How to start information gathering?

Control is an Illusion is what I believe in, and it’s showtime now. Yes! Today we’ll move towards this quote by understanding how to gather information about a target. Till now, we were beating around the bush to prepare ourselves to stand in front of it. The time has come to use the Linux skills you gathered in the last article.

The best hacks are not about how cool the attacks are but about how crucial information is extracted. Information gathering is the first phase of hacking, and this is where things start.

First Phase of Hacking

The first phase of hacking is about finding the online presence of the target, which will then reveal the information one will need later on. If you’re doing network pen-testing, you’ll collect information about the network; if it is web pen-testing, it will be about the application.

Types of information gathering

First things first: information gathering is classified into 2 categories:

  • Active Information Gathering: In this, we directly interact with the target to collect information about them, like what ports are open, which OS they use, etc. This kind of information collection is very noisy. By noisy, I mean that it will leave your traces on the target system (in its logs, for example). Hence, we don’t use this way directly.
  • Passive Information Gathering: In this, we gather information about the target from online sources like social media, Google, and other websites, without directly engaging with the target. Since you won’t be interacting with the target’s system, the target may not know about you. Hence, this is the preferred way.

Digging it deep

Collecting information passively is similar to doing analysis before investing in the stock market. Information is everywhere; you just have to find the proper sources and collect as much information as you can. Let us take site.com as a sample website. To start with, here are some sources:

1. WhoIs

WhoIs is a huge database of registration information about every domain. It can provide you information like the owner of the website and their email.

sudo apt install whois    <-- to install
whois site.com            <-- usage

2. Traceroute

Traceroute provides information about network layout. Nope, not which ports are open, but it will tell you how the path to the target is routed, and hence where firewalls, load balancers, etc. sit in front of it.
There are 3 types of traceroute, differing in the protocol of the probe packets (UDP, ICMP, or TCP); tcptraceroute is the TCP one.

traceroute site.com              <-- usage
sudo apt install tcptraceroute   <-- to install tcp traceroute
tcptraceroute site.com           <-- usage

3. WhatWeb

WhatWeb is a package that does active footprinting of a website. It has more than 800 plugins to identify details like server version, email addresses, and SQL errors. It is available in Kali and can be used by

whatweb site.com
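The active-gathering bullet above says that direct interaction leaves traces on the target, and WhatWeb is the one active tool on this page. As an added example (not from the original post), here is the target’s side of that: a small Python script that parses constructed web-server access-log lines and flags requests from fingerprinting tools by their User-Agent. The “WhatWeb/0.5.5” User-Agent string and the marker list are assumptions, and the script covers a few other common scanners, not only WhatWeb.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common "combined" access-log format: one normal
# visitor, then a WhatWeb run. The "WhatWeb/0.5.5" User-Agent is assumed to be
# what the tool sends by default; check your own logs for the exact string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WhatWeb/0.5.5"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "WhatWeb/0.5.5"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "WhatWeb/0.5.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent fragments of well-known fingerprinting/scanning tools (assumed list;
# extend it with whatever shows up in your own logs).
SCANNER_UA_MARKERS = ("whatweb", "nikto", "sqlmap", "nmap")


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanner_hits(log_text):
    """Return {client_ip: [requested paths]} for requests whose User-Agent
    contains one of the scanner markers."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip blank or malformed lines rather than crash
            continue
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_scanner_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} scanner request(s) -> {paths}")
```

A scanner can send any User-Agent it likes, so treat this as the low-hanging signal and pair it with request-rate and 404-burst checks per client IP.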

4. Google

Google is the father of information and we all know it. It will have one or another type of information about the target. We’ll separately cover how to use Google for collecting information.

5. Harvesting E-Mail Lists

This is a method by which we look up an organization and pull out the IPs and the emails of people linked to it, using a tool called theHarvester. It collects this information from various sources like LinkedIn, Google, Bing, etc.

theHarvester -d site.com -l 500 -b google    <-- -d domain, -l result limit, -b data source

Isn’t it mind-blowing that we can collect so much information about someone without them knowing? Why not try these yourself? I’ll share more techniques once you go through these.

We’ll meet again once you have finished exploring the tools shared above, and this time we’ll learn how to take help from Google (the father of data) in gathering data. See you soon!