Hello and welcome to my first tutorial on Information Gathering.
In this tutorial we will understand and see what is the purpose of Information Gathering before starting to pentest or attack a Website.
First of all i will start with a funny but a logical example, let us assume your girlfriend tell you to hunt something for her. You wont go outside and start hunting. The first question you will ask what she actually want you to hunt, lets say fish. So now as you know its a fish then you will goto a place like a sea or a waterfall rather than to grounds in forest. You know to hunt a fish you will need a Fishing Rod and some other important things.
In the same manner Web Pentesting is also much like this. When you are going to hunt a website down then you must know what really you are going to deal with, if you know your enemy which you are going to face then you can prepare yourself for that.
So this is why Information Gathering is the first phase of Penetration testing. But now arise the question what information are we going to collect and where are we going to get that information from. "Where and how", Well i will tell you both of these things step by step in the next tutorials of Information Gathering.
But in this tutorial we will understand that what we are targetting to achieve via Information Gathering and how that information is going to help us in our Penetration testing.
Who is Information : This is the most basic information about a domain, It shows the registration Details of the website in which you can commonly see who registered the domain and which date did he registered it on, when will it expire etc. This information may help you sometimes in Social engineering like sending him email on his registered email. Or you use his address, name or contact number in various tasks of Social Engineering.
Ip Address: Well this ones for newbies, actually IP address is the real address behind any domain name which are resolved by the nameservers. Every Box or you can say a system contains a unique IP address for example (188.8.131.52). Using it computers communicate to eachother. IP Address will help us targetting the network as well as find open ports and other exploitable services on the system while pentesting.
NameServers: These are the DNS resolvers, for example when you type in google.com in your browser the DNS resolvers finds the real IP behind and and take your request to the server, and bring back the response. We can later target the nameservers to for DNS based attacks testing of our pentesting.
Web Server: Webservers the one we are dealing over here is an application which is running over an Operating system and serves to the web requests coming to the system. Like Apache, Tomcat, IIS etc are webservers running on an operating system when any web request is sent to a system they handle it and they are responsible for giving out the response. Many times you can get Exploits related to a webserver and get a way into the sytem using that exploit, and if you know which webserver is bieng used then it will help you to find out the default directories or known vulnerabilities for that web server.
Operating System: Well most of you know what an operating system is but still if any one is confused that why do we need to know the OS, then let me clarify that when we know the operating system then we can find out the rights attacks, Open Ports, Exploits, Common Services etc which will help us later in pentesting.
Login Pages: While pentesting when you find a login page or admin login page which requieres some username and password to login then that is nothing to get sab about, actually getting a login page is just like finding a Locked door of a Secure house. But the to break inside you can use a master key or you can even break the lock. In the same manner Login pages can also be tested for many known Attacks.
Sub Domain: If you do not know what subdomains are then, Subdomain are domains maintained under a domain for examle google.com is a domain name then mail.google.com is a subdomain inside it. We need to collect all available sub domains for a website. In many cases you may find hidden or private domain where they are maintaining something private and such application are usually left vulnerable and exposed because of the assumption the no one can reach them.
Web Application: Many times what you are targetting is a public Web Application like Joomla, Wordress or any other. We also need to get all the information about the web Application so we can find any known Vulnerability for that particular Version or else we can find any Vulnerability in the source code available online.
Other Domains on Same Server: Many times you can not find vulnerability in a Website then you can make a Reverse IP Domain Look up and find out other websites on the same server and you can p0wn them to get access to the server and make your way towards the target.
Web Application Firewall : We can also test if they are using any firewall for that we can know what we are going to face and is there any ways to bypass that firewall.
These are some of the common things we are going to try and find about our target.
Author : Zenodermus Javanicus
Date : 2014-02-23