Codementor Events

Information Gathering for Network Vulnerability Assessment

Published Nov 29, 2018

Learn the importance of information gathering and about the various tools required to perform effective information gathering in this guest post by Sagar Rahalkar, the author of Network Vulnerability Assessment.

Information gathering is the first step in assessing network vulnerability. Before the target networks are scanned using vulnerability scanners, testers must be well aware of the assets involved in the scope of testing, so they can prioritize assets for scanning.

Why gather information?

"Give me six hours to chop down a tree and I will spend the first four sharpening the axe," goes a famous quote by Abraham Lincoln. This is relevant to the context of security assessment as well. It’s crucial that a majority of your time is spent in gathering as much information as possible prior to performing the assessment, so you have a 360-degree view of the system. Without it, the security assessment is as good as half-baked.

With enough information at your disposal, you can then proceed to plan the actual assessment effectively. Information gathering can be of two types: passive and active.

Passive information gathering

Passive information gathering involves no direct contact with the target. All the information is obtained through an intermediate source, which may be publicly available. The internet has many useful resources that can help you with passive information gathering.

The following diagram describes how passive information gathering works:

[Diagram: 1.PNG]

  1. The client system first sends a request to an intermediate system.
  2. The intermediate system probes the target system.
  3. The target system sends the result back to the intermediate system.
  4. The intermediate system forwards it back to the client.

Since there's no direct contact between the client and target systems, the client is partially anonymous to the target system. It’s time now to look at some passive information gathering techniques.

Reverse IP lookup

Reverse IP lookup is a technique used to probe any given IP address for all the domains it hosts. So, all you need to do is feed in the target IP address and you'll be returned all the domains hosted on that IP address. One such tool for reverse IP lookup is available online here. Note that reverse IP lookup works only on internet-facing websites and isn't applicable to sites hosted on an intranet.

Site report

Once you have the target domain, you can get a lot of useful information about it, such as its registrar, name server, DNS admin, the technology used, etc. Netcraft, available here, is a very handy tool for fingerprinting domain information online:

[Screenshot: 2.PNG]

Site archive and way-back

It's very common for any given site to undergo changes at regular intervals. Normally, when a site is updated, there's no way for end users to see its previous version. However, the site https://archive.org/ takes you to past versions of a given site, which can reveal pertinent information that isn't present in the latest version of the site:

[Screenshot: 3.PNG]

Site metadata

Getting access to the metadata of the target site can provide a lot of useful information. The site http://desenmascara.me gives you the metadata for any given target site. The metadata typically includes domain information, header flags, and so on, as shown in the following screenshot:

[Screenshot: 4.PNG]
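The header fingerprinting below is an added example, not code from the post or the book: it parses a constructed HTTP response (no live request is made, so it runs offline) and reports the kind of metadata a site-metadata lookup returns, namely disclosed server and framework versions, absent hardening headers, and cookies set without Secure or HttpOnly. The header names it checks are an assumed list, not taken from the page.

```python
"""Fingerprint a site from its HTTP response headers (added example, offline)."""
from typing import Dict, List

# Headers that reveal the technology stack to anyone who asks (assumed list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Hardening headers whose absence is itself useful intelligence (assumed list).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into {lowercase-name: [values]}."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw: str) -> dict:
    """Summarise what the headers disclose, what hardening is missing, and weak cookies."""
    h = parse_headers(raw)
    disclosed = {n: h[n][0] for n in DISCLOSURE_HEADERS if n in h}
    missing = [n for n in EXPECTED_HEADERS if n not in h]
    # A cookie is weak if either the Secure or the HttpOnly attribute is absent.
    weak_cookies = [c.split("=", 1)[0] for c in h.get("set-cookie", [])
                    if "httponly" not in c.lower() or "secure" not in c.lower()]
    return {"disclosed": disclosed, "missing": missing, "weak_cookies": weak_cookies}


# Constructed sample response; not captured from any real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 29 Nov 2018 10:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```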

Looking for vulnerable systems using Shodan

Shodan is a search engine that can provide interesting results from a vulnerability exploitation perspective. Shodan can be effectively used for finding weaknesses in all internet-connected devices, such as webcams, IP devices, routers, smart devices, industrial control systems, etc. Shodan can be accessed at https://www.shodan.io/.

The following screenshot shows the home screen of Shodan. You need to create an account and log in to fire search queries:

[Screenshot: 5.PNG]

As shown in the following screenshot, Shodan provides an out-of-the-box Explore option that provides search results belonging to the most popular search queries:

[Screenshot: 6.PNG]

The following screenshot shows the search results for online webcams. The search results can further be classified based on their geographical location:

[Screenshot: 7.PNG]

Advanced information gathering using Maltego

Maltego is an extremely powerful, capable, and specialized information gathering tool. It is a part of Kali Linux by default and has numerous sources through which it can gather information for any given target. From a Maltego perspective, a target could be a name, email address, domain, or phone number. You need to register a free account to access Maltego.

The following screenshot shows the Maltego home screen:

[Screenshot: 8.PNG]

The following screenshot shows a sample search result for the domain https://www.paterva.com. A search query is known as a transform in Maltego. Once a transform is complete, it presents a graph of the information obtained. All the nodes of the graph can be further transformed as required:

[Screenshot: 9.PNG]

theHarvester

Having email addresses belonging to the target system/organization can prove useful during later phases of penetration testing. theHarvester is a tool that helps you gather various email addresses belonging to your target system/organization. It uses various online sources to gather this information. The following screenshot shows the various parameters of theHarvester:

[Screenshot: 10.PNG]

The following syntax will execute theharvester on the domain demo.testfire.net and look for up to 20 email IDs using Google as the search engine. It will then save the results to output.html (the -f option writes the HTML/XML report):

root@kali:~# theharvester -d demo.testfire.net -l 20 -b google -f output.html

Active information gathering

Unlike passive information gathering, which involves an intermediate system for gathering information, active information gathering involves a direct connection with the target. The client probes for information directly with the target with no intermediate system in between.

While this technique may reveal much more information than passive information gathering, there's always a chance of security alarms going off on the target system. Since there's a direct connection with the target system, all the information requests would be logged and can later be traced back to the source.

The following diagram depicts active information gathering, where the client directly probes the target system:

[Diagram: 11.PNG]
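As an added example (not from the post), the detector below shows the trace that direct probing leaves on the target side: it reads constructed iptables-style LOG lines and flags any source that touches at least min_ports distinct ports on one host within window_s seconds. The log format, the 60-second window and the 10-port threshold are assumptions chosen for the example.

```python
"""Detect the footprint a direct port scan leaves in a firewall log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Pull timestamp, source, destination and destination port from one iptables-style line.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) for every line that matches the format."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_scanners(lines: List[str], window_s: int = 60, min_ports: int = 10) -> Dict[str, int]:
    """Map each source that hit >= min_ports distinct ports on one host inside window_s
    seconds to the distinct-port count of the first window that crossed the threshold."""
    per_pair = defaultdict(list)
    for ts, src, dst, dpt in sorted(parse(lines)):
        per_pair[(src, dst)].append((ts, dpt))
    window = timedelta(seconds=window_s)
    flagged: Dict[str, int] = {}
    for (src, _dst), hits in per_pair.items():
        for i, (start, _) in enumerate(hits):
            # Distinct ports seen from this hit forward, still inside the window.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
                break
    return flagged


def _line(sec: int, src: str, dpt: int) -> str:
    """Build one constructed log line; 192.0.2.10 is a documentation address."""
    return f"2018-11-29T10:00:{sec:02d} kernel: IN=eth0 SRC={src} DST=192.0.2.10 PROTO=TCP DPT={dpt}"


# Constructed log: one host sweeping 12 ports in 12 seconds, plus one normal web client.
SAMPLE_LOG = [_line(i, "198.51.100.7", p) for i, p in
              enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080])]
SAMPLE_LOG += [_line(s, "203.0.113.5", p) for s, p in [(3, 80), (15, 443), (40, 80)]]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))  # {'198.51.100.7': 12}
```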

Active information gathering with SPARTA

SPARTA is an excellent active information gathering tool. It is part of the default Kali setup. The following screenshot shows the home screen of SPARTA. In the left pane, you can simply add the IP/host you want to probe:

[Screenshot: 12.PNG]

Upon feeding the IP/host to SPARTA, it quickly gets into action by triggering various tools and scripts starting with Nmap. It performs a quick port scan and goes further with service identification. It also provides screenshots of various web interfaces the target might be running, while also automatically trying to retrieve passwords for various services running on the target system.

The following screenshot shows sample results from one of the SPARTA scans:

[Screenshot: 13.PNG]

Recon-ng

Recon-ng is an extremely powerful and flexible tool capable of performing both passive as well as active information gathering. It has numerous modules that can be plugged in and triggered to gather information as required.

The following screenshot shows the various modules available as part of Recon-ng:

[Screenshot: 14.PNG]

You can select any module of your choice and then execute it, as shown in the following screenshot:

[Screenshot: 15.PNG]

Recon-ng really provides a wealth of information about the target system. You can explore various modules of Recon-ng to better understand its aspects and usability.

Dmitry

Dmitry is another versatile tool in Kali Linux capable of both passive and active information gathering. It can perform whois and reverse lookups. It can also search for sub-domains and email addresses, and can perform port scans as well. It's very easy to use, as shown in the following screenshot:

[Screenshot: 16.PNG]

root@kali:~# dmitry -wn -o output.txt demo.testfire.net

The preceding command performs a whois lookup, retrieves the site information from Netcraft, and then writes the output to output.txt.

Gathering information is the key to successful vulnerability assessments. The tools discussed in this post are not the only ones available; there are myriad other tools that you can leverage for your information gathering requirements. However, what's important in the end is that you have as much information about the target systems at your disposal as possible, so penetration testing and security assessments can be performed without any hassles.

If you found this article interesting and want to learn more about security assessments, you can explore Network Vulnerability Assessment. Written by Sagar Rahalkar, a seasoned information security professional, the book equips you with a wealth of knowledge required to perform optimal security assessments and identify security loopholes in your network infrastructure.
