Information Gathering


Vulnerability Scanning with Nessus

Scanning, in a security context, is how you identify live hosts, open ports, running services and the architecture of the system you intend to target. Architecture here means what the system is built from: the operating system, the services it runs, the software versions behind those services and so on. I mentioned earlier why scanning should be exhaustive, and the reason is simple: whatever a scan picks up is what gets researched when it is time to exploit, so anything the scan misses is never tested at all. Scanning is a wide topic with many tools and methods, and just as with reconnaissance, do not settle for a single one; run more than one tool, compare the results and note everything down. Scanning is also the natural place to find vulnerabilities within a network, and that is where Nessus comes in. I remember being shocked at how powerful it was when I was first introduced to it a couple of years ago. Before diving into it, though, I want to clear up a misconception: vulnerability, threat and risk are routinely used interchangeably in cybersecurity and penetration testing, and they are not the same thing. Here is the technical difference, followed by a real-life scenario.

A vulnerability is a weakness in an asset, and the asset can be hardware, software, a web server, a website, a procedure and so on; think of it as the loophole an attacker needs in order to get in. A threat is something (a person, a piece of malware, an event) capable of exploiting that weakness to damage or destroy the asset. Risk is the possibility that this actually happens: the likelihood of the threat exploiting the vulnerability, combined with the impact if it does. Now the scenario. You own a warehouse where you store some valuable belongings, and its door is so old that a single kick would bring it down. The old door is the VULNERABILITY. The burglar who might come along and kick it in is the THREAT. The possibility of losing your belongings is the RISK. The three look alike but differ in an important way: the burglar exists whether or not your door is weak, but without a weakness there is nothing for the threat to exploit, and without a threat a weakness is just a defect. Risk needs both, which is why a vulnerability scanner reports weaknesses and leaves it to you to judge how likely and how damaging exploitation would be in your environment.

Back to Nessus. It is a vulnerability assessment tool by Tenable, and it is beginner-friendly because it is driven entirely through a browser-based graphical user interface (GUI). Its scan templates cover network scans, host discovery, mobile device scans, malware scans, web application vulnerability scans and a great deal more. According to Tenable's own marketing, Nessus is #1 in accuracy and coverage. It is a commercial, subscription-based product, so the full version (Nessus Professional) has to be paid for; Tenable does, however, offer a free edition, Nessus Essentials, which is limited to scanning 16 IP addresses and is enough to explore the tool and learn on a home lab. Finally, the video in the full post walks through installing Nessus, getting started with it and running a scan.
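What you actually do with a Nessus scan is export it and work through the findings by severity. The following is an added example, not code from the post or from Tenable: it parses a `.nessus` (NessusClientData_v2) export and ranks the findings. The embedded XML is a constructed sample that follows the real export layout; the hosts, plugin IDs, names and scores in it are illustrative only.

```python
"""Parse a Nessus .nessus (NessusClientData_v2) export and rank the findings.

Added example, not code from the original post or from Tenable. SAMPLE_NESSUS
is a constructed export: the hosts, plugin IDs, names and scores are illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab scan">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="host-ip">10.0.0.5</tag>
    <tag name="operating-system">Microsoft Windows 7 Professional</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="97833"
               pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
    <description>The remote Windows host is missing a security update for SMBv1.</description>
    <cvss_base_score>9.3</cvss_base_score>
    <cve>CVE-2017-0144</cve>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="57608"
               pluginName="SMB Signing not required">
    <description>Signing is not required on the remote SMB server.</description>
    <cvss_base_score>5.3</cvss_base_score>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <HostProperties>
    <tag name="host-ip">10.0.0.9</tag>
    <tag name="operating-system">Linux Kernel 5.4 on Ubuntu 20.04</tag>
   </HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267"
               pluginName="SSH Server Type and Version Information">
    <description>It is possible to obtain information about the remote SSH server.</description>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="11213"
               pluginName="HTTP TRACE / TRACK Methods Allowed">
    <description>Debugging functions are enabled on the remote web server.</description>
    <cvss_base_score>5.0</cvss_base_score>
    <cve>CVE-2003-1567</cve>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """One dict per ReportItem, with the host's IP and OS attached."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss": float(cvss) if cvss else None,
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings


def severity_summary(findings, min_severity=1):
    """Per-host count of findings at or above min_severity (Info is dropped by default)."""
    summary = defaultdict(Counter)
    for f in findings:
        if f["severity"] >= min_severity:
            summary[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def prioritised(findings, min_severity=1):
    """Findings to research first: highest severity, then highest CVSS base score."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (f["severity"], f["cvss"] or 0.0), reverse=True)


if __name__ == "__main__":
    results = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(results))
    for f in prioritised(results):
        print(f"{SEVERITY_NAMES[f['severity']]:<8} {f['host']}:{f['port']}/{f['protocol']} "
              f"{f['plugin_name']} {' '.join(f['cves'])}")
```

Point the script at a real export (File → Export → Nessus in the web UI) by reading the file into `parse_nessus`. Severity 0 (Info) findings are filtered out of the summary on purpose; they still matter for recon (the SSH banner above is one), so raise `min_severity` only once you have read them.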



Email address gathering

In the context of penetration testing, email address gathering is the process of collecting the email addresses associated with a target organisation as part of an authorised assessment. Sources include the organisation's website, its social media accounts and public databases. Email address gathering matters for several reasons, many of which I will explain soon. You should also understand that there are a great many ways to gather the addresses of an organisation or web application we are testing; many are tedious, some do not return the results needed, and some are simply not practical in a real engagement. You might be wondering why it is necessary at all. Having the addresses of people who work within an organisation tells us where to channel our energy when social engineering is part of the test, because a phishing exercise needs real recipients. Just as useful, a handful of confirmed addresses reveals the organisation's naming convention, whether it is first.lastname@company.com, flastname@company.com or something else, and once you know the pattern you can predict the addresses of employees you found on LinkedIn or in press releases even though their addresses were never published. Those same addresses are also the usual usernames for webmail, VPN and single sign-on portals, so the list feeds later phases of the test as well. Below are listed ways to gather the email addresses of people who work within an organisation.
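The two mechanical parts of this, pulling addresses out of scraped text and inferring the naming convention so you can predict unpublished addresses, look like the following. This is an added example, not code from the post; the contact page snippet, the staff names and the example.com addresses are constructed placeholders.

```python
"""Extract email addresses from scraped text, infer the organisation's naming
convention from the ones tied to known names, and predict addresses for others.

Added example, not code from the original post. SAMPLE_PAGE, KNOWN_STAFF,
NEW_NAMES and the example.com addresses are constructed placeholders.
"""
import re
import unicodedata

# Candidate conventions: label -> builder taking (first, last) and returning the local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(text, domain=None):
    """Unique, lower-cased addresses found in free text; optionally only those @domain."""
    found = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    if domain:
        found = {e for e in found if e.endswith("@" + domain.lower())}
    return sorted(found)


def name_parts(full_name):
    """(first, last) as lower-case ASCII letters; accents are folded, middle names ignored."""
    folded = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in folded.split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return tokens[0], tokens[-1]


def infer_pattern(samples):
    """samples: (full_name, email) pairs. Returns (label, matches) for the convention
    that explains the most samples, or (None, 0) if none fits."""
    scores = dict.fromkeys(PATTERNS, 0)
    for full_name, email in samples:
        local = email.split("@", 1)[0].lower()
        first, last = name_parts(full_name)
        for label, build in PATTERNS.items():
            if build(first, last) == local:
                scores[label] += 1
    label, best = max(scores.items(), key=lambda kv: kv[1])
    return (label, best) if best else (None, 0)


def predict(names, label, domain):
    """Candidate addresses for people whose names are known but addresses are not."""
    build = PATTERNS[label]
    return [f"{build(*name_parts(n))}@{domain}" for n in names]


# Constructed fragment of a "meet the team" page.
SAMPLE_PAGE = """
Our team: Jane Doe (jane.doe@example.com) and Kwame Mensah <kwame.mensah@example.com>.
Press enquiries: press@example.com. Partner portal: support@partner.example.org.
"""
KNOWN_STAFF = [("Jane Doe", "jane.doe@example.com"),
               ("Kwame Mensah", "kwame.mensah@example.com")]
NEW_NAMES = ["Ada Okafor", "Li Wei", "María José García"]

if __name__ == "__main__":
    print(extract_emails(SAMPLE_PAGE, "example.com"))
    label, hits = infer_pattern(KNOWN_STAFF)
    print(label, hits, predict(NEW_NAMES, label, "example.com"))
```

Predicted addresses are guesses until confirmed, and the way to confirm them is within the rules of the engagement (for instance a consented phishing run or a documented SMTP check), not by probing the mail server on your own initiative. Role addresses such as press@ are deliberately kept by `extract_emails` because they are often monitored by the people who matter most for social engineering.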



Hidden Facts About Identifying a Penetration Testing Target

In cybersecurity, the term "target" can refer to a number of different things depending on the context. Generally, a target is a specific asset or system that an attacker is seeking to compromise or exploit: a computer, a network, a web application, or any other type of digital system with weaknesses an attacker can use. For the purpose of this topic, I will review some popular platforms where you can find a target to practise your penetration testing skills on, explain the fine print that comes with them, and finish by talking about the laws governing penetration testing in the United Kingdom. Kindly take a few minutes to read the disclaimer, as it matters for this topic. When it comes to finding an asset to test, there are plenty of penetration testing labs out there, but labs are built to be solved in a particular way, so you learn while solving them but the real-life practicality is missing. It may interest you to know that thousands of companies will let you perform penetration tests on their assets, and if you find a valid vulnerability or bug, you get paid. That sounds interesting, but it is no easy task. Before showing you how to locate these companies and organisations, it is best to explain the fine print behind these programmes so you do not end up in jail. When a company lists an asset for testing, it reasonably does not expect you to DDoS it with tools such as HOIC or LOIC; that is prohibited by practically every programme. Each listing comes with specific guidelines, and reading them before you touch anything is what keeps you within the agreement and on the right side of the law.

I understand there has been a lot of talk about jail, and that is because before a penetration test can be conducted you need consent and a go-ahead to do so. You cannot try out things you learned online on a website that is withholding your refund, or on a website you simply dislike. It is not done, and you do not perform penetration testing if you have not been authorised to do so. Please do not test assets you have not been authorised to test. In the United Kingdom, where I reside, several laws govern the conduct of penetration testing. The Computer Misuse Act 1990 is the primary legislation covering computer crime in the UK. It criminalises unauthorised access to computer systems and data, unauthorised acts that impair the operation of a computer (which is where denial of service sits), and making, supplying or obtaining tools for use in those offences. The act does not mention penetration testing explicitly; what it does is define access as unauthorised when the person is neither entitled to control access to the program or data nor has the consent of someone who is (section 17(5)). In practice this means a tester with the explicit, documented permission of the system owner, acting within the bounds of that permission, is not committing an offence, while stepping outside the agreed scope removes the consent that protected them. Another relevant law is the Data Protection Act 2018, which together with the UK GDPR regulates the processing of personal data in the UK. It requires organisations to have appropriate safeguards in place to protect personal data from unauthorised access, use or disclosure. Personal data may be accessed and processed during a penetration test, so testers must ensure their authorisation covers that processing and that they handle, store and destroy any such data in line with the act. Industry-specific rules may also apply, such as the Payment Card Industry Data Security Standard (PCI DSS) for organisations handling card transactions, and the EU General Data Protection Regulation (GDPR) for organisations that also operate in the European Union.

In addition to these laws, there are best practices and guidelines that penetration testers should follow so that their work is ethical and respects the rights of others. Bodies such as the Open Web Application Security Project (OWASP) publish testing guidance built around the same principles: obtain prior consent, avoid causing damage or disruption, and respect the privacy of the individuals whose data you encounter. In summary, the laws governing penetration testing in the UK are designed to protect against computer crime and ensure the proper handling of personal data; as long as testers have the necessary permissions and follow the relevant laws and guidelines, they can carry out ethical hacking to help organisations improve their security. Back to the topic: companies that list their assets for testing give out something called "SCOPE". So what does scope in penetration testing mean? Scope refers to the specific systems, networks or applications included in the test, usually written as a list of domains, wildcard domains, IP ranges and applications, together with an explicit list of what is excluded. It is important to know the scope before any test is carried out, both so the test stays focused on what the organisation needs and because the scope is the boundary of your authorisation: anything outside it is an unauthorised act, however closely related it looks. The scope of a penetration test can be determined in a number of ways, depending on the goals and objectives of the test. Some common considerations include: the assets or systems most critical to the organisation's operations, which may be prioritised for testing to ensure they are secure; the vulnerabilities or weaknesses the organisation is most concerned about, which may become the focus of the test in order to identify and address potential risks; the types of attacks the organisation is most likely to encounter,
which may include specific types of malware, network vulnerabilities or web application vulnerabilities; and the resources available for the test, which may include the time and budget allocated for the test, as well as the
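Because scope is the boundary of your authorisation, it is worth checking every candidate target against it mechanically before any traffic is sent, especially when a subdomain tool has just handed you a few hundred names. The following is an added example, not code from the post or from any bug bounty platform; the scope entries, example.com and the 10.10.x.x addresses are constructed placeholders.

```python
"""Check candidate targets against the written scope of an engagement before
any traffic is sent to them.

Added example, not code from the original post or from any bug bounty platform.
The scope entries, example.com and the 10.10.x.x addresses are constructed.
"""
import ipaddress


class Scope:
    """Engagement scope in which exclusions always win over inclusions.

    Entries may be IP addresses, CIDR ranges, exact hostnames, or wildcard
    hostnames of the form *.example.com, which (as on most programmes) covers
    any name under example.com but not example.com itself; list the apex
    separately if it is in scope.
    """

    def __init__(self, in_scope, out_of_scope=()):
        self.in_nets, self.in_hosts = self._split(in_scope)
        self.out_nets, self.out_hosts = self._split(out_of_scope)

    @staticmethod
    def _split(entries):
        nets, hosts = [], []
        for entry in entries:
            entry = entry.strip().lower()
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:          # not an IP or CIDR: treat as a hostname pattern
                hosts.append(entry)
        return nets, hosts

    @staticmethod
    def _host_matches(pattern, host):
        if pattern.startswith("*."):
            return host.endswith(pattern[1:])    # "*.example.com" -> ".example.com"
        return host == pattern

    def _matches(self, nets, hosts, target):
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return any(self._host_matches(p, target) for p in hosts)
        return any(ip in net for net in nets)

    def allows(self, target):
        """True only if target is covered by an inclusion and by no exclusion."""
        target = target.strip().lower().rstrip(".")
        if self._matches(self.out_nets, self.out_hosts, target):
            return False
        return self._matches(self.in_nets, self.in_hosts, target)


def filter_targets(scope, targets):
    """Split a candidate list (e.g. subdomain tool output) into allowed and blocked."""
    allowed = [t for t in targets if scope.allows(t)]
    blocked = [t for t in targets if not scope.allows(t)]
    return allowed, blocked


# Constructed programme scope.
SCOPE = Scope(
    in_scope=["*.example.com", "example.com", "10.10.0.0/16"],
    out_of_scope=["legacy.example.com", "*.corp.example.com", "10.10.5.0/24"],
)

if __name__ == "__main__":
    candidates = ["www.example.com", "legacy.example.com", "vpn.corp.example.com",
                  "10.10.1.20", "10.10.5.9", "partner.example.org"]
    allowed, blocked = filter_targets(SCOPE, candidates)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

A hostname that is in scope can still resolve to an address that is not, and the reverse; when a programme scopes by both, check the name and the resolved IP and only proceed if both pass. Keep the scope file with the engagement records, since it is the evidence of what you were authorised to touch.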



The Ultimate Guide To FINDING SUBDOMAINS

Hunting subdomains is an important part of a web application penetration test. To start with, it helps to understand what a domain is and then what a subdomain is. The simplest way to think of a domain name is as the address people type into a browser's URL bar to visit a website. Domain names are registered with domain name registrars, and google.com, youtube.com and tobididit.com are examples. A subdomain is a smaller part of that larger domain: an extra label placed in front of it to create a distinct web address. Why have subdomains at all when the domain already works? Site owners use them to send people to a different site or service, and very often to target a specific country. Suppose a big brand like Coca-Cola, headquartered in the USA, has a market in Eswatini (formerly Swaziland), where siSwati is an official language alongside English. It would be unfair to customers there if all of Coca-Cola's content were written for the US market, if they had to order by calling a US number, and if prices were shown in US dollars. With a subdomain, the address serving content tailored to that market might be something like sz.cocacola.com (a hypothetical address used only for illustration). Another thing worth knowing about is the wildcard subdomain, also called a catch-all subdomain, and the name explains it: a wildcard DNS record (*.example.com) answers for any name under the domain that does not have its own record, so whether a particular subdomain really exists or not, it resolves, usually to the same address or landing page. This matters for enumeration because every brute-forced or guessed name will look alive; you need to detect the catch-all and filter out the names that only resolve because of it. Now I am sure you are curious why we do all this when we are gathering information.

Subdomain hunting is necessary because we might run into a subdomain that exposes things we were never meant to see, such as dev.donotsee.com or testsite.donotsee.com running an older build, a debug endpoint or a forgotten admin panel. Looking only at the main domain without checking its subdomains limits the information gathered and therefore the attack surface you get to test. Tools that do the job well include Sublist3r, the certificate transparency search at crt.sh, OWASP Amass, and tomnomnom's httprobe for checking which of the discovered names actually answer over HTTP and HTTPS. Videos reviewing these tools accompany the full post; if you find them helpful, like the video, subscribe to the channel and leave a comment.
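The two steps that trip people up in practice are cleaning up certificate transparency output and dealing with a catch-all zone. The following is an added example, not code from the post or from crt.sh, Sublist3r, Amass or httprobe: it turns crt.sh-style JSON into a candidate list, then resolves random labels to detect a wildcard and drops names whose only evidence of life is the catch-all answer. The CT entries, the fake DNS table and the 203.0.113.x addresses are constructed so the script runs offline; `system_resolve` is the function to swap in against a real zone.

```python
"""Build a subdomain candidate list from certificate transparency (crt.sh-style
JSON) and filter out names that only resolve because of a wildcard record.

Added example, not code from the original post, crt.sh, Sublist3r, Amass or
httprobe. CT_JSON mimics the JSON crt.sh returns (one object per certificate,
names newline-separated in name_value); it, FAKE_DNS and the 203.0.113.x
addresses are constructed.
"""
import json
import random
import socket
import string

CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},                 # wildcard certificate
    {"name_value": "dev.example.com"},
    {"name_value": "DEV.example.com"},               # same host, different case
    {"name_value": "testsite.example.com\napi.example.com"},
    {"name_value": "example.com.evil-phish.net"},    # contains the domain but is not under it
])


def candidates_from_ct(ct_json, domain):
    """Unique, lower-cased names under `domain` (plus the apex), wildcard prefixes stripped."""
    domain = domain.lower()
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels under `domain`; if they all return the same answers the
    zone has a catch-all record and that answer set is returned, otherwise None."""
    seen = None
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answers = frozenset(resolve(f"{label}.{domain}"))
        if not answers:
            return None
        if seen is None:
            seen = answers
        elif answers != seen:
            return None   # answers differ between probes: not a plain catch-all
    return seen


def live_subdomains(names, domain, resolve):
    """Keep names that resolve, dropping those indistinguishable from the catch-all."""
    wildcard = detect_wildcard(domain, resolve)
    kept = []
    for name in names:
        answers = frozenset(resolve(name))
        if not answers:
            continue
        if wildcard and name != domain and answers == wildcard:
            continue
        kept.append(name)
    return kept


def system_resolve(name):
    """Real resolver for use outside this example: A records via the OS resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


# Constructed zone: four real records; any other name under example.com hits the catch-all.
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "dev.example.com": ["203.0.113.25"],
    "api.example.com": ["203.0.113.30"],
}
WILDCARD_ANSWER = ["203.0.113.99"]


def fake_resolve(name):
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    if name.endswith(".example.com"):
        return WILDCARD_ANSWER
    return []


if __name__ == "__main__":
    found = candidates_from_ct(CT_JSON, "example.com")
    print("candidates:", found)
    print("live (catch-all filtered):", live_subdomains(found, "example.com", fake_resolve))
```

The filter has a known blind spot: a real host that happens to share the wildcard's address (common when everything sits behind one load balancer) is dropped along with the noise. For those zones, compare HTTP responses or virtual-host behaviour with httprobe or Amass rather than A records alone. Only the constructed resolver is used here; pointing `system_resolve` at a real domain sends DNS queries, which is active reconnaissance and needs authorisation.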



INFORMATION GATHERING IN CYBERSECURITY

In cybersecurity, information gathering refers to the process of collecting and analysing data about a target system or network in order to identify potential vulnerabilities or threats. It is an important part of vulnerability assessment, penetration testing and incident response alike. Several techniques can be used for information gathering, including:

Network scanning: using tools like Nmap to scan the target network for live hosts, open ports and services. This helps identify potential targets and reveals the network's architecture and configuration.

Social engineering: using psychological manipulation or deception to trick people into revealing sensitive information or granting access to restricted areas. It can be effective for gathering information that is not readily available by other means, but it is an attack in its own right and must be explicitly in scope.

Web application analysis: analysing the structure and functionality of a target web application to identify potential vulnerabilities. Tools like Burp Suite can intercept and analyse the traffic between the web application and the user's browser.

Public records searches: searching public databases and records for information about the target organisation or individuals, such as company registration records, property records and social media profiles.

Physical reconnaissance: physically visiting the target location and gathering information about the layout and the security measures in place, such as observing security procedures, taking pictures, or collecting discarded material that might contain sensitive information.

Consider a scenario where you are trying to break into a house as "a thief, maybe". Of course, you are not a thief. But imagine you are a thief performing reconnaissance on a house you plan to break into: what would you be on the lookout for? How about popping your answers in the comments. You would probably want to see whether the windows are wooden or glass, whether a window is always left open or the door is left unlocked, whether there is CCTV mounted, what type of locks are used, and so on. I have a limited idea of this because I have never broken into a house. Back to cyber: the more information you gather, the better your chances of a good result in the end, so information gathering should be mastered. It is also necessary because the information gathered on a target can be used for guessing passwords, among other attacks. To get started with information gathering we first need to identify our target, and knowing the target helps us decide whether to go for active or passive reconnaissance. I will explain both, of course. Passive reconnaissance is gathering information on an asset without interacting with the asset itself: you are collecting data, but the target cannot see you doing it because nothing you do touches its systems. This can be done with Google hacking, Shodan and Open Source Intelligence (OSINT) more broadly. Active reconnaissance, on the other hand, is gathering information on a target while interacting with it directly, for example finding open ports with Nmap or finding vulnerabilities with Nessus or Nikto. Because active reconnaissance sends traffic to the target, it shows up in the target's logs and only ever happens with authorisation. Information gathering should be conducted ethically and within the bounds of the law, which means obtaining consent from the target and respecting any privacy or security measures in place.

Overall, information gathering is a critical part of effective cybersecurity, as it gives security professionals what they need to identify and mitigate potential threats to the target system. I know I have mentioned a lot of tools, but do not feel overwhelmed; you will get the hang of all of them. That said, this is a decent place to conclude what information gathering entails, and this is just the basics. Every tool and method mentioned will be explained fully in upcoming posts, with videos guiding you on how to get started with them, and be on the lookout for our next post, "Identifying our targets", because there is no reconnaissance without a target. I hope you find this post simple to understand. Do not forget to subscribe to our newsletter so you get notified when there is a new post.
