Ethical Hacking - Information Gathering

TutorialsPoint

16 Jan 201812:37

Summary

TLDRThis video provides an introduction to information gathering, the first phase of ethical hacking. It explains the difference between active and passive information gathering, detailing how hackers collect information about their targets, such as websites or web servers. The video covers various tools and techniques for finding details like Whois information, reverse IP lookups, subdomains, and server operating systems. Additionally, it demonstrates how to detect a website's platform, such as WordPress or PHP frameworks, using tools like builtwith.com, offering valuable insights for ethical hacking.

Takeaways

🔍 Information gathering is the first phase of ethical hacking, also called reconnaissance, focused on learning about the target.
🔗 It is categorized into two types: active and passive information gathering.
📞 Active information gathering involves directly interacting with the target, such as phone calls or interviews.
🕵️‍♂️ Passive information gathering uses third-party tools or sources, without the target's knowledge, making it a preferred method for hackers.
🌐 When targeting a website, useful information includes Whois details, DNS records, platform/framework, and reverse IP checks.
🔍 In the case of a web server, gathering open port information, running services, and service versions helps in identifying vulnerabilities.
🔄 Reverse IP lookup helps discover other websites hosted on the same server, providing insights into whether the server is shared or dedicated.
🛠 Tools like 'Knock Subdomain Scan' and 'BuiltWith.com' assist in finding subdomains and determining the technologies a website is using.
💻 Operating system detection can be done using a ping command by analyzing the TTL (Time to Live) value to differentiate between Linux and Windows servers.
🔒 Identifying the platform or content management system (CMS) helps exploit vulnerabilities; examples include WordPress, PHP frameworks, and CDN information.

Q & A

What is information gathering in the context of ethical hacking?
-Information gathering, also known as reconnaissance, is the first phase of ethical hacking. It involves obtaining details about the target, such as its structure, services, and vulnerabilities, to plan potential exploits.
What are the two types of information gathering?
-The two types of information gathering are active information gathering and passive information gathering. Active gathering involves directly interacting with the target, while passive gathering collects data through third-party sources or stealthy methods.
How does active information gathering work?
-In active information gathering, information is collected directly from the target. This could involve phone calls, face-to-face meetings, or interviews to extract information from the target.
What makes passive information gathering more popular among hackers?
-Passive information gathering is more popular because it involves collecting information without directly interacting with the target, making it less likely that the target will know they are being investigated. This method uses third-party sources like search engines or web tools.
What kind of information can be gathered if the target is a website?
-If the target is a website, information like the registrar, DNS records, platform/framework used, and other websites hosted on the same server can be gathered. This helps identify vulnerabilities in the website.
How can information about a web server be gathered?
-Information about a web server can be gathered by checking open ports, identifying services running on those ports, and analyzing their version numbers. This information can be used to exploit the server.
What is a reverse IP lookup and how is it useful?
-A reverse IP lookup identifies other websites hosted on the same server as the target. This can reveal whether the server is shared or dedicated, which helps understand the server environment better.
What is the significance of finding subdomains during information gathering?
-Finding subdomains is important because they may contain additional services or applications that are more vulnerable than the main domain, providing additional entry points for attackers.
How can the operating system of a website be determined?
-The operating system can be determined by using a ping command and analyzing the TTL (Time to Live) value. A TTL near 60 suggests the server is running Linux, while a TTL over 110 indicates a Windows server.
What kind of details can be gathered about the platform a website is running on?
-Details about the platform can include whether the site uses a content management system like WordPress, the programming framework (e.g., PHP), and other technologies like JavaScript libraries or CDN (Content Delivery Network).