1
00:00:00,450 --> 00:00:01,589
-: Welcome back.

2
00:00:01,589 --> 00:00:03,960
It is time we learn in detail

3
00:00:03,960 --> 00:00:07,800
what "Information Gathering" is and how we can perform it.

4
00:00:07,800 --> 00:00:10,170
We already know that "Information Gathering"

5
00:00:10,170 --> 00:00:13,830
is the first step in penetration testing, and it is an act

6
00:00:13,830 --> 00:00:17,370
of gathering data about our target.

7
00:00:17,370 --> 00:00:20,310
It can be any type of data that we might find useful

8
00:00:20,310 --> 00:00:22,050
for the future attack.

9
00:00:22,050 --> 00:00:23,910
And if you remember,

10
00:00:23,910 --> 00:00:27,030
there are two types of "Information Gathering".

11
00:00:27,030 --> 00:00:29,760
We got active "Information Gathering",

12
00:00:29,760 --> 00:00:32,067
and passive "Information Gathering".

13
00:00:33,090 --> 00:00:35,310
And we talked briefly about them,

14
00:00:35,310 --> 00:00:39,123
but now it is time to fully explain what both of them are.

15
00:00:40,020 --> 00:00:43,017
So let's start with active "Information Gathering".

16
00:00:44,220 --> 00:00:46,350
In active "Information Gathering",

17
00:00:46,350 --> 00:00:48,810
we use our Kali Linux machine

18
00:00:48,810 --> 00:00:52,290
and we try to get as much data or as much information

19
00:00:52,290 --> 00:00:55,833
about our target while interacting with them.

20
00:00:56,910 --> 00:01:01,050
It could be a target website that we need to test,

21
00:01:01,050 --> 00:01:04,980
so we need to find as many things about it as we can.

22
00:01:04,980 --> 00:01:08,190
Or, it could also be a network that we are testing,

23
00:01:08,190 --> 00:01:10,683
or perhaps an entire company.

24
00:01:11,520 --> 00:01:15,000
The main point is that with active "Information Gathering"

25
00:01:15,000 --> 00:01:18,333
we directly get that data from the target.

26
00:01:19,800 --> 00:01:22,470
This could mean directly exchanging packets

27
00:01:22,470 --> 00:01:26,910
with the target by visiting and enumerating their website,

28
00:01:26,910 --> 00:01:29,100
or it could also mean talking

29
00:01:29,100 --> 00:01:30,843
to an employee that works there.

30
00:01:31,710 --> 00:01:34,230
We could maybe call them over a mobile phone to

31
00:01:34,230 --> 00:01:37,320
try to get them to tell us something important,

32
00:01:37,320 --> 00:01:41,490
but this part is also considered social engineering.

33
00:01:41,490 --> 00:01:44,400
Nonetheless, any action where you exchange something

34
00:01:44,400 --> 00:01:47,637
with the target is active "Information Gathering".

35
00:01:48,570 --> 00:01:51,180
This can be legal to an extent.

36
00:01:51,180 --> 00:01:53,730
If you start performing some advanced scans

37
00:01:53,730 --> 00:01:56,640
or OS fingerprinting on the target,

38
00:01:56,640 --> 00:01:58,710
you most likely won't get in trouble,

39
00:01:58,710 --> 00:02:02,340
but you should still not do it without permission.

40
00:02:02,340 --> 00:02:04,440
And it is important to mention that

41
00:02:04,440 --> 00:02:07,593
usually active "Information Gathering" will provide us

42
00:02:07,593 --> 00:02:09,690
with much more important data

43
00:02:09,690 --> 00:02:12,030
than passive "Information Gathering",

44
00:02:12,030 --> 00:02:14,973
since we are directly interacting with the target.

45
00:02:15,990 --> 00:02:20,160
On the other hand, we got passive "Information Gathering",

46
00:02:20,160 --> 00:02:21,780
and it is similar.

47
00:02:21,780 --> 00:02:26,780
We got our Kali Linux machine and our target, but we also

48
00:02:28,080 --> 00:02:31,380
have an intermediate system, or what I like to

49
00:02:31,380 --> 00:02:33,570
call a middle source.

50
00:02:33,570 --> 00:02:36,930
And what this middle source is, well, basically

51
00:02:36,930 --> 00:02:41,250
it could be anything from a search engine to a website.

52
00:02:41,250 --> 00:02:43,020
It could also be a person,

53
00:02:43,020 --> 00:02:47,430
but what matters is that the information we get is going

54
00:02:47,430 --> 00:02:49,383
through that middle source.

55
00:02:50,430 --> 00:02:53,040
For example, if we want to find out something

56
00:02:53,040 --> 00:02:56,040
about a certain target, and we Google that target to

57
00:02:56,040 --> 00:02:59,280
find some pages that contain information about it,

58
00:02:59,280 --> 00:03:02,667
this is considered passive "Information Gathering".

59
00:03:03,540 --> 00:03:04,373
Okay, good.

60
00:03:04,373 --> 00:03:06,240
But what are the goals of this?

61
00:03:06,240 --> 00:03:08,760
What exactly are we searching for?

62
00:03:08,760 --> 00:03:12,003
Which information could be of value to us?

63
00:03:12,870 --> 00:03:15,150
Usually the first thing we search for to

64
00:03:15,150 --> 00:03:20,150
identify a target is their IP address or IP addresses,

65
00:03:20,250 --> 00:03:24,060
if the target has multiple addresses that belong to them.

66
00:03:24,060 --> 00:03:27,750
This could be, for example, a company that has servers

67
00:03:27,750 --> 00:03:30,480
and buildings all around the world.

68
00:03:30,480 --> 00:03:32,850
And if we were to test this company,

69
00:03:32,850 --> 00:03:36,660
we would also be interested in their employees.

70
00:03:36,660 --> 00:03:39,730
For example, we would want to gather their emails,

71
00:03:40,620 --> 00:03:41,880
which could be useful

72
00:03:41,880 --> 00:03:44,850
for a future attack to gain access to that company.

73
00:03:44,850 --> 00:03:48,360
Or we could possibly want to gather their phone numbers,

74
00:03:48,360 --> 00:03:50,130
which could also be useful.

75
00:03:50,130 --> 00:03:53,730
But most importantly, and what we are mainly interested in,

76
00:03:53,730 --> 00:03:56,643
are the technologies that the target has.

77
00:03:57,570 --> 00:03:59,820
If it was a company, we would want to know how

78
00:03:59,820 --> 00:04:02,640
many networks they have, what software is running

79
00:04:02,640 --> 00:04:05,970
on their machines, what operating systems they have.

80
00:04:05,970 --> 00:04:06,990
If it was a website,

81
00:04:06,990 --> 00:04:08,670
we would also want to know

82
00:04:08,670 --> 00:04:10,470
how that website was built,

83
00:04:10,470 --> 00:04:12,780
which programming languages it has.

84
00:04:12,780 --> 00:04:14,730
Does it have JavaScript or PHP?

85
00:04:14,730 --> 00:04:17,670
For example, just one piece of software

86
00:04:17,670 --> 00:04:20,399
on one machine that is outdated or that has

87
00:04:20,399 --> 00:04:22,019
an unknown vulnerability

88
00:04:22,019 --> 00:04:24,873
that could be exploited is our way in.

89
00:04:26,160 --> 00:04:29,040
So, now that we know what we are looking for

90
00:04:29,040 --> 00:04:32,910
during this first step, it is time we see what tools

91
00:04:32,910 --> 00:04:35,220
and programs we can use to find out

92
00:04:35,220 --> 00:04:39,270
as much information as possible about our target.

93
00:04:39,270 --> 00:04:40,103
Let's do it.