= Information Gathering =

From HackOps

'''Information gathering''' is the initial phase of hacking and reconnaissance. It focuses on collecting technical and contextual data about a target system, organization, or individual — before any exploitation is attempted.

It includes both '''passive methods''' (observing without interacting directly) and '''active methods''' (engaging with the target system to elicit responses). The purpose is to establish a baseline understanding of the digital environment, reveal potential vulnerabilities, and map the attack surface.

== Techniques ==

Information gathering relies on a wide range of techniques and tools, depending on scope and approach:

=== Passive methods ===
* Monitoring public data sources (search engines, social media, company websites)
* Collecting DNS and WHOIS records
* Reviewing public repositories, job postings, and metadata leaks

=== Active methods ===
* Performing port scans
* Fingerprinting services and operating systems
* Querying DNS servers directly
* Testing server responses to crafted inputs

== Subcategories ==
* [[DNS Reconnaissance]] – Interrogate DNS to uncover subdomains, records, zones, and relationships.
* [[Network Scanning Tools]] – Use scanners like Nmap or Masscan to map open ports and services.
* [[OSINT Tools]] – Gather public data using platforms like theHarvester, SpiderFoot, and custom scripts.

== Purpose ==

The main objective is to reduce the unknowns in a system. By compiling an accurate profile of a target, security professionals and researchers can make informed decisions about how to proceed.

This process is essential in both ethical penetration testing and adversarial threat modeling.

== Passive Reconnaissance ==

Passive techniques involve no direct interaction with the target system. They rely on publicly available data and are less likely to trigger detection mechanisms.

=== Tools ===
* [[theHarvester]] (collects emails, subdomains, hosts, and metadata)
* [[Recon-ng]] (web reconnaissance framework)
* [[SpiderFoot]] (automated OSINT and reconnaissance tool)
* [[Maltego]] (data mining and link analysis)
* [[FOCA]] (metadata extraction from documents)
* [[GitHub Dorking Tools]] (search for leaked data on GitHub)
* [[curl]] (fetches web data and HTTP content for passive analysis)

=== Websites ===
* [https://archive.org archive.org] (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
* [https://who.is who.is] (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
* [https://pipl.com pipl.com] (search engine for people; useful for gathering names, emails, usernames, and social profiles)
* [https://toolbox.googleapps.com/apps/messageheader/ Google Admin Toolbox] (analyzes email headers to trace delivery path, delays, and authentication status)
* [https://mxtoolbox.com/EmailHeaders.aspx MXToolbox Email Header Analyzer] (visualizes full email route and identifies source IPs for investigation)
* [https://webcache.googleusercontent.com Google Cache] (view cached versions of websites indexed by Google)
* [https://cachedview.com CachedView] (aggregates cached versions from Google, Bing, and Wayback Machine)
* [https://urlscan.io urlscan.io] (analyzes and stores scans of websites, including headers, scripts, and requests)
* [https://crt.sh crt.sh] (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
* [https://publicwww.com publicwww.com] (search source code of websites for keywords, scripts, or analytics IDs)
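Worked example for the crt.sh entry above (added here; it is not HackOps content and not crt.sh's own code): a Python function that turns a crt.sh-style JSON export for a domain into a host inventory. The record layout (`name_value` with newline-separated subject alternative names, `common_name`, `not_after`) follows crt.sh's JSON output; the sample records are constructed. The function separates names on still-valid certificates from wildcard bases and from names that appear only on expired certificates, and it discards look-alike domains that merely contain the target name, which is what a naive substring match would let through.

```python
"""Turn a crt.sh-style certificate transparency export into a host inventory."""
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output: a list of objects whose
# "name_value" field holds newline-separated subject alternative names. The names
# are fictitious; only the field layout is modelled on crt.sh.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2026-01-01T00:00:00"},
    {"id": 2, "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com",
     "not_after": "2025-12-01T00:00:00"},
    {"id": 3, "common_name": "old-vpn.example.com",
     "name_value": "old-vpn.example.com",
     "not_after": "2021-03-01T00:00:00"},
    # Look-alike domain that merely contains the target name: must be excluded.
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",
     "not_after": "2026-01-01T00:00:00"},
])


def in_scope(host, domain):
    """True if host is the domain itself or a subdomain of it (not a look-alike)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def hostnames_from_ct(ct_json, domain, as_of=None):
    """Group the certificate names seen for `domain` into an inventory.

    hosts         concrete names on a certificate still valid at `as_of`
    wildcards     base names covered by wildcard certificates
    expired_only  names seen only on expired certificates (candidates for
                  stale DNS records or decommissioned systems)
    `as_of` is an ISO date string; it defaults to the current time.
    """
    now = datetime.fromisoformat(as_of) if as_of else datetime.now()
    valid, expired, wildcards = set(), set(), set()
    for rec in json.loads(ct_json):
        not_after = datetime.fromisoformat(rec["not_after"])
        # The CN is not always repeated in the SAN list, so merge both.
        names = set(rec["name_value"].split("\n")) | {rec.get("common_name", "")}
        for name in names:
            name = name.strip().lower()
            if not name or not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name[2:])
            elif not_after >= now:
                valid.add(name)
            else:
                expired.add(name)
    return {
        "hosts": sorted(valid),
        "wildcards": sorted(wildcards),
        "expired_only": sorted(expired - valid),
    }


if __name__ == "__main__":
    for bucket, names in hostnames_from_ct(SAMPLE_CT_JSON, "example.com").items():
        print(bucket, names)
```

For a defender the `expired_only` bucket is the interesting one: a name that was issued a certificate years ago and never appears on a valid one since is a candidate for a dangling DNS record or a forgotten host, and is worth checking against the current zone file.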
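Worked example for the two email header analyzers listed above (added here; not from the page and not the code of either service): reconstructing the delivery path, the per-hop delays and the authentication verdicts those tools display, directly from the raw Received and Authentication-Results headers. The message is constructed with documentation addresses, and the regular expression assumes the common `from <helo> (<rdns> [<ip>]) by <host> ...; <date>` form of a Received header.

```python
"""Trace an email's delivery path from its Received headers."""
import re
from email.utils import parsedate_to_datetime

# Constructed sample message. The newest Received header is on top, as each MTA
# prepends its own. Hostnames and addresses are documentation/test values.
SAMPLE_MESSAGE = (
    "Received: from mx-edge.example.net (mx-edge.example.net [192.0.2.10])\n"
    "\tby mailstore.example.net with ESMTPS id abc123;\n"
    "\tMon, 2 Jun 2025 10:00:05 +0000\n"
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby mx-edge.example.net with ESMTP id def456;\n"
    "\tMon, 2 Jun 2025 09:59:50 +0000\n"
    "Received: from localhost (unknown [203.0.113.44])\n"
    "\tby relay.example.org with ESMTPA id ghi789;\n"
    "\tMon, 2 Jun 2025 09:59:40 +0000\n"
    "Authentication-Results: mx-edge.example.net;\n"
    "\tspf=pass smtp.mailfrom=example.org; dkim=fail header.d=example.org\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: status report\n"
    "\n"
    "Body text.\n"
)

# Assumed Received layout: "from HELO (RDNS [IP]) by HOST ... ; DATE".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                       # name the client claimed
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"   # what the MTA observed
    r"\s+by\s+(?P<by>[^\s;]+)"                                    # receiving host
    r".*?;\s*(?P<date>.+)$"                                       # timestamp after the last ';'
)


def unfold_headers(raw):
    """Return [name, value] pairs for the header block, joining folded lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += " " + line.strip()      # folded continuation line
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip(), value.strip()])
    return headers


def delivery_path(raw):
    """Return the hops oldest-first, with per-hop delay and a HELO/rDNS check."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops = []
    for value in reversed(received):                  # bottom header = first hop
        m = RECEIVED_RE.search(value)
        if not m:
            continue                                   # unparseable hop: skip, do not guess
        hops.append({
            "helo": m["helo"],
            "rdns": m["rdns"],
            "ip": m["ip"],
            "by": m["by"],
            "time": parsedate_to_datetime(m["date"].strip()),
            "delay_s": None,
            "helo_matches_rdns": bool(m["rdns"]) and m["helo"].lower() == m["rdns"].lower(),
        })
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_s"] = int((cur["time"] - prev["time"]).total_seconds())
    return hops


def auth_results(raw):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for name, value in unfold_headers(raw):
        if name.lower() == "authentication-results":
            for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
                results[mech.lower()] = verdict.lower()
    return results


if __name__ == "__main__":
    for hop in delivery_path(SAMPLE_MESSAGE):
        print(hop["ip"], hop["helo"], "->", hop["by"], "delay", hop["delay_s"])
    print(auth_results(SAMPLE_MESSAGE))
```

The oldest hop (the first element returned) is the one that matters for attribution: its `ip` is what the first MTA saw on the socket, while `helo` is only what the client claimed, so a mismatch there is the first thing to record. Headers above the hop written by your own mail infrastructure can be trusted; anything below it was written by relays you do not control and can be forged.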
=== Exposed Devices & Open Feeds ===
* [http://www.insecam.org insecam.org] (lists publicly accessible IP cameras with default or no credentials)

== Common Goals ==
* Discover live hosts and IP ranges
* Identify open ports and running services
* Map subdomains and infrastructure
* Determine software versions and potential vulnerabilities
* Extract metadata and leaked internal references
* Enumerate usernames, emails, or associated accounts

== Considerations ==
* Active scanning can generate detectable traffic; caution is advised when testing external targets.
* Passive techniques offer stealth but may return outdated or incomplete information.
* All data gathered should be documented clearly for later analysis and correlation.
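Worked example for the first consideration above, seen from the defender's side (added here; not part of the page): a small detector that reads firewall log lines and flags sources that touch many distinct destination ports within a short window, which is the traffic pattern a port scan produces. The log format is a constructed key=value layout rather than any vendor's, and the window and threshold are assumptions to tune.

```python
"""Flag likely port scans in firewall logs by counting distinct ports per source."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not any product's real format). 203.0.113.5 probes
# six ports in two seconds; 192.0.2.77 is a normal client; 198.51.100.9 probes
# six ports too, but one every few minutes.
SAMPLE_LOG = """\
2025-06-03T10:00:01Z DENY src=203.0.113.5 dst=198.51.100.20 dport=21 proto=tcp
2025-06-03T10:00:01Z DENY src=203.0.113.5 dst=198.51.100.20 dport=22 proto=tcp
2025-06-03T10:00:02Z DENY src=203.0.113.5 dst=198.51.100.20 dport=23 proto=tcp
2025-06-03T10:00:02Z ALLOW src=203.0.113.5 dst=198.51.100.20 dport=80 proto=tcp
2025-06-03T10:00:03Z DENY src=203.0.113.5 dst=198.51.100.20 dport=443 proto=tcp
2025-06-03T10:00:03Z DENY src=203.0.113.5 dst=198.51.100.20 dport=3389 proto=tcp
2025-06-03T10:00:05Z ALLOW src=192.0.2.77 dst=198.51.100.20 dport=443 proto=tcp
2025-06-03T10:00:09Z ALLOW src=192.0.2.77 dst=198.51.100.20 dport=443 proto=tcp
2025-06-03T10:00:12Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8080 proto=tcp
2025-06-03T10:03:40Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8081 proto=tcp
2025-06-03T10:07:10Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8082 proto=tcp
2025-06-03T10:10:40Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8083 proto=tcp
2025-06-03T10:14:10Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8084 proto=tcp
2025-06-03T10:17:40Z DENY src=198.51.100.9 dst=198.51.100.20 dport=8085 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def detect_port_scans(log_text, window_s=60, min_ports=5):
    """Return {src: alert} for sources hitting >= min_ports distinct ports in window_s."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # tolerate noise, never crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, int(m["dport"])))

    alerts = {}
    window = timedelta(seconds=window_s)
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()                          # port -> hits inside the window
        left, best, span = 0, 0, None
        for ts, port in evs:                           # sliding window over time
            in_window[port] += 1
            while ts - evs[left][0] > window:          # drop events that fell out
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) > best:
                best, span = len(in_window), (evs[left][0], ts)
        if best >= min_ports:
            alerts[src] = {
                "distinct_ports": best,
                "first_seen": span[0].isoformat(),
                "last_seen": span[1].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_port_scans(SAMPLE_LOG).items():
        print(src, alert)
```

The third source touches just as many ports but spaced minutes apart, so the default 60-second window never holds more than one of its events and it is not flagged; it only surfaces when the window is widened to an hour. That is the trade-off between catching slow scans and the false positives a long window accumulates, and why a per-source daily distinct-port count is usually run alongside a short-window rule like this one.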
== Active Reconnaissance ==

Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

=== Common Techniques ===
* Scanning open ports using [[Nmap]] or [[Masscan]]
* Banner grabbing to identify services
* OS fingerprinting using TCP/IP stack behavior
* DNS zone transfers and brute-forcing with [[dnsrecon]] or [[dnsenum]]
* Detecting WAFs, proxies, or CDNs
* Enumerating services like SMB, FTP, HTTP, SNMP
* Fuzzing web directories and parameters to discover hidden content
* DNS queries using tools like `dig` and `host`
* Subdomain enumeration with tools such as [[Amass]] and [[Sublist3r]]

=== Tools ===
* [[Nmap]] (network scanner for port and service discovery)
* [[Masscan]] (high-speed port scanner)
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[dnsenum]] (DNS enumeration tool)
* [[dnsmap]] (brute-force subdomain enumeration tool)
* [[dnsrecon]] (DNS reconnaissance tool)
* [[dig]] (DNS lookup utility)
* [[host]] (DNS lookup utility)
* [[whatweb]] (web technology fingerprinting)
* [[Netcat]] (network utility for reading/writing data over connections)
* [[Nikto]] (web server scanner for vulnerabilities)
* [[Wappalyzer]] (detects technologies used on websites)
* [[ffuf]] (web fuzzing tool for content discovery)
* [[Sublist3r]] (active subdomain enumeration via multiple services)

== Related Concepts ==
* [[Footprinting]]
* [[Enumeration]]
* [[Recon-ng]]
* [[Threat Modeling]]

Latest revision as of 04:24, 3 June 2025
