Information Gathering: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (2 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
= | == Passive Reconnaissance == | ||
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms. | |||
=== Common Techniques === | |||
* Monitoring public websites and content (company pages, blogs, changelogs) | |||
* Analyzing social media presence of employees or departments | |||
* Querying DNS and WHOIS records using tools like [[whois]], [[dnsdumpster]], [[crt.sh]] | |||
* Reviewing pastebin dumps and breach databases | |||
* Harvesting metadata from exposed documents and images | |||
* Searching public repositories (GitHub leaks, internal code or config files) | |||
* Mapping infrastructure using [[Shodan]] and [[Censys]] | |||
=== Tools === | |||
* [[theHarvester]] (collects emails, subdomains, hosts, and metadata) | |||
* [[Recon-ng]] (web reconnaissance framework) | |||
* [[SpiderFoot]] (automated OSINT and reconnaissance tool) | |||
* [[Maltego]] (data mining and link analysis) | |||
* [[FOCA]] (metadata extraction from documents) | |||
* [[GitHub Dorking Tools]] (search for leaked data on GitHub) | |||
* [[curl]] (fetches web data and HTTP content for passive analysis) | |||
== | == Active Reconnaissance == | ||
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts. | |||
=== Common Techniques === | |||
* Scanning open ports using [[Nmap]] or [[Masscan]] | |||
* Banner grabbing to identify services | |||
* OS fingerprinting using TCP/IP stack behavior | |||
* DNS zone transfers and brute-forcing with [[dnsrecon]] or [[dnsenum]] | |||
* Detecting WAFs, proxies, or CDNs | |||
* Enumerating services like SMB, FTP, HTTP, SNMP | |||
* Fuzzing web directories and parameters to discover hidden content | |||
* DNS queries using tools like `dig` and `host` | |||
* Subdomain enumeration with tools such as [[Amass]] and [[Sublist3r]] | |||
== | === Tools === | ||
* | * [[Nmap]] (network scanner for port and service discovery) | ||
* | * [[Masscan]] (high-speed port scanner) | ||
* | * [[Amass]] (subdomain enumeration and attack surface mapping) | ||
* | * [[dnsenum]] (DNS enumeration tool) | ||
* | * [[dnsrecon]] (DNS reconnaissance tool) | ||
* [[dig]] (DNS lookup utility) | |||
* [[host]] (DNS lookup utility) | |||
* [[whatweb]] (web technology fingerprinting) | |||
* [[Netcat]] (network utility for reading/writing data over connections) | |||
* [[Nikto]] (web server scanner for vulnerabilities) | |||
* [[Wappalyzer]] (detects technologies used on websites) | |||
* [[ffuf]] (web fuzzing tool for content discovery) | |||
* [[Sublist3r]] (active subdomain enumeration via multiple services) | |||
Latest revision as of 23:07, 16 May 2025
Passive Reconnaissance
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.
Common Techniques
- Monitoring public websites and content (company pages, blogs, changelogs)
- Analyzing social media presence of employees or departments
- Querying DNS and WHOIS records using tools like whois, dnsdumpster, crt.sh
- Reviewing pastebin dumps and breach databases
- Harvesting metadata from exposed documents and images
- Searching public repositories (GitHub leaks, internal code or config files)
- Mapping infrastructure using Shodan and Censys
Tools
- theHarvester (collects emails, subdomains, hosts, and metadata)
- Recon-ng (web reconnaissance framework)
- SpiderFoot (automated OSINT and reconnaissance tool)
- Maltego (data mining and link analysis)
- FOCA (metadata extraction from documents)
- GitHub Dorking Tools (search for leaked data on GitHub)
- curl (fetches web data and HTTP content for passive analysis)
Active Reconnaissance
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.
Common Techniques
- Scanning open ports using Nmap or Masscan
- Banner grabbing to identify services
- OS fingerprinting using TCP/IP stack behavior
- DNS zone transfers and brute-forcing with dnsrecon or dnsenum
- Detecting WAFs, proxies, or CDNs
- Enumerating services like SMB, FTP, HTTP, SNMP
- Fuzzing web directories and parameters to discover hidden content
- DNS queries using tools like `dig` and `host`
- Subdomain enumeration with tools such as Amass and Sublist3r
Tools
- Nmap (network scanner for port and service discovery)
- Masscan (high-speed port scanner)
- Amass (subdomain enumeration and attack surface mapping)
- dnsenum (DNS enumeration tool)
- dnsrecon (DNS reconnaissance tool)
- dig (DNS lookup utility)
- host (DNS lookup utility)
- whatweb (web technology fingerprinting)
- Netcat (network utility for reading/writing data over connections)
- Nikto (web server scanner for vulnerabilities)
- Wappalyzer (detects technologies used on websites)
- ffuf (web fuzzing tool for content discovery)
- Sublist3r (active subdomain enumeration via multiple services)