1
00:00:00,490 --> 00:00:01,540
Hello, my name is Stefan.

2
00:00:01,550 --> 00:00:02,950
Welcome to this lecture.

3
00:00:02,950 --> 00:00:08,080
In this lecture, we are going to learn about the information gathering phase: reconnaissance.

4
00:00:08,140 --> 00:00:13,600
The information gathering phase is a crucial step in any security assessment.

5
00:00:13,600 --> 00:00:20,020
Bug bounty hunters and security professionals emphasize the importance of this phase as it lays the

6
00:00:20,020 --> 00:00:22,930
foundation for the entire process.

7
00:00:22,930 --> 00:00:28,810
During the information gathering, the goal is to discover assets and enumerate the attack surface of

8
00:00:28,810 --> 00:00:33,640
the target to obtain as much relevant information as possible.

9
00:00:33,640 --> 00:00:40,000
Every piece of information gathered can potentially contribute to the success of the security assessment.

10
00:00:40,030 --> 00:00:48,370
In this lecture, various data points are collected, including usernames, passwords, hostnames,

11
00:00:48,370 --> 00:00:53,470
IP addresses, external providers, internal services and version banners.

12
00:00:53,500 --> 00:01:00,440
These details provide insights into the target's infrastructure and potential vulnerabilities.

13
00:01:00,440 --> 00:01:07,850
The information obtained during this phase becomes invaluable for subsequent stages of the security

14
00:01:07,880 --> 00:01:08,690
assessment.

15
00:01:08,690 --> 00:01:13,460
So there are numerous reconnaissance tasks that can be performed during an assessment.

16
00:01:13,500 --> 00:01:20,360
And one powerful tool for information gathering is the Nmap Scripting Engine.

17
00:01:20,360 --> 00:01:21,710
NSE.

18
00:01:22,010 --> 00:01:30,440
NSE offers internal results obtained from scans as well as external data sources that complement other

19
00:01:30,440 --> 00:01:38,180
standalone tools. By utilizing all available resources, security professionals and ethical hackers increase

20
00:01:38,180 --> 00:01:44,180
their chances of finding critical information that could compromise a target's security.

21
00:01:44,210 --> 00:01:50,660
Paying attention to the small details is crucial during this phase, as it can yield significant dividends.

22
00:01:50,660 --> 00:01:56,480
And Nmap is well known for its robust information gathering capabilities, such as operating system

23
00:01:56,480 --> 00:02:00,430
fingerprinting, port enumeration and service discovery.

24
00:02:00,440 --> 00:02:07,040
However, with the inclusion of NSE, the Nmap Scripting Engine, additional information gathering tasks

25
00:02:07,040 --> 00:02:08,480
can be performed.

26
00:02:08,480 --> 00:02:13,880
These tasks include obtaining additional IP address information, checking for malicious activities

27
00:02:13,880 --> 00:02:20,510
associated with the host using external databases, discovering new targets through the external databases,

28
00:02:20,540 --> 00:02:27,860
brute forcing DNS records, parsing SSL certificates and collecting valid email accounts.

29
00:02:27,860 --> 00:02:31,940
So let's explore some practical examples of these techniques here.

30
00:02:31,940 --> 00:02:33,560
So here we will.

31
00:02:33,560 --> 00:02:38,600
In this section we will perform IP address geolocation.

32
00:02:38,600 --> 00:02:46,940
So geolocating an IP address can help system administrators and threat intelligence analysts identify

33
00:02:46,940 --> 00:02:49,880
the geographical origin of a network connection.

34
00:02:49,880 --> 00:02:56,540
NSE scripts such as IP here, so IP geolocation.

35
00:02:56,540 --> 00:02:57,950
MaxMind.

36
00:02:58,220 --> 00:03:01,220
IP geolocation.

37
00:03:03,050 --> 00:03:04,280
Oh, actually, let's write it.

38
00:03:04,700 --> 00:03:08,030
Write it down on the notepad here.

39
00:03:08,030 --> 00:03:09,950
So the NSE scripts.

40
00:03:09,980 --> 00:03:14,510
IP Geolocation MaxMind.

41
00:03:14,540 --> 00:03:23,810
IP Geolocation IPInfoDB. IP Geolocation.

42
00:03:23,810 --> 00:03:27,410
GeoPlugin. IP Geolocation.

43
00:03:28,290 --> 00:03:29,730
Geolocation.

44
00:03:30,270 --> 00:03:30,930
Um.

45
00:03:31,290 --> 00:03:34,110
IP geolocation map Bing.

46
00:03:35,720 --> 00:03:37,850
Map Bing here.

47
00:03:38,000 --> 00:03:40,310
IP Geolocation.

48
00:03:40,460 --> 00:03:44,180
IP Geolocation Map.

49
00:03:44,180 --> 00:03:45,260
Google.

50
00:03:49,020 --> 00:03:49,590
IP.

51
00:03:51,150 --> 00:03:53,730
Geolocation map.

52
00:03:53,890 --> 00:03:57,330
KML. Enable geolocation.

