Let's take any thriller heist movie. What do the robbers do before they hit the bank or anything else? They gather information. They collect every piece of information about the bank's systems, the alarm methodology, the CCTV setup, the guards' shift change times and the weapons the guards carry. After gathering the information they make a plan and then attack or rob the bank. You are all clever, so suppose they didn't have this much information and went to rob the bank directly. What would happen? You would find them caught by the police.
The same scenario applies in the information security world. Before attacking or testing something, a hacker/tester needs to find information about his or her target. This target can be a network, a web application, an organization or a person. In our world, finding this information is also called footprinting or doxing, and the term reconnaissance is sometimes used as well.
The great advantage of information gathering is that it is completely passive. We are not attacking the actual target to gather information about it, which means you are not accessing any information in an illegal way. It is completely legal and no signed document is needed.
Here is a list of web links and tools that can be used for footprinting. Every tool has its uniqueness and can be used for multiple purposes.
- FOCA - It has the ability to retrieve metadata from any document downloaded from a website. That information can disclose the logon name of the creator's computer or network, and it might also reveal internal IP addresses of the organization.
- Google Groups - One can find a person's email address and areas of interest by searching Google Groups.
- Sam Spade - It collects IP information, DNS information, OS version information and website headers.
- WHOIS - It works the same way as Sam Spade and additionally gives some features that are not available in Sam Spade.
- Maltego - It can be used for intelligence gathering and has a nice way of representing results; it shows interlinked accounts, persons, websites and email IDs.
- Necrosoft NScan - It can be used as an advanced dig tool as well as for Windows scanning.
- Paros Proxy - It captures web server information via headers and also discloses possible vulnerabilities in web pages and websites.
- White Pages - It can be used for reverse phone lookup, with address information as well.
- Wget - It is a tool as well as a built-in command on all *nix systems. It can be used to download all HTTP and HTTPS files from a web server.
- Netcat (a Swiss Army knife) - It can read and write data over network ports.
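The FOCA entry above describes how document metadata leaks logon names and organization details. The following is an added example, not code from the original post or from FOCA: it pulls the creator, last-modified-by, company and application fields out of a .docx (an Office Open XML package, which is just a zip). The sample document and its values (jsmith, CORP, Example Corp) are constructed here so it runs offline; the same check run over your own documents before they are published on a website shows what a footprinter would see.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two metadata parts inside an Office Open XML (.docx) package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Which part holds which identity-revealing field
FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Application", "ep:Company", "ep:AppVersion"],
}
# Constructed sample parts (not a real document); the DOMAIN\user value is the
# kind of logon name the text says document metadata can leak.
CORE_XML = b"""<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
</cp:coreProperties>"""
APP_XML = b"""<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <Company>Example Corp</Company>
 <AppVersion>16.0000</AppVersion>
</Properties>"""


def build_sample_docx(include_app: bool = True) -> bytes:
    """Build a minimal .docx (it is only a zip) holding just the metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        if include_app:
            zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the identity-revealing fields found in a .docx; absent parts are skipped."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, tags in FIELDS.items():
            if part in zf.namelist():
                root = ET.fromstring(zf.read(part))
                for tag in tags:
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        found[tag.split(":")[1]] = el.text.strip()
    return found
```

Point `extract_metadata` at the bytes of any real .docx to see what it carries; a document whose `lastModifiedBy` holds a `DOMAIN\user` value is exactly the kind of leak worth stripping before upload.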
Apart from all these tools, there are certain things every tester must keep in mind. Commands like dig, netcat and wget are already built into all *nix (all Linux) systems. One should keep practicing these commands in their regular work.
Competitive Intelligence: This term has to be understood by every tester. Let's suppose you are going to start a food business right next to your neighbor's food business. Your neighbor's business is well established and running quite well. Now how will you make your business better than theirs? Common sense says you will gather information about your neighbor's business: which food specialties they provide, which offers they run, what prices they charge. Then you will try to make those things better than your neighbor's. That is how you will grow your business. So the information you gather is called competitive intelligence: you are doing information gathering for the competition between your business and your neighbor's. Being a security tester, one should be able to get the same kind of information about another organization. That information can be the number of employees, the products they develop, how their website is constructed, the web tools they use, their hosting server and every other bit of information about them.
There are numerous other techniques of information gathering, but these tricks are the ones usually used, and they consistently give us results about our target.