Network Intelligence Gathering

Chintan Gurjar
September 19, 2013 by
Chintan Gurjar

This article is all about different information-gathering techniques on the network. It is the most essential and important task of attackers. Knowing the opponents and their interests can be valuable. Here I am going to show you which are the different ways and techniques one can do the network information/intelligence gathering.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Let's think of any thrilling movie theft. What do robbers do before they break into the bank or anything else? They gather information. They collect each and every bit of information about the bank system, alarm methodology, CCTV interface, the guards' changing time, and a list of weapons that the guards have. After gathering information they make plans and attack or rob the bank. Assume they don't have this information and they rob the bank directly. What will happen? You will find that they are caught by the police.

The same scenario can also be applied in the information security world. Before attacking or testing something, a hacker/tester needs to find information about his/her target. This target can be a network, web application, organization, or person. In our world, finding information is also called footprinting or doxing. Also, the word "reconnaissance" can be used sometimes.

The map below shows the juicy areas in which attackers might be interested. It shows that all those areas will be definitely tested by hackers in order to find vulnerabilities.

Click to Enlarge

Before starting to footprint anything, we need to keep in mind what or who our target is. Is it a small firm? An entire big organization? Or only a single intranet within a company?

Techniques of Intelligence Gathering

  1. Information Available in Air

There is much information that is publicly available, but no one knows about it. We need to find a technique to find which information is available in the air without any authentication. A list of types of such information follows:

  • Archived data of firm
  • Company website (web pages)
  • Privacy policy used in the application
  • Security policy used in the application
  • Client information
  • Testimonials/Reviews
  • Exact location detail
  • Employee information (location, contact, area of Interest, etc.)
  • In older days, Company Webpages used to provide valuable information about their security policy and configuration directly to the client side. Moreover, checking HTML source code for the comments section is very handy and useful trick. Things which are not actually made for the public are easily available via HTML comment tags, which contain ! , -- , < .

    Click to Enlarge

    If you want to download a full website and see the source of each page, there are two utilities for Linux and Windows machine. They are wget (for Linux) and teleport tool. These tools have limitations. They don't find "hidden" files and folders for attackers. So attackers use the OWASP Dirbuster tool. It tries to find the hidden files on the server that are not usually listed in the Google index. There may be an authentication setup in many cases, here Dirbuster can perform a brute force attack and can get the hidden files. But that process is usually not preferred by hackers due to its noisy behavior. Here is the picture of its interface.

    Make sure to check related organizations. For example, if any IT outsourcing company is there, it's very common to find related organizations about it. Make sure to check their blogs and press releases. You will find many other companies and persons posting comments and giving reviews. That's how we can find more related organizations. Also use a Google query, as shown below. You know the company website so the Google query will be like this:

    related: www.chintangurjar1990.com

    Google will list all other organizations that are related to the chintangurjar1990.com company. This information can sometimes be used as a social networking attack, which can be done directly or indirectly.

    Never forget what physical information can reveal. It's very useful information from an attacker's view point. After getting an exact physical location an attacker has various weapons of attacking target the organization. First, she/he can perform dumpster diving, that is, checking rubbish or waste papers and posts dropped from the organization. That material can reveal id numbers, employee names, client names, and much more. One can also perform social engineering attacks on security guards and employees in order to reveal more information. All these non-technical are known as no-tech hacking. This information can reveal unauthorized entries into the company. The best weapon for this information is Google Earth.

    Google Maps is also a great source for information gathering. An attacker can utilize the street view option and can actually see the streets of physical location. Surprisingly, a very unique feature of Google is that it also collects the WI-Fi information for nearby locations. You might have seen Google cars nearby your area that collects the information about all Wi-Fi networks nearby you along with its MAC address. See the image below to recognize it.

