Active and Passive Information Gathering Techniques — Part 3

Active Information Gathering

Kalpa Kalhara Sampath
4 min read · Sep 22, 2019


In active information gathering we collect more information about targets by interacting with them directly. Unlike passive information gathering, doing this without authorization can be illegal. Techniques include DNS enumeration, port scanning and OS fingerprinting. As with passive information gathering, the goal is to gather as much information as possible.

Port scanning - Nmap/Zenmap

Nmap is the most popular port scanner available. It offers many different scanning techniques including:

Host Discovery
TCP ports
UDP ports
Other IP Protocols

Due to firewall actions and security measures on the target operating systems, some scan results might not be accurate.

Scan for TCP Ports

SYN Scan: root@kali:~# nmap -sS 192.168.1.0/28

FIN Scan: root@kali:~# nmap -sF 192.168.1.0/28

ACK Scan: root@kali:~# nmap -sA 192.168.1.0/28

TCP connect() scan: root@kali:~# nmap -sT 192.168.1.0/28

Scan for UDP Ports

The -sU option sends an empty UDP packet to each port and waits for an ICMP "port unreachable" message in return.

root@kali:~# nmap -sU 192.168.1.1/28

Scan for Protocols

root@kali:~# nmap -sO 192.168.1.1

Determine Service applications

Nmap provides a simple method for identifying RPC services (-sR) and a more complex method (-sV) that can identify a much greater number of services together with their version information.

root@kali:~# nmap -sR 192.168.1.1

root@kali:~# nmap -sV 192.168.1.1

Identify a host’s OS (OS Fingerprinting)

root@kali:~# nmap -O 192.168.1.1

DNS Enumeration - dnsenum

DNSenum is a tool designed to enumerate DNS information about a domain. It can:

Get the host's addresses
Get the nameservers
Get the MX records
Try zone transfers
Get the BIND version
Get extra names and subdomains via Google scraping
Brute force subdomains from a file; it can also recurse into subdomains that have NS records
Perform reverse lookups on netranges
Write the IP blocks to the domain_ips.txt file

dnsenum --enum google.com

NetCat

Netcat is considered the Swiss army knife of information security. Beyond simple connections it is capable of numerous tasks: chatting, file transfer, port scanning, banner grabbing, opening remote shells and even setting up a honeypot.

Banner Grabbing

Service banners are often used by system administrators for taking inventory of the systems and services on the network. A service banner identifies the running service and often its version number too. Banner grabbing is a technique for retrieving this information about a particular service on an open port, and it is used during a penetration test as input to a vulnerability assessment. When using Netcat for banner grabbing we make a raw TCP connection to the specified host on the specified port; when a banner is available, it is printed to the console.

nc [ip address] [port]

nc 192.168.100.100 21

Web server interaction

Netcat can also be used to interact with web servers by issuing HTTP requests. Type the request line, then press Enter on an empty line: the blank line terminates the request, and the server will not answer until it sees it.

nc 192.168.100.108 80
HEAD / HTTP/1.0

To retrieve the top-level page on the web server we can issue a GET request the same way:

nc 192.168.100.108 80
GET / HTTP/1.0
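What the banner-grabbing and HEAD request exchanges above do on the wire, reproduced in Python as an added example (not code from the original post): a raw TCP connection, the HEAD request terminated by the blank line a web server waits for, and the status line and Server header parsed out of the reply. The target is a constructed loopback stand-in server with a made-up banner, so it runs offline; against a real host you would pass its address and port instead.

```python
import socket
import threading

# Constructed banner returned by the local stand-in server. A real service
# returns its own greeting (an FTP banner on port 21, an HTTP Server header).
FAKE_HTTP_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: ExampleHTTPd/1.2.3 (constructed)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

def serve_once(srv):
    """Accept one client, wait for a complete request (ended by a blank line),
    then answer. Like a real web server, nothing is sent until that line."""
    conn, _ = srv.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
        conn.sendall(FAKE_HTTP_RESPONSE)

def start_stand_in_server():
    """Listen on an ephemeral loopback port in the background; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=serve_once, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def grab_http_banner(host, port, timeout=3.0):
    """Raw TCP connection (what `nc host port` does), the HEAD request from the
    post, then parse the status line and Server header out of the reply."""
    request = b"HEAD / HTTP/1.0\r\n\r\n"  # the trailing empty line is required
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    status, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (h.partition(":") for h in header_lines)}
    return {"status": status, "server": headers.get("server")}

if __name__ == "__main__":
    p = start_stand_in_server()
    print(grab_http_banner("127.0.0.1", p))
```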

File transfers with Netcat

On the receiving host, listen on a port and redirect whatever arrives into a file:

nc -lvp 8080 > receive.txt

nc -lvp 8080 > /root/Desktop/transfer.txt

On the sending host, connect to the listener and feed it the file on standard input:

nc 192.168.100.107 8080 < /root/Desktop/transfer.txt

The Harvester

The objective of this tool is to gather emails, subdomains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the SHODAN computer database.

Metagoofil

Metagoofil is an information gathering tool for extracting metadata from publicly available documents: Word documents, PDFs, Excel sheets, .jpg images and many other formats. It can therefore provide a lot of useful information during a penetration test just by scanning the files it gathers.

Search for documents from a domain (-d kali.org) that are PDF files (-t pdf), limiting the search to 100 results (-l 100), downloading 25 files (-n 25), saving the downloads to a directory (-o kalipdf) and saving the report to a file (-f kalipdf.html):

metagoofil -d kali.org -t pdf -l 100 -n 25 -o kalipdf -f kalipdf.html

Written by Kalpa Kalhara Sampath

Cyber Security Researcher | Lecturer | Mentor | Ethical Hacking and Digital Forensic Trainer | MCT | CCAI