Information Gathering


The information gathering phase involves footprinting and scanning, and it is of utmost importance. Good information gathering can make the difference between a successful penetration test and one that fails to provide maximum benefit to the client. An amazing amount of information is available about most organizations in business today. It can be found on the organization’s website, in trade papers, on Usenet, in financial databases, or even from disgruntled employees. Some of these potential sources are discussed below.

Information gathering techniques fall into two main categories:

  • Active Information Gathering – The tester engages directly with the target, for example by port scanning to learn which ports are open, which services are running and which operating system is in use. These techniques are noisy at the receiving end: they are easily detected by IDS, IPS and firewalls, and they leave a log of the tester’s presence, so they are not always advisable.
  • Passive Information Gathering – There is no direct engagement with the target; search engines, social media and other websites are used to gather information about it. It is usually the recommended starting point, since no log of the tester’s presence is generated on the target’s systems. Social networking sites such as LinkedIn and Facebook are used to gather information about employees and their interests, which is useful later in phishing, keylogging, browser exploitation and other client-side attacks against those employees.

There are many sources to gather information from, including social media websites, search engines, forums, press releases, people-search services and job sites. Information gathering can be broken into seven logical steps:

  • Unearth initial information
  • Locate the network range
  • Ascertain active machines
  • Discover open ports / access points
  • Detect operating systems
  • Uncover services on ports
  • Map the Network
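The active side of the steps above (ascertaining active machines, discovering open ports and uncovering the services on them) and the "noisy at the other end" point made about active gathering can be seen in one place with a small TCP connect scan. The following is an added example, not code from the original page: it scans a target, grabs whatever banner each open port volunteers, and guesses the service from it. Because it has to run offline, the target is a constructed local listener (FakeService, with an invented SMTP-style banner for mail.example.test) that also keeps its own connection log, standing in for the IDS or firewall log a real host would write. The banner-to-service table (BANNER_HINTS) is a deliberately tiny stand-in for the probe databases a real scanner uses.

```python
import socket
import threading

# Constructed stand-in for a target host: a local TCP service that sends a
# banner to anyone who connects and keeps its own connection log.  It is an
# illustration only; the banner text and host name are made up.
class FakeService:
    def __init__(self, banner=b"220 mail.example.test ESMTP ready\r\n"):
        self.banner = banner
        self.log = []                        # the defender's side: who connected
        self._running = True
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))     # port 0: the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # lets the accept loop check _running
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self._running:
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.log.append("connection from %s:%d" % addr)
            conn.sendall(self.banner)
            conn.close()
        self.sock.close()

    def stop(self):
        self._running = False


def scan_ports(host, ports, timeout=1.0):
    """TCP connect scan.  Returns {port: banner} for every port that accepted
    the connection; the banner is None if the service sent nothing in time."""
    open_ports = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # full handshake: noisy and logged
        except OSError:                      # refused (closed) or timed out (filtered)
            s.close()
            continue
        banner = None
        try:
            data = s.recv(256)               # banner grab: send nothing, just listen
            if data:
                banner = data.decode("ascii", errors="replace").strip()
        except OSError:
            pass
        finally:
            s.close()
        open_ports[port] = banner
    return open_ports


# Very small banner-to-service map; a real scanner uses probe databases.
BANNER_HINTS = (
    ("SSH-", "ssh"),
    ("ESMTP", "smtp"),
    ("SMTP", "smtp"),
    ("HTTP/", "http"),
    ("FTP", "ftp"),
)


def guess_service(banner):
    """Map a banner to a service name using BANNER_HINTS, or 'unknown'."""
    if not banner:
        return "unknown"
    for needle, name in BANNER_HINTS:
        if needle in banner:
            return name
    return "unknown"


def free_port():
    """Bind and release a port so the scan has a known-closed port to try."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = FakeService()
    closed = free_port()
    found = scan_ports("127.0.0.1", [closed, target.port])
    for port, banner in sorted(found.items()):
        print("open %5d  %-8s %s" % (port, guess_service(banner), banner))
    print("target's log:", target.log)       # the scan did not go unnoticed
    target.stop()
```

Every port the scanner reports as open corresponds to an entry in the target's log: a connect scan completes the three-way handshake, so the service itself sees the connection, which is exactly why this kind of gathering is deferred until passive sources have been exhausted.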

Footprinting covers the first two steps: unearthing initial information and locating the network range. Open source footprinting gathers information from freely available sources; details such as URLs, DNS tables and domain names are easy to obtain and within legal limits. Checking the HTML (Hypertext Markup Language) source code of the website can reveal links, comments and meta tags. The information available from open sources includes general information about the target, employee information, business information, postings in newsgroups (for example about the organization’s computer systems), links to company and personal websites, and the HTML source code itself.
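As an added example (not code from the original page), the following script does the HTML source check described above on a page that has already been saved offline: it pulls out every link, every developer comment and every meta tag, then separates the host names the page links to from the site’s own host, since those are candidate targets and third parties in their own right. The sample page, host names (example.test, intranet.example.test), e-mail address and comment are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FootprintParser(HTMLParser):
    """Collect the three things worth reading in page source: links, comments, meta tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []        # absolute URLs of every <a href>
        self.emails = []       # addresses from mailto: links
        self.comments = []     # developer comments left in the markup
        self.meta = {}         # name/property/http-equiv -> content

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)                      # attribute names arrive lowercased
        if tag == "a" and attrs.get("href"):
            href = attrs["href"].strip()
            if href.lower().startswith("mailto:"):
                self.emails.append(href[7:])
            else:
                self.links.append(urljoin(self.base_url, href))
        elif tag == "meta":
            key = attrs.get("name") or attrs.get("property") or attrs.get("http-equiv")
            if key and "content" in attrs:
                self.meta[key.lower()] = attrs["content"]

    def handle_comment(self, data):
        self.comments.append(data.strip())


def footprint(html, base_url):
    """Parse one saved page and summarise what it gives away."""
    parser = FootprintParser(base_url)
    parser.feed(html)
    parser.close()
    base_host = urlparse(base_url).hostname
    hosts = sorted({urlparse(u).hostname for u in parser.links} - {None})
    return {
        "links": parser.links,
        "hosts": hosts,
        "other_hosts": [h for h in hosts if h != base_host],  # new targets / third parties
        "emails": parser.emails,
        "comments": parser.comments,
        "meta": parser.meta,
    }


# Constructed sample page; the host names, address and comment are invented.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.9.8">
<meta name="author" content="Web Team">
<!-- TODO: remove /old-admin/ before launch -->
</head><body>
<a href="/about">About</a>
<a href="/old-admin/">admin</a>
<a href="https://intranet.example.test/login">Staff login</a>
<a href="https://www.linkedin.com/company/example-test">LinkedIn</a>
<a href="mailto:jane.doe@example.test">Contact</a>
</body></html>"""


if __name__ == "__main__":
    report = footprint(SAMPLE_HTML, "https://www.example.test/")
    for key, value in report.items():
        print(key, "->", value)
```

On the constructed page the generator meta tag names the CMS and its version (the "application types" the next paragraph says must be uncovered), the comment points at an administrative path the site owner meant to remove, the intranet link exposes an internal host name, and the mailto: link yields an employee address in the organization's naming format.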

The information gathered during footprinting should reveal the network architecture and the server and application types where valuable data is stored. Before an attack or exploit can be launched, the operating system and version as well as the application types must be uncovered so that the most effective attack can be chosen. Information gathered during footprinting usually includes domain names, network blocks, network services and applications, system architecture, intrusion detection systems, authentication mechanisms, specific IP addresses, access control mechanisms, phone numbers and contact addresses. Compiled together, this information gives better insight into the organization, where its valuable information is stored, and how it can be accessed.

The attacker may choose to source the information from:

  • Web pages (saved offline, e.g., using an offline browser such as Teleport Pro, downloadable at http://www.tenmax.com/teleport/pro/home.htm), Yahoo! or other directories. (Tifny is a comprehensive search tool for USENET newsgroups; it improves the experience by keeping track of previous usage.)
  • Meta-search engines that query several engines at once (All-in-One, Dogpile), and groups.google.com, which is a great resource for searching large numbers of newsgroup archives without a dedicated tool.
  • Advanced search on websites (e.g., AltaVista, where reverse-link searches can unearth links to vulnerable sites).
  • Searches on publicly traded companies (e.g., the SEC’s EDGAR filings).
