Information gathering is a critical phase in any penetration testing engagement. The goal of this phase is to gather as much information as possible about the target organization, including its systems, applications, and network architecture. Here are some commonly used tools for information gathering:
WHOIS
A tool used to gather information about domain registrations, including registration dates, contact information, and name servers.
To perform a whois lookup during the information gathering phase of a penetration testing engagement, you can use the whois command in a command prompt or terminal window. Here are the steps:
- Open a command prompt or terminal window on your computer.
- Type “whois” followed by the domain name you want to look up, for example: “whois example.com”.
- Press Enter to execute the command.
The results of the whois lookup will be displayed in the terminal window. The information typically includes the domain registration date, expiry date, registrar, and contact information for the registrant, administrative contact, and technical contact.
There are several WHOIS websites that can be used during a penetration test. Here are a few popular ones:
- Whois.com: This website provides WHOIS lookup information for domain names, IP addresses, and email addresses.
- ICANN WHOIS: The Internet Corporation for Assigned Names and Numbers (ICANN) WHOIS website provides a centralized repository of WHOIS data for domain names.
- DomainTools: This website provides WHOIS lookup information for domain names, IP addresses, and email addresses. It also includes additional information such as historical WHOIS records and DNS data.
- WHOISology: This website provides WHOIS lookup information for domain names and IP addresses, as well as advanced search options and filtering capabilities.
It’s important to note that not all domain names may be publicly accessible through a whois lookup, as some registrars offer privacy protection services that hide the registrant’s contact information. Additionally, some top-level domains may have specific whois servers or require a specific syntax for the whois query. In such cases, you may need to consult the registry for that particular top-level domain for further instructions.
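The fields the steps above tell you to read (registration and expiry dates, registrar, name servers, contacts) come back as free text, and a privacy-protected registrant looks like a normal record until you inspect the contact fields. The Python below is an added example, not part of the original post: it parses a constructed WHOIS response (the key names and privacy phrases are assumptions modelled on common registrar output) into a short report and flags a redacted registrant and an approaching expiry.

```python
from datetime import datetime, timezone

# Constructed WHOIS response (not real registration data). The "Key: Value"
# layout mirrors what most registrars return; exact key names vary by TLD.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 2010-03-14T09:26:53Z
Registry Expiry Date: 2025-03-14T09:26:53Z
Name Server: NS2.EXAMPLE.NET
Name Server: NS1.EXAMPLE.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Email: Please query the RDDS service of the Registrar of Record
Tech Email: noc@example.com
>>> Last update of whois database: 2024-03-14T00:00:00Z <<<
"""

# Phrases registrars commonly use when a privacy service hides the registrant (assumed list).
PRIVACY_MARKERS = ("redacted", "privacy", "withheld", "query the rdds")

def parse_whois(text):
    """Map lower-cased field names to the list of values seen for them."""
    record = {}
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue  # skip comments and the trailing database-update banner
        key, _, value = stripped.partition(":")
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def whois_report(text, now_iso=None):
    """Summarize registrar, dates, name servers; flag redaction and renewal risk."""
    rec = parse_whois(text)
    first = lambda *keys: next((rec[k][0] for k in keys if k in rec), None)
    expiry = first("registry expiry date", "registrar registration expiration date", "expiry date")
    days_left = None
    if expiry:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
        days_left = (datetime.fromisoformat(expiry.replace("Z", "+00:00")) - now).days
    registrant = " ".join(rec.get(k, [""])[0] for k in
                          ("registrant name", "registrant organization", "registrant email")).lower()
    return {
        "registrar": first("registrar"),
        "created": first("creation date"),
        "expires": expiry,
        "days_until_expiry": days_left,  # small or negative means renewal risk
        "name_servers": sorted(ns.lower() for ns in rec.get("name server", [])),
        "registrant_redacted": any(m in registrant for m in PRIVACY_MARKERS),
    }
```

Feed it the captured output of `whois example.com` instead of the constructed sample; when `registrant_redacted` is true, the contact details must come from the registrar's own lookup, as the note above explains.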
THE HARVESTER
The Harvester is a tool used to gather email addresses, subdomains, and other information from search engines, social media, and other sources.
Repository: https://github.com/laramies/theHarvester
The Harvester is a tool commonly used in the information gathering phase of a penetration testing engagement. It is designed to gather information from search engines, social media platforms, and other online sources. Here are some steps on how to use The Harvester in a penetration test:
- Install The Harvester on your system. The tool is available on GitHub and can be downloaded and installed on Linux, macOS, and Windows.
- Open The Harvester and specify the target domain or email address you want to gather information on.
- Choose the sources you want to search. The Harvester supports several sources, including Google, Bing, LinkedIn, Twitter, and more.
- Specify the output format you want to use. The Harvester supports several output formats, including HTML, CSV, and XML.
- Start the search. The Harvester will retrieve and aggregate information from the selected sources and output the results in the specified format.
- Analyze the results. Review the information gathered by The Harvester and identify potential vulnerabilities or attack vectors that could be exploited.
It’s important to note that The Harvester should be used ethically and in accordance with all legal and regulatory requirements. Additionally, The Harvester may not be able to gather all the information you need, and it should be used in conjunction with other information gathering tools and techniques to get a complete picture of the target environment.
RECON-NG
Recon-ng is a tool used for open-source reconnaissance and information gathering.
Repository: https://github.com/lanmaster53/recon-ng
Recon-ng is an open-source tool used for reconnaissance and information gathering during a penetration testing engagement. Here are some steps on how to use Recon-ng:
- Install Recon-ng on your system. The tool is available on GitHub and can be downloaded and installed on Linux, macOS, and Windows.
- Open Recon-ng and run the “show modules” command to list all the available modules.
- Select the modules you want to use for your reconnaissance. Recon-ng has a wide variety of modules that can be used for OSINT, DNS enumeration, social media, and other types of reconnaissance.
- Load the selected modules by running the “use” command followed by the name of the module.
- Configure the module options as required. Each module has specific options that need to be configured before running the module.
- Run the module by running the “run” command. Recon-ng will start the reconnaissance process and gather information from the target environment.
- Analyze the results. Review the information gathered by Recon-ng and identify potential vulnerabilities or attack vectors that could be exploited.
It’s important to note that Recon-ng should be used ethically and in accordance with all legal and regulatory requirements. Additionally, Recon-ng may not be able to gather all the information you need, and it should be used in conjunction with other information gathering tools and techniques to get a complete picture of the target environment.
SHODAN
Link: https://www.shodan.io/
Shodan is a search engine for internet-connected devices that can be used in a penetration testing engagement to gather information about potential targets. Here are some steps on how to use Shodan:
- Sign up for a Shodan account. Shodan offers both free and paid subscriptions.
- Log in to your Shodan account and search for the target device or network. You can use various search parameters such as IP address, hostname, or keywords to narrow down your search.
- Review the results. Shodan will return a list of devices or networks that match your search criteria. You can view information about the devices such as open ports, services running, and operating systems.
- Identify potential vulnerabilities or attack vectors. Review the information gathered by Shodan and identify potential vulnerabilities or attack vectors that could be exploited.
- Use other tools and techniques to validate the information and gather more intelligence about the target environment.
It’s important to note that Shodan should be used ethically and in accordance with all legal and regulatory requirements. Additionally, not all devices or networks may be publicly accessible through Shodan, and it should be used in conjunction with other information gathering tools and techniques to get a complete picture of the target environment.
MALTEGO
Link: https://www.maltego.com/
Maltego is a powerful data visualization tool that can be used in a penetration testing engagement to gather and analyze information about a target environment. Here are some steps on how to use Maltego:
- Install Maltego on your system. The tool is available on the Maltego website and can be downloaded and installed on Linux, macOS, and Windows.
- Open Maltego and create a new project. Select the type of project you want to create, such as a standard or a discovery project.
- Choose the entities you want to investigate. Maltego supports several types of entities, such as IP addresses, email addresses, domain names, and more.
- Add the entities to your graph. You can add entities manually or use Maltego’s automated discovery features to populate the graph.
- Analyze the graph. Maltego’s data visualization capabilities make it easy to identify connections between entities and potential attack vectors.
- Use Maltego’s built-in transforms to gather additional information about the entities. Maltego includes several built-in transforms for OSINT, DNS enumeration, social media, and other types of reconnaissance.
- Analyze the results. Review the information gathered by Maltego and identify potential vulnerabilities or attack vectors that could be exploited.
It’s important to note that Maltego should be used ethically and in accordance with all legal and regulatory requirements. Additionally, Maltego may not be able to gather all the information you need, and it should be used in conjunction with other information gathering tools and techniques to get a complete picture of the target environment.
NMAP
Link: https://nmap.org/
Nmap is a powerful network scanning tool that can be used in a penetration testing engagement to gather information about the target environment. Here are some steps on how to use Nmap:
- Install Nmap on your system. The tool is available on the Nmap website and can be downloaded and installed on Linux, macOS, and Windows.
- Identify the target IP address or range. You can use various techniques, such as DNS enumeration or scanning a range of IP addresses, to identify the target.
- Choose the type of scan you want to perform. Nmap supports several types of scans, such as a ping scan, TCP scan, UDP scan, and more.
- Run the scan. Use the Nmap command line interface to run the scan against the target IP address or range. You can specify options such as timing, port range, and output format.
- Analyze the results. Nmap will return a list of open ports, services running, and operating systems. Analyze the results to identify potential vulnerabilities or attack vectors that could be exploited.
- Use other tools and techniques to validate the information and gather more intelligence about the target environment.
It’s important to note that Nmap should be used ethically and in accordance with all legal and regulatory requirements. Additionally, Nmap may trigger security alerts or cause network disruption if not used properly, and it should be used in conjunction with other scanning tools and techniques to get a complete picture of the target environment.
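The analysis step above (reading the open ports, services and OS guesses Nmap reports) is easier to repeat across many hosts from the XML output format (`-oX`) than from the screen. The following Python is an added example, not part of the original post or of Nmap itself: it parses a constructed `-oX` sample (invented hosts in a documentation address range) into a per-host inventory and flags open cleartext or legacy services against an assumed baseline, so the scan can be turned into remediation findings.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (invented hosts/services; 192.0.2.0/24 is a
# documentation range). Element names follow nmap's XML output schema.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/30">
 <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
  </ports>
  <os><osmatch name="Linux 5.X" accuracy="95"/></os>
 </host>
 <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="udp" portid="161"><state state="open"/><service name="snmp" version="1"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="192.0.2.3" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name or None, "open": [(proto, port, service, product, version)]}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or host.find("status").get("state") != "up":
            continue  # skip hosts that did not answer
        osmatch = host.find("os/osmatch")
        entry = {"os": osmatch.get("name") if osmatch is not None else None, "open": []}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are exposures; filtered/closed are noise here
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            entry["open"].append((port.get("protocol"), int(port.get("portid")),
                                  attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", "")))
        hosts[addr.get("addr")] = entry
    return hosts

# Assumed baseline: services that should not be reachable on an assessed perimeter.
CLEARTEXT_SERVICES = {"telnet", "ftp", "snmp", "rsh", "rlogin"}

def flag_exposures(hosts):
    """List (ip, proto, port, service) for every open cleartext/legacy service."""
    return [(ip, proto, port, name) for ip, h in hosts.items()
            for proto, port, name, _, _ in h["open"] if name in CLEARTEXT_SERVICES]
```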
OSINT FRAMEWORK
Link: https://osintframework.com/
OSINT (Open Source Intelligence) Framework is a tool that can be used in a penetration testing engagement to gather information from publicly available sources. Here are some steps on how to use OSINT Framework:
- Install OSINT Framework on your system. The tool is available on the OSINT Framework website and can be downloaded and installed on Linux, macOS, and Windows.
- Identify the target entity. This could be a person, organization, domain, email address, or other entity of interest.
- Choose the type of source you want to investigate. OSINT Framework supports several types of sources, such as social media, search engines, email, and more.
- Use OSINT Framework to automate the gathering of information. The tool includes several modules that can be used to automate the process of collecting data from different sources.
- Analyze the results. OSINT Framework will return a list of information gathered from the selected sources. Analyze the results to identify potential vulnerabilities or attack vectors that could be exploited.
- Use other tools and techniques to validate the information and gather more intelligence about the target environment.
It’s important to note that OSINT Framework should be used ethically and in accordance with all legal and regulatory requirements. Additionally, OSINT Framework may not be able to gather all the information you need, and it should be used in conjunction with other information gathering tools and techniques to get a complete picture of the target environment.
In the next posts we will go deeper into these tools and how to use them. We will also look at how to obtain useful results that can feed into a good penetration test report.
Some of our content has been created by ChatGPT, a large language model trained by OpenAI, based on the GPT-3.5 architecture, with a knowledge cutoff date of 2021-09.