Information Gathering Techniques for Penetration Testing [Updated 2022]
Information Gathering is the first and foundation step in the success of penetration testing. The more useful information you have about a target, the more you can find vulnerabilities in the target and find more serious problems in the target by exploiting them (to demonstrate). In this article, I am discussing information gathering techniques for penetration testing of IT infrastructure.
(1) Whois Lookup (http://whois.domaintools.com)
It helps in identifying the owner of a target, hosted company, and location of servers, IP address, Server Type, etc. You need to just the domain name and you may will get the juicy information.
(2) Identify technologies of the target web application
It helps in identifying technologies used in the development of web applications. It also helps in determining the outdated modules of software used in development. Later you can search exploits on exploit-db.com to further demonstrate the exploitation of issues in the web application. I am listing out resources that can be used to identify technologies of target:
(3) Robtex (https://www.robtex.com/)
This resource is perfect for gathering information related to DNS. Click Here to know more methods of performing DNS Enumeration.
(4) Subdomain Enumeration
Subdomain Enumeration is a technique to identify unused subdomains registered with the organization. Many tools available for subdomain enumeration like Knockpy, sublist3r, etc. are some of them.
- Download Link (Knockpy): https://github.com/guelfoweb/knock
- Download Link (Sublist3r):https://github.com/aboul3la/Sublist3r
The below video helps in installation and explains the usage of knockpy tool.
(5) Shodan (https://www.shodan.io/)
It is considered the first search engine to identify assets that are connected t0 the internet. It helps identify the misconfigured IoT devices (like a camera), IT infrastructure and monitor an organization's network security.
(6) Certificate Transparency (CT) (https://www.certificate-transparency.org/)
Certificate Authority (CA) needs to publish all SSL/TLS certificates which they issue. This portal is open for the public and anyone can see the CT logs and identify certificates issue for a particular domain.
(7) Discovering Sensitive Files
Many tools are available for finding the URL of sensitive files. One such tool is dirb which is a web content discovery tool.
(8) American Registry for Internet Numbers (ARIN)
ARIN organization manages the IP address numbers for the U.S. and its assigned territories. By using the below URL, you will get a lot of information related to an organization's systems configuration from public domain sources.
(9) Autonomous System Number (ASN)
To identify ASN for the organization, use https://bgp.he.net/ by keyword.
(10) Port Scanning
To identify web ports and other useful information such as Operating System, device type, MAC addresses etc. by proving URL or IP.
Google: Ultimate Tool for Information Gathering
By using multiple google search options, you can find sensitive data lying unattended on the internet. Click Here to know more awesome queries that help you to get juicy information.
site:google.com -site:www.google.com filetype:pdf
For successful penetration testing, the above tools and resources help in expanding the horizon of the successful test. Also, it provides exposure to hidden targets that may be useful while assessing.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.