Does the CEO reveal way too much on Twitter?
Is the system administrator writing to archived listservs, asking
about how to secure a Drupal install?
What software are their web servers running?
These are the questions a penetration tester asks before engaging a target.
So now, let’s gather information about Information Gathering.
What is Information Gathering?
I know that most of you are already aware of Information Gathering.
You may also argue that it is not possible to cover it completely in a single blog post written only as an introduction.
But I will try my best to give you as much information as I can.
So, let’s dive into the ocean of information.
Basically, it is a pretty straightforward term.
Information Gathering is the process of gathering relevant (and sometimes seemingly irrelevant) information about our target.
Having good intel on your target is always beneficial; it gives you the upper hand in the room.
Types of reconnaissance
Information Gathering/Reconnaissance can be divided into two categories:
- Passive Recon
- Active Recon
1. Passive Recon
“The quieter you will be, the more you’ll listen.”
This is what Passive Recon is based on.
It is the art of gathering information about a target without touching it: from the attacker’s perspective you are actively collecting, but from the target’s point of view nothing has happened, so you are in passive mode.
It is a fun process, but it is also crucial and often the most time-consuming phase of hacking.
So here I am listing a few important tools and websites from the plethora of sources available for passive reconnaissance; these form a pretty good appetizer.
This is the first resource that comes to my mind whenever I start recon against any type of target.
2. Shodan
Shodan is a search engine for internet-connected devices.
3. VirusTotal
VirusTotal is a website designed to help with the analysis of potentially malicious files and URLs.
4. Maltego
Maltego is application software used for open-source intelligence and forensics.
5. OSINT Framework
The OSINT Framework is focused on gathering information from free tools and resources.
Its intention is to help people find free OSINT resources.
2. Active Recon
Active Reconnaissance is a more direct method of gathering information.
Here we interact directly with the target, which makes it difficult to maintain anonymity.
The attacker’s activity can be traced, because this type of recon leaves trails.
Though this method is less stealthy, the results from active recon are much more accurate than those from passive recon.
The basic objective of active recon is to gather information that is more relevant from an attack perspective.
This recon is faster and more accurate; however, it is noisy.
Since the attacker has to interact with the target to gain information,
there is an increased chance that the recon will be caught by a firewall or another network security device.
These tools can be classified into three broad categories:
- Port Scanning Tools
- Web Services Review Tools
- Network Vulnerability Scanning Tools
1. Port Scanning Tools
Port scanning is a method of identifying open ports by attempting a connection to each port of a target system.
Suppose the port scanner identifies open port 22, which is associated with Secure Shell (SSH).
An attacker might then try SSH-related attacks on the target system.
An open port is like an open window in a house through which a thief may try to enter.
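Since active recon is noisy, it is worth seeing what that noise looks like from the defender’s side. The following is an added example, not code from the original post: a small Python detector that reads connection-log lines (constructed sample data in an assumed format, with assumed thresholds) and flags a source that touches many distinct ports on one host within a sliding time window, which is exactly the footprint a port scanner leaves.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ISO time> <src> -> <dst>:<port> <verdict>" format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 -> 192.0.2.10:22 ACCEPT
2024-05-01T10:00:00 198.51.100.7 -> 192.0.2.10:23 REJECT
2024-05-01T10:00:01 198.51.100.7 -> 192.0.2.10:25 REJECT
2024-05-01T10:00:01 198.51.100.7 -> 192.0.2.10:80 ACCEPT
2024-05-01T10:00:02 198.51.100.7 -> 192.0.2.10:110 REJECT
2024-05-01T10:00:02 198.51.100.7 -> 192.0.2.10:143 REJECT
2024-05-01T10:00:03 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:03 198.51.100.7 -> 192.0.2.10:445 REJECT
2024-05-01T10:00:06 203.0.113.5 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:30 203.0.113.5 -> 192.0.2.10:443 ACCEPT
"""


def parse_line(line):
    """Parse one line into (time, src, dst, port); return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, port = parts[3].rsplit(":", 1)
    try:
        return datetime.fromisoformat(parts[0]), parts[1], dst, int(port)
    except ValueError:
        return None


def detect_port_scans(log_text, window_seconds=60, port_threshold=6):
    """Return {(src, dst): most distinct ports hit within one sliding window} for
    pairs reaching port_threshold; REJECTed probes count, the spread is the signal."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        t, src, dst, port = parsed
        events[(src, dst)].append((t, port))
    window, alerts = timedelta(seconds=window_seconds), {}
    for pair, evs in events.items():
        evs.sort()
        in_window, left = Counter(), 0  # port -> hits inside the current window
        for t, port in evs:
            in_window[port] += 1
            while evs[left][0] < t - window:  # expire events older than the window
                in_window[evs[left][1]] -= 1
                if not in_window[evs[left][1]]:
                    del in_window[evs[left][1]]
                left += 1
            if len(in_window) >= port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts
```

Running `detect_port_scans(SAMPLE_LOG)` flags 198.51.100.7 for hitting 8 distinct ports on 192.0.2.10 while the repeat visitor on port 443 stays silent; tightening `window_seconds` to 1 makes the same sweep fall under the threshold, which is why slow scans are harder to catch.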
Major port scanners are:
1. Nmap
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
2. Angry IP Scanner
Angry IP Scanner is a free network utility that includes IP management functions and a port scanning service.
2. Web Services Review Tools
These tools check a website or web server for the services it exposes.
This helps an attacker search for any exploit available for a particular service.
Popular web services review tools are:
A quick, open-source, terminal-based web vulnerability scanner that reports basic security issues.
A commercial web application security scanning tool used by security auditing agencies.
3. Network Vulnerability Scanning Tools
These are the tools used to scan hosts, websites or web servers for possible vulnerabilities.
From both an attacker’s and a defender’s perspective it is crucial to have intel about vulnerabilities:
the attacker needs it to craft an exploit for a particular vulnerability, and the defender needs it to defend against that exploit.
Popular vulnerability scanners are:
1. Nessus
Nessus scans a computer and raises an alert if it discovers any vulnerabilities.
2. OpenVAS
OpenVAS is a software framework of several services and tools offering vulnerability scanning.
That is it for this post; I hope you found value in this guide.
Want to learn how to use all these tools? Keep coming back, I will cover all of them and many more. Until then, check out my other cool posts. 😊
Do let me know which tool you want me to cover in my next post in this Recon series.