Lecture 5
GATHERING
COURSE CODE: CYC390
Tentative Course Contents
◦ Defining information gathering
◦ Passive information gathering
◦ Active information gathering
What is information gathering?
◦ Information gathering is the first step toward the actual assessment. Before targets
are scanned using vulnerability scanners, testers should know more details about
the assets in the scope of the testing.
Importance of information gathering
This is a very old and famous quote by Abraham Lincoln. The same applies to the
amount of time spent in gathering as much information as possible prior to
performing any security assessment.
Unless and until you know your target inside and out, you will never succeed in performing its security assessment.
Once you are confident that you have gathered enough information, then you can
very effectively plan the actual assessment.
Passive information gathering
◦ Passive information gathering is a technique where no direct contact with the target
is made for gathering the information.
◦ All the information is obtained through an intermediate source which may be
publicly available.
◦ The internet has many useful resources that can help us with passive information
gathering.
Passive information gathering
◦ The client system first sends a request to an intermediate system.
◦ The intermediate system probes the target system.
◦ The target system sends the result back to the intermediate system.
◦ The intermediate system forwards it back to the client.
◦ There's no direct contact between the client and the target system.
◦ The client is partially anonymous to the target system.
Reverse IP lookup
◦ Reverse IP lookup is a technique used to probe any given IP address for all the domains it hosts.
◦ All you need to do is feed in the target IP address, and you'll be returned all the domains hosted on that IP address.
◦ Reverse IP Lookup - Find Other Web Sites Hosted on a Web Server (yougetsignal.com)
◦ Reverse IP lookup works only on Internet-facing websites and isn't applicable to sites hosted on an intranet.
NETCRAFT
◦ If you have a target domain, you can get a lot of useful information about it, such as its registrar, name server, DNS admin, the technology used, and so on.
◦ https://sitereport.netcraft.com/
Site archive and way-back
◦ Websites undergo changes at regular intervals. Normally, when a site is updated, there's no way for end users to see its previous version.
◦ The Wayback Machine shows you past versions of a given site.
◦ https://archive.org/
Active information gathering
◦ Active information gathering involves a direct connection with the target. The client
probes for information directly with the target with no intermediate system in
between.
Active information gathering
◦ While this technique may reveal much more information than passive information
gathering, there's always a chance of security alarms going off on the target
system.
◦ Because there is a direct connection with the target system, all the information requests would be logged and can later be traced back to the source.
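The flip side of the point above is what the target's administrator sees: every active probe lands in the server's own logs. As an added example (not part of the lecture slides), the Python script below reads Apache/nginx "combined" access-log lines and flags clients whose traffic looks like active enumeration, either because the User-Agent names a scanner (Nikto identifies itself by default) or because a burst of requests from one address is mostly answered with 404s, the signature of guessing file and directory names. The log lines, the marker list and the thresholds are constructed for this example.

```python
"""Spot active enumeration in web-server access logs (added example).

Parses combined-format log lines and flags client IPs that look like
scanners. Sample data, UA markers and thresholds are constructed here
and are assumptions, not values from the lecture.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner names to look for in the User-Agent (lower-case). Example list only.
SCANNER_UA_MARKERS = ("nikto", "nmap scripting engine", "sqlmap")

# Example policy: MIN_REQUESTS or more requests from one IP with at least
# MIN_404_RATIO of them answered 404 suggests file/directory enumeration.
MIN_REQUESTS = 5
MIN_404_RATIO = 0.6


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_ip(lines):
    """Aggregate per-client request count, 404 count and the set of User-Agents seen."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        s["agents"].add(rec["ua"])
    return stats


def flag_scanners(lines):
    """Return {ip: [reasons]} for clients whose traffic looks like enumeration."""
    flagged = {}
    for ip, s in summarize_by_ip(lines).items():
        reasons = []
        ua_blob = " ".join(s["agents"]).lower()
        if any(marker in ua_blob for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner User-Agent")
        if s["requests"] >= MIN_REQUESTS and s["not_found"] / s["requests"] >= MIN_404_RATIO:
            reasons.append(f"{s['not_found']}/{s['requests']} requests returned 404")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one ordinary visitor (10.0.0.5) and one client
# probing for files that do not exist (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [12/Mar/2024:10:02:01 +0000] "GET /test.php HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [12/Mar/2024:10:02:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [12/Mar/2024:10:02:01 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.6)"
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The two checks are deliberately independent: a scanner with a spoofed User-Agent still trips the 404-ratio rule, and a scanner that only sends a handful of requests still trips the User-Agent rule. On a real server, feed the function the access log and review the flagged addresses alongside the passive sources earlier in the lecture, which leave no such trace.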
Active information gathering with SPARTA
◦ SPARTA is an excellent active information gathering tool.
◦ Upon feeding the IP/host to SPARTA, it quickly gets into the action by triggering
various tools and scripts starting with Nmap.
Dmitry
◦ Dmitry is another versatile tool in Kali Linux that is capable of both passive as well
as active information gathering.
◦ It can perform whois lookups and reverse lookups.
◦ It can also search for subdomains, email addresses, and perform port scans as well.
Dmitry
◦ Command to run Dmitry:
◦ root@kali:~# dmitry -wn -o output.txt demo.testfire.ne
People
◦ To gather information about people, there are online websites available such as Spokeo, BeenVerified, Pipl, Wink, or Intelius. These sites can be used to search for people, though searching for people may cost you money.
PeekYou
◦ There are other people search sites that
are more focused on looking at social
networking presence, and searches can
be done using usernames.
◦ The website PeekYou will do people
searches using real names.
◦ PeekYou also allows you to look for a
username.
◦ This username could be found across
multiple social network sites, as well as
other locations where a username is
exposed to the outside world.
Sherlock
◦ Credentials are often used by attackers to gain access to resources they wouldn't
otherwise have access to. Once you have identified people, getting their usernames
may end up being useful.
◦ The tool Sherlock may be beneficial to identify people and their usernames.
◦ You provide a list of usernames you want to look for and it searches across
hundreds of social networks for those usernames.
Sherlock
◦ $ sherlock --fo smithsearch jsmith smith johnsmith
Wappalyzer
◦ Wappalyzer shows all the technologies that a website uses.
Mirroring Sites with httrack
◦ HTTrack is a free and open-source Web
crawler and offline browser. HTTrack
allows users to download Web sites
from the Internet to a local computer.
◦ Download from here
https://www.httrack.com/page/2/
Enumeration
HTTP
◦ Hypertext Transfer Protocol (HTTP) is the most common protocol used for serving
web content. By default, it runs on port 80.
◦ Enumerating HTTP can reveal a lot of interesting information, including the
applications it is serving.
◦ Nikto is a specialized tool for enumerating the HTTP service and is part of the
default Kali Linux installation.
Nikto
◦ nikto
Nikto
◦ We can enumerate an HTTP target using the nikto -host command.
◦ nikto -host 192.168.56.102
Nmap
◦ Nmap can also be effectively used for
enumerating HTTP.
◦ HTTP enumeration performed using
Nmap script.
◦ nmap --script http-enum 192.168.56.102
◦ The output of the http-enum Nmap
script shows server information along
with various interesting directories that
can be further explored.
FTP
◦ The File Transfer Protocol (FTP) is a
commonly used protocol for transferring
files across systems.
◦ The FTP service runs by default on port 21. Enumerating FTP can reveal interesting information such as the server version and whether it allows anonymous logins.
◦ We can use Nmap to enumerate the FTP service.
◦ nmap -p 21 -T4 -A -v 192.168.57.102
◦ It reveals that the FTP server is vsftpd 2.3.4, and it allows anonymous logins.
SMTP
◦ The Simple Mail Transfer Protocol (SMTP) is
the service responsible for transmission of
electronic mail.
◦ The service by default runs on port 25.
◦ It is useful to enumerate the SMTP service in order to know the server version along with the commands it accepts.
◦ We can use the Nmap command:
◦ nmap -p 25 -T4 -A -v 192.168.28.102
◦ It tells us that the SMTP server is of type Postfix and also gives us the list of commands it is accepting.
SMB
◦ Server Message Block (SMB) is a very
commonly used service for sharing files,
printers, serial ports, and so on.
◦ It has been vulnerable to various attacks. Hence, enumerating SMB can provide useful information for planning further precise attacks.
◦ In order to enumerate SMB, we would use the following syntax and scan ports 139 and 445:
◦ nmap -p 139,445 -T4 -A -v 192.169.56.102
◦ It tells us the version of SMB in use and the workgroup details.
DNS
◦ The Domain Name System (DNS) is the
most widely used service for
translating domain names into IP
addresses and vice versa.
◦ The DNS service by default runs on port 53. We can use the Nmap syntax, as follows, to enumerate the DNS service.
◦ nmap -p 53 -T4 -A -v 192.168.57.102
◦ The type of DNS server on the target system is ISC BIND version 9.4.2.
SSH
◦ Secure Shell (SSH) is a protocol used
for transmitting data securely
between two systems. It is an
effective and secure alternative to
Telnet.
◦ The SSH service by default runs on port 22.
◦ nmap -p 22 -T4 -A -v 192.168.56.102
◦ It tells us that the target is running OpenSSH 4.7p1.
VNC
◦ Virtual Network Computing (VNC) is
a protocol used mainly for remote
access and administration.
◦ The VNC service by default runs on port 5900.
◦ We can use the Nmap syntax, as follows, to enumerate the VNC service:
◦ nmap -p 5900 -T4 -A -v 192.168.56.102
◦ It tells us that the target is running VNC with protocol version 3.3.
http-methods
◦ The http-methods script will help us enumerate the various methods that are allowed on the target web server.
◦ The syntax for using this script is as follows:
◦ nmap --script http-methods 192.168.57.102
◦ It tells us that the target web server is allowing the GET, HEAD, POST, and OPTIONS methods.
smb-os-discovery
◦ The smb-os-discovery script will help us enumerate the OS version based on the SMB protocol.
◦ The syntax for using this script is as follows:
◦ nmap --script smb-os-discovery 192.168.57.102
◦ The enumeration output tells us that the target system is running a Debian-based OS.
http-sitemap-generator
◦ The http-sitemap-generator script will help us create a hierarchical sitemap of the application hosted on the target web server.
◦ The syntax for using this script is as follows:
◦ nmap --script http-sitemap-generator 192.168.57.102
mysql-info
◦ The mysql-info script will help us enumerate the MySQL server and possibly gather information such as the server version, protocol, and salt.
◦ The syntax for using this script is as follows:
◦ nmap --script mysql-info 192.168.57.102
◦ It tells us that the target MySQL server version is 5.0.51a-3ubuntu5 and also the value of the salt.
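All of the Nmap commands in this enumeration section print their findings to the terminal, one host at a time. Adding Nmap's -oX option writes the same results as XML, which is the form you want when reviewing more than a handful of hosts or when turning a scan into an inventory to act on. The Python script below is an added example (not from the lecture or from the Nmap project): it parses Nmap XML with the standard library and applies a small review policy to exactly the services enumerated above, flagging anonymous FTP (the ftp-anon script output), HTTP methods beyond a read-only set (the http-methods script output), and file-sharing, database and remote-desktop services reachable from the scanning network. The sample XML is constructed to mirror the slide findings (vsftpd 2.3.4, OpenSSH 4.7p1, Postfix, BIND 9.4.2, MySQL 5.0.51a-3ubuntu5, VNC 3.3), with one difference: TRACE is added to the allowed HTTP methods so that the check has something to fire on. The policy constants are assumptions to tune per environment.

```python
"""Turn Nmap XML output (nmap ... -oX scan.xml) into a service inventory
and triage it against a small review policy. Added example; SAMPLE_XML and
the policy constants are constructed assumptions, not lecture material."""
import xml.etree.ElementTree as ET

# Example policy: methods a plain web site needs, and services that should
# not be reachable beyond trusted networks.
READ_ONLY_HTTP_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
INTERNAL_ONLY_SERVICES = {"mysql", "microsoft-ds", "netbios-ssn", "vnc"}


def parse_nmap_xml(xml_text):
    """One record per open port: host, port, service name, product, version,
    plus the output text of every NSE script that ran against that port."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to review
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.iter("script")},
            })
    return records


def http_methods_from_script(output):
    """Extract the method set from the 'Supported Methods:' line of http-methods output."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Supported Methods:"):
            return set(line.split(":", 1)[1].split())
    return set()


def triage(records):
    """Apply the review policy; return (host, port, finding) tuples."""
    findings = []
    for r in records:
        where = (r["host"], r["port"])
        if r["service"] == "ftp" and "Anonymous FTP login allowed" in r["scripts"].get("ftp-anon", ""):
            findings.append((*where, "anonymous FTP login enabled"))
        if "http-methods" in r["scripts"]:
            extra = http_methods_from_script(r["scripts"]["http-methods"]) - READ_ONLY_HTTP_METHODS
            if extra:
                findings.append((*where, "extra HTTP methods: " + " ".join(sorted(extra))))
        if r["service"] in INTERNAL_ONLY_SERVICES:
            findings.append((*where, f"{r['service']} exposed to the scanning network"))
    return findings


# Constructed Nmap XML, trimmed to the attributes the parser reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.168.56.102">
<host><status state="up"/><address addr="192.168.56.102" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.4.2"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/>
<script id="http-methods" output="&#10;  Supported Methods: GET HEAD POST OPTIONS TRACE"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc" product="VNC" extrainfo="protocol 3.3"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for r in inventory:
        print(f"{r['host']}:{r['port']} {r['service']} {r['product']} {r['version']}".rstrip())
    for host, port, finding in triage(inventory):
        print(f"[review] {host}:{port} {finding}")
```

Run the script as-is to see the constructed inventory and its findings, or replace SAMPLE_XML with the contents of a real scan.xml. The version strings are kept in the inventory on purpose: comparing them against vendor advisories is the vulnerability-assessment step that the OpenVAS section which follows automates.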
Vulnerability assessments using OpenVAS
◦ Now that we are familiar with enumeration, the next logical step is performing vulnerability assessments. This includes probing each service for possible open vulnerabilities. There are many tools, both commercial as well as open source, available for performing vulnerability assessments. Some of the most popular tools are Nessus, Nexpose, and OpenVAS.
◦ OpenVAS is a framework consisting of several tools and services that provide an
effective and powerful vulnerability management solution.
◦ More detailed information on the OpenVAS framework is available at
http://www.openvas.org/.
◦ The latest Kali Linux distribution doesn't come with OpenVAS by default. Hence, you
need to manually install and set up the OpenVAS framework.
◦ Following is the set of commands that you can use to set up the OpenVAS
framework on Kali Linux or any Debian-based Linux distribution.
◦ root@kali:~# apt-get update
◦ root@kali:~# apt-get install openvas
◦ root@kali:~# openvas-setup
◦ After running the preceding commands in the Terminal, the OpenVAS framework
should be installed and ready for use.
◦ You can access it through the browser at the https://localhost:9392/login/login.html
URL, as shown in the following screenshot:
◦ Once you enter the credentials, you can see the initial Dashboard as shown in the
following screenshot:
◦ Now it's time to get started with the first vulnerability scan. In order to initiate a
vulnerability scan, open the Task Wizard, as shown in the following screenshot, and
enter the IP address of the target to be scanned.
◦ Once the target IP address is entered in the Task Wizard, the scan gets triggered
and progress can be tracked as shown in the following screenshot:
◦ While the scan is in progress, you can view the Dashboard to get a summary of
vulnerabilities found during the scan as shown in the following screenshot:
◦ Once the scan is complete, you can check the result to see all the detailed findings
along with severity levels. You can individually click on each vulnerability to find out
more details, as shown in the following screenshot: