Passive Information Gathering

Passive Information Gathering / Enumeration / Recon

There are two types of information gathering: passive and active.

  • Passive Information Gathering, also known as Open-source Intelligence (OSINT), is the process of collecting openly-available information about a target, generally without any direct interaction with that target.

What is Passive

  • There are 2 schools of thought about what constitutes "passive" in this context.

  • In the strictest interpretation, we never communicate with the target directly. For example, we could rely on third parties for information, but we wouldn't access any of the target's systems or servers. Using this approach maintains a high level of secrecy about our actions and intentions, but can also be cumbersome and may limit our results.

  • In a looser interpretation, we might interact with the target, but only as a normal internet user would. For example, if the target's website allows us to register for an account, we could do that. However, we would not test the website for vulnerabilities during this phase.

Passive Information Gathering Tools

  • whois <Domain Name or IP Address> - a utility that performs a domain lookup, and also a reverse lookup when given an IP address.

  • Netcraft is a free web portal that performs various information gathering functions, such as discovering which technologies are running on a given website and finding which other hosts share the same IP netblock. Some examples are the DNS lookup function and the website technology analyzer.

  • We can use GitHub to search a user's or organization's repos; however, we need an account if we want to search across all public repos. Gitrob and Gitleaks are two of the tools that automate this process.

  • Shodan is a search engine that crawls devices connected to the internet, including the servers that run websites, but also devices like routers and IoT devices.

  • Security Headers is a website that will analyze HTTP response headers and provide basic analysis of the target site's security posture.

  • Another tool is SSL Labs, which analyzes a server's SSL/TLS configuration and compares it against current best practices. It will also identify some SSL/TLS-related vulnerabilities, such as POODLE or Heartbleed.
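The kind of check the Security Headers site performs can be reproduced offline against a saved response. The following is an added example, not code from the original notes or from the Security Headers service; the expected-header baseline and the sample response are assumptions constructed for the example.

```python
# Added example: minimal response-header review of the kind the Security
# Headers site performs. Baseline and sample response are constructed.
from typing import Dict, List

# Headers a hardened site is expected to send (assumed baseline, not the
# exact rule set used by securityheaders.com).
EXPECTED = [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
]


def analyze_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings (missing, weak, disclosure) for one response's headers."""
    # HTTP header names are case-insensitive, so normalize before comparing.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {name}" for name in EXPECTED if name not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        directives = {}
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            directives[key.lower()] = value
        try:
            max_age = int(directives.get("max-age", "0") or 0)
        except ValueError:
            max_age = 0
        if max_age < 31536000:  # less than one year is treated as weak
            findings.append("weak: strict-transport-security max-age < 1 year")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("weak: x-content-type-options should be 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("", "DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options should be DENY or SAMEORIGIN")
    # Banner headers with a version string are exactly what passive recon
    # tools (Netcraft, Shodan) harvest, so flag them as disclosure.
    for leak in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in h.get(leak, "")):
            findings.append(f"disclosure: {leak} reveals a version ({h[leak]})")
    return findings


SAMPLE_RESPONSE_HEADERS = {  # constructed sample, not a real server's reply
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```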

Google Hacking

  • Google Hacking is using clever search strings and operators for the creative refinement of search queries, most of which work with a variety of search engines.

  • site:<Domain Name> - Limits search results to the provided domain only.

  • site:<Domain Name> filetype:txt - Limits the search results to the specified domain and to text files.

  • The robots.txt file instructs web crawlers, such as Google's search engine crawler, to allow or disallow specific resources. If accessible, it can expose some important directories, subdomains, and so on.

  • site:<Domain Name> -filetype:html - Excludes HTML files; useful for finding other important files associated with the domain.

  • site:<Domain Name> intitle:"index of" "parent directory" - Good to search for directory indices.

  • The Google Hacking Database (GHDB) contains many more examples of Google hacks.

  • The DorkSearch tool can be used to generate dorks.
