Sunday, September 25, 2011

Information Gathering Techniques and Tools

What is information gathering?
Whenever an attack is planned, information gathering is the most important part of it: if you fail here, you cannot carry out a successful attack on your victim.

What is OS fingerprinting?
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka OS fingerprinting), or incorporated into a device fingerprint.

IP addresses are the most useful piece of information here. But what is an IP address? It is the identity of your system's presence on the internet, and it is used for communication purposes.
# Dynamic IP: these are the free ones provided by your ISP, and they change automatically at any time, day or night.

# Static IP: these are the paid ones used by MNCs and other big companies for remote communication, and because the address does not change, these are easier to attack than dynamic ones.

# How to get the IP of any node connected to the internet
The best way is pinging, or in other words establishing a connection with the node. It is easy to perform: open a command prompt and type ping followed by the host name. If the host is alive on the internet it will reply, and you will get its IP address.

# The second method of finding the IP of a victim is doing a whois search on the server or the website name. Type whois followed by the name and you will get all the information about your victim and many other useful things.

2. Port scanning
After you have confirmed the IP of the victim, you can proceed with this step.
There are many ports through which you communicate with the internet, like FTP for transferring files, HTTP for surfing websites, IMAP and POP for email, etc.
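The scan types named in the tool list below (SYN, NULL, FIN, XMAS, ACK) leave a recognisable trace in a firewall log: one source touching many ports on one host within a few seconds. The following Python is an added example, not code from the original post or from any of the tools it lists; it runs such a detector over constructed log lines in an assumed simplified format (timestamp, SRC, DST, DPT, FLAGS).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from any real system): timestamp, source,
# destination, destination port and the TCP flags that were set on the packet.
SAMPLE_LOG = """\
2011-09-25T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=21 FLAGS=SYN
2011-09-25T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=22 FLAGS=SYN
2011-09-25T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=25 FLAGS=SYN
2011-09-25T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=80 FLAGS=SYN
2011-09-25T10:00:03 SRC=203.0.113.7 DST=192.0.2.10 DPT=110 FLAGS=SYN
2011-09-25T10:00:09 SRC=198.51.100.4 DST=192.0.2.10 DPT=22 FLAGS=FIN,PSH,URG
2011-09-25T10:00:09 SRC=198.51.100.4 DST=192.0.2.10 DPT=80 FLAGS=FIN,PSH,URG
2011-09-25T10:00:10 SRC=198.51.100.4 DST=192.0.2.10 DPT=443 FLAGS=FIN,PSH,URG
2011-09-25T10:00:10 SRC=198.51.100.4 DST=192.0.2.10 DPT=8080 FLAGS=FIN,PSH,URG
2011-09-25T10:00:11 SRC=198.51.100.4 DST=192.0.2.10 DPT=3306 FLAGS=FIN,PSH,URG
2011-09-25T10:05:00 SRC=192.0.2.55 DST=192.0.2.10 DPT=80 FLAGS=SYN
2011-09-25T10:05:30 SRC=192.0.2.55 DST=192.0.2.10 DPT=443 FLAGS=SYN
"""
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S*)$")

def classify_flags(flags):
    """Name the probe by its flag set, using the scan types from the feature list."""
    f = set(flags.split(",")) if flags else set()
    if not f:
        return "NULL"
    return {frozenset({"SYN"}): "SYN", frozenset({"FIN"}): "FIN", frozenset({"ACK"}): "ACK",
            frozenset({"FIN", "PSH", "URG"}): "XMAS"}.get(frozenset(f), "OTHER")

def detect_scans(log_text, min_ports=5, window_seconds=10):
    """Flag sources that probe >= min_ports distinct ports on one host within window_seconds."""
    events = defaultdict(list)  # (src, dst) -> [(time, port, scan type)]
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, src, dst, port, flags = m.groups()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(port), classify_flags(flags)))
    alerts = {}
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # sliding window starting at each packet
            burst = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ports = {p for _, p, _ in burst}
            if len(ports) >= min_ports:
                alerts[src] = {"target": dst, "ports": sorted(ports),
                               "scan_type": "/".join(sorted({k for _, _, k in burst}))}
                break
    return alerts
```

The third source in the sample touches only two ports half a minute apart and is not reported, which is the kind of slow, low-volume activity this simple threshold deliberately ignores.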

# Tools for port scanning, OS fingerprinting and IP host discovery
2) MingSweeper is a network reconnaissance tool designed to facilitate large address space, high speed node discovery and identification. MingSweeper is capable of performing ping sweeps, reverse DNS sweeps, TCP & UDP port scans, OS identification and application identification.

Features of MingSweeper
  1. Reverse DNS Sweeps
  2. Ping Sweeps (currently ICMP only)
  3. TCP Port Scan (full connect)
  4. TCP Port Scan (SYN scan)
  5. TCP Port Scan (NULL scan)
  6. TCP Port Scan (FIN scan)
  7. TCP Port Scan (XMAS scan)
  8. TCP Port Filter Scan (ACK scan)
  9. UDP Port Scan
  10. Operating System Identification (utilises IP stack fingerprinting)
  11. Application Identification (utilises banner grabbing)
  12. Lazy DNS resolution
  13. Comprehensive results presentation views with filtering/searching
  14. Loading & Saving of scan results
  15. Flexible target range specification
Download MingSweeper here.
3) Angry IP Scanner is a very fast IP address and port scanner.
It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere.
Angry IP Scanner simply pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of data gathered about each host can be extended with plugins.
It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.
Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With the help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend the functionality of Angry IP Scanner.
In order to increase scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address. Download Angry IP Scanner here.
4) Blue's Port Scanner

A good port scanner is just one of the basic tools anyone who is seriously interested in the internet needs.
The BluesPortScan is, I think, the fastest scanner for 32-bit Windows which you can find on the net. It scans 5000 local ports in 8 sec. on my 2k (P3-866) machine. If you are using Win9x/ME it's a little bit slower... The new version 5 now has features like port list scans, auto-completion when entering known, existing host names or IPs, and a big list of typical port assignments. And of course, it's a little bit more stable, especially under Win9x/Me, although these OSs are definitely not the operating systems of choice for using this program.

Download GUI version v5.0.2 Build #1265
CBPS.exe command-line version v4.2 #272

5) p0f is a versatile passive OS fingerprinting tool (passive means it works from the traffic of devices that connect to you or that you can observe, without sending any probes of its own).
p0f can identify the operating system on:
  • machines that connect to your box (SYN mode),
  • machines you connect to (SYN+ACK mode),
  • machines you cannot connect to (RST+ mode),
  • machines whose communications you can observe.

P0f can also do many other tricks, and can detect or measure the following:

  • firewall presence, NAT use (useful for policy enforcement),
  • existence of a load balancer setup,
  • the distance to the remote system and its uptime,
  • other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.
All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can't do much. p0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, etc.
p0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh…), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently; or detecting guys with illegal network hookups using masquerade detection), content optimization, pen-testing (especially with SYN+ACK and RST+ACK modes), thru-firewall fingerprinting… plus all the tasks active fingerprinting is suitable for. And, of course, it has a high coolness factor, even if you are not a sysadmin.
p0f v2 is lightweight, secure and fast enough to be run almost anywhere, hands-free for an extended period of time.
You can download p0f v2 here:
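How passive fingerprinting of the kind described above (and in the TCP/IP stack fingerprinting definition at the top) infers the OS and the hop distance from a single observed SYN is sketched in this added Python example. It is not p0f's code, and its signature table is constructed for illustration rather than taken from p0f's real fingerprint database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SynFingerprint:
    """Attributes of one observed SYN packet (no traffic is sent to obtain them)."""
    ttl: int         # IP TTL as seen on the wire, already decremented by each hop
    window: int      # TCP window size advertised in the SYN
    mss: int         # TCP maximum segment size option (0 if absent)
    options: tuple   # TCP option layout in the order it appeared
    df: bool         # IP "don't fragment" bit

# Illustrative signature table, constructed for this example; it is NOT p0f's real database.
# Fields: initial TTL, window (an int, or "mss*N" for a multiple of the MSS), options, DF, label.
SIGNATURES = [
    (64, "mss*4", ("mss", "sackOK", "ts", "nop", "ws"), True, "Linux 2.6 (illustrative)"),
    (128, 65535, ("mss", "nop", "ws", "nop", "nop", "sackOK"), True, "Windows XP (illustrative)"),
    (64, 65535, ("mss", "nop", "ws", "nop", "nop", "ts", "sackOK", "eol"), True, "FreeBSD (illustrative)"),
]
INITIAL_TTLS = (32, 64, 128, 255)  # common values an IP stack starts with

def initial_ttl(observed):
    """Guess the TTL the sender started with: the smallest common initial value >= observed."""
    return next((t for t in INITIAL_TTLS if observed <= t), 255)

def hop_distance(observed):
    """Hops between us and the sender, i.e. how far the TTL has been decremented."""
    return initial_ttl(observed) - observed

def window_matches(spec, fp):
    if isinstance(spec, int):
        return spec == fp.window
    return fp.mss > 0 and spec.startswith("mss*") and fp.window == fp.mss * int(spec[4:])

def match_syn(fp):
    """Return (label, distance) for the first matching signature, or ("unknown", distance)."""
    for ttl, window, options, df, label in SIGNATURES:
        if (ttl == initial_ttl(fp.ttl) and window_matches(window, fp)
                and options == fp.options and df == fp.df):
            return label, hop_distance(fp.ttl)
    return "unknown", hop_distance(fp.ttl)
```

The distance estimate is what lets a passive tool notice that two "different" hosts share one NAT or that a host is further away than its claimed network position suggests.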

6) thc-Amap (Application MAPper)
thc-Amap (Application MAPper) is another excellent tool, geared more towards banner grabbing and protocol detection than OS fingerprinting. (Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits.) But from the services running on a machine you can get a good idea of the OS and the purpose of the server.
Amap is a next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal. It also identifies non-ASCII based applications. This is achieved by sending trigger packets and looking up the responses in a list of response strings.
Without filled databases containing triggers and responses the tool is worthless, so the authors would like you to help fill the database. How to do this? Well, whenever a client application connects to a server, some kind of handshake is exchanged (at least, usually. Syslogd for instance won't say anything, and neither will snmpd without the right community string). Anyway, Amap takes the first packet sent back and compares it to a list of signature responses. Really simple, actually. And in reality, it turns out really to be that simple, at least for most protocols.
You can download Amap here:
The Win32/Cygwin binary release:
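The matching step described above, taking the first packet a service sends back and comparing it with a signature list regardless of the port, is shown in this added Python example, together with the administrator's inventory use of banner grabbing mentioned earlier. It is not Amap's code or database: the signatures and the captured responses are constructed for illustration.

```python
import re

# Illustrative response signatures, constructed for this example (not Amap's real database).
# Fields: application name, regex applied to the first bytes the service sends back,
# the port the service conventionally listens on, and the regex group holding a version (or None).
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-(\S+)"), 22, 1),
    ("smtp", re.compile(rb"^220[ -].*?(ESMTP|SMTP)", re.S), 25, None),
    ("ftp",  re.compile(rb"^220[ -].*?FTP", re.S | re.I), 21, None),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}(?:.*?Server: ([^\r\n]+))?", re.S), 80, 1),
    ("pop3", re.compile(rb"^\+OK"), 110, None),
]
CONVENTIONAL_PORT = {name: port for name, _, port, _ in SIGNATURES}

def identify(response):
    """Classify a service from the first packet it sent back, as Amap does (port is ignored)."""
    if not response:
        return "silent", None  # syslogd, or snmpd with the wrong community string, never answers
    for name, pattern, _, version_group in SIGNATURES:
        m = pattern.match(response)
        if m:
            raw = m.group(version_group) if version_group else None
            return name, raw.decode(errors="replace") if raw else None
    return "unknown", None

def inventory(observations):
    """Build an admin inventory from (port, first response) pairs and flag services on odd ports."""
    report = []
    for port, response in observations:
        app, version = identify(response)
        expected = CONVENTIONAL_PORT.get(app)
        report.append({"port": port, "app": app, "version": version,
                       "unusual_port": expected is not None and expected != port})
    return report

# Constructed first-response bytes; HTTP only answers after a request trigger, the others greet first.
OBSERVED = [
    (22,   b"SSH-2.0-OpenSSH_5.3\r\n"),
    (2222, b"SSH-2.0-dropbear_0.52\r\n"),
    (25,   b"220 mail.example.test ESMTP ready\r\n"),
    (21,   b"220 (vsFTPd 2.2.2)\r\n"),
    (8080, b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\n\r\n"),
    (514,  b""),
    (9999, b"\x01\x02\x03 not a known greeting"),
]
```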


