Sunday, 3 February 2013

Active Information Gathering


• Active information gathering consists of an initial series of probes
sent directly to the target's systems; unlike passive gathering, it is
visible to the target. Its purpose is to check which systems are
reachable, what information can be gathered about them, and which
vulnerabilities might be present.
• Network Reconnaissance: The purpose of this phase is to determine
the network topology of the target. Traceroute every path to every
relevant IP address and look for unexpected hops, such as addresses
outside the target's own ranges or paths that differ between services
on the same host. At this point one should also check whether a device
belonging to a 'trusted partner' (a peered or VPN-connected third
party) could provide an alternative route into the target network.
• Ping sweeps: Network ping sweeps allow mapping out networks and
determining which systems are 'alive' and responsive. Hosts that
filter ICMP echo requests will be missed, so a sweep should be
complemented with TCP probes to a few common ports before a host is
written off as down.
• ICMP queries: By sending ICMP request types other than echo to the
target systems, one can gather information such as the network mask
(address mask request, type 17) and the system clock (timestamp
request, type 13). Most modern hosts and firewalls drop these request
types, so the absence of a reply says nothing about whether the host
is up.
• Port scans: one should perform a full TCP and UDP port scan (all
65535 ports, not just a default list) on all externally visible
devices, including firewalls. UDP scans are slow and ambiguous, since
a port that stays silent may be open or filtered, so allow time for
them and interpret their results with care.
• Operating System fingerprinting: Mainly based on TCP/IP stack
fingerprinting (initial TTL, window size, option ordering and the
responses to unusual probes), it is possible to infer which operating
systems are installed on the devices probed. This information is
useful during the subsequent vulnerability-mapping phase, since
vulnerabilities are very much operating-system dependent. Note that a
firewall or load balancer in the path may answer on the host's behalf
and skew the result.
• Automated discovery: Finally, automated tools are used to verify
the results obtained during the previous steps. There are a number
of graphical utilities that combine some of the network mapping
techniques described above.
• Enumeration: In this phase, one tries to identify valid user accounts
and poorly protected resource shares. The goal is also to identify the
service, and ideally the software version, behind every open port. At
this stage only lightweight queries are made (banner grabs, version
probes, anonymous or null-session requests) that give an indication of
whether a specific exploit could apply, without yet attempting it. One
should also investigate how hardened the Internet-facing systems
appear to be, and whether unnecessary services are disabled.
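The port-scan and enumeration steps above in working code, as an added example that is not part of the original post: a full TCP connect scan that distinguishes open, closed and filtered ports, followed by banner-based service enumeration. It runs against two fake services started in-process on 127.0.0.1 so it works offline; the banners (an OpenSSH and a Postfix greeting), the hostname in them and the ports are all constructed for the example. In a real engagement this is the job of nmap (ping sweep with -sn, full TCP and UDP scan with -sS -sU -p-, OS fingerprint with -O, version probes with -sV); the point here is to show what a connect scan and a banner grab actually do on the wire, and why a refused connection and a timeout must be recorded differently.

```python
"""Added example: TCP connect scan plus banner-grab enumeration against
fake services started in-process, so it runs offline. Not from the
original post; banners, hostnames and ports are constructed here."""
import socket
import socketserver
import threading

# Constructed banners standing in for real SSH and SMTP greetings.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    b"220 mail.example.test ESMTP Postfix\r\n",
]


class BannerHandler(socketserver.BaseRequestHandler):
    """Send the server's banner to every client, as a chatty daemon does."""

    def handle(self):
        self.request.sendall(self.server.banner)


class BannerServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, banner):
        # Port 0: let the kernel pick a free ephemeral port.
        super().__init__(("127.0.0.1", 0), BannerHandler)
        self.banner = banner


def start_fake_services(banners):
    """Start one listener per banner; return the server objects."""
    servers = []
    for banner in banners:
        srv = BannerServer(banner)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


def stop_fake_services(servers):
    for srv in servers:
        srv.shutdown()
        srv.server_close()


def find_closed_port():
    """Bind and immediately release an ephemeral port, giving a port that is
    (almost certainly) closed, to show what a refused connection looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan. A completed handshake means open; a RST
    (ConnectionRefusedError) means closed; a timeout means filtered, i.e.
    something in the path dropped the SYN. All three states are recorded so
    the caller can tell a firewall from an unused port."""
    state = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                state[port] = "open"
            except ConnectionRefusedError:
                state[port] = "closed"
            except socket.timeout:
                state[port] = "filtered"
            except OSError:
                state[port] = "error"
    return state


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Connect and read whatever the service volunteers. Many services
    (HTTP, for one) say nothing until spoken to, so an empty banner does
    not mean the port is closed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(nbytes)
        except socket.timeout:
            data = b""
    return data.decode("ascii", "replace").strip()


def enumerate_services(host, ports):
    """Scan, then grab a banner from every port the scan reports open."""
    scan = connect_scan(host, ports)
    return {p: grab_banner(host, p) for p, st in scan.items() if st == "open"}


if __name__ == "__main__":
    servers = start_fake_services(SAMPLE_BANNERS)
    try:
        targets = [s.server_address[1] for s in servers] + [find_closed_port()]
        print(connect_scan("127.0.0.1", targets))
        print(enumerate_services("127.0.0.1", targets))
    finally:
        stop_fake_services(servers)
```

The scan keeps closed and filtered as separate states on purpose: a range of ports that all time out, next to a range that is refused, is the clearest sign on an external scan that a firewall is in front of the host and that the refused ports are the ones it is allowing through.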
