Information Gathering: Difference between revisions

From HackOps
Created page with "[title]Information Gathering[/title] [txt] Information gathering is the initial phase of hacking and reconnaissance. It involves discovering the attack surface, identifying reachable hosts, and understanding the target environment — all without yet exploiting anything. This phase includes both passive and active techniques, using tools to enumerate DNS, scan ports, and harvest open data. Explore the key categories below: [/txt] [list] [li]DNS Reconnaissance..."
 
 
(11 intermediate revisions by 2 users not shown)
Earlier revision (the page as created):

[title]Information Gathering[/title]

[txt]
Information gathering is the initial phase of hacking and reconnaissance.

It involves discovering the attack surface, identifying reachable hosts, and understanding the target environment — all without yet exploiting anything.

This phase includes both passive and active techniques, using tools to enumerate DNS, scan ports, and harvest open data.

Explore the key categories below:
[/txt]

[list]
[li][[DNS Reconnaissance]] – Interrogate DNS to uncover subdomains, records, zones, and relationships.[/li]
[li][[Network Scanning Tools]] – Use scanners like Nmap or Masscan to map open ports and services.[/li]
[li][[OSINT Tools]] – Gather public data using platforms like theHarvester, SpiderFoot, and custom scripts.[/li]
[/list]

[box]
[box-title]Purpose[/box-title]
[txt]
Gain visibility into the target system's structure without triggering alerts.

Every successful attack starts with knowing where to look — information gathering makes exploitation possible.
[/txt]
[/box]

[box]
[box-title]Common Goals[/box-title]
[txt]
• Discover live hosts
• Map open ports
• Identify subdomains
• Learn about operating systems
• Uncover public data on individuals and infrastructure
[/txt]
[/box]

Latest revision as of 04:24, 3 June 2025

Passive Reconnaissance

Passive techniques involve no direct interaction with the target system. They rely on publicly available data and are therefore less likely to trigger detection mechanisms.


Tools

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches web data and HTTP content for passive analysis)

Websites

  • archive.org <https://archive.org> (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
  • who.is <https://who.is> (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
  • pipl.com <https://pipl.com> (search engine for people; useful for gathering names, emails, usernames, and social profiles)
  • Google Admin Toolbox <https://toolbox.googleapps.com/apps/messageheader/> (analyzes email headers to trace delivery path, delays, and authentication status)
  • MXToolbox Email Header Analyzer <https://mxtoolbox.com/EmailHeaders.aspx> (visualizes the full email route and identifies source IPs for investigation)
  • Google Cache <https://webcache.googleusercontent.com> (view cached versions of websites indexed by Google)
  • CachedView <https://cachedview.com> (aggregates cached versions from Google, Bing, and the Wayback Machine)
  • urlscan.io <https://urlscan.io> (analyzes and stores scans of websites, including headers, scripts, and requests)
  • crt.sh <https://crt.sh> (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
  • publicwww.com <https://publicwww.com> (search the source code of websites for keywords, scripts, or analytics IDs)
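Certificate transparency logs, which crt.sh fronts, are the clearest case of passive subdomain discovery: every publicly trusted certificate ever issued for a zone is on record, so forgotten or unknown hosts show up without a single packet reaching the target. The Python below is an added example, not code from this wiki page or from the crt.sh project. It parses a constructed JSON array in the shape crt.sh returns (the field names and the newline-separated SAN list in `name_value` are assumptions about that format), keeps only the names that genuinely fall under one domain, and diffs them against an asset inventory so that a defender can see certificates issued for hosts nobody is tracking. Lookalike names that merely contain the domain string are deliberately excluded.

```python
import json

# Constructed sample shaped like a crt.sh JSON response. The field names and the
# newline-separated SAN list in "name_value" are assumptions about that format;
# the certificates themselves are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDEV.example.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 2",
     "common_name": "vpn-old.example.com",
     "name_value": "vpn-old.example.com",
     "not_before": "2021-03-01T00:00:00", "not_after": "2022-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test\nnotexample.com",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
])

# Constructed asset inventory: the hosts the defender already knows about.
KNOWN_HOSTS = {"example.com", "www.example.com"}


def extract_hostnames(crtsh_json: str, domain: str) -> set[str]:
    """Return every hostname in the CT records that sits inside `domain`.

    Names are lower-cased, a leading "*." is stripped so a wildcard counts as
    the zone it covers, and only exact matches or true subdomains of `domain`
    are kept, so "example.com.evil.test" or "notexample.com" never slip in.
    """
    domain = domain.lower()
    suffix = "." + domain
    found: set[str] = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return found


def unexpected_hostnames(crtsh_json: str, domain: str, known_hosts: set[str]) -> list[str]:
    """Hostnames that have issued certificates but are missing from the inventory."""
    known = {h.lower() for h in known_hosts}
    return sorted(extract_hostnames(crtsh_json, domain) - known)


if __name__ == "__main__":
    for host in unexpected_hostnames(SAMPLE_CRTSH_JSON, "example.com", KNOWN_HOSTS):
        print("certificate issued for a host not in the inventory:", host)
```

Run against a real crt.sh export for your own zone, the same diff is a cheap recurring check: any name that appears in `unexpected_hostnames` is either an undocumented asset or a certificate somebody else obtained for your domain, and both deserve a look.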

Exposed Devices & Open Feeds

  • insecam.org <http://www.insecam.org> (lists publicly accessible IP cameras with default or no credentials)


Active Reconnaissance

Active techniques involve sending packets to the target system and observing the responses. This can reveal detailed technical data but may trigger logging or alerts on the target side.
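The "may trigger logging or alerts" half of that sentence is what the defender relies on. The Python below is an added example, not code from this wiki page or from any of the scanners it lists: it runs a simple port-scan detector over constructed firewall log lines (the log format, the addresses from documentation ranges and the thresholds are all assumptions made for the example). A source that touches at least `min_ports` distinct destination ports on a host within a sliding time window is flagged. The sample contains a fast scan, ordinary traffic and a slow scan that only appears once the window is widened, which is why window size and threshold have to be chosen together rather than independently.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log shape for this example: "<ISO timestamp> <ALLOW|DENY> src= dst= dport= proto=".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: a fast scan from 203.0.113.5, normal HTTPS traffic from
# 198.51.100.7, and a slow scan from 198.51.100.9 spaced 15 minutes apart.
SAMPLE_LOG = """\
2025-06-03T04:20:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2025-06-03T04:20:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2025-06-03T04:20:02Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2025-06-03T04:20:02Z DENY src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2025-06-03T04:20:03Z DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2025-06-03T04:20:03Z DENY src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2025-06-03T04:20:05Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2025-06-03T04:20:09Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2025-06-03T04:25:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=22 proto=tcp
2025-06-03T04:40:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=23 proto=tcp
2025-06-03T04:55:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=25 proto=tcp
2025-06-03T05:10:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=53 proto=tcp
2025-06-03T05:25:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=80 proto=tcp
2025-06-03T05:40:00Z DENY src=198.51.100.9 dst=192.0.2.10 dport=110 proto=tcp
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """Turn log text into (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events, window_seconds: int = 60, min_ports: int = 5) -> dict[str, int]:
    """Map each flagged source to the largest number of distinct (dst, port)
    pairs it touched inside any window of `window_seconds`.

    Both ALLOW and DENY lines count: a scanner probing an open port is still
    probing, and the denied neighbours are what give it away.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        per_src[src].append((ts, (dst, dport)))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in per_src.items():
        evs.sort()
        in_window: Counter = Counter()   # (dst, port) -> hits currently inside the window
        left = 0
        best = 0
        for ts, target in evs:
            in_window[target] += 1
            # Slide the left edge forward until the window spans at most window_seconds.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("60 s window:  ", detect_port_scans(events))
    print("3600 s window:", detect_port_scans(events, window_seconds=3600))
```

With the default one-minute window only the fast scanner is reported; widening the window to an hour also catches the slow scanner, at the cost of more state per source. Real detectors add suppression for known scanners (vulnerability management, monitoring) and an allowlist for multi-port services so that the threshold can stay low.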

Common Techniques

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r

Tools

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsmap (brute-force subdomain enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (active subdomain enumeration via multiple services)