Active Information Gathering

Active information gathering can provide very useful results during the reconnaissance phase of a penetration test. With this active approach, the penetration tester makes a direct connection to the actual target to gather specific details that Open Source Intelligence (OSINT) is unable to provide. Using active information gathering, the penetration tester is able to build a very detailed profile of the target, gathering information such as the type of operating system and the services it is running. This information helps to research and identify vulnerabilities relevant to the target, thereby narrowing the choice of specific exploits to use against it.

Throughout this chapter, we will focus on directly engaging the target to gather specific details about it in order to help us profile any running services. Understanding how to perform active reconnaissance is vital preparation for the exploitation phase. During the information-gathering phase, you'll be able to identify vulnerabilities and determine suitable exploits for breaking into a system or network. You will also be able to retrieve sensitive information from network devices and systems.

During the course of this chapter, we will cover the following topics:

  • Understanding active information gathering
  • DNS interrogation
  • Scanning
  • Nmap
  • Hping3
  • SMB, LDAP enumeration, and null sessions
  • Web footprints and enumeration with EyeWitness
  • Metasploit auxiliary modules