Passive approaches to Information Gathering

Passive info gathering is the OSINT(open-source intelligence) approach to know about the target. In passive info gathering, we gather information from open-source resources like social media network, target partners, their web presence, their infrastructure, financial information and many more.

While performing passive info gathering we need to keep information well organized you can use cherry tree or dradis like tools.

Whois lookup: Whois provides public database infrastructure-related information.

usage:

$ whois amazon.com

it will give you information like below

Domain Name: AMAZON.COM
   Registry Domain ID: 281209_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-05-07T20:09:37Z
   Creation Date: 1994-11-01T05:00:00Z
   Registry Expiry Date: 2024-10-31T04:00:00Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740

Dnslookup

We can use ns lookup for DNS enumeration of target host

Nslookup is a program to query Internet domain name servers.

$ nslookup -h

$nslookup google.com
Server:        192.168.43.1
Address:    192.168.43.1#53

Non-authoritative answer:
Name:    google.com
Address: 172.217.166.238
Name:    google.com
Address: 2404:6800:4002:804::200e

We have also another tool called dig dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers

that are returned from the name server(s) that were queried.

$ dig -h

$ dig google.com

We will now use search engines as our info-gathering tool.

Google

**Google is a powerful search engine, which provides advanced search options and its dorks like below. **

  • intitle: Use if you want to search for a specific title over the web.( intitle: indexof mp4)
  • inurl: Use if you want to search a specific term in url over the web. (inurl: login.php)
  • site: Use if you want a specific website as a search result. (site: virustotal.com)
  • filetype: Use it to search all document with specific extension (filetype:docx)
  • link: It will display a website that have a link to specific websites. (link:facebook.com)
  • cache: It will show the cached content of the website. (cache:virustotal.com)

let’s see their usage total, as its old school trick to passive info gathering

search following strings on google.

site:amazon.com filetype:pdf

site:.pk inurl:admin/login

To get all subdomains about a specific website:

site:.amazon.com

you can make your own as per your requirement

To know more about advance search and dorks;

http://www.googleguide.com/advanced_operators_reference.html http://pdf.textfiles.com/security/googlehackers.pdf https://www.exploit-db.com/google-hacking-database/

Using wayback machine we can also find archived/deleted data of website: just open url below and search website or you can also use dorks http://www.archive.org/index.php

There are many search engines which also supports dorks and advance search engines

Social Media

Social media is also a way to find information about your target, like several employees, physical address, events, job posting, requirements, products and more. Facebook, Linkedin, Indeed, and other job sites are the most useful sites to gather information passively.

theharvestor

Its a passive info gathering tools for Linux which gather information about a specific target.

Basic usage:

# theharvester -d netflix.com -l 200 -b google, linkedin, facebook
-d: for the domain.
-b: for the data source.
-l: limit result.

SHODAN

https://shodan.io

Shodan is the world’s first search engine for Internet-connected devices. Use Shodan to discover which of your devices are connected to the Internet, where they are located, and who is using them. Websites are just one part of the Internet.

we can search for webcam, open ports, specific IP, specific web on shodan using shodan dorks.

Download DEFCON document for shodan to know more, (click here)[https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf]

censys

https://censys.io Censys scans the most ports and houses the biggest certificate database in the world, to provide the freshest and most thorough view of your assets; both known and unknown.

Conclusion

Use these approaches, to gather information about your target.