Information Gathering (aka footprinting or reconnaissance) is the second phase of PTES (Penetration Testing Execution Standard) and has two sub-categories: passive information gathering and active information gathering. The CEH exam will throw some questions about those two sub-categories to see if you can tell the difference between them. While the names pretty much tell the main idea, we will look into more details today.

Passive Information Gathering

During the Information Gathering phase, passive information gathering takes place before we move on to active information gathering. Passive information gathering is less aggressive than active information gathering: active gathering requires direct engagement with the target, while passive gathering does not. Passive information gathering uses publicly published information about the target organization, collected through Google Hacking (aka Google Dorks), the Wayback Machine, job postings, NetCraft, Whois search, NSlookup, EDGAR (Electronic Data Gathering, Analysis and Retrieval System) and more.

Google Hacking (Google Dorks): We wrote a lab on how to use Google Dorks here -> http://themitigators.com/index.php?mid=board_LPhd58&document_srl=380

The Wayback Machine (Archive.org): This service stores archived copies of over 10 billion websites. You can often retrieve useful information about the target organization by comparing the site as it is now with how it looked then.

Job Postings: Job postings usually reveal the types of devices and the software versions the target organization uses if you look for vendor names such as Cisco, Microsoft or Juniper, to name a few.

NetCraft, Whois, NSlookup: These services can tell you who the domain holder is (unless the registration is in private mode), the names of the mail servers, the domain nickname, and the types of servers the target organization uses.

Active Information Gathering

Active information gathering involves direct engagement with the target organization through techniques such as social engineering and nmap scans. Because it makes direct contact with the target, active information gathering can trigger the target's IDS or IPS if any are deployed, and this is where we draw the line between passive and active information gathering.

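The detection side of that line, as an added example that is not part of the original post: a small Python detector run over constructed firewall-style log lines (the log format and the thresholds are assumptions) that flags the many-ports-in-a-short-window pattern an nmap scan leaves behind, a trace passive gathering never produces because it sends nothing to the target.

```python
# Added example (not from the original post): flags a source that probes many
# distinct ports on one host in a short window in constructed firewall-style
# log lines, the trace an nmap scan leaves. Format and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$")

# Constructed sample: 203.0.113.7 sweeps 8 ports in 4 seconds (scan-like);
# 198.51.100.4 touches two ports minutes apart (ordinary traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=21
2024-01-01T10:00:00 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=22
2024-01-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=23
2024-01-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=25
2024-01-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2024-01-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=443
2024-01-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=445
2024-01-01T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=3389
2024-01-01T10:05:00 DROP SRC=198.51.100.4 DST=192.0.2.10 DPT=443
2024-01-01T10:09:00 DROP SRC=198.51.100.4 DST=192.0.2.10 DPT=80
"""

def parse(log):
    """Yield (timestamp, src, dst, port) for each line matching LOG_RE."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_port_scans(log, min_ports=6, window=timedelta(seconds=30)):
    """Return {(src, dst): max distinct ports seen inside one window} for pairs
    that reach min_ports. A slow scan spread over hours evades this rule."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log):
        events[(src, dst)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide window start forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[key] = max(len(ports), hits.get(key, 0))
    return hits

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst} ({n} distinct ports)")
```

Real IDS rules add per-port weighting and longer windows; this rule deliberately misses a slow scan so the gap is visible.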
Related Questions

Question 1

Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to newsgroups and financial websites to see if they are leaking any sensitive information or have any technical details online. Within the context of penetration testing methodology, what phase is Bob involved with?

  1. Passive information gathering
  2. Active information gathering
  3. Attack phase
  4. Vulnerability Mapping


Question 2

Which of the following is the best way an attacker can passively learn about technologies used in an organization?

  1. By sending web bugs to key personnel
  2. By web crawling the organization website
  3. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization
  4. By performing a port scan on the organization’s web site


Question 3

Which of the following activities will not be considered passive footprinting?

  1. Go through the rubbish to find out any information that might have been discarded
  2. Search on a financial site such as Yahoo Finance to identify assets
  3. Scan the range of IP addresses found in the target DNS database
  4. Perform multiple queries using a search engine


Question 4

When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform?

  1. Cover his tracks by eradicating the log files and audit trails.
  2. Gain access to the remote computer in order to conceal the venue of attacks.
  3. Perform a reconnaissance of the remote target to identify the venue of attacks.
  4. Always begin with a scan in order to quickly identify the venue of attacks.


Question 5

Which of the following should be performed first in any penetration test?

  1. System identification
  2. Intrusion Detection System testing
  3. Passive information gathering
  4. Firewall testing


Question 6

Vulnerability mapping occurs after which phase of a penetration test?

  1. Host scanning
  2. Passive information gathering
  3. Analysis of host scanning
  4. Network level discovery
