6. Information Gathering

• active

• passive (OSINT): collect openly available data without direct interaction with target

  -> clarify and increase attack surface

• OSINT

• collect openly available data without direct interaction with target

• Goal: clarify and increase attack surface

• collect information about domain name

  • ns servers

  • IP addresses

  • Email/Phone numbers

  • etc.

• also reverse look up possible: ip -> domain

• use google in a smart way to get information

• user operators

  • limit to domain: “site:filora.eu”

  • limit to file extension: “filetype:txt”

  • limit to used programming language: “ext:php“

  • exclude html files: “-filetype:html“

• some pratical searches:

  • find directory listings: intitle:"index of" "parent directory"

  • https://www.exploit-db.com/google-hacking-database

Service which collects information about a website/domain, e.g.

• subdomains

• used technologies

• meta information

• using Github, Gitlab, SourceForge to search for public repos, which might contain sensitive information about the target.

• there are commerical tools which try to extract senstive information from github repos: Gitrob or Gitleaks

• search for internet-connect devices

• finds webservers but also connected IOT devices

• you can also search for open ports, e.g. devices with open ssh port

• site “security headers” allows to check for missing http headers, which might indicate a security misconfiguration

• there are also tools which check the running TLS/SSL configuration

• active scans interact with the target, e.g. we will send requests to see how the target behaves

• DNS servers might contain interesting information about a target

• use the host comannd to find DNS records of domain

Example enumeration based on given domain:

• brute force subdomains using “host” command

• check ips of subdomains

• find pattern in ips (e.g. all of them are in the same range) and brute force further domains

• scans might overload server/clients/networks

  • faster scanners use concurrent traffic -> limits bandwitdth

• tcp scans based on 3-way handshake (syn, syn-ack, ack)

• udp scans based on “ICMP port unreachable”

• in general: problems with firewalls!

• access to raw sockets require sudo access

• scan techniques:

  • -sS (sudo): SYN scan, 3-way handshake is not completeted -> no application log

  • -sT: Connect scan, 3-way handshake is completed -> application log and slower

  • -sU (sudo): UDP scan

• network discovery:

  • -sn: detect if host is up (ICMP + TCP SYN to port 80/443)

• other options:

  • -O: os fingerprinting

  • -sC: default scripts

  • -sV: version detection

• find NSE scripts: “ls -l /user/share/nmap/scripts/smb*“

• “Test-NetConnection” comand to scan single port

• Server Message Block, port 445

  • SAMBA is unix implementation of SMB, might be used as synonym for SMB

  • provides shared access to files/printers or other resources

• might uses Kerberos/NTLM authentication

• older versions use SMB over NetBios (port 139), which might be used for backward compatibility

• Siimple Mail Transport Protocol

• VRFY comannd to check if user exists

  
  

• Simple Network Management Protocol

  • used to monitor different devices in the network

• MIB is a database managed by SNMP server

  • contains network information

  • contains information about the server itself:

• if the community string is known, those values can be enumerated using snmp walk