Information gathering is the first and foundational step in a successful penetration test. The more useful information you have about a target, the more vulnerabilities you are able to find in it, and hence the more serious problems you can demonstrate by exploiting them. In this article, I discuss ten information gathering techniques for penetration testing of IT infrastructure.
(1) Whois Lookup (http://whois.domaintools.com)
It helps in identifying the owner of a target, the hosting company, the location of servers, IP addresses, server type, etc.
(2) Identify technologies of the target web application
It helps in identifying the technologies used in the development of the web application, and in spotting outdated software modules among them. Later you can search for exploits on www.exploit-db.com to further demonstrate the issues in the web application. The following resources can be used to identify the technologies of a target:
- Netcraft site report (https://toolbar.netcraft.com/site_report)
(3) Robtex (https://www.robtex.com/)
This resource is perfect for gathering information related to DNS.
(4) Subdomain Enumeration
Subdomain enumeration is a technique to identify subdomains registered to the organization, including unused or forgotten ones. Many tools are available for subdomain enumeration; Knockpy and Sublist3r are two of them.
- Download Link (Knockpy): https://github.com/guelfoweb/knock
- Download Link (Sublist3r): https://github.com/aboul3la/Sublist3r
The video below helps with installation and explains the usage of the knockpy tool.
(5) Shodan (https://www.shodan.io/)
It is considered the first search engine for identifying assets connected to the internet. It helps in identifying misconfigured IoT devices (such as cameras) and IT infrastructure, and also helps to monitor the network security of an organization.
(6) Certificate Transparency (CT) (https://www.certificate-transparency.org/)
Certificate Authorities (CAs) need to publish all SSL/TLS certificates they issue. This portal is open to the public: anyone can search the CT logs and identify the certificates issued for a particular domain.
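As an added example (not from the original article), the script below parses a CT log query result of the shape crt.sh returns and turns it into the subdomain list that techniques (4) and (6) describe, keeping only names that genuinely belong to the target domain and flagging hosts absent from the defender's own asset inventory. The JSON records and the inventory are constructed sample data, and `crt.sh`-style field names are assumed.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of a crt.sh JSON response: one record per
# logged certificate, with the subject names newline-separated in name_value.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "old-staging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test\nWWW.Example.com"},
])


def parse_ct_names(raw_json: str, domain: str) -> Dict[str, Set[str]]:
    """Map each in-scope hostname to the set of issuers that logged a cert for it."""
    domain = domain.lower().rstrip(".")
    hosts: Dict[str, Set[str]] = {}
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            # Keep the apex and its real subdomains only; a lookalike such as
            # example.com.evil.test must not be treated as in scope.
            if name and (name == domain or name.endswith("." + domain)):
                hosts.setdefault(name, set()).add(entry.get("issuer_name", "?"))
    return hosts


def triage(hosts: Dict[str, Set[str]], inventory: Set[str]) -> Dict[str, List[str]]:
    """Split discovered hosts into known assets, unknown hosts and wildcard certs."""
    inv = {h.lower() for h in inventory}
    names = set(hosts)
    return {
        "wildcard": sorted(n for n in names if n.startswith("*.")),
        "unknown": sorted(n for n in names if not n.startswith("*.") and n not in inv),
        "known": sorted(n for n in names if n in inv),
    }


if __name__ == "__main__":
    found = parse_ct_names(SAMPLE_CT_JSON, "example.com")
    # Constructed inventory: what the organization believes it exposes.
    report = triage(found, {"example.com", "www.example.com"})
    for bucket, names in report.items():
        print(bucket, names)
```

An "unknown" host such as a forgotten staging system is exactly the kind of asset a penetration test will probe, so this is worth running against your own domains before someone else does.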
(7) Discovering Sensitive Files
Many tools are available for finding the URLs of sensitive files. One such tool is dirb, a web content discovery tool.
(8) American Registry for Internet Numbers (ARIN)
The ARIN organization manages IP address numbers for the U.S. and its assigned territories. By using the URL below, you will get a lot of information related to an organization's systems configuration from public domain sources.
(9) Autonomous System Number (ASN)
To identify the ASN of an organization, search https://bgp.he.net/ by keyword.
(10) Port Scanning
Port scanning identifies open web ports and other useful information such as operating system, device type, MAC addresses, etc. when given a URL or IP.
- Nmap (https://nmap.org/)
- Masscan (https://github.com/robertdavidgraham/masscan)
Google: Ultimate Tool for Information Gathering
By using multiple Google search operators, you can find sensitive data lying unattended on the internet, for example:
site:google.com -site:www.google.com filetype:pdf
The tools and resources above help a lot in expanding the horizon of a successful penetration test.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.