Information Gathering(Reconnaissance/Footprinting)


This is the very first step for any kind of hacking(White,Grey,Black).Information Gathering as the name suggests, is gathering as much information about the target as possible.Hackers or Security Experts need to create a information database before attacking a target, it helps them to find out the technology a particular company or a simple website uses so this way they can figure out the vulnerabilities easily. Information gathering is of two types:

1.Active(When you are directly in contact with the target machine)

2.Passive(When you are not directly getting in contact with the target and target doesn’t actually know if they are the TARGET . This is done through reading about the company using search engines and Forums.The chances of  )

Reconnaissance and Footprinting are one and the same terms. But If you search the meaning for reconnaissance on Google it says “military observation of a region to locate an enemy or ascertain strategic features.”. the term Reconnaissance is used for thorough research done by certain organisation which of-course can be passive or highly active. Now lets talk about how to find information about the target.

Passive ways :-

1. Google, Facebook, twitter, tumblr, Instagram etc.

The Social network and Google itself gonna give you enough information about the target. Read their post you would know their mentality and sometimes it is helpful in easy guessing the password.

  • USENET groups on Google and Company website Forums.Forums and USENET groups provide technical details and  information about the technology used by the company. You could also know about the various technical disabilities company workers post on forums. You can grab their company email ID through these forums, which can be a great help while scanning or exploiting or just social engineering.

  • MALTEGO : The best tool to use while gathering information about the company. Give it a try it just ask for your email,you have to register yourself to the site.

  • Archive.org: This is a time machine for internet world. You can actually get a lot of information by just looking at the older version of the site. (Because some stupid worker might have provided information that should not be their on the site).

  • Search Engines: Ferretpro, Shodan, dogpile, pipl.com, yahoo questions,  Google.


  • Career Posting on company’s website can be a really great help. It shows the types of servers, OS platforms, web-application platforms etc. used by the company.


 

2. Whois lookups

  •   Use domain name whois-lookup to know about the admin and technical person details. http://www.whois.com/

  • DISCOVER Tool : you can download this tool through https://github.com/leebaird/discover. Clone it or download it. It is simple tools providing lots of stuff. You can do both active and passive recon through this tool.

  • theharvester : You can actually gather all the emails through harvester. Untitled

Active Ways:
  •   DNS Interrogation: Getting information about DNS is really important. DNS is domain name server which keeps tracks of domain names and translate them through IP address. Tools Such as NSLOOKUP, DIG, HOST ,SAMSPADE, DRT (Domain Research Tool)can be used to find information about domain names(refer the next article).

     

  • DNS zone transfers or AXFR: Zone transfers  doesn’t always work but worth a try. They provide you with all the records in the server if in-case AXFR is allowed on tat server. It can be performed using DIG,HOST, NSLOOKUP. (Explained in next article).

  • CRAWL the website: Look for juicy stuff. Download the entire website in your workstation to further find the vulnerabilities. Tools that would help are: Webcrawl,  cURL and Libcurl,HTTrack,w3mir,webcopier etc.

  • Network enumeration: Pingsweep will help you find the existing network topology of the company. Use traceroute to trace the route for specific host, ping to check for alive host. fping can also help. SMTP verification to verify origins of the emails.

  • Website and Server: http Headers would be great help to find server version,php version and other functionality. You can use netcraft.com and builtwith.com to know more about the platforms used by the company’s website. Recon-ng tool would be the best for finding information about the web. you can get it here https://bitbucket.org/LaNMaSteR53/recon-ng.

     

 

Stay Anonymous 🙂

Ciao!


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.