Regardless of the color of their hats, cybersecurity experts start their works in the same way: "by gathering as much information as they can about the target."
The information collected is used directly in determining how the attack will be carried out and in planning each stage of the attack process. Therefore, the most crucial stage of security tests or a cyber attack is the information gathering stage.
We would like to tell you a story about the security test we performed for one of our customers.
According to the agreement between us, the only information that we received from our customer was only the domain name of their company. Let's call it s4e-customer.com.
On the first day of the penetration testing, we only collected passive information;
We are standing here to keep the list from getting longer, and this is enough for our story.
After having this data, we moved active information gathering stage;
Now, look at what we are doing by just collecting information. We did not run any exploitation code, detect zero-day vulnerabilities, just gathered data, and the result was:
Isn’t it thrilling?
We just gathered information. There are no unique methods, no advanced techniques. We merely searched for the right thing in the right place and combined the information we got.
Note: Our customer was informed at every stage, and their approval was obtained at the necessary steps.
Note 2: Our marketing experts kill us if we do not write this :)
If your company needs a security test, please contact us.
Or wait, we will contact you ;)
Just a joke, click here and fill out the pentest request form.
Here is the some information gathering techniques
The technique of collecting information for an asset (IP address, domain name, website, email, etc.) is classified into two: active information collection and passive information collection.
All transactions made without leaving a trace on the relevant asset are called passive information collection (whois, website history, searching through leaked data). This type of information collection does not leave any traces on the relevant system, so that it can not be detected. To illustrate, you can query the whois information of a domain name or IP address from many different places. This query information cannot be detected by the system administrator of the domain name or IP address.
Passive Information Gathering Can Be Processed Through:
The methods that leave traces (port scanning, directory scanning, DNS queries for sub-domain name detection) are known as active scanning. If you want to get information about the ports running on an IP address, you should scan for the open ports. For this, you have to send specific packets to the IP address, which can be detected by those who manage the relevant system.
What is detected here is the port scanning event and scanner IP addresses. The system administrator can only see the port scanning event and the scanner IP addresses. Generally, live systems generate many logs, therefore system administrators can overlook active information gathering scans. Additionally, it can be pretty difficult to distinguish between a genuine user browsing a website and a person accessing the website for information gathering purposes.
Active Information Gathering Can Be Processed Through:
Let's end with the following quote from the Chinese Sun Tzu, one of the most famous commanders who ever lived:
"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
You must have an MX record to send or receive e-mail from your domain's email addresses. You can check if your MX records are set correctly with this tool.
NS or Nameserver records point to a DNS server for domain and subdomains. So those who want to access your domain or subdomains are directed to a DNS server that holds IP-domain matching. Check your NS records with NS Record lookup tool.
An ANY DNS query is used to get all DNS records available for a specific domain name. Let's check what DNS records are answered to ANY DNS query for your domain. Make an ANY DNS request with this tool.
TXT records are used to keep text values related to your domain name. This type of record usually used for, proof for ownership of domain (google, yandex verification), Sender Policy Framework (SPF) records or DKIM. Check your TXT records with TXT record lookup tool.
You need to know which services and ports are accessible over the internet. Do not forget UDP protoco ! Check your top 10 udp open ports with online port scanning tools.
DNS servers share zones using AXFR protocol. If it's misconfigured, attackers can get all DNS information related to your domain.
Use this service if you want to see scan all port. If changes are made regularly on the server, it is a great advantage to use full port tcp scan.
Any system or anyone who wants to access your domain has to resolve your A records. These records point to IPv4 addresses. You can make an online DNS A record lookup, and check IPv4 address of your domain.
You can learn which HTTP methods are used for supporting your website with this tool.
A DNS AAAA (Address for IPv6) records hold IPv6 address or addresses related to your domain. Get your domain IPv6 address with AAAA record lookup tool.
CNAME (Canonical Name) is a type of DNS record that used as alias for another domain.
Subdomains often address different sections of a website (blog, e-mail, admin panel or another application). Each subdomain could be a new attack vector for you.
Check your SSL/TLS configuration for supported ciphers. Do not use weak ciphers. Also learning supported SSL cipher and making cross check with supported ones by security devices can be very important.
ICMP protocol is used to check whether the system is alive or for debugging. You can send PING packages to the target system by using PING tool.
You need to know which services and ports are accessible over the internet. Because an attacker can easily learn. Check your top 10 tcp open ports with online port scanning tools.
How much do you think a person can retrieve information about the e-mail accounts related to your company or website? Check our tool for how much information can be obtained about your e-mails.
An API key is a unique identifier serves as a authentication token. Attackers can use your leaked API keys by impersonating you and access your private data.
Backup files are critical files generally forgotten in somewhere while in development process. Check your system for backup files which can lead information leaks about your services.
Due to some misconfigurations, your asset may not reach the target. Check if your IP address or domain is blacklisted or not.
Version control systems may lead security vulnerabilities. Check if you have one.
Critical information can be compromised if log files are accessed by anyone.
Critical information can be compromised if these files are accessed by anyone.
Almost every application, user interface comes with a user, admin panel. Sometimes panels includes some security vulnerabilities. Wtih our tool, you can check your publicly available panels.
API endpoints that do not have an authentication mechanism can cause many private data to be leaked by attackers.
Critical information can be compromised if config files are accessed by anyone.
Misconfigured kibana/elasticsearch applications can cause many private data to be leaked by attackers.
Misconfigured redis applications can cause many private data to be leaked by attackers.
If you are affected by CVE-2017-9248 vulnerability, attackers can exploit your web application.
Attackers can exploit your web application if your Telerik framework File Upload page is accessible to everyone.
Security.txt file can expose hidden directories and files.
Robots.txt file can expose something sensitive such as the path of an administration panel.
If access permission to the private key file is configured incorrectly, anybody who steals the key can log into everything you have access to.
ASP.NET's includes a powerful mechanism for detailed request tracing called Trace.axd and it can also be used by attackers to gain information about requests and responses to the application.
If ELMAH is not properly configured elmah.axd file can allows attackers to gain information about the application.
Simple and fast Domain Whois lookup tool.
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'.
Its possible for an attacker to configure the servers without information of the application administrator.
Misconfigured Apache ZooKeeper server can cause many private data to be leaked by attackers.
In order to bypass the WAF, it is important to determine the WAF used in the system first.