Ethical Hacking Lecture 2: Information Gathering

Questions and Answers

Which of the following is NOT a type of information gathering mentioned in the content?

• Information Warfare
• Corporate Espionage
• Competitive Intelligence
• Social Engineering (correct)

Penetration testing frameworks often include a step for information gathering. What is the primary purpose of this step?

• To gather information about the target's security posture and potential attack vectors. (correct)
• To identify and exploit vulnerabilities in the target's system.
• To test the effectiveness of the target's security controls.
• To develop a detailed report of the target's security weaknesses.

What is a key difference between 'Competitive Intelligence' and 'Corporate Espionage'?

• Competitive Intelligence aims to understand the target's strengths, while Corporate Espionage focuses on their weaknesses.
• Competitive Intelligence focuses on gathering information from internal sources only, while Corporate Espionage targets external sources.
• Competitive Intelligence uses legal and ethical means, while Corporate Espionage employs illegal and unethical tactics. (correct)
• Competitive Intelligence is used for strategic planning, while Corporate Espionage is used for financial gain.

According to the content, what percentage of information required for successful competition is publicly available?

95% (C)

What is the intended outcome of the information gathering phase?

To create a list of potential attack vectors for the target. (D)

What is the estimated annual loss to US industries due to corporate espionage, according to the content?

$70 billion (C)

Which of the following is NOT a benefit of competitive intelligence?

Gaining an unfair advantage over competitors (D)

According to the content, what is the definition of 'trade secret'?

Proprietary information that is not publicly known and provides a competitive advantage. (C)

What can the target's external infrastructure profile reveal?

The technologies used internally (B)

How can social engineering be effectively used during information gathering?

Interacting with identified information technology organizations (C)

Which of the following methods can provide information about remote access to a target?

Information on remote access portals visible on the homepage (D)

What type of information can be extracted from publicly accessible files?

A list of known applications used by the organization (C)

What is a technique used in passive fingerprinting?

Searching for discussions by technicians about technology issues (D)

What does active fingerprinting typically entail?

Sending test packets to public systems for response profiling (A)

Which aspect is crucial when discovering a target organization's defensive capabilities?

Understanding the complexity of defensive human capability (C)

What factor can often complicate information gathering regarding a target's defenses?

The inherent complexity of human defensive capabilities (B)

What is a key indicator that a target organization takes security seriously?

Presence of a CERT/CSIRT/PSRT team (B)

What can be an indication of security responsibilities in non-security related job postings?

Listing of security as a requirement (D)

Which tool can be used to gather email addresses from various search engines?

theHarvester (B)

How can footprinting be defined in the context of information gathering?

A phase of information gathering from an external perspective (C)

What would be a significant concern if an organization has outsourced its security?

Lack of internal security management (B)

Where is it likely to find corporate email addresses publicly listed?

Parent-teacher association contact info (D)

What is one method to verify an individual's social media presence?

Verifying their social media accounts (D)

What might indicate that employees of a company are engaged in the security community?

Specific individuals active in security discussions (D)

Which of the following methods are NOT commonly used in Open-Source Intelligence (OSINT) gathering?

Physical Security Analysis (A), Social Engineering (D)

What is the main reason for conducting Open-Source Intelligence (OSINT) gathering?

To identify potential vulnerabilities and entry points into an organization (C)

What kind of information would be most helpful for an attacker to gain access to an organization's network?

A detailed network topology diagram (A)

Which of the following is NOT considered a useful piece of information for an attacker to gather?

The company's marketing plan (C)

Which of these scenarios best exemplifies "Information Warfare" as defined in the provided text?

A government utilizing cyberattacks to disrupt a foreign country's critical infrastructure (D)

Which of the following is NOT considered a common method employed by disgruntled employees in illicit activities?

Using company resources for personal benefit (D)

What is one way that a company can protect itself from "Inside Jobs" by disgruntled employees?

Creating a positive and supportive work environment (C)

How can "False Pretenses" be used to infiltrate a company for intelligence gathering?