53
00:03:57,330 --> 00:04:05,550
These NSE scripts enable geolocation of remote IP addresses by leveraging external

54
00:04:05,550 --> 00:04:07,350
services or databases.

55
00:04:07,350 --> 00:04:10,950
So, getting information. In this lecture, in this section,

56
00:04:10,950 --> 00:04:14,880
we are also going to learn how to get information from WHOIS records.

57
00:04:14,880 --> 00:04:21,690
So WHOIS records contain valuable details about domain registrations, ownership information

58
00:04:21,690 --> 00:04:23,670
and registration dates.

59
00:04:23,670 --> 00:04:30,570
So NSE scripts allow security professionals to query WHOIS servers and extract relevant information

60
00:04:30,570 --> 00:04:32,340
for their assessments.

61
00:04:32,820 --> 00:04:39,180
In this section, we will also learn how to obtain traceroute geolocation information.

62
00:04:39,180 --> 00:04:46,290
So a traceroute is a network diagnostic tool that maps the path between a machine and a target.

63
00:04:46,290 --> 00:04:54,430
So NSE scripts provide geolocation information for each hop in the traceroute, aiding in network analysis

64
00:04:54,430 --> 00:04:59,950
and understanding the target's information and infrastructure.

65
00:04:59,950 --> 00:05:05,110
So we will also query Shodan to obtain target information.

66
00:05:05,110 --> 00:05:14,040
So Shodan is a specialized search engine that scans and indexes Internet-connected devices.

67
00:05:14,050 --> 00:05:15,460
NSE here.

68
00:05:15,460 --> 00:05:22,210
So we can also use Shodan online here, Shodan here.

69
00:05:22,210 --> 00:05:23,920
So here, this Shodan.

70
00:05:23,920 --> 00:05:31,390
As I said, Shodan is a specialized search engine that scans and indexes Internet-connected

71
00:05:31,390 --> 00:05:38,680
devices, and the NSE script allows security professionals to query Shodan's database and gather information

72
00:05:38,680 --> 00:05:44,890
about specific targets, including open ports, running services and potential vulnerabilities.

73
00:05:45,850 --> 00:05:48,850
So, sorry, here.

74
00:05:48,850 --> 00:05:55,090
So in this section, we will also learn how to collect valid email accounts and IP addresses

75
00:05:55,090 --> 00:05:56,740
from web servers.

76
00:05:56,890 --> 00:06:05,710
NSE scripts can identify valid email accounts associated with the web server, which can be useful for

77
00:06:05,710 --> 00:06:08,080
social engineering or targeted attacks.

78
00:06:08,080 --> 00:06:14,800
So these scripts also extract IP addresses linked to the web server, providing further insights into

79
00:06:14,800 --> 00:06:16,480
the target's infrastructure.

80
00:06:16,480 --> 00:06:25,690
In this section of our course, we will learn how to discover hostnames pointing to the same IP

81
00:06:25,690 --> 00:06:28,030
address, which is DNS related.

82
00:06:28,030 --> 00:06:34,810
NSE scripts can help identify multiple hostnames that resolve to the same IP address, so this information

83
00:06:34,810 --> 00:06:39,220
can reveal subdomains or alternative ways to access the target,

84
00:06:39,250 --> 00:06:41,380
expanding the attack surface.

85
00:06:41,380 --> 00:06:47,380
We will also learn how to discover hostnames by brute forcing DNS records, because brute forcing DNS

86
00:06:47,380 --> 00:06:55,450
records involves systematically generating and querying possible hostnames to find the

87
00:06:55,960 --> 00:06:58,420
valid ones associated with the targets.

88
00:06:58,420 --> 00:07:06,040
So NSE scripts streamline this process, saving time and effort during the assessment.

89
00:07:06,640 --> 00:07:13,000
And lastly, in this section we will learn how to match services with public vulnerability advisories

90
00:07:13,000 --> 00:07:15,340
and pick the low hanging fruit.

91
00:07:15,340 --> 00:07:22,510
So NSE scripts compare the services identified on the target with public vulnerability advisories.

92
00:07:22,510 --> 00:07:27,940
This helps identify known vulnerabilities that can be easily exploited.

93
00:07:28,000 --> 00:07:34,090
Focusing on low hanging fruits maximizes the efficiency of the assessment.

94
00:07:34,090 --> 00:07:39,820
In conclusion, the information gathering phase is a critical aspect of any security assessment.

95
00:07:39,820 --> 00:07:48,430
By leveraging tools like Nmap and its NSE scripts, security professionals can gather valuable information

96
00:07:48,430 --> 00:07:53,050
about a target's assets, attack surface and potential vulnerabilities.

97
00:07:53,050 --> 00:07:59,410
The practical examples provided demonstrate the various techniques available for IP address geolocation,

98
00:07:59,410 --> 00:08:06,880
WHOIS record retrieval, traceroute analysis, Shodan querying, email account and IP address collection,

99
00:08:06,880 --> 00:08:10,780
hostname discovery and matching services with public vulnerability advisories.

100
00:08:10,810 --> 00:08:18,190
Incorporating these techniques into the security assessment enhances the ability to identify and mitigate

101
00:08:18,190 --> 00:08:20,230
the risks effectively.