5.2.1 Gathering Information on Your Targets

Information Gathering

Information gathering is the initial and crucial step in every penetration test, especially in black-box tests where penetration testers simulate external hacker attacks without internal knowledge. The information discovered during this phase is vital for understanding application logic and guiding subsequent attack phases. Information gathering can be categorized into two main types: passive and active.

Passive Information Gathering

It entails collecting data without directly engaging with the target.

  • Identifying IP addresses & DNS information.

  • Identifying domain names and domain ownership information.

  • Identifying email addresses and social media profiles.

  • Identifying web technologies being used on target sites.

  • Identifying subdomains

Active Information Gathering

It involves actively interacting with the target system, but it requires proper authorization before being performed.

  • Discovering open ports on target systems.

  • Learning about the internal infrastructure of a target network/organization.

  • Enumerating information from target systems.

Finding Owner, IP Addresses, and Emails

To begin, tools like WhoIs, traditionally command-line-based, now have simplified web-based versions. These tools look up domain ownership details from various databases. WhoIs runs on TCP port 43.

The Domain Name System (DNS) is then explored for further data on individual targets. DNS contains a hierarchy of names, with Top Level Domains (TLDs) divided into country-code (ccTLDs) and generic (gTLDs) categories.

Nslookup is a valuable tool for translating hostnames to IP addresses and vice versa. It can perform forward and reverse lookups, querying DNS servers for the necessary information. This tool helps gather data like A (hostname to IP), PTR (IP to hostname), and ANY (complete record) records.

Steps using Nslookup:

  1. Forward Lookup: nslookup google.com - Retrieves IP addresses for a given domain.

  2. Reverse Lookup: nslookup -type=PTR 173.194.113.224 - Retrieves the domain associated with a given IP.

  3. Records Query: nslookup -querytype=ANY google.com - Fetches the complete DNS record for a domain.

DNS "pyramid" structure:

  • Resource Record: starts with a domain name, usually a fully qualified domain name. If anything other than a fully qualified domain name is used, the name of the zone the record is in, will automatically be appended to the end of the name.

  • TTL (Time-To-Live): in seconds, defaults to the minimum value determined in the SOA record.

  • Record Class: Internet, Hesiod, or Chaos

  • SOA (State of Authority): Indicated the beginning of a zone and it should occur first in a zone file. There can be only one SOA record per zone. It defines certain values for the zone such as a serial number and various expiration timeouts.

  • NS (Name Server): Defines an authoritative name server for a zone. It defines and delegates authority to a name server for a child zone. NS Records are the GLUE that binds the distributed database together.

  • A: The A record simply maps a hostname to an IP address. Zones with A records are called 'forward' zones.

  • PTR: The PTR records maps an IP address to a Hostname. Zone with PTR records are called 'reverse' zones.

  • CNAME: The CNAME record maps an alias hostname to an A record hostname

  • MX (Mail eXchange): The MC record specifies a host that will accept email on behalf of a given host. The specifies host has an associated priority value. A single host may have multiple MX records. The records for a specific host make up a prioritized list

The DNS, a distributed database arranged hierarchically, provides a layer of abstraction between internet services and IP addresses. This abstraction allows for easier host identification using names instead of numbers.

Finding Target's ISP:

  • Step 1: Gather all IP addresses related to a domain (e.g., statcounter.com).

  • Step 2: Use nslookup to get IP addresses (e.g., nslookup statcounter.com).

  • Step 3: For each IP, perform a whois request to uncover ISPs (e.g., whois 104.20.2.47).

  • Step 4: Compile a table with IP addresses and corresponding ISPs for mapping the attack surface.

Finding Target's ISP with Netcraft:

  • Use online tools like Netcraft to quickly uncover an organization's hosting scheme and ownership.

  • Example: Visit netcraft.com, search for statcounter.com, and gather information on hosting providers and IP netblocks.

Previous5.2 - Information GatheringNext5.2.2 Infrastructure

Last updated