Information Gathering - Study Guide

Information Gathering, also known as reconnaissance or enumeration, is a critical phase in the ethical hacking process. It involves systematically collecting and analyzing data about a target system or network to gather intelligence, identify vulnerabilities, and assess potential security risks. The purpose of information gathering in ethical hacking is to understand the target system's architecture, configuration, and potential weaknesses to assist in vulnerability assessment and penetration testing.

Information gathering can be passive or active, and it may involve both technical and non-technical methods.

Passive

Passive information gathering typically involves using publicly available information, such as domain name registrations, WHOIS records, DNS queries, search engine queries, social media profiles, and other publicly accessible data.

Active

Active information gathering, on the other hand, involves actively scanning and probing the target system or network using various techniques and tools to collect information, such as port scanning, service identification, OS fingerprinting, and network mapping.

Some common techniques used in information gathering in ethical hacking include:

1. Open Source Intelligence (OSINT): Collect publicly available information from sources such as search engines, social media, online forums, and public databases.

2. Network Scanning: Conduct scans of target networks to identify live hosts, open ports, and services running on those ports using tools like Nmap, Netcat, and Wireshark.

3. Enumerating Services: Identifying services running on the target system and gathering information about their versions, configurations, and potential vulnerabilities using tools like banner grabbing, service fingerprinting, and protocol analysis.

4. DNS Enumeration: Extracting DNS (Domain Name System) information from the target system or network to identify subdomains, mail servers, and other DNS-related information using tools like Dig, DNSenum, and DNSRecon.

5. Social Engineering: Collecting information through social engineering techniques, such as phishing, pretexting, and elicitation, to exploit human vulnerabilities and gather sensitive information.

6. WHOIS Lookup: Collect information about domain names, such as domain registrants, contact information, and registration dates, using WHOIS lookup tools.

7. Google Hacking: Using advanced search techniques and operators in search engines like Google to discover vulnerabilities, misconfigurations, or sensitive information on the target system.