Passive and Semi-Passive Information Gathering

Questions and Answers

What is the primary characteristic of passive information gathering?

  • It aims to avoid detection by the target. (correct)
  • It typically uses automated tools to gather data.
  • It relies solely on publicly available information.
  • It involves direct interaction with the target's systems.

Which of the following is a drawback of using Open-Source Intelligence (OSINT)?

  • The information might be inaccurate or outdated. (correct)
  • It can be difficult to obtain information on specific organizations.
  • It requires specialized technical expertise to use effectively.
  • It can be time-consuming to gather information.

What is a key characteristic of semi-passive information gathering?

  • It aims to appear like normal internet traffic. (correct)
  • It involves using social engineering techniques.
  • It focuses on gathering information from confidential sources.
  • It requires advanced technical skills to implement.

Which of the following is an example of using a passive information gathering technique?

Analyzing content from a website's cached versions on Wayback Machine. (A)

What is the primary purpose of the WHOIS database?

To provide information about domain registrations. (C)

Which of the following actions is generally considered to be semi-passive information gathering?

Analyzing data from social media platforms like LinkedIn and Facebook. (C)

Why is it crucial for companies to understand their online presence and how it can be exploited?

To avoid reputational damage from potential cyberattacks. (D)

What is a key difference between passive and semi-passive information gathering?

Passive methods aim to avoid leaving any traces, while semi-passive methods may leave some evidence. (A)

What is a key reason for performing Open-Source Intelligence (OSINT) gathering?

To determine various entry points, including physical, electronic, and human, into an organization. (B)

Which of the following is NOT an example of a common element that an attacker might consider useful during an attack?

Marketing and advertising strategies of the target organization. (E)

In the context of Information Warfare, which of these actions is meant to achieve information superiority?

Gathering intelligence and understanding an adversary's capabilities and vulnerabilities. (E)

Which of the following is categorized as an Open-Source Intelligence (OSINT) gathering tool?

Publicly available search engines and online databases. (B)

How is "Information Warfare" defined as a strategy?

It is a set of actions taken through electronic means to achieve information superiority in support of a national military strategy. (C)

What is a common example of a false pretenses approach in intelligence gathering?

A student pretending to be a journalist to interview an executive and gain insider information. (A)

What is a potential outcome of extracting metadata from a document?

Creating a profile of the organization and its users. (D)

Which tool is described as a GUI-based program for extracting metadata from various file types?

FOCA (A)

What kind of information can be obtained from analyzing past marketing campaigns?

Contact information for external marketing organizations. (C)

What kind of information can be extracted from email addresses obtained from an organization's website?

A list of potential usernames and domain structure. (D)

What type of information can be obtained through an open-source search for IP addresses?

The types of infrastructure equipment used by the organization. (B)

What is a primary source for obtaining information about network blocks owned by an organization?

Publicly available domain name registration data. (B)

What is the significance of extracting metadata from a document?

It provides insights into the organization's internal structure and security practices. (A)

What type of information does metadata on an image typically include?

The date and time the image was taken. (A)

What is a characteristic of active information gathering?

It involves reconnaissance that can be deemed suspicious. (D)

Which method is NOT typically associated with active information gathering?

Whistleblowing (A)

Which of the following is an example of covert gathering?

Conducting physical inspections of security measures. (B)

What type of information might be sought during onsite intelligence gathering?

Types of equipment in use. (C)

Offsite information gathering includes identifying which of the following?

Data center locations related to the organization. (C)

Which element is NOT involved in social engineering during information gathering?

Surveying competitor's financial statements. (C)

What does document metadata provide?

Information about the data or document itself. (D)

Which activity would be least effective for covert onsite information gathering?

Conducting a formal employee survey. (A)

What is one way to assess if a company prioritizes security?

Inspect for frequent job listings for security positions. (D)

What should be checked to verify how security responsibilities are managed within the organization?

Check for outsourcing agreements regarding security. (A)

What does footprinting involve in the context of information gathering?

Gathering information through direct contact with the organization. (B)

Which tool is mentioned for automating the search for email addresses?

theHarvester (D)

How can one gather usernames associated with a company?

By looking for email addresses in publicly available sources. (B)

Which aspect of social media can provide insight into an employee's influence in security?

Verification of their active online security-related contributions. (A)

What might indicate that security is an important requirement for non-security roles within a company?

Job descriptions that list security as a skill requirement. (C)

What should be monitored for employees to understand their exposure and possible information leakage?

Their social media presence and interaction patterns. (C)

What is the primary purpose of information gathering in Ethical Hacking and Penetration Testing?

To understand the target's security posture and identify potential attack vectors. (A)

Which of the following is NOT a type of information gathering activity?

Security Testing (A)

What percentage of information required for successful competition is estimated to be available in the public domain?

95% (A)

What is the term used for the theft of trade secrets for economic gain?

Corporate Espionage (B)

What is the estimated annual loss to U.S. industries due to corporate espionage?

$70 billion (A)

Which of the following is NOT a phase of the penetration testing framework mentioned in the content?

Network Scanning (D)

What is the primary goal of intelligence gathering in penetration testing?

To gather as much information as possible about the target. (C)

What is the role of intelligence gathering in the penetration testing framework?

To provide context and information to guide the entire penetration test. (D)

Flashcards

Information Gathering

The process of gathering data to understand a target for penetration testing.

Open-Source Intelligence (OSINT)

Gathering publicly available data to derive intelligence about a target.

Footprinting

The technique of collecting information about a target's network and systems.

Competitive Intelligence

Legal and ethical data collection to understand competitors and inform decisions.

Corporate Espionage

The illegal collection of trade secrets for economic advantage.

Trade Secret

Confidential business information providing competitive advantage.

Information Warfare

Strategically using information to gain advantage over an adversary.

Pentesting

Simulated cyber attack to identify vulnerabilities in systems.

Inside Jobs

Illicit activities committed by employees from within an organization, often motivated by grievances or bribery.

False Pretenses

Deceptive tactics used to gather insider information, such as pretending to be someone else during job interviews.

Useful Information for Attackers

Types of information that can be exploited, including organizational structures and security weaknesses.

Security Enforcing Functions

Policies and controls implemented to safeguard an organization's information and physical access.

Social Engineering

Manipulative techniques used to trick individuals into divulging confidential information.

Intelligence Gathering Methods

Various strategies employed to collect information about an organization, including OSINT and scanning.

Types of OSINT

OSINT is categorized into three forms: Passive, Semi-passive, and Active.

Passive Information Gathering

Collecting information without alerting the target, using only stored resources like old data.

Semi-passive Information Gathering

Profiling a target while imitating normal internet behavior, avoiding attention.

Google Dorks / Dorking

A method of passive information gathering using advanced search queries to locate hidden data online.

WHOIS Database

A database that contains information about domain ownership, including contact details of the owner.

Wayback Machine

An online tool that shows how websites have changed over time by archiving pages.

Information Validity in OSINT

OSINT may not always be accurate or timely due to manipulation or obsolescence of sources.

Whois Command

A tool used to query information about domain registrations.

Active Information Gathering

Collecting data in a way that may alert the target to suspicious behavior.

Reconnaissance

The process of identifying and mapping network infrastructure.

Onsite Information Gathering

Collecting data at the target's physical location over time.

Offsite Information Gathering

Identifying information from outside the organization's physical premises.

Organizational Chart

A diagram that outlines the structure and important roles in an organization.

Document Metadata

Information embedded in a document that describes its properties.

Metadata

Data that provides information about other data, like authorship and location.

Importance of Metadata

Metadata helps identify internal networks, users, and software, which can aid cyber attacks.

Metadata Extraction Tools

Software used to retrieve metadata from files, such as FOCA and exiftool.

Fingerprinting Organizations with Collected Archives (FOCA)

A GUI tool used to search, download, and analyze documents for metadata.

Past Marketing Campaign Analysis

Reviewing previous marketing efforts for insights that can inform future projects.

Infrastructure Assets

Details about an organization's network and assets, often obtained via WHOIS searches.

Email Address Collection

Gathering email addresses to build a list of potential user accounts and domain structures.

Open-Source Searches

Using public resources to gather information about IP addresses and infrastructure.

CERT/CSIRT/PSRT

Teams that coordinate responses to computer security incidents.

Security Job Listings

Presence of advertised security positions in a company.

Outsourcing Security

When a company partially or fully delegates security responsibilities.

Social Media Verification

Confirming the existence of a target's social media accounts.

Internet Presence

Publicly available information associated with individuals, like email or nicknames.

Email Address Harvesting

Finding usernames or emails through various platforms.

theHarvester Tool

A Python tool for finding email addresses using search engines.

Footprinting Phase

Collecting external information by interacting with a target.

Study Notes

Ethical Hacking and Penetration Testing - Lecture 2: Information Gathering

  • The lecture covers information gathering, a crucial pre-engagement phase in penetration testing.
  • Information gathering, also known as intelligence gathering, involves reconnaissance to collect as much data as possible about a target.
  • This data is used to plan further phases, such as target scanning, vulnerability assessment, and exploitation.
  • More information gathered during this phase leads to more potential attack vectors.
  • Different types of information gathering include: competitive intelligence, corporate espionage, information warfare, private investigation, and penetration testing.

Competitive Intelligence

  • Uses legal and ethical methods to gather data.
  • Over 95% of needed information is publicly available.
  • Helps understand the competitive environment and improve business decisions.

Corporate Espionage

  • Involves collecting, collating, and analysing illicitly gained information.
  • Often includes theft of trade secrets for economic gain.
  • International Trade Commission estimates annual losses to U.S. industries from corporate espionage are over $70 billion.
  • Methods often include disgruntled/bribed employees, industrial moles, and false pretenses (e.g., pretending to be a student).

Information Warfare

  • State-sponsored electronically delivered actions to achieve information superiority in support of national military strategy.
  • Aims to affect enemy information systems whilst protecting own systems.
  • Includes electronic warfare, surveillance systems, precision strikes, and advanced battlefield management.

What's Useful to an Attacker

  • Organizational structure, departmental diagrams, contact details, IT infrastructure diagrams, support groups.
  • Contact information such as phone directories, email addresses, 'who's who' directories.
  • Geographic information and location of IT departments, servers, etc.
  • Security policies, hardware re-use, firewall / IDS use, e-mail policies, phone-use policies.
  • Network topologies, firewalls, routers, proxies, and their positions.
  • Server software, host software, database software, web server software, and administration policies.

Open Source Intelligence (OSINT)

  • A form of intelligence gathering using publicly available sources.
  • Involves finding, selecting and analysing information for actionable intelligence.
  • OSINT aims to determine entry points into an organization (physical, electronic, and/or human).
  • Many companies fail to consider how publicly available data can be exploited.
  • OSINT forms: Passive (no target detection), Semi-passive (normal traffic), and Active (suspicious behavior).

Open Source Intelligence (OSINT) - What it's not

  • OSINT data may not be accurate or up-to-date.
  • Information sources may be manipulated to misrepresent data.
  • Data can be incomplete or obsolete with time.

Tools

  • TheHarvester (Python tool) to search for email addresses.
  • Wayback Machine (web.archive.org) to see how websites evolved over time.
  • Google Dorks (specific search operators for Google).
  • WHOIS Database to find domain information.

Information Gathering – Covert Gathering (On-site)

  • Select locations for on-site reconnaissance for 2-3 days to identify patterns.
  • Conduct physical security inspections.
  • Employ wireless and radio frequency scanning.
  • Review employee behavior training and examine adjacent facilities.
  • Conduct dumpster diving and identify equipment in use.

External Relationships (Off-site)

  • Identify offsite locations and their importance to the organization (e.g., data centers, network providers, business partners).
  • Analyse publicly available information such as corporate websites, rental company listings, etc.
  • Use this data to understand business projects and create social engineering scenarios.

Organizational Chart

  • Identify important people and individuals.
  • Track transactions and map organizational changes.
  • Identify affiliate organizations tied to the business.

Electronic – Document Metadata

  • Metadata gives details about the data or document (name, creator, time, date, standards, location).
  • Image metadata might contain resolution, camera details, and coordinates.
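The lecture lists the fields that document metadata carries (name, creator, time, date, location). The following is an added example, not part of the lecture and not the code of FOCA or exiftool: it pulls the `/Info` dictionary out of a constructed, minimal PDF byte string, parses the PDF date format, and reports which fields would leak a person's name, software versions, or a time zone if the document were published as-is. Real PDFs normally reference `/Info` indirectly and may encode strings in UTF-16, so this parser is a teaching aid; use a proper metadata tool before releasing documents.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF-style byte string with an inline /Info dictionary.
# No real document or person; the values are invented for the example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog >> endobj
trailer
<< /Root 1 0 R
   /Info << /Title (Q3 network upgrade plan)
            /Author (Jane Doe)
            /Creator (Microsoft Word 2016)
            /Producer (Acrobat Distiller 11.0.7)
            /CreationDate (D:20230115093000+01'00') >> >>
%%EOF
"""

INFO_RE = re.compile(rb"/Info\s*<<(.*?)>>", re.DOTALL)
# /Key (literal string); handles backslash-escaped characters inside the string.
ENTRY_RE = re.compile(rb"/(\w+)\s*\(((?:[^()\\]|\\.)*)\)")
# PDF date: D:YYYYMMDDHHmmSS followed by an optional offset such as +01'00'.
PDF_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?"
)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+|\b(?:19|20)\d{2}\b")


def extract_info(pdf_bytes: bytes) -> dict:
    """Return the /Info entries as a plain dict of str -> str (empty if none found)."""
    match = INFO_RE.search(pdf_bytes)
    if not match:
        return {}
    # Latin-1 decoding keeps every byte; UTF-16 strings (BOM-prefixed) are out of scope here.
    return {key.decode("ascii"): value.decode("latin-1")
            for key, value in ENTRY_RE.findall(match.group(1))}


def parse_pdf_date(raw: str):
    """Convert a PDF date string to an aware datetime, or None if it does not parse."""
    match = PDF_DATE_RE.match(raw)
    if not match:
        return None
    year, month, day = (int(match.group(i)) for i in (1, 2, 3))
    hour, minute, second = (int(g) if g else 0 for g in match.groups()[3:6])
    tz = timezone.utc
    sign = match.group(7)
    if sign in ("+", "-"):
        offset = timedelta(hours=int(match.group(8) or 0), minutes=int(match.group(9) or 0))
        tz = timezone(offset if sign == "+" else -offset)
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def audit_info(info: dict) -> dict:
    """Flag metadata fields that profile the organisation: names, software versions, time zone."""
    findings = []
    if info.get("Author"):
        findings.append(f"Author discloses a personal name: {info['Author']}")
    software = [info[k] for k in ("Creator", "Producer") if k in info]
    for value in software:
        if VERSION_RE.search(value):
            findings.append(f"Software and version disclosed: {value}")
    created = parse_pdf_date(info["CreationDate"]) if "CreationDate" in info else None
    if created is not None and created.utcoffset() is not None:
        hours = created.utcoffset().total_seconds() / 3600
        findings.append(f"Creation time carries a UTC offset of {hours:+.1f} h (hints at location)")
    return {
        "fields": info,
        "software": software,
        "created": created.isoformat() if created else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_info(extract_info(SAMPLE_PDF))
    for line in report["findings"]:
        print(line)
```

Run over a directory of files about to be published, a script like this gives a quick pre-release check for exactly the fields the lecture says an attacker would collect with FOCA.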

Electronic - Marketing Communications

  • Past marketing campaigns may provide information on retired products or services.
  • Current materials may reveal internal information and external contact details.

Infrastructure Assets

  • Network blocks are passively gathered, often by utilizing whois search engines (e.g., DNSStuff).
  • Open-source search queries for IP addresses give details about the organization's infrastructure.
  • Email addresses can reveal usernames and domain structures.

Information Gathering – Continued

  • Remote access details (how employees connect remotely) might reveal an entry point.
  • Application usage patterns can be identified from documents and public files.
  • Defensive technologies (e.g. firewalls, antivirus software) can be tracked.

Information Gathering – Continued

  • Passive fingerprinting involves searching forums for information on the target's systems/technology.
  • Active fingerprinting uses probe packets to analyze systems' responses, and test for vulnerabilities.
  • Example applications or systems: email gateways, anti-virus scanners.

Human Capability

  • Analyze if a company has an incident response team (CERT/CSIRT/PSRT).
  • Check advertisements for security-related positions.
  • Check if security is a requirement for non-security roles.
  • Determine if agreements or security duties are outsourced.

Individuals - Employees

  • Analyze location history, social media presence, email addresses, personal domain names.
  • Use this information to find usernames on the internet, with tools like theHarvester (Python).
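The "Infrastructure Assets" notes say that email addresses reveal usernames and domain structure, and this section points to theHarvester for collecting them. The following is an added example, not part of the lecture and not theHarvester's own code: it runs the analysis step locally over a constructed block of text (no search engines, no network), extracts the addresses, infers the organisation's username convention and notes sub-domains that hint at internal structure. The sample text, the role-mailbox list and the pattern heuristics are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: text as it might be copied from a public web page or a cached page.
# example.com is a reserved documentation domain; no real organisation is referenced.
SAMPLE_PAGE = """
Press office: jane.doe@example.com or john.smith@example.com.
Support: support@example.com | Sales EMEA: a.khan@emea.example.com
Former staff page (cached): mwilson@example.com
Not addresses: user@localhost, admin@, foo@@example.com
"""

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")

# Generic mailboxes that say nothing about how people's accounts are named (assumed list).
ROLE_MAILBOXES = {"support", "sales", "info", "admin", "press", "hr", "security",
                  "abuse", "noreply", "no-reply", "postmaster", "webmaster"}


def harvest(text: str) -> list:
    """Return unique (local_part, domain) pairs, lower-cased and sorted."""
    found = {(local.lower(), domain.lower()) for local, domain in EMAIL_RE.findall(text)}
    return sorted(found)


def classify_local(local: str) -> str:
    """Heuristic naming-pattern label for one local part."""
    if local in ROLE_MAILBOXES:
        return "role"
    parts = local.split(".")
    if len(parts) == 2 and all(p.isalpha() for p in parts):
        return "f.last" if len(parts[0]) == 1 else "first.last"
    if local.isalpha() and len(local) >= 4:
        return "flast"  # single token such as "mwilson": initial + surname
    return "other"


def exposure_report(text: str) -> dict:
    """Summarise what a block of public text gives away about accounts and domains."""
    emails = harvest(text)
    domains = Counter(domain for _, domain in emails)
    patterns = Counter(classify_local(local) for local, _ in emails)
    patterns.pop("role", None)  # role mailboxes do not vote on the convention
    convention = patterns.most_common(1)[0][0] if patterns else None
    # More than two labels hints at a sub-domain (regional office, business unit).
    # This misreads two-level public suffixes such as example.co.uk; a public-suffix
    # list would be needed for that.
    subdomains = sorted(d for d in domains if d.count(".") > 1)
    return {"emails": emails, "domains": domains,
            "naming_convention": convention, "subdomains": subdomains}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_PAGE)
    print("addresses found:", len(report["emails"]))
    print("domains:", dict(report["domains"]))
    print("likely username convention:", report["naming_convention"])
    print("sub-domains:", report["subdomains"])
```

Pointed at your own organisation's published pages, the report shows how much of the username convention is inferable from a handful of addresses, which is the exposure the lecture describes; that is the input for deciding which addresses should be generic role mailboxes rather than personal ones.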

Summary

  • The lecture introduced information gathering, a practical phase of ethical hacking.
  • Offers tools and methodology that an ethical hacker can adopt.