Using social engineering techniques to gain access to confidential information (B)

Which of the following is NOT a characteristic of Open Source Intelligence (OSINT) as described in the document?

OSINT is always accurate and up-to-date. (B)

What is a major limitation of passive information gathering, as described in the document?

It is unable to gather real-time data, making the information potentially outdated. (A)

Which of the following is an example of a semi-passive information gathering technique mentioned in the document?

Querying published name servers for information about the target organization's domain. (C)

What is the main purpose of the Wayback Machine, as per the document?

Storing and archiving websites to showcase their historical evolution. (C)

What kind of information is typically found in a WHOIS lookup?

Personal contact information of the domain owner. (A)

According to the document, what is a key consideration for companies and employees when it comes to online information?

The potential for online information to be used for malicious purposes. (C)

Which of the following best describes the difference between semi-passive and active information gathering?

Semi-passive methods aim to appear as normal internet traffic, while active methods involve more intrusive techniques. (C)

Which of the following is an example of "Google Dorking", as described in the document?

Using Google Search to find specific files or documents on a website. (B)

What is the primary purpose of performing onsite information gathering, as described in the provided content?

To gather information about employees and their activities. (D)

Which technique is NOT explicitly mentioned in the provided content as a part of onsite information gathering?

Social engineering (C)

What is the main purpose of identifying offsite locations and their importance to the organization during information gathering?

To determine the target's reliance on external resources and create social engineering scenarios. (C)

According to the content, which type of information can be obtained from mapping affiliate organizations tied to a target business?

The target's internal organizational hierarchy and key decision-makers. (C)

What is the primary focus of ‘Active Information Gathering’ as mentioned in the content?

Using techniques that are likely to be detected by the target. (B)

What is the main benefit of understanding the ‘External Relationships’ of a target organization?

Creating targeted social engineering campaigns aimed at specific individuals. (B)

Which technique would be considered part of ‘Active Information Gathering’ as described in the provided content?

Using a port scanner to identify open ports on the target's network. (A)

What is a potential advantage of using the ‘Whois’ command line tool to query information about a domain?

It can provide details about the domain's owner, registrar, and other relevant information. (B)

Flashcards

Open-Source Intelligence (OSINT)

Data collected from publicly available sources used for intelligence purposes.

Passive Information Gathering

Collecting information without alerting the target, using only existing data.

Semi-passive Information Gathering

Profiling a target cautiously to appear like normal internet traffic.

Active Information Gathering

Engaging directly with the target to gather information, often detectable.

Wayback Machine

A tool that shows historical versions of websites over time.

WHOIS Database

A database that contains information about registered domain names and their owners.

Google Dorks

Advanced Google search techniques used to find hidden data.

OSINT Limitations

OSINT may not be reliable, accurate, or timely due to data manipulation or age.

Inside Jobs

Illicit activities often committed by employees or insiders.

False Pretenses

Deceptive practices to gain information or access, like impersonation.

Information Warfare

State-sponsored actions aimed at gaining information superiority.

Useful Information to Attackers

Types of data that attackers seek to infiltrate organizations.

Probing and Target Scanning

Techniques to identify vulnerabilities in systems or networks.

Intelligence Gathering Methods

Techniques used to collect actionable intelligence on targets.

Security Enforcing Functions

Policies and measures that protect organizational assets.

Information Gathering

The reconnaissance phase to collect data on a target for penetration testing.

OSINT

Open-Source Intelligence; publicly available data used for intelligence gathering.

Competitive Intelligence

Gathering data legally to understand competitors and inform decision-making.

Corporate Espionage

The illegal collection of proprietary information for economic advantage.

Footprinting

The process of creating a detailed map of a target's systems and networks.

Trade Secret

Information that provides a business advantage over competitors.

Pentesting

Security testing to identify vulnerabilities by simulating cyberattacks.

Reconnaissance

Initial stage of penetration testing involving mapping out network infrastructure and services.

Vulnerability Scanning

Scanning for weaknesses in systems or services during active information gathering.

Social Engineering

Manipulating individuals to divulge confidential information by exploiting human psychology.

