“Information is power,” as the saying goes. And in most scenarios it’s true: having critical information, at the right time, and especially knowing how to use it, can be a great source of power.
Good information gathering can make the difference between a successful pentest and one that has failed to provide maximum benefit to the client.
What’s information gathering?
The simplest way to define information gathering is as the process of collecting information about something you are interested in. A practical analogy: gathering information with your eyes is called visual perception. In the same way, in the digital world a lot of information can be gathered, not with your senses but with a variety of methods, tools and techniques.
Information gathering is a phase of penetration testing or ethical hacking in which the testers or attackers gather as much information as possible about the target's internal and external security architecture.
Details about any system help the attacker identify the vulnerabilities within it, which can then be exploited to gain access in later phases.
Deep knowledge of the target narrows the focus area and brings you closer to the target: the more information you have about it, the more possibilities you have to win.
If you have enough of the required details about the target, you are close to getting the key to hacking it.
For example, you can focus on the target by means of the range of IP addresses you have to go through, or by its domain information.
What are the objectives of information gathering in cybersecurity?
Any basic cybersecurity information gathering process often includes these two types of data collection goals:
- Collecting network data: Such as public, private and associated domain names, network hosts, public and private IP blocks, routing tables, TCP and UDP running services, SSL certificates, open ports and more.
- Collecting system-related information: This includes user enumeration, system groups, hostnames, OS type (usually obtained by fingerprinting), system banners (as seen in the banner grabbing blog post), etc.
But there’s a lot more involved. Let’s learn about it, by exploring the most popular techniques used during this phase.
Information gathering techniques and methods
Ethical hackers use a wide variety of techniques and tools to get this precious information about their targets, as well as a range of sources and data collection software, all used towards the information gathering goal.
Let’s look at the top information gathering methods used to gather information about any target.
How to gather information?
- Social engineering: This includes in-person chat, phone conversations and email spoofing attacks. What all these methods have in common is that they rely on the psychology of human weakness to get the maximum amount of data about the target.
- Search engines: Web crawlers can be used to fetch information about anything, and this includes companies, persons, services, and even real hacks, as seen in our previous article about Google Hacking.
- Social networks: Facebook, Twitter, LinkedIn and other social networks are great sources of information to build a profile, especially when targeting individuals.
- Domain names: These are registered by organizations, governments, public and private agencies, and people. Therefore, they’re a great starting point when you want to investigate someone. Personal information, associated domains, projects, services and technologies can be found by inspecting domain name information.
- Internet servers: Authoritative DNS servers are a great source of information, as they often include every single surface point exposed to the Internet, which means a direct link to related services such as HTTP, email, etc.
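The DNS point above is easy to turn into a concrete check. The following is an added example (not code from the original article) that parses the answer section of a `dig +noall +answer` run for a zone and builds an inventory of the surface points the zone exposes, flagging aliases that point outside the zone and SPF includes that name third-party senders. The zone `example.test`, its hosts and the dig output are constructed sample data, and the record-to-service mapping is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: answer-section lines as printed by `dig +noall +answer`
# for a hypothetical zone. Nothing here refers to a real host.
SAMPLE_DIG_OUTPUT = """\
example.test.          3600 IN A     192.0.2.10
www.example.test.      3600 IN CNAME example.test.
mail.example.test.     3600 IN A     192.0.2.25
example.test.          3600 IN MX    10 mail.example.test.
blog.example.test.     300  IN CNAME blog-host.third-party.test.
example.test.          3600 IN TXT   "v=spf1 include:_spf.third-party.test -all"
example.test.          3600 IN NS    ns1.example.test.
"""

# owner name, TTL, class IN, record type, rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

# What each record type tells you about exposed services (assumed mapping).
SERVICE_HINT = {
    "A": "host reachable over IPv4 (HTTP, SSH, etc. may listen here)",
    "AAAA": "host reachable over IPv6",
    "MX": "mail server accepting inbound SMTP",
    "NS": "authoritative DNS server",
    "CNAME": "alias; the real surface is wherever it points",
    "TXT": "policy/verification text; may name third-party providers",
}


def parse_dig(output):
    """Turn dig answer lines into a list of record dicts; skips non-matching lines."""
    records = []
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata.strip()})
    return records


def in_zone(host, zone):
    host = host.rstrip(".")
    return host == zone or host.endswith("." + zone)


def surface_inventory(records, zone):
    """Group records by owner name and list findings a defender should review."""
    inventory = defaultdict(list)
    findings = []
    for r in records:
        inventory[r["name"]].append((r["type"], r["rdata"]))
        if r["type"] == "CNAME" and not in_zone(r["rdata"], zone):
            findings.append(f"{r['name']} is a CNAME to external host "
                            f"{r['rdata'].rstrip('.')}: confirm it is still yours "
                            f"(dangling-alias risk)")
        if r["type"] == "TXT":
            for inc in re.findall(r"include:(\S+)", r["rdata"]):
                if not in_zone(inc, zone):
                    findings.append(f"SPF on {r['name']} lets third party {inc} "
                                    f"send mail as the domain")
    return dict(inventory), findings


def describe(records):
    """One human-readable line per record, using the assumed service hints."""
    return [f"{r['name']}: {r['type']} {r['rdata']} -> "
            f"{SERVICE_HINT.get(r['type'], 'no hint')}" for r in records]


if __name__ == "__main__":
    recs = parse_dig(SAMPLE_DIG_OUTPUT)
    for line in describe(recs):
        print(line)
    _, notes = surface_inventory(recs, "example.test")
    for n in notes:
        print("REVIEW:", n)
```

On a real zone you would feed the output of `dig @ns1.example.test example.test ANY +noall +answer` (or one query per record type) into `parse_dig`; the inventory is what the page calls the surface points, and the findings list is where a defender looks first.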
All these techniques are really useful when combined with enterprise security tools. Keep reading to discover how to maximize your information gathering results by using some really cool infosec utilities.
Information gathering tools
There are a lot of tools to discuss when talking about information gathering, including one particular piece of software we can't avoid mentioning: Kali Linux, one of the most popular cybersecurity Linux distributions around.
We’ve written about the top Kali Linux tools before, but that was a general review of the most popular tools on that Linux distro. When it comes to information gathering, Kali Linux includes one of the biggest collections ever. To be precise, exactly 67 information gathering utilities will help you get all the valuable data you need during your infosec investigations. Creating a full list of all the information gathering tools available would be monumental, not to mention difficult.
That’s why we’ve created a summary of the top 12 most popular tools that, in our experience, may help you during your information gathering process:
- Nmap: Our beloved network scanner will always be in the #1 position when it comes to data gathering tools. It can be used not only for port scanning and service fingerprinting, but also as a DNS enumeration and network mapping tool.
- Unicornscan: Combined with Nmap, it can give you the complete picture of any remote network or host, as it is able to perform asynchronous stateless TCP scanning with all variations of TCP flags, as well as TCP banner grabbing, asynchronous UDP scanning, OS fingerprinting, and much more.
- Sublist3r: This is one of the best subdomain enumeration tools around, one that will help you create a virtual subdomain map of any website in no time. By using Google dorks and other search engines such as Baidu, Ask, Yahoo or Bing, it can also be used to perform a brute force subdomain discovery attack with wordlists, thanks to its subbrute integration.
- DMitry: Its name stands for Deepmagic Information Gathering Tool, and it is one of the top terminal-based tools when it comes to intel reconnaissance tasks. It will allow you to get any available data from any host, such as subdomains, email addresses, open ports, WHOIS lookups, server data, and more.
- OWASP Amass: Also known simply as ‘Amass’, this information gathering tool helps researchers and IT administrators create a full map of their digital assets by providing an easy way to perform DNS enumeration, asset location, and overall attack surface discovery.
- Axiom: This new tool is one of the best available when you need to get massive amounts of data in a limited time. It’s basically a dynamic infrastructure framework that helps system administrators and researchers build and deploy offensive and defensive security multi-cloud infrastructure in mere seconds, by using pre-installed tools based on OS images.
- Th3inspector: This infosec utility will enable you to fetch all kinds of website-related information, such as page data, phone numbers, and the IP addresses of the HTTP and email servers; perform a domain WHOIS lookup; bypass the Cloudflare proxy; check the age of your domain name; scan remote active services; map subdomains; and even work as a CMS detector.
- Devploit: This tool is used to extract DNS and domain data, including DNS lookups, WHOIS lookup information, reverse IP info, port scanning, DNS zone transfer, HTTP-headers, GEOIP lookup, subnet lookup, etc.
- Bettercap: Known as the Swiss Army knife of networking, it's used mostly for network recon and information gathering, especially for WiFi, Bluetooth Low Energy devices and Ethernet networks.
- Traceroute: As one of the most popular network tools used to track the path of network packets from one IP address to another, it's a powerful recon tool that will let you gain critical network information about IP addresses and network routes.
- WHOIS: The WHOIS command is a great source of data for fetching domain- and IP-related information, including tech and admin contact names, telephone numbers, addresses, country, DNS servers, etc.
- Dig: Whenever you need to find current data about DNS records, Dig is one of the best tools there is to help you to accomplish that task, whether you want to get A, NS, TXT or CNAME records.
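Nmap tops the list above, and the useful follow-up for a defender is to compare what a scan reports with what is supposed to be exposed. The following is an added example, not code from the article or from the Nmap project: it parses Nmap's "grepable" output format (`-oG`, whose `Ports:` field is `port/state/proto/owner/service/rpc/version/`) and reports every open port that is not in an allow-list baseline. The scan text, the hosts `192.0.2.10` and `192.0.2.25`, and the `BASELINE` table are constructed sample data.

```python
import re

# Constructed sample of Nmap -oG output for two hypothetical hosts.
# Fields on a Host: line are tab-separated; "/" inside service names is
# written as "|" by Nmap, so splitting port entries on "/" is safe.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (996)
Host: 192.0.2.25 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/open/tcp//smtp//Postfix smtpd/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Assumed allow-list: ports each host is expected to expose.
BASELINE = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.25": {25, 587},
}

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Map IP -> {hostname, ports:[{port,state,proto,service,version}]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry, skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({"port": int(port), "state": state,
                                       "proto": proto, "service": service,
                                       "version": version})
    return hosts


def unexpected_exposure(hosts, baseline):
    """Open ports that the baseline does not allow, as (ip, port, service, version)."""
    findings = []
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())
        for p in info["ports"]:
            if p["state"] == "open" and p["port"] not in allowed:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for ip, info in scan.items():
        print(ip, info["hostname"], [p["port"] for p in info["ports"]])
    for ip, port, service, version in unexpected_exposure(scan, BASELINE):
        print(f"UNEXPECTED: {ip}:{port} {service} {version}")
```

In practice the input is the file written by `nmap -sV -oG scan.gnmap <your range>`; keeping the baseline in version control turns a one-off recon scan into a repeatable drift check.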