4-Information Gathering (Ch4).pdf
2024
CYB515 Vulnerability Assessment
Dr. Farrukh A. Khan, Professor of Cybersecurity, [email protected]
Master in Cybersecurity Program, Al Yamamah University (Fall 2024 Semester)
REFERENCE: Book: Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure. Author: Sagar Rahalkar. Chapter 4: Information Gathering

Slide 2: Information Gathering
In this chapter, the following topics will be covered:
- Defining information gathering
- Passive information gathering
- Active information gathering

Slide 3: What is information gathering?
Information gathering is the first step toward the actual assessment. Before targets are scanned using vulnerability scanners, testers should know more details about the assets in the scope of the testing. This helps the testing team prioritize assets for scanning.

Slide 4: Importance of information gathering
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe." This is a very old and famous quote by Abraham Lincoln. The same applies to the time spent gathering as much information as possible before performing any security assessment. Unless and until you know your target inside and out, you will not succeed in assessing its security. It is crucial to have a 360-degree view of the target and to gather all possible information about it through all available sources. Once you are confident that you have gathered enough information, you can plan the actual assessment effectively. Information gathering can be of two types: passive information gathering and active information gathering.

Slide 5: Passive information gathering
Passive information gathering is a technique in which no direct contact is made with the target. All the information is obtained through an intermediate source, which may be publicly available. The internet has many useful resources that can help with passive information gathering.
Slide 6: Passive information gathering
The following diagram describes how passive information gathering works. (diagram)

Slide 7: Passive information gathering
Here is how it works:
1. The client system first sends a request to an intermediate system.
2. The intermediate system probes the target system.
3. The target system sends the result back to the intermediate system.
4. The intermediate system forwards it back to the client.
So there is no direct contact between the client and the target system; hence, the client is partially anonymous to the target system.

Slide 8: Reverse IP lookup
Reverse IP lookup is a technique used to probe a given IP address for all the domains it hosts. You feed in the target IP address and are returned all the domains hosted on that IP address. One such tool for reverse IP lookup is available online at http://www.yougetsignal.com/tools/web-sites-on-web-server/. Reverse IP lookup works only on Internet-facing websites and is not applicable to sites hosted on an intranet.

Slide 9: Site report
Once you have the target domain, you can get a lot of useful information about it, such as its registrar, name servers, DNS admin, the technology used, and so on. Netcraft, available at http://toolbar.netcraft.com/site_report, is a very handy tool for fingerprinting domain information online.

Slide 10: Site report
(screenshot: Netcraft site report)

Slide 11: Site archive and way-back
It is very common for a site to undergo changes at regular intervals. Normally, when a site is updated, there is no way for end users to see its previous version. However, the site https://archive.org/ takes you to past versions of a given site. This may reveal information you were looking for that is not present in the latest version of the site.

Slide 12: Site archive and way-back
(screenshot: archive.org)

Slide 13: Site metadata
Getting access to the metadata of the target site can provide a lot of useful information. The site http://desenmascara.me provides metadata for any given target site.
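One kind of site metadata that the slides above refer to is what a web server says about itself in its HTTP response headers. The script below, an added example that is not from the slides or the book, parses a raw HTTP response, lists the headers that disclose the technology stack (Server, X-Powered-By, session-cookie names, and so on), and reports which common hardening headers are absent, which is the check a defender runs against their own sites to see what a passive observer can learn. The sample response is constructed, not captured from a real site.

```python
"""Fingerprint what a web server reveals about itself from its HTTP
response headers.  Added example (not from the slides or the book); the
sample response below is constructed, not captured from a real site."""

import re

# Headers that commonly disclose the technology stack.  HTTP header names
# are case-insensitive, so everything is compared lower-cased.
DISCLOSURE_HEADERS = {
    "server": "web server software/version",
    "x-powered-by": "application framework",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-generator": "CMS/site generator",
    "via": "intermediate proxy/CDN",
}

# Hardening headers a defender would expect on an Internet-facing site.
HARDENING_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)

# Constructed sample response for demonstration (not a real server's output).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 02 Sep 2024 10:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=constructedvalue; path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, {header: value}).

    Only the header block (up to the first blank line) is parsed; header
    names are lower-cased and repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than crash
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def extract_versions(value):
    """Pull product/version tokens such as 'Apache/2.4.29' out of a header value."""
    return re.findall(r"[A-Za-z][\w.-]*/\d[\w.]*", value)


def fingerprint(raw):
    """Return what the response discloses and which hardening headers are absent."""
    status_line, headers = parse_response_headers(raw)
    disclosed = {}
    for name, meaning in DISCLOSURE_HEADERS.items():
        if name in headers:
            disclosed[name] = {
                "value": headers[name],
                "meaning": meaning,
                "versions": extract_versions(headers[name]),
            }
    # Session cookie names also hint at the platform (PHPSESSID, JSESSIONID, ...).
    cookie_hint = re.match(r"\s*([A-Za-z_]+)=", headers.get("set-cookie", ""))
    return {
        "status": status_line,
        "disclosed": disclosed,
        "session_cookie": cookie_hint.group(1) if cookie_hint else None,
        "missing_hardening": [h for h in HARDENING_HEADERS if h not in headers],
    }


if __name__ == "__main__":
    report = fingerprint(SAMPLE_RESPONSE)
    print(report["status"])
    for name, info in report["disclosed"].items():
        print(f"  {name}: {info['value']}  ({info['meaning']}; versions {info['versions']})")
    print("  session cookie:", report["session_cookie"])
    print("  missing hardening headers:", ", ".join(report["missing_hardening"]))
```

Run against a saved response (for example the output of `curl -sI` against a host you administer), the report shows exactly the version strings a passive metadata service would publish about that host.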
The metadata typically includes domain information, header flags, and so on, as shown in the following screenshot.

Slide 14: Site metadata
(screenshot: desenmascara.me)

Slide 15: Looking for vulnerable systems using Shodan
Shodan is a search engine that can provide very interesting results from a vulnerability exploitation perspective. Shodan can be used effectively for finding weaknesses in all kinds of internet-connected devices, such as webcams, IP devices, routers, smart devices, industrial control systems, and so on. Shodan can be accessed at https://www.shodan.io/. The following screenshot shows the home screen of Shodan. You need to create an account and log in in order to run search queries.

Slide 16
(screenshot: Shodan home screen)

Slide 17
Shodan provides an out-of-the-box Explore option that lists the search results for the most popular search queries.

Slide 18
The above screenshot shows the search results for online webcams. The search results can be further classified by geographical location.

Slide 19: Advanced information gathering using Maltego
Maltego is an extremely powerful, capable, and specialized information gathering tool. By default, it is part of Kali Linux. Maltego has numerous sources through which it can gather information about any given target. From a Maltego perspective, a target could be a name, email address, domain, phone number, and so on. You need to register a free account in order to access Maltego.

Slide 20
(screenshot: Maltego)

Slide 21
The above screenshot shows a sample search result for the domain https://www.paterva.com. A search query is known as a transform in Maltego. Once a transform is complete, it presents a graph of the information obtained. All the nodes of the graph can be further transformed as required.

Slide 22: theHarvester
Having email addresses belonging to the target system/organization can prove useful during later phases of penetration testing. theHarvester helps gather the various email addresses belonging to the target system/organization. It uses various online sources to gather this information.
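The core of what theHarvester does for a domain is: collect text from several sources, pull out addresses, keep only those under the target domain, deduplicate, and write a report. The script below is an added example of that core, not theHarvester's own code; the "search results" are constructed strings embedded in the script so it runs offline. It goes a little beyond the slide in two places: it undoes common anti-scraping spellings such as `user [at] host [dot] tld`, and it rejects look-alike hosts (`demo.testfire.net.evil.example`) that a naive suffix match would accept. An organization can run the same logic over its own public pages to see which staff addresses are exposed.

```python
"""Harvest e-mail addresses for one domain from already-fetched page text
and render a small HTML report, in the spirit of theHarvester's -d / -h
options.  Added example, not theHarvester's code; the page contents below
are constructed and embedded so the script runs offline."""

import html
import re

# Constructed sample "search results": (source, page text).  Real use would
# replace these with text fetched from search engines or other sources.
SAMPLE_PAGES = [
    ("google", "Contact Alice.Smith@demo.testfire.net or bob@demo.testfire.net "
               "for support. Press: press@other-company.example"),
    ("bing", "Reach carol [at] demo.testfire.net or bob@DEMO.testfire.net; "
             "careers at jobs(at)demo(dot)testfire(dot)net"),
    ("github", "# TODO mail dave@mail.demo.testfire.net about the build\n"
               "admin@demo.testfire.net.evil.example is a look-alike"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def deobfuscate(text):
    """Turn common anti-scraping spellings back into plain addresses:
    'user [at] host [dot] tld' or 'user(at)host(dot)tld' -> 'user@host.tld'."""
    text = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", text, flags=re.I)
    text = re.sub(r"\s*[\[(]\s*dot\s*[\])]\s*", ".", text, flags=re.I)
    return text


def belongs_to(address, domain):
    """True if the address is on `domain` itself or one of its subdomains.
    A plain endswith(domain) test would wrongly accept look-alike hosts."""
    host = address.rsplit("@", 1)[1].lower()
    return host == domain or host.endswith("." + domain)


def harvest(pages, domain):
    """Return {address: sorted list of sources} for addresses under `domain`."""
    domain = domain.lower()
    found = {}
    for source, text in pages:
        for addr in EMAIL_RE.findall(deobfuscate(text)):
            if not belongs_to(addr, domain):
                continue
            # Domains are case-insensitive; local parts are treated the same
            # here because mail systems almost always do so in practice.
            found.setdefault(addr.lower(), set()).add(source)
    return {addr: sorted(srcs) for addr, srcs in sorted(found.items())}


def render_html(results, domain):
    """Build a minimal HTML report.  Harvested text is escaped so that a
    crafted address on a scraped page cannot inject markup into the report."""
    rows = "".join(
        f"<tr><td>{html.escape(addr)}</td><td>{html.escape(', '.join(srcs))}</td></tr>"
        for addr, srcs in results.items()
    )
    return (f"<html><body><h1>Addresses for {html.escape(domain)}</h1>"
            f"<table><tr><th>Address</th><th>Sources</th></tr>{rows}</table>"
            "</body></html>")


if __name__ == "__main__":
    results = harvest(SAMPLE_PAGES, "demo.testfire.net")
    for addr, sources in results.items():
        print(f"{addr:40} {', '.join(sources)}")
    print(render_html(results, "demo.testfire.net"))
```

The report string can be written to a file such as output.html, mirroring the command on the next slide; keeping the per-source list makes it possible to trace each exposed address back to where it was published.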
Slide 23
root@kali:~# theharvester -d demo.testfire.net -l 20 -b google -h output.html
The above syntax executes theharvester on the domain demo.testfire.net, looks for up to 20 email IDs using Google as the search engine, and then stores the output in the output.html file.

Slide 24: Active information gathering
Unlike passive information gathering, which involves an intermediate system for gathering information, active information gathering involves a direct connection with the target. The client probes the target for information directly, with no intermediate system in between. While this technique may reveal much more information than passive information gathering, there is always a chance of security alarms going off on the target system. Since there is a direct connection with the target system, all the information requests will be logged and can later be traced back to the source. The following diagram depicts active information gathering, where the client directly probes the target system. (diagram)

Slide 25: Active information gathering with SPARTA
SPARTA is an excellent active information gathering tool. It is part of the default Kali setup. The following screenshot shows the home screen of SPARTA. In the left pane, you simply add the IP/host you want to probe.

Slide 26
(screenshot: SPARTA home screen)

Slide 27: Active information gathering with SPARTA
Once it is given the IP/host, SPARTA quickly gets into action by triggering various tools and scripts, starting with Nmap. It does a quick port scan and goes further with service identification. It also provides screenshots of the various web interfaces the target might be running and, most interestingly, it also automatically tries to retrieve passwords for the various services running on the target system.

Slide 28
Sample results from one of the SPARTA scans: (screenshot)

Slide 29: Recon-ng
Recon-ng is an extremely powerful and flexible tool that is capable of performing both passive and active information gathering.
It has numerous modules that can be plugged in and triggered to gather information as required. It functions quite similarly to Metasploit.

Slide 30: Recon-ng
Various modules available as part of Recon-ng: (screenshot)

Slide 31: Recon-ng
We can select any module of our choice and then execute it. Recon-ng is a tool that provides a wealth of information about the target system. You can explore the various modules of Recon-ng to better understand its capabilities and usability.

Slide 32: Dmitry
Dmitry is another versatile tool in Kali Linux that is capable of both passive and active information gathering. It can perform whois lookups and reverse lookups. It can also search for subdomains and email addresses, and it can perform port scans as well. It is very easy to use, as shown in the following screenshot.

Slide 33: Dmitry
root@kali:~# dmitry -wn -o output.txt demo.testfire.net
The above command performs a whois lookup, retrieves site information from Netcraft, and then writes the output to the file output.txt.
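The active information gathering slides make the point that direct probing (the port scan, service identification and web-interface checks that SPARTA drives through Nmap) is logged on the target and can be traced back to its source. The script below is an added example, not from the slides or the book, of what that tracing looks like from the defender's side: it parses web-server access-log lines in the Apache/Nginx combined format and flags sources that show probing behaviour (a known scanner user-agent, many distinct paths in a short window, or a high 404 ratio). The log lines are constructed; the Nmap Scripting Engine user-agent string is the tool's real default, and the thresholds are assumptions to tune per site.

```python
"""Spot active reconnaissance (probing of a web interface) in web-server
access logs.  Added example, not from the slides or the book: the log
lines below are constructed, the thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta
import re

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that identify scanning tools by their default user-agent.
# "Nmap Scripting Engine" is Nmap's real default for its HTTP scripts;
# extend the tuple with signatures you see in your own environment.
SCANNER_UA_MARKERS = ("nmap scripting engine",)

NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
USER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"

# Constructed sample: 198.51.100.7 behaves like a scanner, 203.0.113.5 like a user.
SAMPLE_LOG = "\n".join([
    f'203.0.113.5 - - [02/Sep/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{USER_UA}"',
    f'203.0.113.5 - - [02/Sep/2024:10:00:03 +0000] "GET /login.jsp HTTP/1.1" 200 2048 "-" "{USER_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{NSE_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "{NSE_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "{NSE_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:01 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "{NSE_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:02 +0000] "GET /manager/ HTTP/1.1" 404 210 "-" "{NSE_UA}"',
    f'198.51.100.7 - - [02/Sep/2024:10:05:02 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "{NSE_UA}"',
    f'203.0.113.5 - - [02/Sep/2024:10:06:10 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "{USER_UA}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        events.append(d)
    return events


def detect_recon(events, window=timedelta(seconds=60), min_paths=5, min_404_ratio=0.5):
    """Return {ip: findings} for sources whose behaviour looks like active probing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        if any(m in e["ua"].lower() for e in evs for m in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        # Sliding window: the most distinct paths requested within `window`.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["path"] for e in evs[start:end + 1]}))
        if best >= min_paths:
            reasons.append(f"{best} distinct paths within {int(window.total_seconds())}s")
        # Guessing at paths that do not exist produces a high share of 404s.
        not_found = sum(1 for e in evs if e["status"] == 404)
        ratio = not_found / len(evs)
        if not_found >= 3 and ratio >= min_404_ratio:
            reasons.append(f"404 ratio {ratio:.2f}")
        if reasons:
            findings[ip] = {"requests": len(evs), "first_seen": evs[0]["ts"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in detect_recon(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['requests']} requests from {f['first_seen']}; " + "; ".join(f["reasons"]))
```

The three signals are deliberately independent: a scanner that changes its user-agent still trips the path-count and 404 checks, and a slow scan that stays under the window threshold still shows up through the 404 ratio. Port scans of non-HTTP services do not appear in web logs at all; for those, the equivalent check is run over firewall or NetFlow records.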