Information Gathering: Difference between revisions

From HackOps
(One intermediate revision by one other user not shown)
Previous revision (wiki source):

= Information Gathering =

'''Information gathering''' is the initial phase of hacking and reconnaissance.
It focuses on collecting technical and contextual data about a target system, organization, or individual — before any exploitation is attempted.

It includes both '''passive methods''' (observing without interacting directly) and '''active methods''' (engaging with the target system to elicit responses).
The purpose is to establish a baseline understanding of the digital environment, reveal potential vulnerabilities, and map the attack surface.

== Techniques ==
Information gathering relies on a wide range of techniques and tools, depending on scope and approach:

=== Passive Reconnaissance ===
* Monitoring public data sources (search engines, social media, company websites)
* Collecting DNS and WHOIS records
* Reviewing public repositories, job postings, and metadata leaks

=== Active Reconnaissance ===
* Performing port scans
* Fingerprinting services and operating systems
* Querying DNS servers directly
* Testing server responses to crafted inputs

== Subcategories ==
* [[DNS Reconnaissance]] – Interrogate DNS to uncover subdomains, records, zones, and relationships.
* [[Network Scanning Tools]] – Use scanners like Nmap or Masscan to map open ports and services.
* [[OSINT Tools]] – Gather public data using platforms like theHarvester, SpiderFoot, and custom scripts.

== Purpose ==
The main objective is to reduce the unknowns in a system.
By compiling an accurate profile of a target, security professionals and researchers can make informed decisions about how to proceed.

This process is essential in both ethical penetration testing and adversarial threat modeling.

== Common Goals ==
* Discover live hosts and IP ranges
* Identify open ports and running services
* Map subdomains and infrastructure
* Determine software versions and potential vulnerabilities
* Extract metadata and leaked internal references
* Enumerate usernames, emails, or associated accounts

== Considerations ==
* Active scanning can generate detectable traffic; caution is advised when testing external targets.
* Passive techniques offer stealth but may return outdated or incomplete information.
* All data gathered should be documented clearly for later analysis and correlation.

== Related Concepts ==
* [[Footprinting]]
* [[Enumeration]]
* [[Recon-ng]]
* [[Threat Modeling]]

Latest revision (wiki source):

== Passive Reconnaissance ==
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.

=== Common Techniques ===
* Monitoring public websites and content (company pages, blogs, changelogs)
* Analyzing social media presence of employees or departments
* Querying DNS and WHOIS records using tools like [[whois]], [[dnsdumpster]], [[crt.sh]]
* Reviewing pastebin dumps and breach databases
* Harvesting metadata from exposed documents and images
* Searching public repositories (GitHub leaks, internal code or config files)
* Mapping infrastructure using [[Shodan]] and [[Censys]]

=== Tools ===
* [[theHarvester]] (collects emails, subdomains, hosts, and metadata)
* [[Recon-ng]] (web reconnaissance framework)
* [[SpiderFoot]] (automated OSINT and reconnaissance tool)
* [[Maltego]] (data mining and link analysis)
* [[FOCA]] (metadata extraction from documents)
* [[GitHub Dorking Tools]] (search for leaked data on GitHub)
* [[curl]] (fetches web data and HTTP content for passive analysis)

== Active Reconnaissance ==
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

=== Common Techniques ===
* Scanning open ports using [[Nmap]] or [[Masscan]]
* Banner grabbing to identify services
* OS fingerprinting using TCP/IP stack behavior
* DNS zone transfers and brute-forcing with [[dnsrecon]] or [[dnsenum]]
* Detecting WAFs, proxies, or CDNs
* Enumerating services like SMB, FTP, HTTP, SNMP
* Fuzzing web directories and parameters to discover hidden content
* DNS queries using tools like `dig` and `host`
* Subdomain enumeration with tools such as [[Amass]] and [[Sublist3r]]

=== Tools ===
* [[Nmap]] (network scanner for port and service discovery)
* [[Masscan]] (high-speed port scanner)
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[dnsenum]] (DNS enumeration tool)
* [[dnsrecon]] (DNS reconnaissance tool)
* [[dig]] (DNS lookup utility)
* [[host]] (DNS lookup utility)
* [[whatweb]] (web technology fingerprinting)
* [[Netcat]] (network utility for reading/writing data over connections)
* [[Nikto]] (web server scanner for vulnerabilities)
* [[Wappalyzer]] (detects technologies used on websites)
* [[ffuf]] (web fuzzing tool for content discovery)
* [[Sublist3r]] (active subdomain enumeration via multiple services)

Latest revision as of 23:07, 16 May 2025

Passive Reconnaissance

Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.

Common Techniques

  • Monitoring public websites and content (company pages, blogs, changelogs)
  • Analyzing social media presence of employees or departments
  • Querying DNS and WHOIS records using tools like whois, dnsdumpster, crt.sh
  • Reviewing pastebin dumps and breach databases
  • Harvesting metadata from exposed documents and images
  • Searching public repositories (GitHub leaks, internal code or config files)
  • Mapping infrastructure using Shodan and Censys

Tools

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches web data and HTTP content for passive analysis)

Active Reconnaissance

Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

Common Techniques

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r
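The page notes that active techniques "may trigger logging or alerts"; the example below, added here and not part of the HackOps page, shows what that detection looks like from the defender's side: a sliding-window scan detector over constructed firewall deny-log lines that separates vertical scans (many ports on one source) from horizontal scans (one port across many hosts) and ignores slow probes that fall outside the window. The log format, field names and thresholds are assumptions for this example.

```python
"""Flag port-scan-like patterns in firewall deny logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format, constructed for this example (not a real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<act>\w+)$")

def parse(line):
    """Return a dict for one log line, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "act": m["act"]}

def find_scanners(lines, window_s=60, min_ports=5, min_hosts=5):
    """Return {src: set(reasons)}. 'vertical' = >= min_ports distinct ports hit by one
    source within window_s seconds; 'horizontal' = >= min_hosts distinct hosts.
    Only DROP events count, so ordinary accepted traffic never contributes."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["act"] == "DROP":
            by_src[e["src"]].append(e)
    flagged = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            win = evs[start:end + 1]
            if len({e["dport"] for e in win}) >= min_ports:
                flagged[src].add("vertical")
            if len({e["dst"] for e in win}) >= min_hosts:
                flagged[src].add("horizontal")
    return dict(flagged)

# Constructed sample: one vertical scan, one horizontal scan, one slow probe, one benign client.
SAMPLE = [f"2025-05-16T23:00:0{i}Z src=198.51.100.7 dst=192.0.2.10 dport={p} action=DROP"
          for i, p in enumerate([21, 22, 23, 25, 80, 443])]
SAMPLE += [f"2025-05-16T23:01:0{i}Z src=203.0.113.9 dst=192.0.2.{h} dport=445 action=DROP"
           for i, h in enumerate([11, 12, 13, 14, 15])]
SAMPLE += [f"2025-05-16T23:{m:02d}:00Z src=198.51.100.8 dst=192.0.2.10 dport={p} action=DROP"
           for m, p in zip(range(0, 10, 2), [21, 22, 23, 25, 80])]  # 2 min apart: outside 60 s window
SAMPLE += ["2025-05-16T23:02:00Z src=192.0.2.55 dst=192.0.2.10 dport=443 action=ACCEPT",
           "2025-05-16T23:02:05Z src=192.0.2.55 dst=192.0.2.10 dport=8443 action=DROP"]

if __name__ == "__main__":
    for src, reasons in find_scanners(SAMPLE).items():
        print(src, sorted(reasons))
```

Widening the window (for example `window_s=600`) is what catches the slow probe at the cost of more false positives, which is the usual tuning trade-off for this class of rule.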

Tools

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (active subdomain enumeration via multiple services)