The Information Gathering phase is the most critical phase of any penetration test. It is the first phase of every security assessment. Information Gathering focuses on collecting as much information as possible about a target. There are two ways to go about gathering information about a target: active and passive. When conducting active information gathering, there is direct interaction with the target, for example, scanning the target with a tool like Nmap. Passive information gathering, on the other hand, is done by collecting information about the target without directly accessing the target. An example of passive information gathering would be the use of search engines to collect publicly available information about the target. Search engines can be powerful passive information gathering tools if used correctly as part of a penetration test engagement.

Google Dorking is an example of using a search engine, Google in this case, to conduct passive information gathering. A Google Dorks list is a list of Google Dork queries that search the index of a specific website, or for a specific file type on unsecured websites. One usually refers to this list when pulling sensitive information from Google using advanced search terms. For example, the Google dork query site:example.com inurl:/vb/install/install.php would identify whether the vBulletin installation wizard is accessible on the target site, example.com. vBulletin installation wizards allow users to modify installation parameters and may also reveal SQL username, password, and table installations. One should note that in some instances, using Google dorks might require more information about the target to be effective. The official Google Dorking list is maintained by Offensive Security and can be found on Exploit-DB.

Shodan is said to be an upgrade from Google and is another powerful search engine that can be leveraged in the information gathering phase. It is said that unlike traditional search engines such as Google, which are used to search the World Wide Web, Shodan gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet, then Shodan queries it for various publicly available information. The types of devices that are indexed can vary tremendously, ranging from small desktops up to nuclear power plants and everything in between. Similar to Google Dork query filters, Shodan also uses its own search filters, such as city, country, hostname, and port, to name a few. For example, if one wanted to search for Apache servers in San Francisco that are running on port 8080 and are also running Tomcat, the following Shodan query would be used: Apache city:"San Francisco" port:"8080" product:"Apache Tomcat/Coyote JSP engine".
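
To show how a filter query of this form composes (free-text terms plus key:value filters, all of which must match), the following is an added example, not code from Shodan or from the original article. It parses such a query and reports which records in a constructed inventory of an organisation's own internet-facing hosts it would surface. The record field names and the matching rules (exact match on port, case-insensitive substring match elsewhere) are simplifying assumptions, not Shodan's implementation.

```python
import shlex

# Constructed sample data: records for an organisation's own internet-facing
# hosts (documentation IP ranges; field names are assumptions for this example).
INVENTORY = [
    {"ip": "192.0.2.10", "port": 8080, "city": "San Francisco", "country": "US",
     "hostname": "app1.example.com", "product": "Apache Tomcat/Coyote JSP engine",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1"},
    {"ip": "192.0.2.11", "port": 443, "city": "San Francisco", "country": "US",
     "hostname": "www.example.com", "product": "nginx",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip": "198.51.100.7", "port": 8080, "city": "Austin", "country": "US",
     "hostname": "build.example.com", "product": "Apache Tomcat/Coyote JSP engine",
     "banner": "HTTP/1.1 401 Unauthorized\r\nServer: Apache-Coyote/1.1"},
]
FILTERS = {"city", "country", "hostname", "port", "product"}
# Queries pasted from web pages often carry typographic quotes; map them to ASCII.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})


def parse_query(query):
    """Split a query into free-text terms and a dict of key:value filters."""
    terms, filters = [], {}
    # shlex keeps a quoted value such as "San Francisco" together as one token
    for token in shlex.split(query.translate(SMART_QUOTES)):
        key, sep, value = token.partition(":")
        if sep and key.lower() in FILTERS:
            filters[key.lower()] = value
        else:
            terms.append(token)
    return terms, filters


def matches(record, terms, filters):
    """Every free-text term and every filter must match (logical AND)."""
    for key, value in filters.items():
        field = str(record.get(key, ""))
        if key == "port":
            if field != value:  # ports compare exactly
                return False
        elif value.lower() not in field.lower():  # simplified text match
            return False
    return all(t.lower() in record["banner"].lower() for t in terms)


def exposed(query, inventory=INVENTORY):
    """Return the IPs of inventory records that the query would surface."""
    terms, filters = parse_query(query)
    return [r["ip"] for r in inventory if matches(r, terms, filters)]


if __name__ == "__main__":
    print(exposed('Apache city:"San Francisco" port:"8080" '
                  'product:"Apache Tomcat/Coyote JSP engine"'))
```

Each added filter narrows the result set: port:8080 alone surfaces two of the sample hosts, while the full query surfaces only the San Francisco Tomcat host.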

Censys is another search engine that scans the Internet for devices and returns aggregate reports on how resources (i.e. devices, websites, and certificates) are configured and deployed. Censys, like Shodan, maintains a complete database of every device exposed on the Internet. It represents a privileged instrument for hackers who must search for a specific target and need to gather information on its configuration. At the same time, security experts can easily locate poorly protected devices exposed over the Internet. Censys uses ZMap, a network scanner that analyzes 4 billion IP addresses and collects information on a daily basis, and ZGrab, an application layer scanner. Censys was built with the intent of helping security experts assess the security of products and services exposed on the Internet.

In conclusion, the contribution that search engines such as Google, Shodan and Censys lend to the information gathering phase is incredible. These tools allow pen testers to quickly identify security issues that exist within targets without having to connect to them directly.