    Employee details are also very good information to have in your database as a hacker or an attacker. Most organizations generally use first name followed by the domain name. For example, if my organization name is www.chintangurjar1990.com and my name is Chintan Gurjar, then the company would probably choose chintan@chintangurjar1990.com as my email id. One can often predict this, but the harvester tool can also be used to find out a company's employee information. That tool provides names of all employees working within the company and their email ids as well. Images below show the use of the harvester tool in all nix systems

    Click to Enlarge

    Hackers/attackers use this information as usernames in order to gain access to any authorized network, router, etc. Hackers may use below sources listed below to find phone numbers, physical addresses of any employees:

    1. www.phonenumbers.com
    2. www.411.com
    3. www.yellowpages.com

    With a phone number, one can also use social engineering techniques. Other information can be found from websites such as these:

    1. www.ussearch.com
    2. www.zabasearch.com
    3. www.pipl.com

    Never forget to check an employee's information on social networking websites, where people may share their feelings, emotions, best friends, enemies, thinking style, likes, dislikes, bank details, etc. Those things can be very valuable targets for attackers. I don't need to give any list of social network websites, as you know them already. In addition, people's technical interests and their resumes or career activities can be found on Linkedin.com, Dice.com, Jigsaw.com, Careerbuilder.com, etc.

    Sometimes a company organizes seminar, workshops, and other events. An attacker can attend these events in order to meet organizations and to check a company's reputation and influence. One can perform social engineering attacks on those employees.

    Sometimes some information is removed from websites for security reasons, so it's always good to check the Archived Information of any website. Who knows, you may get some information that doesn't exist now on the original website. To check that information you should go to www.archive.org. There is a "Wayback Machine" where you can input the URL of a website and check year by year to see how the website has grown up and developed. Here is the information how to use it.

    There is a new good search engine named SHODAN. SHODAN is described as "Google for Hackers." It finds the systems in the world that don't have proper secure mechanisms for authenticity and authorization. It can scan your home network to SCADA systems as well. It doesn't matter because the interface is web-based or network-based. It has the ability to scan every system.

    Apart from these, there are many Google queries that can reveal all configuration information even in a clear text. The best resource for that is GHDB (Google Hacking Database). The source of this database is provided in the reference. Here is an example of a Google query which discloses the configuration of a web server.

    Now that you have the information, what if someone asks you to relate all this information? The attacker won't be happy to have only piece of information. She/he needs to relate all that information in order to find a weak link or a loophole. The tool Maltego is an intelligence-gathering tool. It gathers the data and correlates it. It has a very nice way of graphically representing all the data it gathers. There are various features of Maltego. People who work in forensic investigation often use this tool to find correlation of targets with his/her sources. Here, the term "target" has a very broad meaning. The target can be any device, location, infrastructure, person, or social network. The example below shows a sample scan of this website. The use of this tool is mentioned in the references.

    Up to here, this was all about publicly available information. Now the technical stuff starts. First, we will find the domain's information, along with its administrator information and registration, etc. To do this, we need to find check WHOIS databases. We will start looking up our domain information with whois.iana.org website.

    As we can see from the above picture, by just giving the domain IP a whole bunch of information about the website is displayed. It reveals the domain, organization, name server details, fax number, phone number, and much more detail. Sometimes we may able to see the administrator's detail as well, including his/her name, address, and contact information. That might useful for social engineering and success authorization of any entry point. We can find the same information using terminal as well in all nix systems, as shown below:

    Click to Enlarge

    As you can see here, we have simply used the "whois" command and the network address for which we want to get information, followed by the "–h" option and the source of the information; "–h" stands for the host from we want to the information on our target. There are certain tools that can provide the same information. Those tools are SuperScan, NetScan, and SamSpade. The use of some of these tools is described in the picture below.

    Click to Enlarge

    Identifying the network is not everything. We also need to identify the path of the network that it uses to reach our end. Which are the world's routers from which it gets bounced to us? By doing this we can design the network topology. However, the number of routers and their names will be different in every attempt. It won't be the same for all time. To fulfill this task, we can apply the tracerouting technique. It uses the TTL field in the IP packet. Each router has to decrease the TTL field at the time of leaving packet. Thus the TTL field becomes one hop counter. Thus how we can discover the exact path of an IP address or domain. The procedure is shown below:

    Windows Use

    We can do the same thing in Linux with traceroute command. We can also use SamSpade if we want a little bit of a graphical representation of data. As for the result, we can see that 1 to 14 are called hops. The packet is transferred from one hop to these several hops without being blocked. In most of the scenarios, the hop before the last hop is usually a firewall, IDS & IPS. It can also be a packet-filtering mechanism.

