Passive Reconnaissance

A stealthy OSINT approach to collect data without direct interaction with target systems, minimizing detection risk.
Passive methods build the initial profile and guide later phases.

  • Public Source-Code Repositories
    • Platforms: GitHub, Bitbucket, SourceForge
    • Risks: Hostnames, IP addresses, database servers, service configurations, credentials
    • Examples:
      • Hard-coded DB credentials in code
      • Deployment scripts exposing environment variables
  • Image & Archived-Site Search
    • Tools: Wayback Machine, TinEye, Google Image Search, web-cache viewers
    • Use: Recover deleted directories, old press releases or UIs that reveal infrastructure details
  • DNS Enumeration (dig)
    • Purpose: Extract A/MX/NS/TXT records to map domains ↔ IPs, uncover subdomains and mail servers
    • Advantage: Completely passive—no direct packets to target systems
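The repository risks listed above are easiest to address before code is pushed. The following is an added example (not code from the original notes or from any tool they mention) of a small pre-commit style scanner: it runs a handful of generic patterns over a set of files and reports hard-coded passwords, credentials embedded in connection URLs, internal hostnames and private IPv4 addresses. The file contents, hostnames and addresses in `SAMPLE_FILES` are constructed for the example; the rule names and regexes are this example's own and deliberately simple.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample repository contents (invented for this example, not from any real project).
SAMPLE_FILES: Dict[str, str] = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export DB_HOST=db01.internal.example.test\n"
        "export DB_PASSWORD='s3cr3t-example'\n"
        "./migrate --target 10.0.5.23\n"
    ),
    "settings.py": (
        "DATABASES = {'default': {'HOST': 'db01.internal.example.test', 'PASSWORD': 'example-pass'}}\n"
        "CACHE_URL = 'redis://:cachepass@cache.internal.example.test:6379/0'\n"
        "DEBUG = False\n"
    ),
    # Mentions the variable name only; should not be reported.
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

# (rule name, pattern). A named group "value" marks the secret so it can be redacted in reports.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("hardcoded-password",
     re.compile(r"""(?i)(pass(word)?|pwd|secret)\b\s*['"]?\s*[:=]\s*['"](?P<value>[^'"\s]+)['"]""")),
    ("credential-in-url",
     re.compile(r"""\b[a-z][a-z0-9+.-]*://[^/\s:@]*:(?P<value>[^/\s@]+)@[^\s'"]+""")),
    ("internal-hostname",
     re.compile(r"\b[a-z0-9.-]+\.internal\.[a-z0-9.-]+\b", re.I)),
    ("private-ipv4",
     re.compile(r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
]


def redact(value: str) -> str:
    """Keep the first two characters so a finding is recognisable without reprinting the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path: str, text: str) -> List[dict]:
    """Run every rule over every line of one file and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.groupdict().get("value")
                findings.append({
                    "file": path,
                    "line": line_no,
                    "rule": rule,
                    "match": redact(secret) if secret else m.group(0),
                })
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> contents (what a pre-commit hook would hand over)."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['match']}")
```

Run against the constructed files it reports seven findings (two hard-coded passwords, one credential in a URL, three internal hostnames and one private address) and stays silent on the README, which only names the variable. In a real hook the findings would block the commit; the patterns here are a starting point, not a substitute for a dedicated secret scanner.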

Network Sniffing

Capturing live traffic to reveal network topology, active hosts, and protocol weaknesses.

  • Packet Capture (PCAP)
    • Capture via tcpdump, analyze .pcap in Wireshark
    • Supports replaying interactions, diagnosing intermittent issues, and post-incident forensics
  • Wireshark
    • Filtering: By protocol, IP address, port number
    • Use Cases:
      • Troubleshoot connection errors
      • Decode IoT/OT protocols (e.g., MQTT, Modbus) with dedicated dissectors
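To make the PCAP bullet concrete, here is an added example (not from the original notes, and not Wireshark or tcpdump code) that builds a tiny classic libpcap file in memory, then parses it back the way a forensic tool would: global header, per-packet record headers, Ethernet, IPv4 and TCP/UDP headers. The summary step flags connection attempts to ports whose default protocols are cleartext, the kind of finding a capture review is meant to surface. All addresses, ports and frames are constructed; checksums are left at zero because nothing here is sent on a wire.

```python
import socket
import struct
from typing import List, Optional, Set, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic number (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
# Ports whose default protocols carry credentials or payloads in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame (no options, zero checksums) for offline parsing."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes], base_ts: int = 1714557600) -> bytes:
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet -> IPv4 -> TCP/UDP; returns None for frames this example does not handle."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes, honours IP options
    proto = ip[9]
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": proto}
    l4 = ip[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP and len(l4) >= 14:
        rec["flags"] = l4[13]                # TCP flag byte: FIN, SYN, RST, PSH, ACK, URG ...
    return rec


def parse_pcap(data: bytes) -> List[dict]:
    """Walk the record headers; the magic number tells us the writer's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        rec = parse_frame(frame)
        if rec:
            rec["ts"] = ts_sec + ts_usec / 1e6
            records.append(rec)
    return records


def cleartext_connections(records: List[dict]) -> Set[Tuple[str, str, int, str]]:
    """Connection attempts (pure SYN, no ACK) towards well-known cleartext services."""
    hits = set()
    for r in records:
        flags = r.get("flags", 0)
        if r["proto"] == PROTO_TCP and flags & TCP_SYN and not flags & TCP_ACK \
                and r.get("dport") in CLEARTEXT_PORTS:
            hits.add((r["src"], r["dst"], r["dport"], CLEARTEXT_PORTS[r["dport"]]))
    return hits


# Constructed capture: an FTP handshake start, a TLS connection and a Telnet attempt.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 21, TCP_SYN),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 21, 51000, TCP_SYN | TCP_ACK),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 51001, 443, TCP_SYN),
    build_tcp_frame("10.0.0.7", "10.0.0.9", 40000, 23, TCP_SYN),
])

if __name__ == "__main__":
    for src, dst, port, name in sorted(cleartext_connections(parse_pcap(SAMPLE_PCAP))):
        print(f"{src} -> {dst}:{port} ({name}) uses a cleartext protocol")
```

The same `parse_pcap` function reads a real file written by tcpdump (`open(path, "rb").read()`) as long as it is the classic format with Ethernet link type; pcapng files start with a different magic and are rejected by the check. The SYN-ACK from port 21 is deliberately not reported: only the client-side connection attempt identifies who is using the cleartext service.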

Active Reconnaissance

Direct engagement with target services—higher risk of detection but yields precise, actionable data.

While riskier, active methods confirm hypotheses formed during passive and sniffing phases.

  • Port & Protocol Scanning
    • Nmap
      • TCP SYN Scan (nmap -sS): Half-open handshake to detect open TCP ports
      • UDP Scan (nmap -sU): Send UDP probes; whether an ICMP “port unreachable” reply comes back or nothing at all is what indicates the port's status
  • Banner Grabbing
    • Purpose: Identify service software and version details
    • Tools/Commands:
      • curl -I <URL>
      • Netcat:
        echo -en "GET / HTTP/1.0\n\n" | nc <host> 80 | grep Server
      • Nmap: nmap -sV --script=banner <host>
  • Application-Layer Enumeration
    • FTP (21): File transfers, cleartext credentials
    • SMTP (25): Open mail relay checks, header analysis
    • DNS (53): Zone transfers, record harvesting
    • HTTP/S (80/443): Web server fingerprinting
    • SMB (139/445): File-share enumeration
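The scans in this section are exactly what a defender's logs should catch. As an added example (not from the original notes, and not Nmap output), the block below parses a constructed firewall-style connection log and flags sources that open SYNs to many distinct host/port combinations inside a short window, the signature of a `-sS` sweep. It distinguishes a vertical scan (many ports on one host) from a horizontal one (one port across many hosts). The log format, addresses, window and threshold are all this example's own assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: one connection attempt per line (not a real firewall's syntax).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) flags=(?P<flags>\S+) action=(?P<action>\w+)$"
)

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE_LOG: List[str] = (
    # Vertical scan: one source probing twelve ports on one host within twelve seconds.
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.10 dst=198.51.100.5 dport={p} proto=tcp flags=S action=drop"
     for i, p in enumerate(SCAN_PORTS)]
    # Horizontal scan: one source probing port 445 on ten hosts.
    + [f"2024-05-01T10:05:{i:02d}Z src=203.0.113.99 dst=198.51.100.{i + 1} dport=445 proto=tcp flags=S action=drop"
       for i in range(10)]
    # Benign client: repeated connections to a single HTTPS service.
    + [f"2024-05-01T10:1{i}:00Z src=192.0.2.44 dst=198.51.100.5 dport=443 proto=tcp flags=S action=accept"
       for i in range(3)]
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def detect_syn_scans(lines: List[str], window_seconds: int = 60, threshold: int = 10) -> Dict[str, dict]:
    """Return one alert per source that hits >= threshold distinct (dst, dport) pairs within a window."""
    events = [e for e in map(parse_line, lines) if e and e["proto"] == "tcp" and e["flags"] == "S"]
    by_src: Dict[str, List[dict]] = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)

    alerts: Dict[str, dict] = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window start over each event
            targets, hosts, ports = set(), set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                targets.add((e["dst"], e["dport"]))
                hosts.add(e["dst"])
                ports.add(e["dport"])
            if len(targets) >= threshold:
                kind = "vertical" if len(hosts) == 1 else "horizontal" if len(ports) == 1 else "mixed"
                alerts[src] = {
                    "kind": kind,
                    "distinct_targets": len(targets),
                    "hosts": len(hosts),
                    "ports": len(ports),
                    "first_seen": start["ts"].isoformat(),
                }
                break                                # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, alert in detect_syn_scans(SAMPLE_LOG).items():
        print(f"{src}: {alert['kind']} scan, {alert['distinct_targets']} targets from {alert['first_seen']}")
```

Counting distinct host/port pairs rather than raw packet volume is what keeps the benign client out of the alert list: it opens three connections but always to the same pair. The UDP case from the same section would be detected the other way round, by counting ICMP port-unreachable messages the scanned host sends back per source, which this example does not implement.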

Web Reconnaissance

Mining web content and archives for hidden or historical data.

  • HTML Scraping
    • Tools: Browser “Inspect”, Beautiful Soup
    • Targets: HTML comments (<!-- … -->), meta tags (<meta>), script endpoints
  • Cached Pages
    • Google Cache: cache:<URL>
    • Wayback Machine: Archive snapshots to retrieve removed/altered pages
  • HTTP Header Analysis
    • Identify server type/version (e.g., Server: Apache/2.4.29)
    • Correlate versions to known CVEs (e.g., Optionsbleed in Apache 2.2.34)
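Everything this section lists as a reconnaissance target is something a site owner can check on their own responses before anyone else does. The following is an added example (not code from the original notes, and it uses the standard library's `html.parser` rather than Beautiful Soup) that audits one raw HTTP response: it reports a version-bearing `Server` header, an `X-Powered-By` header, a `<meta name="generator">` tag, HTML comments that contain sensitive keywords, and the script endpoints the page references. Both responses are constructed; the weak one shows the disclosures, the hardened one shows what a clean response looks like.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed responses for the example (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.2">'
    '<script src="/api/v1/internal/status.js"></script></head>'
    "<body><!-- TODO: remove before prod, staging db is db-stage.internal.example.test -->"
    "<p>Hello</p></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Hi</title></head><body><p>Hello</p></body></html>"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)+")                       # e.g. "Apache/2.4.29"
SENSITIVE_RE = re.compile(r"(?i)\b(todo|fixme|internal|staging|password|passwd|debug)\b")


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


class _Collector(HTMLParser):
    """Gather comments, <meta> tags and external script sources from the body."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []
        self.metas: List[Dict[str, str]] = []
        self.scripts: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            self.metas.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def audit_response(raw: str) -> List[dict]:
    """Return the disclosures found in one response, in header-then-body order."""
    _status, headers, body = parse_response(raw)
    findings: List[dict] = []
    server = headers.get("server")
    if server and VERSION_RE.search(server):
        findings.append({"rule": "server-version-disclosure", "detail": server})
    if "x-powered-by" in headers:
        findings.append({"rule": "x-powered-by-disclosure", "detail": headers["x-powered-by"]})

    collector = _Collector()
    collector.feed(body)
    for meta in collector.metas:
        if meta.get("name", "").lower() == "generator":
            findings.append({"rule": "generator-disclosure", "detail": meta.get("content", "")})
    for comment in collector.comments:
        if SENSITIVE_RE.search(comment):
            findings.append({"rule": "sensitive-comment", "detail": comment})
    for src in collector.scripts:            # informational: endpoints a scraper would collect
        findings.append({"rule": "script-endpoint", "detail": src})
    return findings


if __name__ == "__main__":
    for f in audit_response(WEAK_RESPONSE):
        print(f"[{f['rule']}] {f['detail']}")
    print("hardened response findings:", audit_response(HARDENED_RESPONSE))
```

The version check is what makes the CVE correlation in the last bullet possible, so a `Server` header reduced to the product name (as in the hardened response) removes that shortcut without hiding the server type from legitimate diagnostics. To audit a live site you would feed this function the bytes returned by `curl -i` against your own host, decoded as text.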

Summary: Passive methods establish stealthy groundwork; network sniffing uncovers real-time behaviors; active scans verify and expand findings; web reconnaissance recovers hidden or historical artifacts. Together, they form a comprehensive information-gathering strategy for Pentest+ engagements.