So far in the ethical hacking course, we have presented individual tools that each collect one specific kind of data during the information-gathering phase.
In this post, we present tools that combine several of those techniques and present the collected information together, as a single report or graph.
The OSINT Framework collects information-gathering tools and websites in one central location, organised by category. Some of the tools listed cover disciplines beyond information security.
The OSINT Framework is not meant to be a checklist, but reviewing the categories and the tools under each may spur ideas for additional information-gathering opportunities.
Maltego is a powerful data-mining tool that combines many search sources and strategies in one interface.
Its learning curve can be steep, but the capability is worth the effort.
It has both commercial editions and a free Community Edition. The Community Edition shipped with Kali Linux caps the number of results returned per transform, but it still gathers a good deal of interesting information very quickly. The paid editions return more results and offer more functionality and better performance.
Maltego works from information that is already publicly available on the Internet, so using it is passive reconnaissance. That does not remove the need for a defined scope and rules of engagement: some transforms query third-party services under their own terms of use, and running them against an organisation you are not authorised to assess may still be a problem.
It searches a large number of online data sources and uses transforms to convert one piece of information into another. For example, during a user-focused information-gathering campaign we could submit an email address and, through a series of automated searches, transform it into an associated phone number or street address.
During an organisational information-gathering exercise, we could submit a domain name and transform it into the web server, then into a list of email addresses, then into the associated social media accounts, and then into a list of candidate passwords for those email accounts.
The possible combinations are endless, and the discovered information is presented as a zoomable graph that is easy to navigate.
Shodan is a search engine that crawls devices connected to the Internet. This includes the servers that run websites, but also routers, industrial controllers and IoT devices.
Shodan's crawlers connect to these devices, record the service banners they return, and index the results so that they can be searched.
You can register a free account in Shodan which provides limited access.
We can use Shodan to search for a domain, for example with the filter hostname:domain.com, which matches hosts whose recorded hostnames (largely from reverse DNS and certificates) contain that domain. The results list IP addresses, services, and banner information. For each IP address found, Shodan can return a host summary: open ports, the services behind them, and the technologies and versions identified from their banners.
Shodan will also list published vulnerabilities (CVEs) for the identified services or technologies. Most of these are matched on the version string in the banner alone, and Shodan flags the few it has actually verified; treat the rest as candidates to confirm during the assessment rather than as findings.
The information gathered this way is obtained passively: Shodan's crawlers did the scanning, and we only read its cached results, so no traffic goes from us to the client's systems. The price is that the data can be stale, so verify anything that matters before acting on it.
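The per-host summary described above, as an added example that is not part of the original course or Shodan's own code. It takes a host record in the shape of Shodan's documented host-lookup response (ip_str, hostnames, ports, vulns, and a data list of banners with port, transport, product, version, the raw banner and per-banner vulns) and builds the summary a report would show, keeping Shodan's verified flag so version-only CVE matches are not mistaken for confirmed vulnerabilities. The record is constructed, the address is from a documentation range, and the CVE identifiers are placeholders rather than real vulnerabilities; the field names are an assumption about the API shape, not taken from the page.

```python
"""Summarise a Shodan host record the way a recon report would.

Added example; not Shodan's code. The record shape is assumed from
Shodan's documented host-lookup response. All values are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample host. 203.0.113.0/24 is a documentation range and
# the CVE-0000-* identifiers are placeholders, not real CVEs.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "hostnames": ["www.example.com"],
    "ports": [443, 22, 80],
    "vulns": ["CVE-0000-0001", "CVE-0000-0002"],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9p1",
         "data": "SSH-2.0-OpenSSH_8.9p1\r\n"},
        {"port": 80, "transport": "tcp",
         # no parsed product/version here: must be pulled from the raw banner
         "data": "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.18.0\r\n"
                 "Location: https://www.example.com/\r\n",
         "vulns": {"CVE-0000-0001": {"cvss": 7.5, "verified": False, "summary": "placeholder"}}},
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.18.0",
         "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n",
         "vulns": {"CVE-0000-0001": {"cvss": 7.5, "verified": False, "summary": "placeholder"},
                   "CVE-0000-0002": {"cvss": 9.8, "verified": True, "summary": "placeholder"}}},
    ],
}

# "Server: product/version" line inside a raw HTTP banner
SERVER_HEADER = re.compile(r"^Server:\s*([^/\r\n]+)(?:/(\S+))?", re.MULTILINE)


@dataclass
class Service:
    port: int
    transport: str
    product: str
    version: str


@dataclass
class Cve:
    cve_id: str
    cvss: float
    verified: bool              # False: attributed from the banner version only
    ports: list = field(default_factory=list)


@dataclass
class HostSummary:
    ip: str
    hostnames: list
    ports: list
    services: list
    cves: list


def service_from_banner(banner):
    """Prefer Shodan's parsed product/version; fall back to the Server: header."""
    product, version = banner.get("product"), banner.get("version")
    if not product:
        m = SERVER_HEADER.search(banner.get("data", ""))
        if m:
            product, version = m.group(1).strip(), m.group(2) or ""
    return Service(banner["port"], banner.get("transport", "tcp"), product or "unknown", version or "")


def summarize_host(host):
    """Collapse the banner list into services and de-duplicated CVEs."""
    banners = host.get("data", [])
    services = sorted((service_from_banner(b) for b in banners), key=lambda s: s.port)
    cves = {}
    for b in banners:
        for cve_id, info in (b.get("vulns") or {}).items():
            entry = cves.setdefault(cve_id, Cve(cve_id, float(info.get("cvss", 0.0)), False))
            entry.verified = entry.verified or bool(info.get("verified", False))
            entry.ports.append(b["port"])
    for cve_id in host.get("vulns", []):   # top-level list may name CVEs no banner carries
        cves.setdefault(cve_id, Cve(cve_id, 0.0, False))
    return HostSummary(host["ip_str"], list(host.get("hostnames", [])), sorted(host.get("ports", [])),
                       services, sorted(cves.values(), key=lambda c: (-c.cvss, c.cve_id)))


def unverified_cves(summary):
    """CVEs matched on a version string alone: candidates to confirm, not findings."""
    return [c.cve_id for c in summary.cves if not c.verified]


def render(summary):
    """Plain-text report block for one host."""
    lines = [f"{summary.ip} ({', '.join(summary.hostnames) or 'no hostname'})",
             "ports: " + ", ".join(str(p) for p in summary.ports)]
    for s in summary.services:
        lines.append(f"  {s.port}/{s.transport}  {s.product} {s.version}".rstrip())
    for c in summary.cves:
        tag = "verified" if c.verified else "version-match only"
        lines.append(f"  {c.cve_id}  cvss {c.cvss:.1f}  [{tag}]  ports {c.ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_host(SAMPLE_HOST)))
```

With the real API the same record comes from `shodan.Shodan(key).host(ip)`; the summary deliberately carries the verified flag through so that the report separates confirmed issues from version-based guesses.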
Recon-ng is a module-based framework for web-based reconnaissance.
Each module prints its results to the terminal and also stores them in a per-workspace database. The output of one module (hosts, contacts, domains) then becomes the input of the next, which lets us expand the scope of the information gathering quickly.
A good tutorial for learning the tool is available on the Secure Network Management site.
Part 3 of that tutorial explains how to use the modules and the reporting tools.