrecursive.
 3. Next, we would examine the TTL field, which will tell us how long
the DNS record stays inside the cache. So we would examine the TTL
in the answer section and compare it with the TTL that was initially
set. If the TTL field in the answer section is less than the initially set
TTL field, the record is most likely cached and someone on that
domain name server visited that website.
 4. Now, if the record is not present in the cache, it will be present after
the first query is made.
 Command:
 dig @ns2694.hostgator.com www.techlotips.com A +recurse
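Both methods come down to reading a dig response correctly: the nonrecursive method asks whether an ANSWER section came back at all, and the recursive method compares the answer's TTL with the TTL configured in the zone. The added Python example below (mine, not the slides'; the dig output, the example.test names and the 3600-second zone TTL are constructed) parses dig's text output and applies each rule. It also checks that the server really honoured +norecurse, because a resolver that echoes RD=1 may have resolved the name on our behalf, and then an answer says nothing about earlier lookups.

```python
import re

# Constructed dig responses, in the text format dig prints.

# +norecurse query, record present in the resolver's cache: an ANSWER section
# comes back and the TTL (412) has already counted down from the zone's 3600.
DIG_NORECURSE_HIT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.test.\t\tIN\tA

;; ANSWER SECTION:
www.example.test.\t412\tIN\tA\t192.0.2.10
"""

# +norecurse query, nothing cached: no ANSWER, only a referral to the roots.
DIG_NORECURSE_MISS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4102
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.test.\t\tIN\tA

;; AUTHORITY SECTION:
.\t518400\tIN\tNS\ta.root-servers.net.
.\t518400\tIN\tNS\tb.root-servers.net.
"""

# +recurse query that forced a fresh lookup: the TTL equals the zone's 3600,
# so this query itself populated the cache (step 4 on the slide).
DIG_RECURSE_FRESH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.test.\t3600\tIN\tA\t192.0.2.10
"""

HEADER_RE = re.compile(r";; flags:([a-z ]*);\s*QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")


def parse_dig(text: str) -> dict:
    """Extract the header flags, the section counts and the ANSWER records."""
    flags, answer_count, authority_count, answers, section = set(), 0, 0, [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            answer_count, authority_count = int(m.group(2)), int(m.group(3))
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split(" SECTION:")[0]   # QUESTION / ANSWER / AUTHORITY
            continue
        if section == "ANSWER" and line and not line.startswith(";"):
            name, ttl, _rclass, rtype, rdata = line.split(None, 4)
            answers.append((name, int(ttl), rtype, rdata))
    return {"flags": flags, "answer_count": answer_count,
            "authority_count": authority_count, "answers": answers}


def nonrecursive_verdict(text: str) -> str:
    """Nonrecursive method: an answer to an RD=0 query can only come from cache."""
    r = parse_dig(text)
    if "rd" in r["flags"]:
        raise ValueError("query was sent with recursion desired; verdict invalid")
    return "cached" if r["answer_count"] > 0 else "not cached"


def recursive_verdict(text: str, authoritative_ttl: int) -> str:
    """Recursive method: a TTL below the zone's configured TTL means the
    record was already in the cache and has been counting down."""
    r = parse_dig(text)
    if not r["answers"]:
        return "no answer"
    observed = min(ttl for _, ttl, _, _ in r["answers"])
    if observed < authoritative_ttl:
        return f"likely cached ({authoritative_ttl - observed}s ago)"
    return "fetched by this query"


if __name__ == "__main__":
    print(nonrecursive_verdict(DIG_NORECURSE_HIT))     # cached
    print(nonrecursive_verdict(DIG_NORECURSE_MISS))    # not cached
    print(recursive_verdict(DIG_NORECURSE_HIT, 3600))  # likely cached (3188s ago)
    print(recursive_verdict(DIG_RECURSE_FRESH, 3600))  # fetched by this query
```

On the defending side the same header tells the story in reverse: a resolver that answers non-recursive queries from arbitrary clients, or that recurses for them at all, is exposing its cache, and restricting recursion and cache access to the networks it serves is the standard mitigation.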
SNMP

Simple Network Management Protocol

SNMP PROBLEM
 SNMP stands for Simple Network Management Protocol;
 it is widely used for the purpose of management and remote
configuration of devices.
 The problem with this protocol was that, in its older versions, there was no
authentication system of any kind, so anyone could access the
SNMP server and gain access to the details present on it.
SNMP Versions
 SNMPv1 – SNMPv1, the first SNMP version to be released, uses
community strings to restrict access. SNMPv1 utilized read-write and
read-only community strings, but the data transmitted was
unencrypted. This meant it was vulnerable to attacks and exploitation.
 SNMPv2c – SNMPv2c also delivers data encryption; it’s slightly more
secure than SNMPv1, but not as secure as SNMPv3. SNMPv2c uses two
types of community strings: read-write and read-only.
 Read-write strings make you vulnerable because they allow attackers
to remotely interfere with your system.
 SNMPv3 – SNMPv3 is the most secure version of SNMP, allowing users
to fully encrypt transmissions, so they can’t be accessed or exploited
by external attackers.
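The version difference is visible in the first bytes of every SNMP datagram: a v1 or v2c message starts with the version INTEGER followed by the community string as a plain OCTET STRING, so anyone who can see the packet can read the string, while a v3 message carries msgGlobalData and security parameters in that position instead. The added Python example below (my own, not from the slides) BER-encodes a minimal GetRequest for sysDescr.0, decodes the header the way a capture tool or an IDS rule would, and flags the well-known default community names; the packets, community values and request id are constructed.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short or two-byte long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def integer(v: int) -> bytes:
    """BER INTEGER, two's complement, minimal length."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


SYS_DESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])  # 1.3.6.1.2.1.1.1.0


def build_get_request(version: int, community: bytes, request_id: int) -> bytes:
    """Encode an SNMPv1 (version 0) or SNMPv2c (version 1) GetRequest for sysDescr.0."""
    varbind = tlv(0x30, tlv(0x06, SYS_DESCR_0) + tlv(0x05, b""))   # OID, NULL value
    pdu = tlv(0xA0, integer(request_id) + integer(0) + integer(0)    # id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, integer(version) + tlv(0x04, community) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        count = n & 0x7F
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n


VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
DEFAULT_COMMUNITIES = {"public", "private"}


def extract_community(datagram: bytes):
    """Return (version name, community) from the message header.
    For SNMPv3 the community is None: what follows the version is
    msgGlobalData and the security parameters, not a community."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(raw_version, "big", signed=True)
    name = VERSION_NAMES.get(version, f"unknown({version})")
    if version == 3:
        return name, None
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return name, community.decode("latin-1")


def uses_default_community(datagram: bytes) -> bool:
    """Defensive check: is a v1/v2c packet using a well-known default string?"""
    _, community = extract_community(datagram)
    return community is not None and community in DEFAULT_COMMUNITIES


# Constructed samples.
SAMPLE_V1_GET = build_get_request(0, b"public", 0x1C5F2D8A)
SAMPLE_V2C_GET = build_get_request(1, b"s3cr3t-ro", 7)
# Header of a v3 message: version 3 followed by msgGlobalData (left empty here).
SAMPLE_V3_HEADER = tlv(0x30, integer(3) + tlv(0x30, b""))

if __name__ == "__main__":
    for pkt in (SAMPLE_V1_GET, SAMPLE_V2C_GET, SAMPLE_V3_HEADER):
        print(extract_community(pkt), "default:", uses_default_community(pkt))
```

Running `extract_community` over the UDP/161 payloads in a capture is a quick way to inventory which devices still speak v1/v2c and which still answer to "public"; replacing those with SNMPv3 users is the fix the version list above points at.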
Sniffing SNMP Passwords tools

OneSixtyOne tool
 Onesixtyone is an all-in-one tool for scanning and brute-forcing
SNMP community strings.
 $ apt-get install onesixtyone
 $ onesixtyone -c dictionary.txt <ipaddress>
OneSixtyOne…
 The usage is very simple. All we need to do is enter the path to the
dictionary followed by the IP address, and it will attempt to connect to
the SNMP service by using the community strings you have defined in the
dictionary.
Snmpenum
 It’s available in BackTrack in the /pentest/enumeration/snmp
directory.
 It can also be used for enumerating SNMP services.
 Usage: ./snmpenum.pl <ipaddress> public windows.txt
SolarWinds Toolset
 This toolset was made for network administration and
monitoring purposes.
 There are lots of tools in the SolarWinds toolset,
which are much simpler than the tools found in BackTrack.
 It has many tools related to network discovery, monitoring, and
SNMP, which a hacker can use to his advantage.
SNMP Sweep
This tool could be used to gather information about the devices
running on your network.
• SNMP Brute Force and Dictionary
 Under the “Security” tab, it also has SNMP brute force and SNMP
dictionary attack tools to guess weak passwords.
 The brute force tool tries all possible combinations, which takes a long time. However, the
SNMP dictionary tool allows you to specify a dictionary, which will be
used against an SNMP server in order to guess valid credentials.
• SNMP Brute Force Tool
 This tool is very simple to use. Just enter the
host, and it will try to brute-force the passwords with all possible
combinations. The problem with the brute force tool is that it is both
time- and resource-consuming if the password is long.
SNMP Brute Force Tool
SNMP Dictionary Attack Tool
The SNMP dictionary tool allows you to specify a dictionary, which will be used
against the SNMP server.
This is faster than brute force and does not consume as many resources.
