Introduction
Information gathering is the first basic step towards penetration testing. This step is carried out to find out as much information about the target machine as possible. The more information we have, the better our chances of exploiting the target. During the information gathering phase, our main focus is to collect facts about the target machine, such as its IP address, available services, and open ports. This information plays a vital role in the process of penetration testing. There are basically three types of techniques used in information gathering:
- Passive information gathering
- Active information gathering
- Social engineering
Let us take a quick look at these processes:
- Passive information gathering: This technique is used to gain information about the target without having any physical connectivity or access to it. This means that we use other sources to gain information about the target, such as a `whois` query, `nslookup`, and so on. Suppose our target is an online web application; then a simple `whois` lookup can provide us a lot of information about the web application, like its IP address, its domains and sub-domains, the location of the server, the hosting provider, and so on. This information can be very useful during penetration testing as it can widen our track of exploiting the target.
- Active information gathering: In this technique, a logical connection is set up with the target in order to gain information. This technique provides us with the next level of information, which directly supplements our understanding of the target's security. Port scanning the target is the most widely used active scanning technique; in it we focus on the open ports and the available services running on the target.
- Social engineering: This type of information gathering is similar to passive information gathering, but relies on human error and on information leaked in the form of printouts, telephone conversations, incorrectly typed e-mail IDs, and so on. The techniques for utilizing this method are numerous and the ethos of information gathering is very different, hence social engineering is a category in itself. For example, hackers register domain names that sound similar to a real one or differ from it only by a spelling mistake, and set up a mail server to receive the e-mails sent to them by mistake. Such domains are known as Doppelganger Domains, that is, the evil twin of the real domain.
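The Doppelganger Domain problem described above is one a mail gateway can check for on the receiving side. The following is an added example, not code from the book: given the domains an organisation actually owns (the `OWN_DOMAINS` set is constructed for the example, as are all sender addresses), it classifies an inbound sender domain by the look-alike pattern it matches (a homoglyph such as `rn` for `m`, a swapped TLD, a one- or two-character typo, or the brand name embedded in a longer name) so that a SIEM or gateway rule can alert on mail from an evil twin of the organisation's own domain.

```python
"""Flag e-mail sender domains that imitate an organisation's own domains.

Added example, not code from the book: given the domains an organisation
owns, classify an inbound sender domain by the look-alike patterns the text
describes (typos, swapped TLDs, homoglyphs, brand embedded in a longer name)
so a mail-gateway or SIEM rule can alert on doppelganger domains. All
domains and addresses below are constructed for the example.
"""

# Constructed list of domains the (hypothetical) organisation owns.
OWN_DOMAINS = {"examplecorp.com", "examplecorp.net"}

# Character sequences commonly substituted to produce visually similar labels.
# Multi-character pairs come first so "rn" becomes "m" before single chars run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Map homoglyph sequences to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def split_domain(domain: str):
    """Return (brand label, tld). The last label is treated as the TLD; this
    simplification misses multi-label suffixes such as co.uk."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(sender_domain: str) -> str:
    """Return one of: legitimate, homoglyph, tld-swap, typo, brand-embedded, unrelated."""
    domain = sender_domain.lower().strip(".")
    # An exact match or a subdomain of an owned domain is legitimate.
    if domain in OWN_DOMAINS or any(domain.endswith("." + d) for d in OWN_DOMAINS):
        return "legitimate"
    brand, tld = split_domain(domain)
    for own in OWN_DOMAINS:
        own_brand, own_tld = split_domain(own)
        if normalize(brand) == normalize(own_brand):
            if brand != own_brand:
                return "homoglyph"
            if tld != own_tld:
                return "tld-swap"
        # Allow one typo in short brand names, two in longer ones.
        threshold = 1 if len(own_brand) <= 6 else 2
        if levenshtein(normalize(brand), normalize(own_brand)) <= threshold:
            return "typo"
        if own_brand in brand:
            return "brand-embedded"
    return "unrelated"


def triage(addresses):
    """Classify the domain part of each address; anything other than
    legitimate or unrelated deserves a closer look."""
    results = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        results.append((addr, classify(domain)))
    return results


if __name__ == "__main__":
    # Constructed sender addresses, as a gateway might see them.
    sample = [
        "hr@examplecorp.com",
        "it-support@exarnplecorp.com",
        "billing@examplecorp.co",
        "ceo@examplecrop.net",
        "login@examplecorp-secure.com",
        "noreply@github.com",
    ]
    for addr, verdict in triage(sample):
        print(f"{verdict:15} {addr}")
```

The checks are ordered from most to least specific (exact ownership, homoglyph, TLD swap, typo, embedded brand), so a domain that matches several patterns is reported under the most precise one. A production rule would additionally consult the organisation's full list of registered variants and a public suffix list so that `co.uk`-style suffixes are split correctly.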
In this chapter, we will analyze the various passive and active techniques of information gathering in detail. In the first two recipes, we will analyze the most commonly used and most commonly neglected techniques of passive information gathering, and in the later recipes we will focus on gaining information through port scanning. Metasploit has several built-in scanning capabilities, as well as some third-party tools integrated with it to further enhance the process of port scanning. We will analyze both the built-in scanners and some of the popular third-party scanners which work over the Metasploit framework. Let us move on to the recipes and start our process of gaining information about our target.
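Port scanning, the active technique this chapter's later recipes rely on, is also the noisiest one from the target's point of view: one source touching many distinct ports in a short time. The following is an added example, not code from the book or from Metasploit, showing how that activity is detected on the defender's side. It parses constructed firewall log lines (the line format, addresses and thresholds are all assumptions for the example) and raises an alert once a source has hit at least `THRESHOLD` distinct ports within a sliding `WINDOW`, while a client that repeatedly hits one port, or a source that probes a few ports slowly, stays below the bar.

```python
"""Detect port scans (active information gathering) in firewall logs.

Added example, not code from the book or from Metasploit. It parses a
constructed firewall log format, keeps a per-source sliding window of
(timestamp, destination port) events and alerts once a source has touched
at least THRESHOLD distinct ports within WINDOW seconds. Lines are assumed
to arrive in chronological order. All addresses and lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <ACCEPT|DROP> src=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
THRESHOLD = 5                   # distinct ports from one source ...
WINDOW = timedelta(seconds=10)  # ... within this many seconds

# Constructed sample: a scanner (203.0.113.5) sweeping six ports in four seconds,
# a normal client (198.51.100.9) reusing port 443, and a slow prober
# (198.51.100.20) that never has five ports inside a ten-second window.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ACCEPT src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp
2024-03-01T10:00:01 DROP src=203.0.113.5 dst=10.0.0.7 dport=21 proto=tcp
2024-03-01T10:00:01 ACCEPT src=203.0.113.5 dst=10.0.0.7 dport=22 proto=tcp
2024-03-01T10:00:02 DROP src=203.0.113.5 dst=10.0.0.7 dport=23 proto=tcp
2024-03-01T10:00:02 DROP src=203.0.113.5 dst=10.0.0.7 dport=25 proto=tcp
2024-03-01T10:00:03 ACCEPT src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp
2024-03-01T10:00:03 ACCEPT src=203.0.113.5 dst=10.0.0.7 dport=80 proto=tcp
2024-03-01T10:00:04 ACCEPT src=203.0.113.5 dst=10.0.0.7 dport=443 proto=tcp
2024-03-01T10:00:05 DROP src=198.51.100.20 dst=10.0.0.7 dport=22 proto=tcp
2024-03-01T10:00:30 DROP src=198.51.100.20 dst=10.0.0.7 dport=23 proto=tcp
2024-03-01T10:00:55 DROP src=198.51.100.20 dst=10.0.0.7 dport=25 proto=tcp
2024-03-01T10:01:20 DROP src=198.51.100.20 dst=10.0.0.7 dport=80 proto=tcp
this line is malformed and is skipped
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source whose distinct-port count in the window
    reaches the threshold. Both accepted and dropped packets count: a scan
    against open ports is still a scan."""
    events = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = events[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "distinct_ports": len(ports),
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan from {a['src']}: {a['distinct_ports']} ports "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

The alert fires on the fifth distinct port rather than after the sweep ends, which is what you want for a near-real-time rule; the same logic expressed as a count-distinct-over-window query is how most SIEMs implement their port-scan detections. Tune `THRESHOLD` and `WINDOW` against your own baseline, since monitoring systems and load balancers can legitimately touch several ports per host.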