An information gathering endeavor is the pen tester locates publicly available information related to the target and seeks ways that could be exploited to get into the systems.
There are two types information gathering methods
Passive information gathering refers to gathering as much information as possible without establishing contact between the pen tester (yourself) and the target about which you are collecting information.
Active information gathering involves contact between the pen tester and the actual target. When you actively query systems to gain the information you are moving to a dark legal situation as most countries prohibit attempts to break into systems without the necessary permission.
Table of Contents
Information to be collected
Here are some typical information a pen tester would like to collect
Shodan is a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Shodan currently returns 10 results to users without an account and 50 to those with one.
Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows.
city: find devices in a particular city.
country: find devices in a particular country.
geo: search for specific GPS coordinates. geo:”31.8639, 117.2808″
hostname: find values that match the hostname.
product: search the name of the software or product identified in the banner.
os: search based on operating system.
port: find particular ports that are open.
before/after: find results within a timeframe.
org: search specific organization or company. org:”google”
isp” search specific ISP. isp:”rogers”
1. Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word. Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).
2. Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains. Usage: “Server:IIS” host name: domain name Host name: domain name
3. Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet. Usage: For scanning an IP address: net: 184.108.40.206(any IP) For scanning a subnet: net: 220.127.116.11/24
4. Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80). Usage: Service port number Example: IIS port: 80
5. Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS. Usage: Service: OS: OS name Example: IIS “OS: OSName”
6. After/before: This option helps or returns the query, changed or unchanged before. Example: apache after: 22/03/2010 before: 4/6/2010 Example: apache country: CH after:22/03/2010 before: 4/6/2010
From Kali terminal :
search operators and tips:
“” : exact phrase . “Penetration Testing”
– : excluded words. “Web Cam” -Cisco
~ : Similar Words. ~mobile phone. Search the results with the word “phone”, as well as “cell “, “cellular “, “wireless “, etc.
define: find meanings. define:cybersecurity. Search the links to definitions of the word “cybersecurity”
site: Limit results to those from a specific website.
link: linked page. searches for webpages that link to a particular website
inurl: displays all pages and sub-pages that contain the search term in the URL. inurl:asp?id= , inurl:php?id= intext: Find pages containing a certain word (or words) somewhere in the content. filetype: Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. The “ext:” operator can also be used—the results are identical. intitle: Find pages with a certain word (or words) in the title info: cache: Returns the most recent cached version of a web page