Reference project: https://github.com/infosecn1nja/Red-Teaming-Toolkit
Information gathering is the most critical step in any attack activity. As the saying goes, "know yourself and know your enemy, and you will never be defeated." To know the enemy, we must gather information. Here, information gathering means learning everything about the target and obtaining all available information about it. The better we understand the target, the more attack techniques we can use, the larger the attack surface, and the higher the success rate. Information gathering falls into two categories: active information gathering and passive information gathering.
Active Information Gathering
Active information gathering means using our own means to probe the target's boundary systems directly in order to obtain the information we want; all information is discovered by ourselves. If the target has monitoring in place, this activity can be detected.
EyeWitness
The power of this tool lies in its ability to capture screenshots of services that speak RDP, VNC, and HTTP. It can also automatically attempt logins with default credentials. For HTTP, it displays the response headers of the requested page, making them convenient to review.
AWSBucketDump
This tool can quickly enumerate AWS S3 buckets. The principle of this tool is similar to subdomain enumeration, but it is specifically for AWS S3 buckets.
AQUATONE
The main function of this tool is to collect enterprise subdomains. It includes a large collection of domain collection dictionaries. It can also scan the collected domains, search for common web endpoints and HTTP headers, and save the results in an output report for easy viewing and analysis of the attack surface.
spoofcheck
This tool mainly checks whether a domain's SPF and DMARC DNS records have weak configurations that allow the domain to be spoofed. If the DMARC configuration fails the check, an alert is issued.
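To make the kind of weak configuration such a check flags concrete, here is an added, simplified checker (not spoofcheck's own code) run over constructed TXT records for hypothetical domains; the domains, records, and the particular checks are assumptions, and a real run would first fetch each domain's TXT records via DNS.

```python
import re
from typing import Dict, List, Optional

# Constructed sample TXT records for hypothetical domains (no real DNS lookups are made).
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
    "bare.example": ["v=spf1 ip4:198.51.100.7"],  # SPF without any "all" mechanism, no DMARC
}

def find_spf(records: List[str]) -> Optional[str]:
    """Return the SPF record among a name's TXT records, or None if there is none."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if spf else None

def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dictionary, or None if there is no record."""
    for r in records:
        if r.upper().startswith("V=DMARC1"):
            tags = (t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return {k.strip().lower(): v.strip() for k, v in tags}
    return None

def assess_domain(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """Return spoofability findings for one domain; an empty list means nothing weak was found."""
    findings: List[str] = []
    spf = find_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: no record, receivers cannot verify sending hosts")
    else:
        # The qualifier in front of "all" decides what happens to unlisted senders.
        m = re.search(r"(?:^|\s)([-~+?]?)all\b", spf, re.I)
        qual = m.group(1) if m else None
        if qual is None:
            findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
        elif qual in ("~", "?", "+"):
            findings.append(f"SPF: '{qual}all' lets unlisted senders pass or only softfail")
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: no record, SPF/DKIM results are never enforced")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none, mail that fails checks is delivered anyway")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']}, policy applied to only a fraction of mail")
    return findings

if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "bare.example"):
        print(name, assess_domain(name, SAMPLE_TXT) or ["no weakness found"])
```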
Nmap
A powerful network scanner that scans for live hosts in a network and the types of services running on the hosts.
dnsrecon
This is a DNS enumeration script.
Passive Information Gathering
Passive information gathering uses information that others have already collected: we do not need to probe the target ourselves, only retrieve what we want from the information already gathered by others. The target cannot perceive such operations.
skiptracer
This is an OSINT mining framework. OSINT stands for Open Source Intelligence, an intelligence collection method used by the Central Intelligence Agency (CIA) of the United States that seeks out valuable intelligence in publicly available information resources. This tool usually combines data obtained from paid tools, such as Maltego, with data obtained from open source tools, such as Recon-NG.
ScrapedIn
This tool can use the LinkedIn API for information gathering and mining of desired data.
FOCA
This tool can automatically collect Microsoft Office, OpenOffice, or PDF files through the Google, Bing, and DuckDuckGo search engines and analyze them to find metadata or hidden data in the files.
theHarvester
This tool can collect a target's subdomains, email addresses, host IPs, banner information, etc. from different public resources such as Google, Bing, Baidu, etc.
Metagoofil
This tool can extract metadata related to the target from public files such as PDF, doc, xls, ppt, etc.
SimplyEmail
This tool is based on theHarvester and can quickly collect a target's email addresses. It is a framework that allows custom plugins to extend its functionality.
truffleHog
This tool searches for secrets in git repositories, digging deep into history and branches to find leaked sensitive information.
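One way such tools spot leaked secrets without knowing their exact format is a Shannon-entropy heuristic: random keys and tokens have much higher entropy than ordinary identifiers. The following is an added example (not truffleHog's code) run over a constructed diff snippet; the thresholds and the sample values are assumptions, and the first sample value is the example secret key from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample diff text: the AWS documentation's example secret key,
# a hypothetical hex token, and a benign low-entropy string.
SAMPLE_DIFF = """\
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+api_token = "0123456789abcdef0123456789abcdef"
+greeting = "thisisalongbutlowentropystring"
"""

# (regex for candidate strings, entropy threshold in bits per character) per character set.
# Base64 text can reach 6 bits/char, hex 4 bits/char, so each set gets its own threshold.
CHARSETS = [
    (re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),  # base64-like tokens
    (re.compile(r"[0-9a-fA-F]{20,}"), 3.0),     # hex tokens
]

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_high_entropy_strings(text: str) -> List[Tuple[str, float]]:
    """Return (candidate, entropy) for tokens in text that look like random keys or tokens."""
    findings: List[Tuple[str, float]] = []
    seen = set()
    # Split on whitespace, quotes and common delimiters so each token is inspected alone.
    for word in re.split(r"[\s\"'=:,;()]+", text):
        for pattern, threshold in CHARSETS:
            for candidate in pattern.findall(word):
                entropy = shannon_entropy(candidate)
                if entropy > threshold and candidate not in seen:
                    seen.add(candidate)
                    findings.append((candidate, round(entropy, 2)))
    return findings

if __name__ == "__main__":
    for value, entropy in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"{entropy:.2f} bits/char  {value}")
```

A real scanner would feed each commit's diff from the repository history into find_high_entropy_strings and review the hits by hand, since entropy alone also flags hashes and compressed data.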
Just-Metadata
This tool can collect a large amount of intelligence about IP addresses and try to infer related information that is not directly visible.
typofinder
This tool can find typo variants of a domain name and also shows the country where each corresponding IP is located.
Information Gathering Tool Frameworks
Below are several tool frameworks specifically built for information gathering. They are more intelligent and more powerful; the core information they gather differs little, but their collection methods differ. The choice of tool depends on personal preference.
Maltego
This is an internet intelligence aggregation tool. It can collect domain information, IP information, or personal information such as email addresses, blogs, mobile numbers, etc., and it can present this information to the user in the form of topology maps.
https://www.paterva.com/web7/downloads.php
SpiderFoot
This is an open-source fingerprint information collection tool that can collect domain names, IP addresses, and other information.
datasploit
This tool is a framework that can find domain names, email addresses, usernames, mobile numbers, and other information from multiple data sources. It can also output the collected data in different formats for display.
Recon-ng
This is a tool written in Python specifically for collecting web-related information.