Top Information Gathering Methods Explained
Information gathering, also known as footprinting or reconnaissance, is the first step of security testing against any target, and it is used by both hackers and security professionals.
Sometimes information gathering alone is enough for a hacker to break into a system.
Difference Between Passive and Active Information Gathering
Footprinting can be passive or active. Passive footprinting collects information without the target's owner knowing it, while active footprinting interacts with the target directly, leaves tracks, and can alert the target's sensors.
What type of information to collect
Generally, there are three types of information that can be identified through information gathering.
- Network information: domain names, IP addresses, websites, protocols used, VPNs, authentication mechanisms, and the list of network systems.
- System information: users, system banners, SNMP information, system architecture, operating systems, usernames, and passwords.
- Organization information: employee details, the organization's website, location details, addresses and phone numbers, security policies in place, social media posts, news articles, and press releases.
Information gathering sources
The goal of information gathering is to collect as much information as possible about the target, so any source that can tell us something about the target is valuable.
Some common sources for information gathering are as follows:
- IP and Ports
- Social media
- Address books and offline sources
Let’s see what kind of information we can get from each source.
Security testing starts with one or more targets. By targets, we mean domain names or IP addresses. The place to find out more about domains and IPs is the Domain Name System (DNS). Using DNS footprinting (also called DNS interrogation) we can find the IP addresses corresponding to a domain name and vice versa. Another good place to find the subdomains of a domain is Google search.
Tools for DNS interrogation: NSlookup, Dns enumerator, Sam Spade
Who is the owner of a domain or IP address? WHOIS is a query and response protocol that answers this question. You can look up any domain or IP in public WHOIS databases to get information such as the expiration date, the current registrar, and registrant details.
Tools: Google for “Whois”
IP and Ports
After collecting IP addresses, we should look for open ports and running services. Using tools like Ping, Telnet, and Nmap you can determine which IPs are live and which services are running.
⛔ WARNING: IP and port scanning is an active footprinting technique, and performing it without authorization is illegal in some countries.
Once you've found an open port, you can do banner grabbing to learn more about the service running behind it. Many services include information such as the service version and OS name in their responses. This information is known as a banner, and fetching it is called banner grabbing.
For example, in the exchange below an HTTP request is sent to the target, and the server's response reveals the web server name and version and the underlying operating system (the server rejects the request because HTTP/1.1 requires a Host header, but even its error response carries the banner).
```
$ nc target 80
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 27 Jun 2021 07:54:12 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 306
Connection: close
Content-Type: text/html; charset=iso-8859-1
```
Tools for IP and port scanning: Ping, Telnet, NetCat, Nmap, SuperScan
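The response above is exactly the kind of output a defender should audit on their own servers. The following is an added example, not code from the original post: a small checker that parses a raw HTTP response, flags headers that disclose a version or OS (as the Server header does above), and also flags verbose error messages in the body. The sample response and the header and error-pattern lists are constructed for illustration.

```python
import re

# Constructed sample in the shape of the netcat banner grab above (not a real host)
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sun, 27 Jun 2021 07:54:12 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "\r\n"
    "<html><body>Warning: mysql_connect(): Access denied</body></html>"
)

# Headers that commonly carry product names, versions or OS details
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
OS_RE = re.compile(r"\b(Debian|Ubuntu|CentOS|Red Hat|Win32|Win64|Unix|FreeBSD)\b", re.I)
# Body fragments typical of verbose application error pages
ERROR_PATTERNS = (
    "Traceback (most recent call last)",
    "You have an error in your SQL syntax",
    "Warning: mysql_",
    "Stack Trace:",
)

def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_leaks(raw):
    """Return (location, evidence, kind) tuples for every disclosed detail found."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in LEAKY_HEADERS:
        value = headers.get(name, "")
        if VERSION_RE.search(value):
            findings.append((name, value, "version"))
        if OS_RE.search(value):
            findings.append((name, value, "os"))
    for pattern in ERROR_PATTERNS:
        if pattern in body:
            findings.append(("body", pattern, "error-message"))
    return findings
```

On Apache, the ServerTokens Prod and ServerSignature Off directives trim the Server header and error pages to the product name only, which removes the version and OS findings this check reports.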
Social media sites are growing more than ever and are now part of our day-to-day lives. People sometimes share detailed information on public pages without realizing that it can be abused by malicious users. Facebook, Instagram, LinkedIn, and other social media sites are places where users share valuable information.
Address Books and Offline Sources
Looking into address books and trash bins, or simply asking people, are among the oldest information gathering methods.
In the IT world, dumpster diving refers to retrieving information from discarded items that could be used to carry out an attack or gain access to a computer network.
Website Information Gathering
Websites can reveal important information like server technologies, CMS, backend database, email addresses, and much more.
You can read our previous post to learn more about passive information gathering methods on websites.
Generally speaking, the active scanning methods that can be used for information gathering are fuzzing, testing for misconfigurations, and testing for known vulnerabilities.
Fuzzing refers to sending crafted, manipulated requests to the web server to trick it into yielding information. Trying inputs the web application does not expect can make it throw a detailed error message, and such messages can reveal the OS, server-side technologies, the database, and much more. The way the web server behaves (how it responds to a request) can also reveal information such as the web server type.
Testing for misconfigurations: using default or insecure configurations is a common mistake that leaves valuable information unprotected. For example, a badly configured Apache web server can show a huge amount of information on
Misconfigurations can be found anywhere. Another example is an SNMP service that still uses the default "public" community string, which can disclose a tremendous amount of information about the system running the service.
Testing for known vulnerabilities: you may have heard of the Heartbleed bug, which allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. Using similar bugs and vulnerabilities is another method for collecting target information.
What to do with Collected Information
The next steps after information gathering are scanning and gaining access to the target. Sometimes (if you're lucky) you find information such as passwords that allow direct access to the systems, but most of the time you only learn the type of OS, web server, or database.
How to Protect Against Information Gathering
You should try to eliminate the disclosure of sensitive information. Below are some best practices you can use to achieve this.
- Classify which types of information can be kept public.
- Don't publish unnecessary information in any profile, social networking account, or website.
- Keep internal DNS and external DNS separate.
- Restrict DNS zone transfers to authorized servers, or disable them entirely.
- Establish a disposal policy where all papers are shredded before being recycled.
- Educate your employees to prevent unwanted information disclosure.
- Audit and scan your website and network for any information leakage.
- Keep your systems updated.
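As an added example that is not from the original post, the zone transfer rule above expressed as BIND named.conf fragments: the weak setting that lets any client pull the whole zone beside the corrected one. The zone name example.com, the file path, and the secondary's address 192.0.2.20 are constructed placeholders.

```conf
// Weak: any client on the Internet may request a full zone copy (AXFR),
// handing an attacker every hostname and address you publish.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// Corrected: deny transfers globally in options, then allow only the
// secondary name server that legitimately needs the zone.
options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.20; };
};
```

The per-zone allow-transfer overrides the global none, so any zone without its own entry stays closed.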