Information Gathering
3 min read, Sep 26, 2023
Hello hackers, I'm Mostafa Elguerdawi, and this will be the first write-up in my Penetration Testing series.
In this write-up we will talk about the first phase of pentesting: information gathering.
Information Gathering
- Information gathering (footprinting) is the first step, in which an attacker collects information about his or her target.
What Is Network Footprinting?
- It is the process of identifying and understanding the security risks in an organization.
- There are two types of information gathering: active and passive.
- Active footprinting collects data about the target by interacting with the target directly.
- Passive footprinting is the opposite: it collects data without direct interaction with the target, for example from information indexed by public search engines.
What Is Reconnaissance?
- The step in which an attacker collects data about the target system. This includes active reconnaissance (against the target infrastructure) and passive reconnaissance (from public resources).
- Footprinting is a part of reconnaissance.
- Data that can be collected through reconnaissance includes: employee details (emails, phone numbers, social media accounts), network infrastructure (network type such as LAN, MAN, and WAN; IP address range), and domain information (registrar, registration date, expiry date).
Footprinting Methodology
- The first step is to identify the objective of the assessment, for example a security assessment or a risk analysis.
- After identifying the goal of the assessment, the second step is to start collecting data.
Domain Information
- In this step we start to gather information about the domain, such as the owner of the domain, its IP address, the registrar, and the registration and expiry dates.
- We can use WHOIS to get information about the domain.
- WHOIS is an Internet protocol used to query and display registration information about a domain name from registrars worldwide.
DNS Footprinting
- DNS footprinting is a technique used by an attacker to gather DNS information about the target system; it allows the attacker to obtain information about the DNS zone data.
- Some of the records we can find through DNS footprinting are A, MX, and CNAME.
- An A record maps a hostname to the target's IPv4 address.
- An MX record is the mail server record; it specifies the SMTP email server for the domain.
- A CNAME record is an alias record used to point one hostname at another hostname.
- We can use tools such as host, nslookup, and dig for DNS footprinting.
- Subdomains: enumerate any subdomains discovered; we can use the dnsenum tool.
- Associated Services: identify any services or applications linked to DNS records. First get the domain's A record using the host tool, then scan that IP using a tool like nmap.
Web Footprinting
- Detail the results of web footprinting, such as:
- Web Server Information: we can obtain this in several ways, for example by inspecting the HTTP headers with curl -I https://target.com, by running an nmap scan, or with netcat (nc target.com <http-port>).
- Directory and File Structure: use the Web Archive, or fuzz directories with the ffuf tool.
- Technologies in Use: list the content management systems (CMS), frameworks, or scripting languages used. We can do that with a browser extension like Wappalyzer, or with tools such as WhatWeb and WafW00f.
- Extract metadata from web pages, if available. We can use this code:
```python
import requests
from bs4 import BeautifulSoup

# Replace with the URL of the web page you want to extract metadata from
url = input("Enter URL >>> ")

# Send an HTTP GET request to the URL (with a timeout so the script cannot hang)
try:
    response = requests.get(url, timeout=10)
except requests.RequestException as exc:
    raise SystemExit(f"Request failed: {exc}")

# Check if the request was successful
if response.status_code == 200:
    # Parse the HTML content of the web page
    soup = BeautifulSoup(response.text, "html.parser")

    # Extract metadata tags such as <title>, <meta name="description">, etc.
    # .get("content") avoids a KeyError when a <meta> tag has no content attribute
    title_tag = soup.find("title")
    title = title_tag.text.strip() if title_tag else None
    description_tag = soup.find("meta", {"name": "description"})
    description = description_tag.get("content") if description_tag else None
    keywords_tag = soup.find("meta", {"name": "keywords"})
    keywords = keywords_tag.get("content") if keywords_tag else None

    # Print or use the extracted metadata
    print(f"Title: {title}")
    print(f"Description: {description}")
    print(f"Keywords: {keywords}")
else:
    print(f"Failed to retrieve the web page. Status code: {response.status_code}")
```
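The web server information item above relies on reading the headers returned by curl -I. As an added example that is not part of the original write-up, the script below parses a constructed sample of that output and reports which headers disclose server software (and which version strings they leak) and which hardening headers are absent; the header lists and the sample response are assumptions, not captured from a real host.

```python
import re

# Headers that commonly reveal server software or frameworks (assumed list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Hardening headers a defender expects on a public site (assumed list).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")

# Constructed sample of `curl -I` output; not captured from a real host.
SAMPLE = """HTTP/1.1 200 OK
Date: Tue, 26 Sep 2023 10:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
"""


def parse_curl_head(raw):
    """Split `curl -I` output into (status line, {lowercased name: value})."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = lines[0] if lines else ""
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            continue  # skip blank lines or text that is not a header
        name, value = ln.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def footprint(headers):
    """Report disclosed software (with versions) and missing hardening headers."""
    disclosed = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    # Product/version tokens such as "Apache/2.4.41" or "PHP/7.4.3"
    versions = []
    for value in disclosed.values():
        versions.extend(re.findall(r"[A-Za-z][\w.-]*/\d[\w.]*", value))
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    return {"disclosed": disclosed, "versions": versions, "missing": missing}


if __name__ == "__main__":
    status, hdrs = parse_curl_head(SAMPLE)
    report = footprint(hdrs)
    print(status)
    print("Disclosed:", report["disclosed"])
    print("Versions:", report["versions"])
    print("Missing hardening headers:", report["missing"])
```

From the defender's side, the same report shows which version strings should be suppressed in the server configuration and which hardening headers still need to be added.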
Network and WHOIS Enumeration
- Network Range and CIDR: using this site we can get the CIDR range and ASN number for any domain.
- Find subdomains using the CIDR and ASN: amass intel -asn <ASN> OR amass intel -cidr <CIDR-Range> OR amass intel -whois -d <target.com>