1
00:00:00,420 --> 00:00:01,110
Welcome back.
2
00:00:01,560 --> 00:00:07,090
It is time we learn in detail what information gathering is and how we can perform it.
3
00:00:07,800 --> 00:00:13,860
We already know that information gathering is the first step in penetration testing, and it is an act
4
00:00:13,860 --> 00:00:16,460
of gathering data about our target.
5
00:00:17,340 --> 00:00:21,450
It can be any type of data that we might find useful for the future attack.
6
00:00:22,000 --> 00:00:26,370
And if you remember, there are two types of information gathering.
7
00:00:27,030 --> 00:00:31,920
We got active information gathering and passive information gathering.
8
00:00:33,000 --> 00:00:39,000
And we talked briefly about them, but now it is time to fully explain what both of them are.
9
00:00:40,020 --> 00:00:42,840
So let's start with active information gathering.
10
00:00:44,200 --> 00:00:51,550
In active information gathering, we use our Kali Linux machine and we try to get as much data or as much
11
00:00:51,550 --> 00:00:55,710
information about our target while interacting with them.
12
00:00:56,870 --> 00:01:03,800
It could be a target website that we need to test, so we need to find as many things about it as we
13
00:01:03,800 --> 00:01:10,580
can, or it could also be a network that we are testing or perhaps an entire company.
14
00:01:11,530 --> 00:01:18,220
The main point is that with active information gathering, we directly get that data from the target.
15
00:01:19,830 --> 00:01:26,370
This could mean directly exchanging packets with the target by visiting and enumerating their website,
16
00:01:26,920 --> 00:01:30,710
or it could also mean talking to an employee that works there.
17
00:01:31,680 --> 00:01:38,250
We could maybe call them on their mobile phone to try to get them to tell us something important, but this
18
00:01:38,250 --> 00:01:40,650
part is also considered social engineering.
19
00:01:41,490 --> 00:01:47,490
Nonetheless, any action where you exchange something with the target is active information gathering.
20
00:01:48,570 --> 00:01:55,770
This can be legal to an extent: if you start performing some advanced scans or fingerprinting on the
21
00:01:55,770 --> 00:02:01,440
target, you most likely won't get in trouble, but you should still not do it without permission.
22
00:02:02,280 --> 00:02:08,490
And it is important to mention that usually active information gathering will provide us with much more
23
00:02:08,490 --> 00:02:14,850
important data than passive information gathering since we are directly interacting with the target.
24
00:02:15,960 --> 00:02:21,700
On the other hand, we got passive information gathering, and it is similar.
25
00:02:21,750 --> 00:02:25,770
We got our Kali Linux machine and our target.
26
00:02:26,950 --> 00:02:34,720
But we also have an intermediate system, or what I like to call a middle source. And what is this middle
27
00:02:34,720 --> 00:02:35,480
source?
28
00:02:35,500 --> 00:02:40,860
Well, basically, it could be anything from a search engine to a website.
29
00:02:41,230 --> 00:02:42,790
It could also be a person.
30
00:02:43,000 --> 00:02:49,240
But what matters is that the information we get is going through that middle source.
31
00:02:50,400 --> 00:02:56,340
For example, if we want to find out something about a certain target and we Google that target to find
32
00:02:56,340 --> 00:03:02,520
some pages that contain information about it, this is considered passive information gathering.
33
00:03:03,460 --> 00:03:10,180
OK, good, but what are the goals of this? What exactly are we searching for, and which information could
34
00:03:10,180 --> 00:03:11,860
be of value to us?
35
00:03:12,860 --> 00:03:20,570
Usually the first thing we search for to identify a target is their IP address or IP addresses, if the
36
00:03:20,570 --> 00:03:23,120
target has multiple addresses that belong to them.
37
00:03:24,050 --> 00:03:29,600
This could be, for example, a company that has servers and buildings all around the world.
38
00:03:30,410 --> 00:03:37,310
And if we were to test this company, we would also be interested in their employees too. For example,
39
00:03:37,640 --> 00:03:43,910
we would want to gather their emails, which could be useful for a future attack to gain access to that
40
00:03:43,910 --> 00:03:44,390
company.
41
00:03:44,840 --> 00:03:49,570
Or we could possibly want to gather their phone numbers, which could also be useful.
42
00:03:50,120 --> 00:03:56,510
But most importantly, and what we're mainly interested in are technologies that the target has.
43
00:03:57,520 --> 00:04:02,680
If it was a company, we would want to know how many networks they have, what software is running
44
00:04:02,680 --> 00:04:08,320
on their machines, what operating systems they have. If it was a website, we would also want to know
45
00:04:08,650 --> 00:04:12,400
how that website was built, which programming languages it uses.
46
00:04:12,790 --> 00:04:20,110
Does it have JavaScript? For example, just one piece of software on one machine that is outdated or that
47
00:04:20,110 --> 00:04:24,730
has an unknown vulnerability that could be exploited is our way in.
48
00:04:26,150 --> 00:04:33,110
So now that we know what we are looking for during this first step, it is time we see what tools and
49
00:04:33,110 --> 00:04:38,370
programs we can use to find out as much information as possible about our target.
50
00:04:39,260 --> 00:04:39,860
Let's do it.