Hands-on: Passive Target Information Gathering (en)
For hands-on ethical hacking using Kali Linux 2024.3, we can passively collect target information as part of the reconnaissance stage. Passive information gathering is the process by which we collect data without directly interacting with the target. Here are the steps and examples of tools that can be used:
Using WHOIS
WHOIS is a service that allows us to obtain domain-related information such as registrant, contact details, and expiration date.
Steps:
- Open a terminal in Kali Linux.
- Run the following command:
whois example.com
Example: If we run `whois kali.org`, we can find domain registration information, DNS servers, registration dates, and others.
DNS Enumeration with `dig` and `dnsenum`
DNS (Domain Name System) information is very important in the information gathering process. We can check the DNS server, mail server, and other records of the target.
Steps:
- Use `dig` to get DNS information.
dig example.com
- For more in-depth DNS Enumeration, use `dnsenum`:
dnsenum example.com
Example: Using `dig kali.org` can return the IP address of the domain and additional information such as mail exchange (MX) and name server (NS).
Using `theHarvester`
'theHarvester` is a very useful tool for collecting emails, subdomains, hosts, and usernames from open sources such as search engines.
Steps:
- Run `theHarvester` to find information related to a specific domain.
theHarvester -d example.com -b anubis theHarvester -d kali.org -l 500 -b duckduckgo
You can use sources like Bing, fullhunt, hunternow, and others, such as,
- bevigil - Free upto 50 queries. Pricing can be found here: https://bevigil.com/pricing/osint
- binaryedge - $10/month
- bing
- bufferoverun - uses the free API
- censys - API keys are required and can be retrieved from your Censys account.
- criminalip
- fullhunt
- github
- hunter - limited to 10 on the free plan, so you will need to do -l 10 switch
- hunterhow
- intelx
- netlas - $
- onyphe -$
- pentestTools - $
- projecDiscovery - invite only for now
- rocketreach - $
- securityTrails
- shodan - $
- tomba - Free up to 50 searches.
- zoomeye
Example: If you run `theHarvester -d kali.org -b zoomeye`, you can get a list of emails and subdomains registered to that domain based on Google results.
Censys or Shodan for IoT Information
Shodan or Censys can be used to search for internet-connected devices that have vulnerabilities. This is a way to gather more information without interacting directly with the target.
Steps:
- Shodan:
shodan host <IP_address>
- Censys:
You must register first, then use the Censys API to search for target devices.
Example: If you use Shodan to look up the IP address of a target, you may be able to see IoT devices or services running on the target.
Social Media Gathering with `Maltego`
Maltego is a powerful tool for gathering information from social media. You can use it to identify relationships between accounts, locations, and other data.
Steps:
- Launch Maltego and select the type of entity you want to search for (e.g., domain names or social media accounts).
- Perform a transformation to see the relationships and information available.
Example: Using Maltego to analyze someone's social media profile can provide data about their personal and professional connections that may be useful in the attack process.
Website Metadata with `whatweb`
`whatweb` allows you to gather information about the technologies used by a website (CMS, framework, server, etc.).
Steps:
- Run the following command to identify the technology behind a website.
whatweb example.com
Example: Using `whatweb` on a target site like `example.com` may reveal that the site uses WordPress, Apache as its web server, and various plugins that could be points of vulnerability.
Summary
Passive information gathering is an important step in ethical hacking because it allows us to understand the target without leaving a trace. Tools like `whois`, `dig`, `theHarvester`, Shodan, and Maltego are very effective to use on Kali Linux 2024.3 to gather data before moving on to the exploitation stage.