Reference project: https://github.com/infosecn1nja/Red-Teaming-Toolkit
Information gathering is the most crucial step in any attack. As the saying goes, "Know yourself, know your enemy, and you will never be defeated." To know the enemy, we must gather information: learn everything about the target and collect every piece of information about it that can be obtained. The better we understand the target, the more attack techniques become applicable, the larger the attack surface, and the higher the chance of success. Information gathering falls into two categories: active and passive.
Active Information Gathering
Active information gathering means using our own tooling to probe the target's boundary systems directly in order to obtain the information we want; every piece of information is discovered by us, first hand. If the target has monitoring in place, this activity can be detected.
EyeWitness
The strength of this tool is that it takes screenshots of RDP, VNC and HTTP services and can also attempt logins with default credentials automatically. For HTTP it additionally records the response headers of each page it requests, so they can be reviewed alongside the screenshot.
AWSBucketDump
This tool quickly enumerates AWS S3 buckets. It works on the same principle as subdomain enumeration, but is specialised for S3 bucket names.
AQUATONE
The main function of this tool is collecting an enterprise's subdomains, and it ships with a large collection of wordlists for that purpose. It can then scan the discovered hosts for common web endpoints and HTTP headers and save the results as reports, which makes reviewing and analysing the attack surface convenient.
spoofcheck
This tool checks whether a mail domain's SPF and DMARC records are configured weakly enough that the domain can be spoofed, and raises an alert when the DMARC configuration is inadequate.
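The checks spoofcheck performs come down to reading two TXT records and grading them. The following is an added example, not code from spoofcheck or the toolkit, that audits a domain's own SPF and DMARC posture: the DNS data is a constructed in-memory table (a real audit would query a resolver), the domain names are hypothetical, and the final "spoofable" verdict is a simplified rule (True unless DMARC exists with an enforcing policy) rather than spoofcheck's exact logic.

```python
from typing import Dict, List

# Constructed DNS TXT data for hypothetical domains; a real audit would fetch
# these records with a resolver library instead of reading a table.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"
    ],
    "missing.example": ["some-site-verification=abc123"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return SAMPLE_TXT.get(name, [])


def check_spf(domain: str) -> List[str]:
    """Return the weaknesses found in a domain's SPF record (empty list = fine)."""
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings: List[str] = []
    # The last 'all' term decides what happens to senders not listed earlier.
    all_terms = [t for t in spf[0].split() if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        return findings
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        findings.append("'+all' authorizes every sender on the internet")
    elif qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif qualifier == "~":
        findings.append("'~all' is soft fail: mail is usually still delivered")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain: str) -> List[str]:
    """Return the weaknesses found in the _dmarc record (empty list = fine)."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = parse_dmarc(recs[0])
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy: p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings


def audit(domain: str) -> Dict[str, object]:
    """Combine both checks. 'spoofable' is a simplified verdict: True unless a
    DMARC record with an enforcing policy (quarantine or reject) exists."""
    spf = check_spf(domain)
    dmarc = check_dmarc(domain)
    enforcing = not any(f.startswith(("no DMARC", "p=none", "invalid")) for f in dmarc)
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "spoofable": not enforcing}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "missing.example"):
        print(audit(d))
```

Run against the table, weak.example and missing.example come back spoofable (neutral SPF plus p=none, and no records at all, respectively), while strong.example passes cleanly. Replacing lookup_txt with a real resolver call is the only change needed to run this against your own domains.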
Nmap
A powerful network scanner for discovering live hosts on a network and the services running on them.
dnsrecon
This is a DNS enumeration script.
Passive Information Gathering
Passive information gathering uses information that others have already collected, so we never probe the target ourselves; we only need to extract what we want from those existing sources. The target cannot perceive such activity.
skiptracer
This is an OSINT mining framework. OSINT stands for Open Source Intelligence, an intelligence collection method of the United States Central Intelligence Agency (CIA) that seeks valuable intelligence in publicly available information sources. This tool typically combines data obtained from paid tools such as Maltego with data from open-source tools such as Recon-ng.
ScrapedIn
This tool uses the LinkedIn API to gather and mine the desired data.
FOCA
This tool automatically collects Microsoft Office, OpenOffice and PDF files through the Google, Bing and DuckDuckGo search engines and analyses them for metadata or hidden data.
theHarvester
This tool gathers a target's subdomains, email addresses, host IP addresses, banner information and so on from public sources such as Google, Bing and Baidu.
Metagoofil
This tool extracts target-related metadata from public files such as PDF, DOC, XLS and PPT documents.
SimplyEmail
This tool is based on theHarvester and quickly collects a target's email addresses. It is a framework whose functionality can be extended with custom plugins.
truffleHog
This tool searches git repositories for secrets, digging through the full history and all branches to find leaked sensitive information.
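truffleHog's two detection strategies are pattern matching for known key formats and Shannon entropy for strings that look random. The following is an added example, not truffleHog's code, that applies both to the added lines of a unified diff, the way a pre-commit or CI check would. The diff is constructed: the AWS values are AWS's published documentation example keys, the GitHub token is a dummy, and the checksum is the SHA-256 of an empty string, included to show that high-entropy findings need triage. The 4.5 and 3.0 bits-per-character cut-offs are the ones the original truffleHog used for base64-like and hex strings.

```python
import math
import re
from typing import List

# Constructed sample diff with planted, non-functional credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,7 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+BUNDLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
 DEBUG = False
-API_HOST = "localhost"
+API_HOST = "api.internal.example"
"""

# Known-format secrets: caught by shape alone, regardless of entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Candidate strings for the entropy check: runs of base64 or hex characters.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
BASE64_THRESHOLD = 4.5  # bits per character
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not data:
        return 0.0
    length = len(data)
    return -sum((n / length) * math.log2(n / length)
                for n in (data.count(ch) for ch in set(data)))


def scan_diff(diff_text: str) -> List[dict]:
    """Flag likely secrets on the added lines of a unified diff."""
    findings: List[dict] = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Only newly added content; note that a removed line still lives in
        # history, which is why truffleHog walks every commit rather than one diff.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append({"line": lineno, "kind": name, "token": m.group(0)})
        for m in BASE64_RUN.finditer(body):
            token = m.group(0)
            # Pure hex has at most 4 bits/char, so it gets its own lower threshold.
            if HEX_RUN.fullmatch(token):
                kind, threshold = "high_entropy_hex", HEX_THRESHOLD
            else:
                kind, threshold = "high_entropy_base64", BASE64_THRESHOLD
            if shannon_entropy(token) > threshold:
                findings.append({"line": lineno, "kind": kind, "token": token})
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']}: {f['token']}")
```

On the sample diff the access key ID is caught only by its AKIA prefix (its entropy is about 3.7 bits per character, below the base64 threshold), the secret key only by entropy, the dummy token only by pattern (36 identical characters have zero entropy), and the checksum shows up as a high-entropy hex string that a reviewer would dismiss. Running this on `git diff --cached` output before each commit stops the leak before it reaches history; truffleHog is for finding what already got in.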
Just-Metadata
This tool collects a large amount of intelligence about IP addresses and tries to infer associations that are not directly visible.
typofinder
This tool finds typo variants of a domain name and also shows the country of the IP address each one resolves to.
Information Gathering Tool Frameworks
Below are several frameworks built specifically for information gathering. They are more automated and more powerful; they collect broadly the same core information but by different methods, so the choice between them comes down to personal preference.
Maltego
This is an internet intelligence aggregation tool. It collects domain information, IP information and personal information such as email addresses, blogs and mobile numbers, and presents the results to the user as link-analysis graphs.
https://www.paterva.com/web7/downloads.php
SpiderFoot
This is an open-source footprinting tool that collects domain names, IP addresses and other information.
datasploit
This tool is a framework that finds domain names, email addresses, usernames, mobile numbers and other information across multiple data sources, and can output the collected data in several formats.
Recon-ng
This is a Python tool dedicated to collecting web-related information.