1
00:00:00,850 --> 00:00:04,510
Hello and welcome to this information gathering over the Internet lecture.

2
00:00:05,760 --> 00:00:10,980
The first phase in a security assessment is focused on collecting as much information as possible about

3
00:00:10,980 --> 00:00:16,860
the target. Information gathering is one of the most critical steps of hacking or penetration testing.

4
00:00:17,370 --> 00:00:22,770
The more information is gathered about the target, the more it becomes possible to customize the attack.

5
00:00:22,990 --> 00:00:25,680
In this section, we're going to answer these questions.

6
00:00:26,100 --> 00:00:28,460
What can we learn about the target over the Internet?

7
00:00:28,890 --> 00:00:30,720
How can we collect the information?

8
00:00:31,110 --> 00:00:33,930
Where can we find the information about the target?

9
00:00:34,870 --> 00:00:39,460
Before we begin, we should answer a basic question: what is the target?

10
00:00:40,210 --> 00:00:48,070
The target is the company, institute, network, system, or even a person that we want to hack. An application,

11
00:00:48,070 --> 00:00:54,070
a person, a system: we will try to collect every bit of information that helps us to hack the target.

12
00:00:55,870 --> 00:01:02,290
There are two types of information gathering. The first type is passive information gathering. In this

13
00:01:02,290 --> 00:01:03,790
type of information gathering,

14
00:01:03,790 --> 00:01:07,660
you don't want to be detected by the target. In this regard,

15
00:01:07,670 --> 00:01:13,960
you don't use tools that send traffic to the target, neither from your host nor from an anonymous one across

16
00:01:13,960 --> 00:01:14,560
the Internet.

17
00:01:15,340 --> 00:01:22,600
Passive information gathering activities may include, but are not limited to, identifying IP addresses

18
00:01:22,600 --> 00:01:29,170
and subdomains, identifying external or third-party sites, identifying people who are related to the

19
00:01:29,170 --> 00:01:36,490
target, identifying technologies, identifying content of interest, identifying vulnerabilities.

20
00:01:37,180 --> 00:01:43,780
You can collect information possibly from web archives, e-mail archives, social networks, search

21
00:01:43,780 --> 00:01:45,250
engines, etc.

22
00:01:46,270 --> 00:01:49,060
The second type is active information gathering.

23
00:01:49,750 --> 00:01:54,190
In this type of information gathering, you scan the target systems.

24
00:01:55,030 --> 00:02:00,820
Active information gathering requires more preparation for the attacker or pentester because it leaves

25
00:02:00,820 --> 00:02:06,940
traces which are likely to alert the target or produce evidence against him in the course of a possible

26
00:02:06,940 --> 00:02:08,310
digital investigation.

27
00:02:09,670 --> 00:02:16,120
There are a lot of places you can collect data over the Internet. Web archives: suppose some sensitive

28
00:02:16,120 --> 00:02:18,310
data was published accidentally.

29
00:02:18,700 --> 00:02:23,330
A few days later, the admins realized the mistake and removed the data from the website.

30
00:02:23,680 --> 00:02:28,780
But what if someone has already archived that Web site with the sensitive data?

31
00:02:30,000 --> 00:02:34,660
Scanning the ports and services, you can find the ports accessible over the Internet.

32
00:02:35,340 --> 00:02:42,960
The target company opened that service intentionally or unintentionally. Using search engines,

33
00:02:42,960 --> 00:02:47,900
you can find enormous pieces of useful information. Beyond that, the known weaknesses

34
00:02:47,910 --> 00:02:52,530
leave traces on the Web sites: on headers, titles, URLs.

35
00:02:52,710 --> 00:02:55,950
You can easily find these traces using search engines.

36
00:02:57,490 --> 00:03:02,830
You can find some useful information about the target company on social networks, for example, Facebook,

37
00:03:02,830 --> 00:03:04,380
Twitter or LinkedIn.

38
00:03:05,350 --> 00:03:09,290
Suppose the target company is looking for a new sysadmin to hire.

39
00:03:09,820 --> 00:03:11,680
Look at the job sites or LinkedIn.

40
00:03:11,920 --> 00:03:18,670
What would you see? The information about systems that are used in the target company, or tools and programs

41
00:03:18,670 --> 00:03:20,260
used to monitor those systems.

42
00:03:21,490 --> 00:03:27,190
Look at the experts working for the target company carefully. Do they subscribe to forums or mailing lists?

43
00:03:27,490 --> 00:03:33,700
What kind of problems do they share on these forums or mailing lists? Asking for help about Java version

44
00:03:33,700 --> 00:03:35,860
9 or the Hibernate framework?

45
00:03:37,810 --> 00:03:44,530
You take and publish pictures of your secret disaster recovery center on your website. You're sure

46
00:03:44,530 --> 00:03:48,730
that it's impossible to understand from the picture where the center is.

47
00:03:49,330 --> 00:03:50,260
Are you sure?

48
00:03:50,710 --> 00:03:52,670
What about the metadata of the picture?

49
00:03:53,110 --> 00:03:55,420
Did you choose the location info?

50
00:03:56,430 --> 00:04:02,490
WHOIS is a Web application used to get information about the target Web site, such as the administrator's

51
00:04:02,490 --> 00:04:09,600
email address and details about the registration. WHOIS is a very large database and contains information

52
00:04:09,600 --> 00:04:11,940
on approximately all the websites.

53
00:04:12,360 --> 00:04:19,530
It can be searched by domain name or an IP address block. The protocol stores and delivers database

54
00:04:19,530 --> 00:04:21,990
content in a human-readable format.

55
00:04:23,280 --> 00:04:27,580
You can use the whois command of Linux systems to get the WHOIS query results.

56
00:04:27,990 --> 00:04:32,100
In addition, there are some websites that help you to get the WHOIS query results.

57
00:04:32,550 --> 00:04:36,200
You see some of them on the slide, and the WHOIS service of the DomainTools

58
00:04:36,210 --> 00:04:38,220
website is also given as an example.

59
00:04:43,070 --> 00:04:48,560
If we analyze the banners of the response sent by the web systems of the target company, we can find

60
00:04:48,560 --> 00:04:52,780
some detailed information about the server, the technology used, et cetera.

61
00:04:54,820 --> 00:05:01,600
We sent a request to port 80 of the NHS UK website using the telnet service and got the response.

62
00:05:05,000 --> 00:05:10,940
Look at the Server and the X-Powered-By headers. We learned that the application server of NHS

63
00:05:10,940 --> 00:05:19,120
UK is Microsoft IIS version 8.0 and ASP.NET is used to develop the Web application.

64
00:05:19,730 --> 00:05:20,540
But hold on.

65
00:05:20,750 --> 00:05:21,590
Are we sure?

66
00:05:22,040 --> 00:05:24,080
Could the information be fake?

