# Intelligence Gathering

- The more information gathered, the more attack vectors may be available.
- Better knowledge of the target makes success more likely.
- The better the target company knows what is common knowledge about it, the better it can prepare.

## Open-source Intelligence (OSINT)

- Gathers information from publicly available sources and analyses it, producing intelligence.
- May not be up to date, accurate or complete.
- Could be deliberately manipulated to provide false intelligence.
- Many companies fail to take into account public information, and how it could be gathered, organised and made searchable:
  - Physical (locations, relationships)
  - Logical (business partners, job openings, meeting minutes, professional licences)
  - Org chart (important people)
  - Electronic (document metadata, marketing information)
  - Infrastructure (email addresses, technologies used)
- Many employees fail to realise what information is published in the public domain about themselves.
  - Social media
  - GDPR gives the right to ask for removal.

# Limits

- Gathering information to identify entry points (physical, electronic, human, ...), to map out internal structure (physical, network, organisational) and external dependencies (outsourcing, financial).
- It does not involve trying to test or use entry points; a "potential vulnerability" is more interesting.
- The lifecycle is cyclic: more recon can be done later.

# Levels

- Level 1
  - Automated tools to gather information
  - Generally a simple list of what exists
- Level 2
  - Combination of tools and manual searching / analysis
  - Good understanding of physical locations, business relationships, organisation charts, naming policies, etc.
- Level 3
  - Heavy use of manual techniques
  - Deep understanding of the business and how it operates
  - Highly strategic and planned; time consuming

# Considerations in a Commercial Pentest

- Keep to the Rules of Engagement (RoE): avoid legal issues and avoid scope creep.
- Avoid being sidetracked by interesting side roads.
- Have a goal: what is relevant to the target you have been engaged to attack.
- Have a deadline: make sure time is allocated to use the intelligence.

# Passive vs Active Reconnaissance

## Passive

- Collecting data using publicly available information, without direct contact with the target.
- Open web resources, public company information: how they operate, how large they are, contact info, etc.

## Active

- Direct interaction with the target by any means to gather information.
- Port scanning, vulnerability scanning, etc.
- Illegal without permission.

## Semi-Passive

- Collecting data with methods that look like normal internet traffic and behaviour.
- Looking at metadata in published documents and files, not actively seeking hidden content.

# Semester 1 Assignment

- Choose a company
  - Should be small, but not too small
  - Likely an IT business
- Passive recon using OSINT sources
- Include some semi-passive recon
- Write a report outlining what has been found and why the company should be aware of it.
- Look for:
  - Corporate
  - Personal
  - Technical information
- http://www.pentest-standard.org/index.php/Intelligence_Gathering

## How to Obtain Information

- Google Dorking: search for information to see who else has it, and what else they have.
- Information gathering tools built into Kali
- Google for OSINT sources.
- Google Hacking Database (GHDB)
- Maltego
- DMitry
- Dnmap
- Ike-scan (discover IPsec VPNs)
- P0f (passive traffic fingerprinting)

### Note on Packet Sniffing

- Some tools rely on network inspection between you and the target.
- "Active packet sniffing" means doing specific things to cause traffic to flow to you.
- "Passive packet sniffing" means inspecting the traffic that happens to come past the sniffer.
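The semi-passive technique described above (reading metadata from documents a company has already published) is the same "Electronic (document metadata)" item listed under OSINT. The defensive counterpart is a pre-publication check. The following Python script is an added example, not part of these notes or of any tool they list: it builds a constructed DOCX in memory (all field values are made up), lists the identifying fields an analyst would read from it, and strips them. Only the standard library is used; the DOCX structure follows the standard OOXML property parts (`docProps/core.xml`, `docProps/app.xml`).

```python
"""Pre-publication metadata check for DOCX files (added example, stdlib only).

A DOCX is a zip archive; the identifying metadata lives in two XML parts.
The same fields are what semi-passive OSINT reads from a published document,
so the check here is: list them, then strip them before publishing.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that reveal people, naming conventions and software versions.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "cp:revision"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company"],
}


def build_sample_docx() -> bytes:
    """Construct a minimal DOCX with typical metadata. Values are made up."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
        "<dc:title>Q3 Pricing</dc:title>"
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\a.jones</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        "</cp:coreProperties>"
    ) % NS
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%(ep)s">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>16.0000</AppVersion>"
        "<Company>Example Widgets Ltd</Company>"
        "</Properties>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("word/document.xml", "<document/>")  # placeholder body
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


def _qualified(field: str) -> str:
    """'dc:creator' -> '{namespace-uri}creator' as ElementTree expects."""
    prefix, tag = field.split(":")
    return "{%s}%s" % (NS[prefix], tag)


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return {'prefix:Tag': text} for every sensitive field present."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, fields in SENSITIVE.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for field in fields:
                elem = root.find(_qualified(field))
                if elem is not None and elem.text:
                    found[field] = elem.text
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the DOCX with the sensitive elements removed from both parts."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in SENSITIVE:
                root = ET.fromstring(data)
                for field in SENSITIVE[info.filename]:
                    for elem in root.findall(_qualified(field)):
                        root.remove(elem)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("Before scrub:", extract_metadata(sample))
    print("After scrub: ", extract_metadata(scrub_metadata(sample)))
```

Run it against a real document by replacing `build_sample_docx()` with the file's bytes; the "before" dictionary is exactly the information a semi-passive reconnaissance pass would collect (account naming convention from `lastModifiedBy`, company name, Office version), and the "after" dictionary should be empty before the file is published.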