    This is a normal router and our process has succeeded within a few seconds. Some firms are aware of these kinds of tests from the client side. That is why they keep complex routers such as Cisco's latest routers, which work sometime as load balancers. These kinds of complex routers have ACLs (access control lists). If it is enabled, then one cannot do tracerouting and other common testing from the client side. In that case, one can still find the data by sending our packet with a port 53, DNS. So our command will be a traceroute as follows:

    traceroute –p 53 resources.infosecinstitute.com

    After checking out Tracerouting another important thing to interrogate is DNS Enumeration. That is the most important part of network intelligence gathering. Generally, this DNS is used to map host names to IP addresses and vice versa. DNS must be configured securely otherwise someone can get each and every bit of information about the complete organization via the zone information. Zone Transfer is the most common and the potential vulnerability lies in a misconfigured server. That can disclose valuable information to the target.

    If this vulnerability exists in the server, it allows a 2nd server to update itself from its primary server. That is why attackers only perform zone transfers on secondary servers. Thus, many servers give all of a zone's information to anyone who asks it.

    Performing zone transfer can be done by the simple method shown below:

    First of all, you need to have your target's primary and secondary DNS servers. To see that, we can give the following command:

    dig infosecinstitute.com

    The result is shown below:

    Now we will apply our zone transfer on the 2nd server over our primary server. The command is as follows:


    If you are lucky, you will see whole zone's list in front of you. How one can find any juicy information from any of that? If you receive a message that the query was refused or something like that shown in the below picture, it means zones are configured in the proper manner to disallow transferring zones to authenticated users.

    Another method for performing or checking zone transfer is to check with the Host Command which is shown as below:

    host –l –v –t any chintangurjar1990.com

    Here we used 3 options "l," "v," and "t." The most essential and important option is "l." It stands for "listing." The L option lists every host lying within the domain by using AXFR. "t" stands for the query type and "v" stands for verbose mode, which gives verbose output.

    One of the best tools for performing zone transfers along with DNS enumeration is dnsrecon. Use of this tool is shown below. If you are lucky and you get zone transfer, it will look like the picture below:

    If the security of network configuration is good, then it will probably look like below. You will get a message that Zone Transfer Failed! Other tools such as dnsmap, dnsenum, and fierce can also help you to transfer a zone along with DNS enumeration.

    With the Fierce tool, you can also check the same. The command to use this tool is shown below:

    fierce –dns chintangurjar1990.com

    Finding information about the target's MX records (Mail Exchange Server Records) can be the great source of determining IDS, IPS, and a firewall placed there. It's a common tradition that the mail exchange server is also configured on the same network where the original firewall is placed. MX records can be checked via dig command as shown in below picture.


    Thus we can see how attackers can do network information gathering by using various tools and techniques. These are some basic and widely available tools and methods I have shown; however, new tools are launched week by week. Next time I will focus on "Scanning the Network Part" after collecting this information.

    FREE role-guided training plans

    FREE role-guided training plans

    Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


    Chintan Gurjar
    Chintan Gurjar

    Chintan Gurjar is a System Security Analyst and researcher from London working in Lucideus Tech Pvt Ltd. He has written articles for Europe based magazine namely “Hakin9”, "PentestMag" and India based magazine “Hacker5”. He has done a valuable research in cryptography overhead mechanism. Chintan Gurjar has completed B.Tech in computer science from India and currently pursuing his post graduate degree in computer security & forensics from London (UK). During his academics, he has submitted a small scale research paper on Cryptography Overhead Mechanism in IPsec Protocol. He has also submitted Network Security Auditing and Network services administration and management report. He is very keen to spread cyber awareness world wide. In future he would like to work for his Country’s government in a forensics investigation field.