Onsite Information Gathering

Physical reconnaissance focusing on the target environment over time to detect patterns.

Offsite Information Gathering

Collecting information from important locations that relate to the organization.

Organizational Chart

Visual representation of the structure of an organization showing relationships and roles.

Document Metadata

Information that provides details about a data/document such as author, date created, etc.

External Infrastructure Profile

Information about a target's technologies and systems that can aid in attack scenarios.

OSINT Searches

Using public forums and resources to gather intel on target technologies.

Remote Access Information

Details on how users connect to a target, revealing potential entry points.

Application Usage List

A collection of applications used by the target, often extractable from metadata.

Passive Fingerprinting

Collecting tech information through public discussions without alerting the target.

Active Fingerprinting

Directly testing target systems with specific probes to reveal technology.

Defense Technologies Fingerprinting

Identifying security measures employed by the target organization through various methods.

Human Defensive Capability

Understanding a target's defensive human resources and their effectiveness is challenging.

CERT/CSIRT/PSRT

Teams responsible for responding to computer security incidents.

Job Listings for Security Positions

Analyzing job ads that require security expertise to assess security focus.

Outsourcing Security

Determining if an organization's security is managed externally.

Profile Mapping

Mapping an individual's location history for potential security insights.

Internet Presence

Observing an individual’s online activities and identifiable information.

theHarvester Tool

A Python tool to automate finding email addresses from search engines.

Email Address Discovery

Finding corporate email addresses through various online sources.

Study Notes

Ethical Hacking and Penetration Testing - Lecture 2: Information Gathering

• This lecture covers information gathering, a crucial phase in penetration testing
• Information gathering, also known as intelligence gathering, involves reconnaissance to collect as much information as possible about a target
• This gathered information is used to inform further phases (target scanning, vulnerability assessment, exploitation)
• The more information collected, the more attack vectors are identified
• Information gathering methods include:
  • Competitive Intelligence: Relies on ethical methods, collecting publicly available data to gain business insights
  • Corporate Espionage: Illicitly accessing trade secrets for economic gain (illegal)
  • Information Warfare: State-sponsored actions to achieve information superiority (illegal)
  • Private Investigation and Other Methods
  • Pentesting: Legal and ethical testing of security systems
• Information Gathering can be completed actively or passively
• Active information gathering can include:
  • Network Infrastructure mapping
  • Organization Structure and Charts
  • Location details
  • Employee information
  • External Relationships
  • Physical Infrastructure
  • Electronic Security
  • Communication Channels
• Some examples tools for Active Information gathering include:
  • Ping, Traceroute, Nmap
• Passive information gathering focuses on information publicly available without directly interacting with the target
• Examples of passive information gathering include:
  • Whois lookups
  • Google searches
  • Network Block identification
• Tools used for passive information gathering include:
  • Wayback Machine, Google Dorks
• There are three forms of OSINT (Open Source Intelligence):
  • Passive: gathering information without interacting with the target
  • Semi-passive: gathering information that appears as normal website traffic
  • Active: gathering information that may be detected
• Active form of foot printing involves sending packets to systems to identify vulnerabilities
• Passive form involves collecting information from publicly available sources

Information Gathering - Covert Gathering

• Includes onsite techniques for information gathering, often over several days
• Includes:
  • Physical inspection
  • Wireless Scanning
  • Employee behavior inspection
  • Accessible/adjacent areas
  • Dumpster diving
  • Equipment identification

External Relationships

• Includes off-site collection from publicly available information
• Includes:
  • Analyzing webpages
  • Business partners and vendors
  • Data centers

Organizational Chart

• Includes techniques for identification of key people, departments, and their relationships
• Includes historical information about the target, such as transactions and promotions

Electronic Metadata

• Metadata provides information about data such as author, date, location etc.

Week's Lab

• Completion of Week 2 labs using various tools, including Whois, theHarvester, Google Dorks, and Wayback Machine

Reading List

• Providing links to various resources on information gathering

Next Week

• Target scanning and enumeration is to be covered in the next session