1
00:00:00,840 --> 00:00:06,660
Hello and welcome to this information gathering over the internet lecture. In this lecture, you'll learn

2
00:00:06,660 --> 00:00:12,780
the types and methods of information gathering, the classic information gathering methods such as WHOIS

3
00:00:12,780 --> 00:00:16,680
and banners, how to use search engines to gather information.

4
00:00:17,790 --> 00:00:23,520
How to gather information about the people who are related to a target company, how to find more from

5
00:00:23,520 --> 00:00:24,390
the archives.

6
00:00:25,550 --> 00:00:29,720
And the tools to help you collect valuable information about the target company.

7
00:00:32,360 --> 00:00:37,520
The first phase in security assessment is focused on collecting as much information as possible about

8
00:00:37,520 --> 00:00:43,400
the target. Information gathering is one of the most critical steps of hacking or penetration testing.

9
00:00:43,970 --> 00:00:49,340
The more information is gathered about the target, the more it becomes possible to customize the attack.

10
00:00:49,580 --> 00:00:52,190
In this section, we're going to answer these questions.

11
00:00:52,670 --> 00:00:55,040
What can we learn about the target over the internet?

12
00:00:55,490 --> 00:00:57,260
How can we collect the information?

13
00:00:57,680 --> 00:01:00,500
Where can we find the information about the target?

14
00:01:01,450 --> 00:01:06,010
Before we begin, we should answer a basic question: what is the target?

15
00:01:06,780 --> 00:01:14,520
The target is the company, institute, network, system or even a person that we want to hack. An application,

16
00:01:14,670 --> 00:01:20,610
a person, a system: we'll try to collect every bit of information that helps us to hack the target.

17
00:01:22,470 --> 00:01:24,630
There are two types of information gathering.

18
00:01:25,470 --> 00:01:27,750
The first type is passive information gathering.

19
00:01:28,350 --> 00:01:34,220
In this type of information gathering, you don't want to be detected by the target. In this regard,

20
00:01:34,230 --> 00:01:37,140
you don't use tools that send traffic to the target,

21
00:01:37,440 --> 00:01:41,100
neither from your host nor from an anonymous one across the internet.

22
00:01:41,940 --> 00:01:49,140
Passive information gathering activities may include, but are not limited to, identifying IP addresses

23
00:01:49,140 --> 00:01:55,710
and subdomains, identifying external or third-party sites, identifying people who are related to the

24
00:01:55,710 --> 00:01:56,190
target,

25
00:01:56,640 --> 00:02:03,030
identifying technologies, identifying content of interest, identifying vulnerabilities.

26
00:02:03,750 --> 00:02:10,920
You can collect information possibly from web archives, mail archives, social networks, search engines,

27
00:02:10,920 --> 00:02:11,790
etc.

28
00:02:12,840 --> 00:02:18,120
The second type is active information gathering. In this type of information gathering,

29
00:02:18,450 --> 00:02:20,700
you scan the target's systems.

30
00:02:21,630 --> 00:02:27,360
Active information gathering requires more preparation for the attacker or pentester because it leaves

31
00:02:27,360 --> 00:02:33,480
traces which are likely to alert the target or produce evidence against him in the course of a possible

32
00:02:33,480 --> 00:02:34,860
digital investigation.

33
00:02:36,250 --> 00:02:42,670
There are a lot of places you can collect data over the Internet. Web archives: suppose that the sensitive

34
00:02:42,670 --> 00:02:44,860
data was published accidentally.

35
00:02:45,310 --> 00:02:49,900
A few days later, the admins realized the mistake and removed the data from the website.

36
00:02:50,260 --> 00:02:55,360
But what if someone has already archived that website with the sensitive data?

37
00:02:56,590 --> 00:03:01,210
Scanning the ports and services, you can find the ports accessible over the internet.

38
00:03:01,870 --> 00:03:06,880
The target company opened that service intentionally or unintentionally.

39
00:03:08,320 --> 00:03:14,430
Using search engines, you can find enormous pieces of useful information. Beyond that, known weaknesses

40
00:03:14,440 --> 00:03:19,060
leave traces on the websites: in headers, titles, URLs.

41
00:03:19,270 --> 00:03:22,480
You can easily find these traces using search engines.

42
00:03:24,080 --> 00:03:29,390
You can find some useful information about the target company on social networks, for example, Facebook,

43
00:03:29,390 --> 00:03:30,950
Twitter or LinkedIn.

44
00:03:31,930 --> 00:03:35,860
Suppose the target company is looking for a new system admin to hire.

45
00:03:36,400 --> 00:03:38,230
Look at the job sites or LinkedIn.

46
00:03:38,500 --> 00:03:45,220
What would you see? Information about systems that are used in the target company, or tools and programs

47
00:03:45,220 --> 00:03:46,810
used to monitor those systems?

48
00:03:48,060 --> 00:03:53,730
Look at the experts working for a target company carefully. Do they subscribe to forums or email lists?

49
00:03:54,000 --> 00:03:59,850
What kind of problems do they share on this forum or these mailing lists? Asking for help about Java

50
00:03:59,850 --> 00:04:02,400
version 9 or the Hibernate framework?

51
00:04:04,370 --> 00:04:09,830
You take and publish pictures of your secret disaster recovery center on your website.

52
00:04:10,370 --> 00:04:15,290
You're sure that it's impossible to understand from the picture where the center is.

53
00:04:15,950 --> 00:04:16,820
Are you sure?

54
00:04:17,240 --> 00:04:19,220
What about the metadata of the picture?

55
00:04:19,670 --> 00:04:21,950
Did you choose the location info?

56
00:04:23,010 --> 00:04:29,040
WHOIS is a web application used to get information about the target website, such as the administrator's

57
00:04:29,040 --> 00:04:32,100
email address, details about the registration.

58
00:04:32,550 --> 00:04:38,490
WHOIS is a very large database and contains information on approximately all the websites.

59
00:04:38,970 --> 00:04:42,570
It can be searched by domain name or an IP address

60
00:04:42,570 --> 00:04:48,570
block. The protocol stores and delivers database content in a human-readable format.

61
00:04:49,870 --> 00:04:54,130
You can use the whois command of Linux systems to get the WHOIS query results.

62
00:04:54,580 --> 00:04:58,660
In addition, there are some websites that help you to get the WHOIS query results.

63
00:04:59,110 --> 00:05:00,790
You see some of them on the slide.

64
00:05:00,970 --> 00:05:04,780
And the WHOIS service of the DomainTools website is also given as an example.

65
00:05:09,660 --> 00:05:15,120
If we analyze the banners of the response sent by the web systems of the target company, we can find

66
00:05:15,120 --> 00:05:19,350
some detailed information about the server, the technology used, etc.

67
00:05:21,360 --> 00:05:28,140
We sent a request to port 80 of the NHS Staff UK website using the telnet service and got the response.

68
00:05:31,580 --> 00:05:34,310
Look at the Server and the X-Powered-By headers.

69
00:05:34,700 --> 00:05:43,400
We learned that the application server of NHS Staff UK is Microsoft IIS version 8.0 and ASP.NET

70
00:05:43,730 --> 00:05:47,060
is used to develop the web application. But hold on.

71
00:05:47,330 --> 00:05:48,160
Are we sure?

72
00:05:48,590 --> 00:05:50,600
Could the information be fake?
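The banner-grabbing step the lecture ends on (a raw request to port 80, then reading the Server and X-Powered-By headers) and its closing question about whether those headers can be trusted, as an added example that is not part of the lecture transcript or the course material. It builds the same request you would type into telnet, parses the response headers, and then counts how many independent headers point at the same technology, so that a rewritten Server header alone does not decide the fingerprint. The two responses embedded in the block are constructed for the example and are not captures from any real site; the host name used at the bottom is a placeholder.

```python
"""Banner grabbing over raw HTTP, plus a small corroboration check.

Added example, not code from the lecture. SAMPLE_RESPONSE and
SPOOFED_RESPONSE are constructed by hand to resemble IIS/ASP.NET
headers; neither is a real capture from any website.
"""
import socket
from typing import Dict, List

# Constructed sample: what an IIS 8.0 / ASP.NET server might answer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/8.0\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"Set-Cookie: ASP.NET_SessionId=0123456789abcdef; path=/; HttpOnly\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample: same backend, but the admin rewrote the Server header.
SPOOFED_RESPONSE = SAMPLE_RESPONSE.replace(
    b"Server: Microsoft-IIS/8.0", b"Server: Apache"
)


def build_request(host: str, path: str = "/") -> bytes:
    """The bytes you would type into telnet; HEAD is enough for headers."""
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: banner-check/0.1\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP response into headers (names lower-cased).

    Values are kept in lists because headers such as Set-Cookie repeat.
    The status line is stored under the key 'status'.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {"status": [lines[0]]}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line instead of crashing
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each technology hint to the headers that support it.

    Server and X-Powered-By are free-form strings an admin can rewrite.
    X-AspNet-Version and the ASP.NET_SessionId cookie are emitted by the
    framework itself, so agreement across them is harder to fake.
    """
    hints: Dict[str, List[str]] = {}

    def add(tech: str, source: str) -> None:
        hints.setdefault(tech, []).append(source)

    for value in headers.get("server", []):
        add(value, "Server")
    for value in headers.get("x-powered-by", []):
        add(value, "X-Powered-By")
    if headers.get("x-aspnet-version"):
        add("ASP.NET", "X-AspNet-Version")
    for cookie in headers.get("set-cookie", []):
        if cookie.startswith("ASP.NET_SessionId="):
            add("ASP.NET", "Set-Cookie")
    return hints


def corroborated(hints: Dict[str, List[str]], minimum: int = 2) -> List[str]:
    """Technologies backed by at least `minimum` independent headers."""
    return sorted(tech for tech, sources in hints.items() if len(sources) >= minimum)


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, List[str]]:
    """Live version: connect, send the request, read until the headers end."""
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        while True:
            data = sock.recv(4096)
            if not data or b"\r\n\r\n" in b"".join(chunks):
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("spoofed", SPOOFED_RESPONSE)):
        hints = fingerprint(parse_response(raw))
        print(label, hints, "corroborated:", corroborated(hints))
    # Live use (placeholder host, needs network): grab_banner("example.com")
```

On the spoofed response the Server header says Apache, but the X-AspNet-Version header and the ASP.NET_SessionId cookie still agree on ASP.NET, which is the kind of cross-check the lecture's "could the information be fake?" question calls for. Both of those can be renamed or suppressed in the application configuration as well, so a fingerprint built this way is evidence to be weighed, not proof.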