Information Gathering Types:
In this section we will look at how to gather information about a target both actively and passively. What I call a target can be a person, a server and so on.
Information gathering is divided into active information gathering and passive information gathering. Passive information gathering means collecting information without ever contacting the target: the data comes from third parties such as registries, search engines and archives, so the target cannot notice us and we leave no trace on its systems. If you don't know what these are yet, don't worry, you will learn them all. Active information gathering is the opposite: our packets go to the target itself, so our probes show up in its logs. Spoofed or decoy source addresses can make it harder to tell who is scanning, but the traffic still reaches the target and is still recorded, so spoofing does not turn an active method into a passive one. Examples of active information gathering are DNS zone transfers and port scanning.
Active and Passive Information Gathering Detailed Narration:
Hello everyone, today we will talk about information gathering. Information gathering is also called reconnaissance (recon), and it is the first stage of ethical hacking. It is really the process of getting to know the target well: we look for interesting information about the target so that we can benefit from it in the later stages. There are two types of information gathering, the first is active information gathering and the second is passive information gathering.
Now I will briefly go over some information gathering steps; you can find each of them in more detail in the information gathering category on my blog.
Reverse DNS Lookup
If our target is a website, then alongside its registrar information, its DNS records and the platform or framework the site runs on, we can do a reverse IP lookup to learn which other websites are hosted on the same server.
In other words, with a quick reverse DNS lookup we can find the other sites on that server and look for vulnerabilities in them as well; a weak neighbour on a shared host is a way in, but only go after it if it is inside the scope you have been given.
Whois
If the target is a site, a whois lookup shows who registered the domain, through which registrar, when it was created and when it expires, the contact e-mail addresses given at registration, and its name server (NS) records. On Kali Linux this is simply whois site.com. For privacy, domain owners can hide these details behind a whois privacy service; some registrars offer this for free and others charge for it, and since GDPR many registries redact registrant contact data by default, so expect partially redacted output.
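The fields listed above are buried in free-form key: value text, so in practice you parse the whois output rather than read it by eye. The following is an added example written for this post, not code from the original, that extracts the registrar, dates, contact addresses and name servers from a whois response; the response itself is constructed (the domain, registrar and addresses are invented), the field names follow the layout that most registries return, and the live `whois_query` helper speaks the plain whois protocol to Verisign's server for .com names but is not called in the offline demo.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed whois response for this example; it is not real registry output
# for any domain, but follows the key: value layout most registries return.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-09T12:00:00Z
Registry Expiry Date: 2026-03-09T12:00:00Z
Registrant Email: REDACTED FOR PRIVACY
Admin Email: admin@example-target.com
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: NS2.EXAMPLE-TARGET.COM
DNSSEC: unsigned
"""

# Registries label the same field differently; map the variants to one name.
FIELD_ALIASES = {
    "registrar": ("registrar",),
    "created": ("creation date", "created"),
    "expires": ("registry expiry date", "expiry date", "expiration date"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_whois(text):
    """Reduce raw whois text to the facts that matter for recon: registrar,
    creation and expiry dates, contact e-mail addresses and name servers."""
    info = {"registrar": None, "created": None, "expires": None,
            "emails": set(), "name_servers": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "name server":
            info["name_servers"].add(value.lower())
            continue
        for field, aliases in FIELD_ALIASES.items():
            if key in aliases and info[field] is None:
                info[field] = value
        # Contact lines hold either an address or a privacy placeholder such
        # as "REDACTED FOR PRIVACY"; the regex simply skips the placeholder.
        for addr in EMAIL_RE.findall(value):
            info["emails"].add(addr.lower())
    return info


def _parse_ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def days_until_expiry(info, now=None):
    """Whole days left on the registration (negative once it has lapsed), or
    None if the expiry date is missing or not in the ISO-8601 form above.
    `now` may be passed as a timestamp string for reproducible checks."""
    if not info.get("expires"):
        return None
    try:
        expires = _parse_ts(info["expires"])
        current = _parse_ts(now) if now else datetime.now(timezone.utc)
    except ValueError:
        return None
    return (expires - current).days


def whois_query(domain, server="whois.verisign-grs.com", timeout=10):
    """Live lookup over the plain-text whois protocol (TCP port 43), which is
    what `whois site.com` on Kali does for .com/.net names. Needs network
    access, so the offline demo below does not call it."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    result = parse_whois(SAMPLE_WHOIS)
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
    print("days until expiry:", days_until_expiry(result))
```

The expiry date is worth keeping: a domain that lapses can be re-registered by anyone, and the name servers tell you which DNS provider to look at in the next step.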
Traceroute
Network mapping can be done by typing tracert site.com at the Windows command prompt (traceroute site.com on Linux). This lists every router hop between us and the target's IP address, that is, the server, which gives a rough map of the network in front of it. The probes travel all the way to the target, so this is an active step.
Nmap – Recon
Nmap is the most important active information gathering tool. It discovers live hosts, scans ports, identifies the services and versions behind them (-sV) and can even check for known vulnerabilities with its own NSE scripts (--script vuln). You will need to learn this tool well.
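To show why port scanning counts as active information gathering, here is an added example (my own code for this post, not part of Nmap or the original text) that plays both sides on localhost: a stand-in "target" service records the source address of every connection it receives, as a web server or firewall log would, and a minimal TCP connect scan, the same idea as nmap -sT, probes a few ports around it. The open port is found, and the scanner's address is now in the target's log; port numbers are chosen by the OS at run time.

```python
import socket
import threading
import time


def start_target(host="127.0.0.1"):
    """Stand-in for the target: a TCP service on an ephemeral localhost port
    that records the source address of every connection it receives, the way
    a web server's access log or a firewall log would."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(16)
    srv.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            log.append(peer)     # this entry is the trace the scanner leaves
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], log, stop


def tcp_connect_scan(host, ports, timeout=0.3):
    """Minimal TCP connect scan, the same idea as `nmap -sT`: complete a full
    three-way handshake on each port, so every probe is visible to the target."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the connect succeeded
                open_ports.append(port)
    return open_ports


def demo():
    """Scan a small window around the listening port and return what the
    scanner found alongside what the target logged."""
    port, log, stop = start_target()
    lo, hi = max(1, port - 2), min(65535, port + 2)
    found = tcp_connect_scan("127.0.0.1", range(lo, hi + 1))
    # accept() runs in the other thread; give it a moment to record the hit
    deadline = time.time() + 2
    while not log and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    return port, found, list(log)


if __name__ == "__main__":
    port, found, log = demo()
    print(f"scanner: open ports {found} (listener was on {port})")
    print(f"target log: connections from {log}")
```

A SYN scan (nmap -sS) never completes the handshake, so the application never calls accept() and logs nothing, but the half-open connection is still visible to the kernel, IDS sensors and firewall logs; decoys (nmap -D) only add noise around your real address. Either way the target is touched, which is the whole distinction from the passive methods in this post.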
I think e-mail collection may be the last step of passive information gathering: once exploit research in a pentest is finished, social engineering follows, and it is aimed at the e-mail addresses we found, so collecting them can be the last thing we do. Metasploit has an e-mail collector module for this (auxiliary/gather/search_email_collector); I will explain it in a separate topic, so just keep this in mind for now.
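What an e-mail collector actually does is pull addresses out of pages it already has (search results, a contact page, a cached document) and keep the ones that belong to the target. The following added example, written for this post rather than taken from Metasploit or the original, does that over a few constructed page snippets (the domain and addresses are invented): it decodes HTML entities, undoes the common "name [at] domain [dot] com" obfuscation, and discards addresses at look-alike domains that merely contain the target's name.

```python
import re
from html import unescape

# Constructed page contents standing in for search-engine results or a crawled
# contact page; the domain and every address here are illustrative only.
SAMPLE_PAGES = [
    "<p>Contact: <a href='mailto:ceo@example-target.com'>CEO</a> or hr@example-target.com</p>",
    "Press: press&#64;example-target.com &middot; Partner: sales@other-company.net",
    "Obfuscated: admin [at] example-target [dot] com, support (at) example-target (dot) com",
    "Not ours: info@sub.example-target.com.evil.io; ours: helpdesk@mail.example-target.com "
    "and ceo@example-target.com again",
]

# Undo the usual anti-scraper spellings before matching.
DEOBFUSCATE = [
    (re.compile(r"\s*[\[\(]\s*at\s*[\]\)]\s*", re.I), "@"),
    (re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.I), "."),
]
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)


def normalise(text):
    """HTML entities (&#64; for @) and bracketed at/dot back to plain text."""
    text = unescape(text)
    for pattern, replacement in DEOBFUSCATE:
        text = pattern.sub(replacement, text)
    return text


def harvest_emails(pages, domain):
    """Unique, lower-cased addresses whose host is the target domain or one
    of its subdomains; anything else (partners, look-alike domains) is dropped."""
    domain = domain.lower()
    found = set()
    for page in pages:
        for addr in EMAIL_RE.findall(normalise(page)):
            addr = addr.lower()
            host = addr.rsplit("@", 1)[1]
            # suffix check on ".domain" stops "example-target.com.evil.io"
            if host == domain or host.endswith("." + domain):
                found.add(addr)
    return sorted(found)


if __name__ == "__main__":
    for addr in harvest_emails(SAMPLE_PAGES, "example-target.com"):
        print(addr)
```

The same filter is what keeps a real harvester from handing the social-engineering phase a list padded with partners' and lookalike domains' addresses.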
Finding subdomains is part of passive information gathering. Subdomains are names under the target's domain: site.com is the domain and xx.site.com is one of its subdomains. A vulnerability we find in a subdomain can give us a way into the target's systems, and subdomains often run older or less maintained applications than the main site.
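One genuinely passive way to list subdomains is to read the certificate transparency logs, where every TLS certificate issued for the domain is recorded by the CA, so we never send a packet to the target. The added example below is my own code for this post, not from the original: it parses records in the shape crt.sh returns for https://crt.sh/?q=%25.example-target.com&output=json (a list of objects whose name_value field holds one or more newline-separated names, which is my assumption about that API), normalises case and wildcards, and throws away names that only contain the target domain as a prefix. The records are constructed; the live fetch_ct helper needs network access and is not called offline.

```python
import json
import urllib.request

# Constructed records in the shape crt.sh returns; the entries are invented.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example-target.com",
     "name_value": "www.example-target.com\nexample-target.com"},
    {"common_name": "*.example-target.com",
     "name_value": "*.example-target.com"},
    {"common_name": "VPN.Example-Target.com",
     "name_value": "VPN.Example-Target.com\nmail.example-target.com"},
    {"common_name": "example-target.com.attacker.net",
     "name_value": "example-target.com.attacker.net"},
])


def subdomains_from_ct(raw_json, domain):
    """Unique host names under `domain` taken from CT log search results.
    Wildcard entries collapse to their parent and case is normalised, since
    DNS names are case-insensitive but certificates are not always tidy."""
    domain = domain.lower()
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            # suffix check, so "example-target.com.attacker.net" is rejected
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def fetch_ct(domain, timeout=30):
    """Live query against crt.sh (assumed endpoint and output format).
    Network only; the offline demo below uses the constructed sample."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for name in subdomains_from_ct(SAMPLE_CT_JSON, "example-target.com"):
        print(name)
```

Resolving each name afterwards (to see which ones still exist and where they point) is the moment the work stops being passive for the target's own DNS servers, so do that as a separate, deliberate step.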
By using the web.archive.org site (the Wayback Machine), we can examine what the target site looked like and what it published in the past; old pages, forgotten files and content that has since been removed can sometimes be very useful.
Google and Bing
Google and Bing search engines play a big role in information gathering. Especially on Google, we will learn search operators such as site:, inurl: and intitle:, and use them to find files on the target site (for example site:target.com filetype:pdf).
We can clone the site with HTTrack; maybe we will find some important information in the downloaded copy, who knows? Keep in mind that mirroring fetches every page from the target's server, so unlike the search-engine and archive steps it is active.
If our target is a person, we can research them on social media and on people-search sites such as pipl.com and peekyou.com.
With a link extractor we can list every link on a page, see which ones redirect and examine the sites they point to.
There is more, but you will gradually see all of it in this category.