information gathering - ProgrammerTech


information gathering


Information gathering is the first stage after choosing a target. Its literal meaning is collecting information about the target, and our goal is to obtain as much of it as possible: the more we know about the target, the better our chances of achieving the objective. There are two ways to collect information, described below: passive information gathering and active information gathering.

Passive information gathering

Passive information gathering is an activity or method of collecting information about an organization without contacting it directly, for example collecting information via the Internet, so-called public information, including the services the company provides to its users and the company's location. This is often general information about the company's online accounts, such as its official Facebook account.

But that is only the simplest example of collecting information about a company with the passive information gathering method. There are strategies and techniques for gathering highly accurate information about the target, such as the following:

Dump subdomains: finding the target's subdomains via search engines such as Google
Open source code: extracting organization data from open-source sites such as GitHub
Data about data: extracting metadata from within the data, for example by analyzing the company's files published on its official account
Dump emails: extracting company emails, including employees' emails
Dump IPs: collecting the company's IP addresses

In fact, this is only a very small part of the information we should know, and all of it will be explained in detail.
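The "data about data" item above is the one a company can check for itself before it publishes anything. The following is an added example, not code from ProgrammerTech: it builds a minimal, constructed Word document in memory (Office documents are zip archives whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, company and application version) and then inspects a document for exactly those fields, so a publisher can see what a passive collector would learn from the file. The sample names and company are constructed values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two Office Open XML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that identify people, the organisation or the software build.
SENSITIVE_FIELDS = ("creator", "last_modified_by", "company", "app_version")

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:title>Quarterly report</dc:title>"
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
    "</cp:coreProperties>"
)

APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}">'
    "<Application>Microsoft Office Word</Application>"
    "<AppVersion>16.0000</AppVersion>"
    "<Company>{company}</Company>"
    "</Properties>"
)


def build_sample_docx(creator, modified_by, company):
    """Build a constructed, minimal .docx in memory (sample input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml",
                   CORE_XML.format(cp=NS["cp"], dc=NS["dc"],
                                   creator=creator, modified_by=modified_by))
        z.writestr("docProps/app.xml", APP_XML.format(ep=NS["ep"], company=company))
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return the identifying properties found in the document's docProps parts."""
    found = {}
    parts = {
        "docProps/core.xml": (("dc:creator", "creator"),
                              ("cp:lastModifiedBy", "last_modified_by")),
        "docProps/app.xml": (("ep:Company", "company"),
                             ("ep:Application", "application"),
                             ("ep:AppVersion", "app_version")),
    }
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in parts.items():
            if part not in names:
                continue  # a stripped document may lack the part entirely
            root = ET.fromstring(z.read(part))
            for path, key in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found


def leaked_fields(metadata):
    """Fields a publisher should strip before uploading the file to a public site."""
    return sorted(k for k in SENSITIVE_FIELDS if k in metadata)


if __name__ == "__main__":
    sample = build_sample_docx("Alice Example", "bob.example", "Example Corp")
    meta = extract_metadata(sample)
    print(meta)
    print("strip before publishing:", leaked_fields(meta))
```

Running the check over every file in a public download directory, and failing the publishing step when leaked_fields() is non-empty, is the practical way to close this source of passive information.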

Active information gathering

Active information gathering is collecting information in direct contact with the target, including dealing with the target physically or through its computer systems. Active information gathering is much faster and yields a lot of information about the target, albeit at the cost of higher risk. Information gathered in direct contact with the target includes information about the target system, as well as other technical specifications associated with it. Below is a list of the information most frequently collected directly from the target; however, this is not an exhaustive list:

IP Address: Target's IP address, both private and public

MAC Address: Specifies the hardware interface that the target uses to connect to the network

Ports: Port scanning is one of the most frequently used techniques in active information gathering. Open ports on the system can be used to initiate communication with the target, and they tell you which software services are running on the target device. Knowing the different services running on the target may be a good starting point for initiating attacks: if a service running on the target has a known vulnerability, that vulnerability can easily be exploited on the target system.

This is the most common information required in active information gathering. You have to be very careful with active data collection. Ensure that you remain completely anonymous during the active information gathering procedure. Most modern systems have intrusion detection systems (IDS), which keep a log of every attempt to probe the system. If you are not anonymous, your identity can be easily revealed. Firewalls and IDS frequently block unwanted port scanning.
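The paragraph above says that firewalls and IDS log every probe; this added example (not code from ProgrammerTech) shows what that detection looks like on the defender's side. It parses a constructed, iptables-style firewall log (an assumed format with timestamp, action, SRC, DST and DPT fields; the addresses are from the documentation ranges) and raises an alert when one source touches many distinct destination ports on one host within a short window, which is the signature a port scan leaves. The threshold and window are assumptions to be tuned per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: one iptables-style line per packet (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def _ts(seconds):
    """Timestamp helper for the constructed sample log."""
    return (datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample log: a fast scanner (12 ports in 22 s), a normal HTTPS client
# (one port, many connections), a slow scanner (5 ports over 8 min) and one junk line.
SAMPLE_LOG = (
    [f"{_ts(2 * i)} DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [f"{_ts(5 * i)} ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443"
       for i in range(20)]
    + [f"{_ts(120 * i)} DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={p}"
       for i, p in enumerate([22, 80, 443, 3389, 8080])]
    + ["kernel: unrelated line that does not match the format"]
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"])}


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert on any (src, dst) pair that hits >= threshold distinct ports inside `window`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, destination port)]
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()  # sliding window needs events in time order
        best, best_span, start = 0, None, 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) > best:
                best, best_span = len(distinct), (evs[start][0], evs[end][0])
        if best >= threshold:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best,
                           "first_seen": best_span[0], "last_seen": best_span[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

With the defaults only the fast scanner is reported; the slow scanner stays below the threshold inside any 60-second window, which is why a real deployment keeps a second, longer window as well, and the single-port HTTPS client is never reported, however many connections it makes.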

What is OSINT used for?

In penetration testing you may start with no more than a company name, from which you need to begin gathering information about the target. By collecting publicly available (OSINT) information about a particular target, a penetration tester can profile the potential victim, better understand its characteristics, and narrow down the area in which to look for potential weaknesses.

OSINT includes data from publicly available sources, such as DNS registrars, web searches, security-focused search engines such as Shodan and Censys, and countless other sources of information. The objective of information gathering is to obtain the information needed for an effective penetration test.

We will now explore two additional sources that can provide valuable information without interacting with our target: social media and job ads.

Social media

Social media sites have become very popular not only for personal use but also for corporate use, and some platforms can reveal a lot of information about the target. This is especially true because many users tend to over-share details about themselves and their work, so it is helpful to check the following:


Social media makes it easy to collect the names of employees of a particular company; additionally, in some cases you may learn certain pieces of information that could reveal answers to password recovery questions or give ideas for inclusion in your target word list. Posts from technical personnel may reveal details about the company's systems and suppliers. For example, a recently certified Juniper network engineer might hint at the use of Juniper network infrastructure in the employer's environment.

Job Ads

Job ads can also tell you a lot about a company. In addition to revealing names and email addresses, technical job ads can give insight into the target company's systems and infrastructure. Common positions may vary from country to country, so be sure to check job listing sites in the countries where your customer may post their advertisements. In addition, it is always useful to check the company's own website for any vacancies and see whether they leak any interesting information.

We have finished the theoretical part of information gathering; the practical part follows in the next lesson.