This is the first article in an upcoming series on Information Gathering.

In penetration testing, gathering as much information as possible about our target is the first step.

Information gathering, or footprinting, is of two types, namely passive reconnaissance and active reconnaissance.

In passive reconnaissance we gather information without actually interacting with the target systems.

Gathering publicly available information about a company from the internet is passive reconnaissance.

Active reconnaissance, on the other hand, requires interaction with the target's systems.

Port scanning is an example of active reconnaissance.

It is advised to be careful when conducting active reconnaissance on an organization because it is illegal in most countries without approval.

Although there are no hard and fast rules in penetration testing, it is recommended to follow a certain methodology.

In theory, footprinting or information gathering is divided into seven steps.

The steps along with the best tools to perform them are:

Step  Title                      Active/Passive   Common Tools
1     Information gathering      Passive          Netcraft, Whois, Nslookup
2     Determining network range  Passive          traceart, APNIC, ARIN
3     Identify active machines   Active           Ping, traceroute, Angry IP Scanner
4     Finding open ports         Active           Nmap, Zenmap, war dialers
5     OS fingerprinting          Active/Passive   Nmap, ettercap, Nessus
6     Fingerprinting services    Active           FTP, Netcat, SSH, vulnerability scanners
7     Mapping the network        Active           scapy, traceroute, visualroute


Information Gathering

Gathering initial information about the target is the very first step in the footprinting process.

Collecting the different domain names associated with the target company, its name servers, IP addresses, etc. is the goal here.

A visit to the company’s website can provide us with a lot of useful information.

For example, a recent news item on their website might say that they have upgraded their systems to Windows 2012 and installed Cisco switches.

They have 4 nodes of access to the internet, which provides robust connectivity.

This by itself provides us with a lot of information, like the servers they run, the switches they use and the number of nodes to target for a DDoS attack.

Also, checking out similar websites set up by disgruntled ex-employees can give valuable insights about the company.

There are also tools for finding out more relevant information.

One of the most useful tools in the arsenal is Netcraft.

Netcraft is a UK-based website that tracks and collects details about almost every website on the internet.

Here is the link www.netcraft.com .


A quick search about any website provides us with a host of useful information.

Here is an example of the results for Hackeroyale.com.

Clicking on the site report provides us with detailed information about the website.

Google dorks are also useful when trying to extract information about a website.

Determining network range

After getting the necessary information, like names, email addresses, name servers and IP addresses, we now need to determine the network range, or the subnet mask.

An IP address consists of two parts, namely the network portion and the host portion. Devices on the same network have the same network portion but different host portions.

A subnet mask is used to identify which part of an IP address is the network portion and which is the host portion.

Now let's discuss the tools to find out the network ranges.
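Before reaching for whois, it helps to see the network/host split computed directly. The following is an added example, not code from the original article: it converts a dotted-decimal mask to a prefix length, splits a sample address into its network and host portions, and checks whether two addresses share a network. The address and mask values are constructed for the demonstration and are not taken from any real record.

```python
import ipaddress

# Constructed sample input (not from the article): a host address and the
# dotted-decimal subnet mask that might accompany it in a whois/ARIN record.
SAMPLE_IP = "192.168.16.10"
SAMPLE_MASK = "255.255.255.0"


def mask_to_prefix(mask):
    """Convert a dotted-decimal mask such as 255.255.255.0 to a prefix length (24)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is a run of 1s followed by a run of 0s; reject anything else,
    # since a non-contiguous mask would silently produce a wrong network range.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def split_address(ip, mask):
    """Return the network portion, host portion and address range for ip/mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask_to_prefix(mask)}", strict=False)
    # The host portion is whatever remains once the network address is removed.
    host_part = int(ipaddress.IPv4Address(ip)) - int(net.network_address)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "host_part": host_part,
        "broadcast": str(net.broadcast_address),
        # Network and broadcast addresses are not assignable to hosts.
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_network(ip_a, ip_b, mask):
    """True when both addresses share the network portion defined by mask."""
    prefix = mask_to_prefix(mask)
    net_a = ipaddress.IPv4Network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{prefix}", strict=False)
    return net_a.network_address == net_b.network_address


if __name__ == "__main__":
    print(split_address(SAMPLE_IP, SAMPLE_MASK))
    print(same_network(SAMPLE_IP, "192.168.16.200", SAMPLE_MASK))
    print(same_network(SAMPLE_IP, "192.168.17.10", SAMPLE_MASK))
```

The contiguity check in mask_to_prefix matters in practice: a mask like 255.255.0.255 has 24 one-bits but does not describe a /24, and treating it as one would put hosts in the wrong range.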

The easiest way to find the network range is to use the ARIN whois search.

The link is www.arin.net .

Here is the result for hackeroyale's IP.

Identifying active machines

The next step is identifying the active machines in the target network.

A simple ping command can help us identify active machines, but it takes a lot of time to identify each machine individually.

We need to conduct a ping sweep for this.

There are several programs for conducting a ping sweep, but the one I recommend is Angry IP Scanner.

Here is the download link http://angryip.org/download

We just need to put in the IP range and it identifies all the active machines.

There are a host of other features like an open port scanner, web detect, MAC vendor detection, a MAC address fetcher, etc.

For now we will concern ourselves with the identification of active machines.
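A ping sweep is also easy to recognise from the other side of the wire: one source sends echo requests to many distinct hosts in a short window. The following is an added example, not code from the article or from Angry IP Scanner, showing how a defender can flag that pattern in firewall logs. The log format ("<epoch> <proto> <src> -> <dst>") and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). One host sweeps
# twenty addresses in two seconds; another host pings its gateway twice.
SAMPLE_LOG_LINES = [
    f"14968741{20 + i // 10} ICMP-echo 192.168.16.77 -> 192.168.16.{i + 1}"
    for i in range(20)
] + [
    "1496874125 ICMP-echo 192.168.16.5 -> 192.168.16.1",
    "1496874126 ICMP-echo 192.168.16.5 -> 192.168.16.1",
    "1496874300 TCP 192.168.16.9 -> 192.168.16.10:80",
]

# Assumed line layout: epoch seconds, protocol tag, source, "->", destination.
LINE_RE = re.compile(r"^(\d+)\s+ICMP-echo\s+(\S+)\s+->\s+(\S+)$")


def parse_echo_requests(lines):
    """Return (timestamp, src, dst) tuples for ICMP echo requests; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_ping_sweeps(lines, window=10, threshold=10):
    """Flag sources that probe at least `threshold` distinct hosts within `window` seconds.

    Returns {source: max_distinct_hosts_in_any_window} for flagged sources only.
    """
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(lines):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        # Sliding window over the source's events, ordered by time.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_LOG_LINES))
```

The distinct-destination count is what separates a sweep from a host that simply pings one address repeatedly; the second source in the sample sends two echo requests but to a single host and is not flagged.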

Finding open ports and OS fingerprinting

After finding out the network range and the list of active machines, we can proceed further to identify the open ports and access points, along with the OS the devices are running.

The process of identifying the OS is called OS fingerprinting.

There are two types of fingerprinting, active and passive, but for convenience here we will discuss active fingerprinting with nmap.

One of the most common and useful port scanning tools is nmap, although it is not the only one.

Here is the download link https://nmap.org/download.html.

Nmap is the most popular port scanning tool out there.

It can perform a wide array of scans, like a TCP intense scan plus UDP port scan, a TCP stealth scan, OS fingerprinting, etc., and can also load custom scripts.

Nmap also allows us to customize the speed of the scans.

Below is an example of the nmap command with the -h (help) option to review some of its many switches.

C:\nmap-4.5>nmap -h
Nmap 4.5 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service and app names/versions
 -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
  --win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

When using nmap for scanning, it displays all the open, closed or filtered ports along with the service name and protocol.

In order to use nmap, we use the nmap command along with the preferred switch and the IP address.

We can also scan a range of IP addresses.

An example of its usage is given below, with the -sS switch for a stealthy TCP SYN scan and the -O option for OS identification.

C:\nmap-4.5>nmap -sS -O 192.168.16.10
Starting nmap V. 4.5 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (10.4.0.5):
(The 1514 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
1032/tcp   open        iad3
1521/tcp   open        ncube-lm
1526/tcp   open        pdap-np
1723/tcp   open        pptp
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=2 (Trivial joke)
Remote operating system guess: Windows NT4 / Win95 / Win98
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

Here we can see that the device has 9 open ports, along with their respective services, and that it is a Windows machine.
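Counting open ports by eye works for one host but not for a whole range, so the usual next step is to turn the scan output into an inventory. The following is an added example, not code from the article or from the nmap project: a small parser for nmap's normal output format, run over the scan result shown above (embedded as a string so it works offline), that extracts the host, the port table, the OS guess and a summary. The list of services considered to transmit data in the clear is a constructed illustration, not an nmap feature.

```python
import re

# The nmap output from the article, embedded so the parser runs offline.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 4.5 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (10.4.0.5):
(The 1514 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
1032/tcp   open        iad3
1521/tcp   open        ncube-lm
1526/tcp   open        pdap-np
1723/tcp   open        pptp
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=2 (Trivial joke)
Remote operating system guess: Windows NT4 / Win95 / Win98
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_RE = re.compile(r"^Interesting ports on.*\((\d+(?:\.\d+){3})\)")
HIDDEN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")

# Constructed illustration (not from nmap): services that carry credentials or
# content unencrypted and therefore deserve a second look in an inventory.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap"}


def parse_nmap_normal(text):
    """Parse nmap 'normal' output into a dict of host, ports, hidden-port count and OS guess."""
    result = {"host": None, "ports": [], "not_shown": None, "os_guess": None}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            result["host"] = m.group(1)
        elif m := HIDDEN_RE.match(line):
            result["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := PORT_RE.match(line):
            result["ports"].append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
            })
        elif m := OS_RE.match(line):
            result["os_guess"] = m.group(1).strip()
    return result


def summarize(result):
    """Reduce a parsed scan to the facts an analyst records for the host."""
    open_ports = [p for p in result["ports"] if p["state"] == "open"]
    return {
        "host": result["host"],
        "open_count": len(open_ports),
        "open_ports": sorted(p["port"] for p in open_ports),
        "cleartext": sorted(p["service"] for p in open_ports
                            if p["service"] in CLEARTEXT_SERVICES),
        "os_guess": result["os_guess"],
    }


if __name__ == "__main__":
    print(summarize(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)))
```

For real inventories the -oX or -oG switches listed in the help output above give a format that is easier to parse than the normal text, but the normal format is what ends up pasted into reports, so a parser for it is still worth having.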

Service fingerprinting

In some of our previous scans, we saw some open ports and the services associated with them.

Even if we only knew which ports were open, the respective services could easily be identified by banner grabbing.

Banners can be grabbed simply by using telnet or FTP.

These are built into Windows and Linux systems.

By simply telnetting into the port, we can see which type of service and which version of the software the device is running.

This is very crucial information, as some of these services can be easily exploited if they are not updated or run an older version of the software.

C:\>telnet 192.168.16.10 80
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 07 Jun 2017 22:22:04 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>The parameter is incorrect. </body>
</html>
Connection to host lost

Here we can see the machine is running an IIS 5.0 server.

Also, one of the easiest ways of banner grabbing is by using netcat, which is also called the Swiss army knife of hacking.

Netcat is available for both Windows and Linux.

If you are using the Windows command line, then typing nc -v -n IP_Address Port should do the trick.
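Reading the product and version out of a banner by hand is fine for one host; for an asset inventory it is better to parse the banner and compare the version against a policy. The following is an added example, not code from the article: it parses the HTTP response captured with telnet above (embedded as a string so it runs offline), extracts the Server header, and flags the version as outdated against a reference table. The MIN_SUPPORTED table is a constructed, hypothetical policy for the demonstration, not a real support-lifecycle list.

```python
import re

# The banner captured in the article, embedded as raw HTTP so this runs offline.
SAMPLE_BANNER = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Fri, 07 Jun 2017 22:22:04 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 87\r\n"
    "\r\n"
    "<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>"
)

# Constructed, hypothetical policy (not from the article): the lowest version of
# each product that this inventory still treats as supported.
MIN_SUPPORTED = {"microsoft-iis": (10, 0), "apache": (2, 4), "nginx": (1, 24)}

PRODUCT_RE = re.compile(r"([^/\s]+)(?:/(\d+(?:\.\d+)*))?")


def parse_http_banner(raw):
    """Split a raw HTTP response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def identify_server(parsed):
    """Return (product, version_tuple_or_None) from the Server header, or None if absent."""
    server = parsed["headers"].get("server", "")
    m = PRODUCT_RE.match(server)
    if not m:
        return None
    product = m.group(1).lower()
    version = tuple(int(x) for x in m.group(2).split(".")) if m.group(2) else None
    return product, version


def assess(parsed):
    """Classify the advertised server as current, outdated, unknown or missing."""
    ident = identify_server(parsed)
    if ident is None:
        return {"product": None, "version": None, "verdict": "no Server header"}
    product, version = ident
    minimum = MIN_SUPPORTED.get(product)
    if version is None or minimum is None:
        verdict = "unknown"          # product not in policy or version withheld
    elif version < minimum:
        verdict = "outdated"         # tuple comparison handles 5.0 < 10.0 correctly
    else:
        verdict = "current"
    return {"product": product, "version": version, "verdict": verdict}


if __name__ == "__main__":
    print(assess(parse_http_banner(SAMPLE_BANNER)))
```

Comparing versions as integer tuples rather than strings is the detail that matters: as strings, "5.0" sorts after "10.0" and the old server would wrongly pass.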

More about netcat for reconnaissance and pentesting in the next articles of the series.

Mapping the network

Now we can finally map the network to provide us with the blueprint of the company.

We can use good old-fashioned traceroute or a more graphical and interactive tool.

One such tool is visualroute.

Here is the download link http://www.visualroute.com/download.html.

Visualroute is a graphical tool for mapping a network.

It visually shows the route a packet has taken over the internet.

It also shows the geolocations of the points the packets have passed through, which is very convenient, and running it a couple of times can give us a pretty good idea of whether two systems are on the same network.


This was only an introduction to information gathering.

There are far more powerful tools which perform the functions of multiple tools simultaneously and almost automate the entire process.

Some of these tools will be elaborated on and their usage discussed in detail in the next articles in the series.

Till then happy hunting.