Information Gathering Techniques Quiz


Questions and Answers

Which of the following is NOT a method used in onsite information gathering?

  • Physical security inspections
  • Employee behavior inspection
  • Wireless scanning
  • Social engineering (correct)

What is the primary goal of active information gathering?

  • To gather information that can be used to create successful social engineering scenarios
  • To extract information directly from the target organization's systems (correct)
  • To identify the target organization's business partners and suppliers
  • To passively observe the target organization's online activity

What is a common example of active information gathering?

  • Using a web crawler to index the target organization's website
  • Reviewing publicly available company profiles
  • Analyzing social media posts about the target organization
  • Performing a port scan on the target organization's network (correct)

Why is it important to identify the target organization's offsite locations?

  • To determine the organization's network infrastructure (correct)

Which of the following activities can be used to gather information about a target organization's business partners?

  • Analyzing publicly available corporate web pages (correct)

What type of information can be gathered by analyzing the metadata of electronic documents?

  • The document's creation date and author (correct)

Which of the following is a common technique used to gather information about physical security measures at a target organization?

  • Physical security inspections (correct)

How can information about the target organization's business partners be used in social engineering?

  • To create more convincing social engineering scenarios (correct)

What is the primary goal of information gathering in penetration testing?

  • To gather data for future attack vectors (correct)

Which of the following is a form of legal and ethical information gathering?

  • Competitive intelligence (correct)

What percentage of information required for competitive success is typically available in the public domain?

  • 95% (correct)

What is defined as the theft of trade secrets for economic gain?

  • Corporate espionage (correct)

Which of these activities most closely relates to information warfare?

  • Espionage and intelligence activities (correct)

What kind of losses does corporate espionage create for U.S. industries annually, according to estimates?

  • $70 billion (correct)

Which phase of the penetration testing framework comes after information gathering?

  • Threat modeling (correct)

Which of the following is NOT a method of information gathering?

  • Product development (correct)

What could be a consequence of companies not considering the information they make public?

  • It can allow attackers to gather information about them. (correct)

Which statement is NOT true about Open-Source Intelligence (OSINT)?

  • OSINT is always up-to-date and accurate. (correct)

What is a characteristic of passive information gathering?

  • It may use archived or stored information. (correct)

What is the primary aim of semi-passive information gathering?

  • To gather data without appearing suspicious. (correct)

Which tool allows users to see the historical changes of websites?

  • Wayback Machine (correct)

During passive information gathering, which of the following methods is typically used?

  • Conducting Google searches. (correct)

What kind of information is typically found in WHOIS records?

  • Contact information of the domain owner. (correct)

What is a primary disadvantage of relying on OSINT?

  • It can often be manipulated or incorrect. (correct)

What is one of the primary reasons for extracting metadata from files?

  • To create a blueprint of the internal network and users (correct)

Which of the following tools is NOT mentioned as a method for extracting metadata?

  • MailChimp (correct)

What type of information can be obtained from network blocks owned by an organization?

  • The IP address ranges registered to the organization, available passively via whois (correct)

What is one of the risks associated with having metadata present in documents?

  • It can expose private user information for targeted attacks. (correct)

Which format is NOT typically used for displaying metadata extraction results?

  • JPEG (correct)

What kind of information can be pulled from an organization's past marketing campaigns?

  • Design components such as colors and graphics (correct)

Which one of these could potentially provide a list of valid usernames for an organization?

  • Email addresses found on the organization's website (correct)

How can information about IP addresses be passively obtained?

  • By performing whois searches (correct)

What is the primary purpose of gathering an external infrastructure profile?

  • To understand the technologies a target uses internally, inferred from its external footprint (correct)

Which method is NOT typically used for passive fingerprinting?

  • Sending probe packets to public-facing systems (correct)

How can social engineering be effectively employed in an information gathering scenario?

  • By contacting product vendors for insider information (correct)

What type of information can how-to documents reveal?

  • Procedures for remote access connections (correct)

What is the goal of remote access information gathering?

  • To pinpoint potential access points into the organization (correct)

Which of the following is true about active fingerprinting?

  • It involves the use of probe packets to test security measures. (correct)

Which factor can complicate the discovery of an organization's defensive human capability?

  • High staff turnover rates (correct)

What type of information can header information reveal?

  • The systems in use and their protection mechanisms (correct)

What is the purpose of checking for a company-wide CERT/CSIRT/PSRT team?

  • To evaluate the company's security response capabilities (correct)

Why is it important to check if security is listed as a requirement for non-security jobs?

  • To determine if security awareness is valued company-wide (correct)

What does 'footprinting' involve?

  • Gathering information about the target from an external perspective (correct)

What can be inferred by mapping an individual's location history?

  • Potential security risks based on the locations visited (correct)

How can email addresses be significant in security profiling?

  • They can be used to identify usernames publicly associated with individuals (correct)

What is a primary goal of using a tool like theHarvester?

  • To automate the search for email addresses associated with a domain (correct)

What type of information can be gathered from checking internet presence?

  • Public email addresses and personal nicknames (correct)

What is the benefit of reviewing outsourcing agreements in security assessment?

  • To determine whether the organization's security is managed entirely in-house or partly outsourced (correct)

Flashcards

Information Gathering

The process of collecting data to aid in penetration testing.

Open-Source Intelligence (OSINT)

Gathering publicly available information for intelligence purposes.

Footprinting

The initial stage of gathering information about a target system.

Competitive Intelligence

Legal and ethical data gathering to inform business decisions.

Corporate Espionage

Illegally gathering confidential business information for economic gain.

Corporate Trade Secret

Confidential business information that gives its holder an economic advantage over competitors who do not know it.

Intelligence Gathering

Reconnaissance performed to prepare for a penetration test.

Pentesting

Simulated cyber attacks to test and improve security.

OSINT Accuracy

OSINT is not always accurate or timely: sources can be manipulated or outdated.

Wayback Machine

An archive that shows how websites have changed over time.

Passive Information Gathering

Gathering information without alerting the target, using only archived or stored data.

Google Dorks

Advanced Google search operators for finding specific information online.

Semi-passive Information Gathering

Profiling a target with requests that look like normal internet traffic, without drawing attention.

WHOIS Database

Registrar records of domain ownership and contact information.

Domain Information

Records maintained by registrars about domain ownership and contact details.

Whois Command

A command-line tool used to query domain registration information.

Active Information Gathering

Detectable reconnaissance aimed at mapping network infrastructure and vulnerabilities.

Covert Gathering

Information gathering conducted secretly to avoid detection.

Onsite Information Gathering

Reconnaissance conducted at the target's physical locations over a period of time.

Offsite Information Gathering

Collecting data about locations and relationships not directly observed, such as remote facilities and partners.

Social Engineering

Manipulating individuals into giving up information or access.

Organizational Chart

A representation of an organization's structure that identifies key individuals.

Document Metadata

Information that describes a document or data file (author, timestamps, application, paths).

External Infrastructure Profile

What a target's external footprint reveals about the technologies it uses internally.

OSINT Searches

Open-source intelligence searches for publicly available information about target technologies.

Remote Access Ingress

Information about how clients and employees connect remotely to the target organization.

Application Usage

A list of applications used by the target organization, gathered from accessible data.

Passive Fingerprinting

Identifying defensive technologies from public information such as forum and mailing-list discussions, without touching the target.

Active Fingerprinting

Sending probe packets and reading the responses to identify systems and their defenses.

Defense Technologies

Identifiable methods and systems used to protect an organization's assets.

Human Capability Assessment

Evaluating the defensive skills and knowledge of personnel within a target organization.

Metadata

Data about other data, such as authorship, resolution, and location.

Importance of Metadata

Metadata helps profile network locations, users, and software details, aiding in security assessments.

Metadata Extraction Tools

Software that retrieves metadata from documents and images, such as FOCA, metagoofil and exiftool.

FOCA

A GUI-based tool for searching, downloading, and analyzing metadata from documents.

Open-Source Searches

Techniques using public resources to gather data, often revealing network infrastructure details.

Whois Search

A passive method to obtain information about network block ownership and IP addresses.

Email Addresses in Recon

Emails reveal valid usernames, the organization's naming convention and its domain structure.

Past Marketing Campaigns

Historical marketing material that reveals projects, technologies, contacts and design elements (colors, fonts, graphics) that can be reused in social engineering pretexts.

CERT/CSIRT/PSRT

Teams that respond to computer security incidents within organizations.

Security Job Listings

Job postings that show how often an organization hires for security roles and whether security skills are required for non-security roles.

Outsourcing Security

Delegating security responsibilities to external parties or firms.

Social Media Presence

The online profiles and activities of individuals or organizations on social platforms.

Usernames from Emails

Deriving usernames from publicly available email addresses.

theHarvester

A tool that automates the search for email addresses, names and subdomains across multiple public sources.

Location Awareness

Mapping an individual's location history from multiple information sources for profiling.

Footprinting Process

The initial phase of gathering information about a target organization from an external perspective.

Study Notes

Ethical Hacking and Penetration Testing - Lecture 2: Information Gathering

  • The lecture is about information gathering in Ethical Hacking and Penetration Testing.
  • Information gathering (also called intelligence gathering) is the reconnaissance process run against a target to collect as much information as possible. That information is used to penetrate the target in later stages such as target scanning, vulnerability assessment, and exploitation.
  • The more information gathered, the more attack vectors can be identified.
  • Key types of Information Gathering include:
    • Competitive intelligence
    • Corporate Espionage
    • Information Warfare
    • Private Investigations
    • Pentesting

Competitive Intelligence

  • Relies on legal and ethical methods to gather data.
  • Over 95% of the information needed by companies to compete successfully comes from the public domain.
  • Helps organizations understand their competitive environment to make sound business decisions.

Corporate Espionage

  • This involves the illicit collection, collation, and analysis of information for economic gain.
  • "Trade Secrets" are valuable pieces of information that give a significant advantage over competitors who don't know them.
  • Yearly losses to US industries due to corporate espionage exceed $70 billion.

How Espionage is Done

  • A majority of illicit activities are internal, such as:
    • Disgruntled employees
    • Bribes from competitors
    • Industrial moles (planted individuals)
    • Companies employing competitors' employees to gain internal knowledge.
    • Applicants interviewing for jobs to get information
    • Spies pretending to be students, journalists, or venture capitalists

Information Warfare

  • State-sponsored information and electronically delivered actions designed to gain information superiority in support of national military strategy.
  • Aims to affect enemy information and information systems while protecting one's own.
  • Also involves electronic warfare, surveillance systems, precision strike, and advanced battlefield management.

Useful Information for Attackers

  • Structure: Organization charts, departmental diagrams

  • Infrastructure: Phone systems, network diagrams, IT support groups, and utility providers

  • People: Phone directories, email address books, employee information

  • Geography: Locations of the IT department, servers, and other crucial elements

  • Security Enforcing Functions: Access control, password policies, hardware reuse, firewall and IDS use, and other policies

  • Networks: Detailed network topologies, firewalls, routers, and proxy positions

  • Software/Hardware: Machine specifications, operating systems, software versions, and administration policies

Open-Source Intelligence (OSINT)

  • A method for compiling intelligence from publicly available sources.
  • Involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
  • This type of information gathering is used to identify entry points into an organization (physical, electronic, and human).
  • Many companies fail to recognize how public information can be used against them by attackers.
    • Employees also often do not consider the risks of putting personal information online.

OSINT Forms

  • Passive: Gather information from archived or stored sources. Can be outdated or incomplete. Useful if you don't want to be detected. (e.g., Google searches).
  • Semi-passive: Profile the target using methods that appear as normal internet traffic. Look for metadata, but don't try to actively scan for hidden data. (e.g., WHOIS database).
  • Active: Methods that are likely to be noticed by the target. (e.g., sending probe packets to test system vulnerabilities). Should be carefully planned.
  • Wayback Machine: Website archive
  • Google Dorks: Specialized search queries for specific information

Covert Gathering

  • On-site: Includes gathering information over several days, observing patterns, and reviewing physical security/employee behavior.
  • Off-site: Gathering information about the target's external relationships and their importance to the organization. Analyze openly shared information from websites, corporate webpages, and partner/supplier information.

Organizational Chart

  • Position Identification: Identifying important individuals
  • Transactions: Mapping changes in an organization (promotions, etc.)
  • Affiliates: Understanding connections to affiliate organizations

Electronic Metadata

  • Contains information about data or documents, such as author, creation time, location, standards used, etc.
  • File, network share, and folder paths embedded in a document are also electronic metadata.
  • Image metadata may contain camera information and coordinates/location.
  • Various tools are used to extract metadata (e.g., FOCA, metagoofil, exiftool).
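The following is an added example, not code from the lecture and not FOCA or metagoofil themselves: it does by hand what those tools do for Office documents. An Office Open XML file (.docx, .xlsx, .pptx) is a zip archive, and its docProps/core.xml and docProps/app.xml parts hold the author, last editor, timestamps, application version, company name and, when set, a HyperlinkBase path. The document parsed here is constructed in memory with fictitious names and a fictitious UNC path so the script runs offline; the same functions work on a downloaded file.

```python
"""Pull authorship and path metadata out of an Office Open XML document.

Added example, not code from the lecture. OOXML (.docx/.xlsx/.pptx) files
are zip archives; docProps/core.xml and docProps/app.xml carry the fields
that FOCA and metagoofil report. The document below is constructed in
memory so the script runs offline; the names and paths in it are made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample parts (fictitious author, company and UNC path).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>Mary Jones</cp:lastModifiedBy>
  <dcterms:created>2023-04-12T09:30:00Z</dcterms:created>
  <dcterms:modified>2023-05-01T16:05:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
  <HyperlinkBase>\\fileserver01\shares\finance\</HyperlinkBase>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-shaped archive (sample input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def _text(root: ET.Element, path: str):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return the recon-relevant docProps fields of an OOXML document."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:  # Dublin Core: who wrote/edited it and when
            core = ET.fromstring(zf.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
            meta["created"] = _text(core, "dcterms:created")
            meta["modified"] = _text(core, "dcterms:modified")
        if "docProps/app.xml" in names:  # extended properties: software, company, paths
            app = ET.fromstring(zf.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["app_version"] = _text(app, "ep:AppVersion")
            meta["company"] = _text(app, "ep:Company")
            meta["hyperlink_base"] = _text(app, "ep:HyperlinkBase")
    return meta


def recon_summary(meta: dict) -> dict:
    """Turn raw fields into what an attacker profiles: people, software, internal hosts."""
    people = {meta.get(k) for k in ("creator", "last_modified_by") if meta.get(k)}
    hosts = set()
    unc = re.match(r"^\\\\([^\\]+)\\", meta.get("hyperlink_base") or "")  # \\server\share\...
    if unc:
        hosts.add(unc.group(1).lower())
    software = " ".join(v for v in (meta.get("application"), meta.get("app_version")) if v)
    return {"people": sorted(people), "internal_hosts": sorted(hosts), "software": software}


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    print(meta)
    print(recon_summary(meta))
```

Note what the summary gives an attacker from one public PDF-turned-docx: a username format (jsmith), a second real name to search for on social media, the exact Office build to match an exploit or a convincing "please update" pretext against, and an internal file server name that never appears on any public DNS record. exiftool reports the same fields (`exiftool -Creator -LastModifiedBy -HyperlinkBase file.docx`), so the point of writing it out is to see where the data lives.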

Electronic Communications

  • Historical and current marketing materials can often reveal useful information about projects, specific technologies, and contacts. This includes colors, fonts, design components, and company contact details.

Infrastructure Assets

  • External Profile: Understanding the target's external infrastructure profile.
  • Tools: OSINT searches through forums, mailing lists, and other resources.
  • Social Engineering: Use of social engineering against IT organizations and product vendors to gather information.
  • Network Blocks: The IP ranges an organization owns are passively available via whois searches. DNSStuff is a tool that offers this information.
  • Email Addresses: Useful for gathering usernames and the domain structure. Sources include the company website and shared email groups such as groups.google.com.
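Added example for the semi-passive WHOIS lookups above and the network-block bullet here; it is not the lecture's code and not a whois client. The two records below are constructed to look like registrar and RIR output (example.com and 192.0.2.0/24 are reserved for documentation, so nothing here is a real target). In practice the text comes from `whois example.com` and `whois 192.0.2.1`; the parsing, the contact extraction and the NetRange-to-CIDR conversion are the same.

```python
"""Parse WHOIS-style records into recon fields: contacts, name servers, netblocks.

Added example, not the lecture's code and not a whois client: the records
below are constructed to look like registrar and RIR output (example.com
and 192.0.2.0/24 are reserved for documentation, so nothing here is a real
target).
"""
import ipaddress
import re
from collections import defaultdict

DOMAIN_WHOIS = """\
% Constructed sample shaped like registry output; not live data.
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2030-08-13T04:00:00Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Admin Email: jane.doe@example.com
Tech Email: noc@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: signedDelegation
"""

NETBLOCK_WHOIS = """\
# Constructed sample shaped like an RIR netblock record; not live data.
NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-NET-1
Organization:   Example Corp (EXAMP-1)
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_whois(text: str) -> dict:
    """Split 'Key: value' lines into a dict of lists; repeated keys (Name Server) are kept."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":   # registry comments / disclaimers
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def netrange_to_cidrs(netrange: str) -> list:
    """'a.b.c.d - e.f.g.h' -> minimal list of CIDR blocks covering the range."""
    lo, _, hi = netrange.partition("-")
    start, end = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def whois_profile(domain_text: str, netblock_text: str) -> dict:
    """Combine a domain record and a netblock record into one target profile."""
    d, n = parse_whois(domain_text), parse_whois(netblock_text)
    cidrs = [c for rng in n.get("netrange", []) for c in netrange_to_cidrs(rng)]
    return {
        "registrant_org": (d.get("registrant organization") or [None])[0],
        "registrar": (d.get("registrar") or [None])[0],
        "created": (d.get("creation date") or [None])[0],
        "dnssec": (d.get("dnssec") or [None])[0],
        "name_servers": [ns.lower() for ns in d.get("name server", [])],
        "emails": sorted(set(EMAIL_RE.findall(domain_text + netblock_text))),
        "netblocks": cidrs,
    }


if __name__ == "__main__":
    for key, value in whois_profile(DOMAIN_WHOIS, NETBLOCK_WHOIS).items():
        print(f"{key:15} {value}")
```

Two caveats a practitioner would add. Many registries now return redacted or privacy-proxy contacts, so the email list is often empty for the domain record and only the abuse/tech contacts of the netblock survive. And a netblock record tells you who is registered for the range, not what is live in it; turning the CIDR list into hosts is the active scanning covered next week.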

Remote Access

  • Methods used by employees and clients to connect.
  • Application, procedures, and user documentation can reveal details.

Active/Passive Fingerprinting

  • Passive: Using publicly available information to understand a target.
  • Active: Sending network requests to systems to test blocking patterns, analyze headers, and understand the protection mechanisms in place (e.g., using ping, traceroute, Nmap, or banner grabbing).
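Added example of the header-analysis half of active fingerprinting; it is not code from the lecture and is not Nmap. The response below is constructed with fictitious values so the analysis runs offline. grab_banner() shows the active step that produces such a response for real (a single HEAD request over TCP) and is deliberately not called by the offline demo, because that probe is exactly the detectable traffic active fingerprinting is about. The vendor indicators are heuristics keyed on headers and cookie names those products are known to set; treat them as evidence, not proof.

```python
"""Fingerprint a web host from its HTTP response headers.

Added example, not code from the lecture. SAMPLE_RESPONSE is constructed
(fictitious values); grab_banner() is the live, detectable probe and is not
run by the offline demo. Vendor indicators are heuristics.
"""
import socket
from collections import defaultdict

SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Mon, 01 May 2023 10:00:00 GMT\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0123456789abcdef-LHR\r\n"
    "Set-Cookie: __cf_bm=abc123; Path=/; HttpOnly; Secure\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>blocked</html>"
)

SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Active probe: one HEAD request over plain TCP. Only against hosts you are authorized to test."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def parse_response(raw: str):
    """Return (status code, {lower-case header name: [values]}) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = defaultdict(list)
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return status, dict(headers)


def fingerprint(raw: str) -> dict:
    """Derive server software, backend stack, edge/WAF layer and hardening gaps from headers."""
    status, h = parse_response(raw)
    first = lambda name: (h.get(name) or [""])[0]
    cookies = [c.split("=", 1)[0].strip() for c in h.get("set-cookie", [])]
    edge = []
    # Each rule keys on a header or cookie a vendor is known to set.
    if "cf-ray" in h or first("server").lower() == "cloudflare" or any(c.startswith("__cf") for c in cookies):
        edge.append("Cloudflare")
    if any(c.startswith(("incap_ses_", "visid_incap_")) for c in cookies):
        edge.append("Imperva Incapsula")
    if any(c.startswith("AWSALB") for c in cookies):
        edge.append("AWS Application Load Balancer")
    if "varnish" in first("via").lower() or "x-varnish" in h:
        edge.append("Varnish")
    return {
        "status": status,
        "server": first("server") or None,
        "backend": first("x-powered-by") or first("x-aspnet-version") or None,
        "edge": edge,
        "missing_security_headers": [n for n in SECURITY_HEADERS if n not in h],
        # 403/406/429 from an edge product on a plain HEAD means the probe itself was filtered.
        "probe_blocked": status in (403, 406, 429) and bool(edge),
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

The sample deliberately shows the usual lesson of the first probe: the Server header names the CDN, not the origin, so the only thing learned about the real stack is the leaked X-Powered-By, and the 403 says the edge filtered a bare HEAD request. That "blocking pattern" is itself a finding (it tells you what a later scan must look like to get through), and it is also what the target's CERT will see in its logs, which is why this step is classed as active.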

Human Capabilities

  • Presence of a company-wide CERT/CSIRT/PSRT team.
  • Advertisements for security jobs and developers
  • Contract details related to security outsourcing

Individuals - Employees

  • Internet Presence: Identifying a target's employees online. Includes email addresses, handles, nicknames, registered domains and static IPs.
  • Footprinting: Obtaining information about a target from an external perspective.
  • Social Media Presence: Verifying the target's presence on social media.
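Added example for the email-address points in this section and under Infrastructure Assets; it is not the lecture's code and not theHarvester. theHarvester automates the collecting part across search engines; the step after that, which the lecture only names, is turning harvested addresses into usernames: match them against names from the org chart, vote on the naming convention, and generate candidates for staff whose address was never published. PAGE_TEXT and ORG_CHART are constructed sample data at example.com.

```python
"""Harvest email addresses from page text and infer the username convention.

Added example, not the lecture's code and not theHarvester. PAGE_TEXT and
ORG_CHART are constructed sample data; example.com is a reserved domain.
"""
import re
from collections import Counter

PAGE_TEXT = """
Press enquiries: press@example.com
Jane Doe, Head of Sales - jane.doe@example.com
Mark O'Neil, IT Support - mark.oneil@example.com
Sam Lee (intern) - slee@example.com
"""

ORG_CHART = ["Jane Doe", "Mark O'Neil", "Sam Lee", "Priya Patel", "Tom Baker"]

# Common corporate local-part formats, as functions of (first, last).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def normalize(name: str) -> tuple:
    """'Mark O'Neil' -> ('mark', 'oneil'): lower-case, strip punctuation, first and last token."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def extract_emails(text: str, domain: str) -> list:
    """All addresses at `domain` found in free text, de-duplicated and lower-cased."""
    pattern = r"[A-Za-z0-9._%+-]+@" + re.escape(domain)
    return sorted({m.lower() for m in re.findall(pattern, text, flags=re.IGNORECASE)})


def infer_format(names: list, emails: list) -> list:
    """Vote: each (name, format) pair whose rendering is a harvested local part counts once."""
    local_parts = {e.split("@")[0] for e in emails}
    votes = Counter()
    for name in names:
        first, last = normalize(name)
        for fmt, render in FORMATS.items():
            if render(first, last) in local_parts:
                votes[fmt] += 1
    return votes.most_common()  # [('first.last', 2), ('flast', 1)] for the sample data


def candidate_usernames(names: list, emails: list, top: int = 2) -> tuple:
    """Rank formats by evidence and render the top ones for every name on the org chart."""
    ranked = [fmt for fmt, _ in infer_format(names, emails)][:top] or ["first.last"]
    candidates = {name: [FORMATS[fmt](*normalize(name)) for fmt in ranked] for name in names}
    return ranked, candidates


if __name__ == "__main__":
    found = extract_emails(PAGE_TEXT, "example.com")
    ranked, candidates = candidate_usernames(ORG_CHART, found)
    print("harvested:", found)
    print("formats by evidence:", ranked)
    for name, local_parts in candidates.items():
        print(f"{name:12} -> {[f'{u}@example.com' for u in local_parts]}")
```

The sample is chosen to show why you vote rather than trust the first match: two staff follow first.last but the intern got flast, which is common where the convention changed over time or where a collision forced an exception, so a credential-guessing list built from one format alone would miss those accounts. Role addresses such as press@ match no name and drop out of the vote on their own. Everything up to this point is passive; the moment the candidates are sent to a login portal or an SMTP server for validation, the activity becomes active and needs authorization.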

Lab and Reading Material

  • The lab tasks include gathering insights from tools like Whois, theHarvester, Google Dorks, and the Wayback Machine.
  • Reading materials include links to cheat sheets for Google Dorking and information on passive reconnaissance, OSINT, and social engineering.

Next Week

  • The following week's material will cover target scanning and enumeration.
