Chapter 6: Passive Information Gathering
Depending on the pentest you are doing, the first step may be gathering openly available information about the target without directly interacting with it. This is also known as OSINT (Open-Source Intelligence). This post discusses several tools and techniques that can help us gather information about the victim.
Taking Notes
We may find a lot of information, so it is important to organize everything correctly and take notes that help you identify important data or remember something you thought of but didn't have time to try.
Website Recon
If the victim has a website, the first thing we must do is browse it and inspect the target. Some websites expose sensitive information such as employee email addresses and names. We can use this to gather more information about the people working at that company, check whether the email addresses follow a pattern and can be guessed, etc.
Whois Enumeration
The whois command can give us information about a domain by just using that domain name as an argument. Let’s make an example with google.com:
❯ whois google.com
Domain Name: GOOGLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-09-09T15:39:04Z
Creation Date: 1997-09-15T04:00:00Z
Registry Expiry Date: 2028-09-14T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-07-19T08:45:39Z <<<
...
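As an added example (not part of the original notes), here is a small Python script that parses whois output like the listing above into a dictionary and runs a few defender-side hygiene checks on the result (registrar locks, DNSSEC, expiry). The sample record is a constructed excerpt of the google.com output shown above, and the function names are my own.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: an excerpt of the google.com whois output shown above,
# embedded so the parser runs offline without calling the whois command.
SAMPLE_WHOIS = """\
Domain Name: GOOGLE.COM
Registry Expiry Date: 2028-09-14T04:00:00Z
Registrar: MarkMonitor Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
DNSSEC: unsigned
>>> Last update of whois database: 2022-07-19T08:45:39Z <<<
"""

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: value' lines into a dict of lists; keys like Name Server repeat."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        # The key must start with a letter, so the '>>> Last update' footer is skipped.
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip(), []).append(m.group(2))
    return record

def domain_hygiene_findings(record: Dict[str, List[str]]) -> List[str]:
    """Defender-side checks on our own domain: registrar locks, DNSSEC, expiry."""
    findings: List[str] = []
    statuses = {s.split()[0] for s in record.get("Domain Status", [])}
    for lock in ("clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"):
        if lock not in statuses:
            findings.append(f"missing registrar lock: {lock}")
    if record.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned":
        findings.append("DNSSEC not enabled")
    for value in record.get("Registry Expiry Date", []):
        expiry = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - datetime.now(timezone.utc) < timedelta(days=30):
            findings.append("domain expires within 30 days")
    return findings

def run_whois(domain: str) -> Dict[str, List[str]]:
    """Live lookup via the whois command (needs network and the whois binary)."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=True).stdout
    return parse_whois(out)
```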
Google Hacking/Dorking
Google's search engine, used correctly, can help you obtain information that was not meant to be public but is, due to misconfigurations. This methodology consists of using search strings and operators:
- site: This operator limits the search to the domain that you specify. For example, if we want official information related to facebook.com, we want to avoid some randomsite.com talking about Facebook.
- filetype/ext: This operator specifies the type of document that we want. If we put a - before an operator, all results matching that operator are excluded from the search.
- intitle: This operator specifies text that has to appear in the page title.
There are a lot of operators; you can find a list of them here. Moreover, in the ExploitDB you can find useful search queries already written.
Netcraft
Netcraft is a company that offers a free web portal that performs information gathering, for example information about the domain (https://searchdns.netcraft.com/). When you search for a domain it also provides you with a site report that gives a lot of information like the technologies being used.
Recon-ng
Recon-ng is a module-based framework that performs web-based information gathering. It also has a database, so the results of one module can feed another module and expand the scope. When we first install the framework, no modules are installed. We can use marketplace search to find modules (some of them require an API key), marketplace info to obtain more details about one, and marketplace install to add it. Once a module is installed, we use module load followed by the module name, and then info to see the required parameters. You can set the parameters with the options set command and finally run the module with run.
You can find more information about how to use it here.
Open-Source Code
When dealing with open-source projects, being able to read the code can give us a lot of information about the application and potential vulnerabilities and exploits. It is also possible to use the Google dorking techniques explained previously in other search bars, like GitHub's, to retrieve data that was not supposed to be public but is, such as test files, files with temporary passwords, etc. There are tools that do this, like Gitrob and Gitleaks.
Shodan
Shodan is a search engine that indexes devices connected to the internet, not just web applications. It gives us information about open ports and running services, published vulnerabilities, etc. It is like using nmap but without getting our hands dirty or being detected.
Security Headers Scanner
Security Headers is a site that analyzes a website's HTTP response headers to detect security misconfigurations (there are several HTTP headers that protect a website from known attacks).
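As an added example (not from the original notes or from the Security Headers site), a Python check of the kind that site performs, run offline over two constructed header sets; the list of expected headers and the function names are assumptions of mine.

```python
import re
import urllib.request
from typing import Dict, List

# Headers a defender expects on a public site, with the risk each one addresses.
EXPECTED = {
    "strict-transport-security": "HSTS missing: browsers may fall back to plain HTTP",
    "content-security-policy": "CSP missing: no script-source restriction against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
    "permissions-policy": "Permissions-Policy missing: browser features unrestricted",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's header map (names matched case-insensitively)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in EXPECTED.items() if name not in present]
    hsts = present.get("strict-transport-security", "")
    if hsts:
        # HSTS only helps if max-age is long; one year is the usual minimum.
        max_age = re.search(r"max-age=(\d+)", hsts)
        if not max_age or int(max_age.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
    if "server" in present or "x-powered-by" in present:
        findings.append("Server / X-Powered-By present: may disclose software versions")
    return findings

def audit_url(url: str) -> List[str]:
    """Live check of a site you operate (needs network); mirrors what the site does."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))

# Constructed sample responses (not from any real site): a weak one and a hardened one.
WEAK = {"Server": "Apache/2.4.41", "Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
```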
SSL Server Test
The SSL Server Test is a site that analyzes a server's SSL/TLS implementation and detects potential vulnerabilities, like the use of an outdated cipher.
Pastebin
Pastebin is a website for sharing and storing text. It is a public service and doesn't require a user account. It is worth taking a look at it.
User Information Gathering
Instead of obtaining information about domains and sites, we can also gather information about users.
- Email Harvesting: This technique consists of obtaining real user e-mail addresses, which can be used in phishing campaigns. theHarvester is a tool that gathers a lot of information related to a domain, including e-mails.
- Password Dumps: Hackers who have dumped databases often post the data on public sites like Pastebin. These dumps are used to create wordlists, like rockyou, which contains the most used passwords.
Social Media Tools
Twofi is a tool that scans a user's Twitter feed and creates a specific wordlist for that user. This tool requires a Twitter API key.
linkedin2username is a script that generates username lists based on LinkedIn data about a company.
Stack Overflow
We can obtain interesting information by analyzing what kind of questions a user is asking on Stack Overflow, for example questions related to patching some vulnerabilities, etc.
Information Gathering Frameworks
The OSINT Framework collects a huge amount of tools and categories that you can use in order to obtain information about the client.
Maltego is an extremely powerful data mining tool, but the community version requires an account. It displays information in a graph structure that allows easy reading and navigation.