Information Gathering
Prepared By: Mr. Abhijeet A. More
OWNER OF PERFECT TRAINING CENTER

Information Gathering
• Information gathering refers to gathering information about the issue you're facing and the ways other organizations and communities have addressed it.
• You can gather information using both existing sources and natural examples.
Information Gathering
• Synthesis here refers to analyzing what you've learned from your information gathering, and constructing a coherent program or approach by taking ideas from a number of sources and putting them together to create something that meets the needs of the community and population you're working with.
• Synthesis involves extracting the functional elements of both the analysis of the issue and approaches to it.
• Functional elements are those that are indispensable either to understanding the issue or to implementing a particular program.
Why gather information?
• It will help you avoid reinventing the wheel.
• It will help you gain a deep understanding of the issue so that you can address it properly.
• You need all the tools possible to create the best program you can.
• It's likely that most solutions aren't one size fits all.
• It can help you ensure your program is culturally sensitive.
• Knowing what's been done in a variety of other circumstances and understanding the issue from a number of different viewpoints may give you new insights and new ideas for your program.
Information Gathering Tools
Maltego
www.paterva.com
Maltego is an intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way.
What is Maltego?
• Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates.
• Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
About Maltego
• Maltego is an intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way.
• Coupled with its graphing libraries, Maltego allows us to identify previously unknown relationships between information, persons and information about persons.
• As such, it is a useful tool in the IT security field to map an organization's people and relationships, and a valuable aid in exploring the social-engineering attack vector in pentesting investigations.
Tools
• Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

NMAP Objective
• Find open TCP and/or UDP listeners on a single TCP/IP address or a range of addresses
• Find out software versions
• Find out operating system type
• Don't get caught doing it
• Learn what you have on your network
Is Nmap the best tool?
• Yes it is
• Long history of development and support
• Active user base, used in many products
• Continuous development and improvements
• "Industry Standard" port scanner
• It's free, open and well documented.
• Stay current! (4.00 as of this doc)
History of Nmap
• First released September 1, 1997 in Phrack 51, "The Art of Portscanning"
  http://www.insecure.org/nmap/p51-11.txt
• Many updates since then:
  OS Detection (Phrack 54)
  Idle scanning
  Version scanning
  ARP Scanning

Host Discovery
• TCP SYN Probe (-PS<portlist>)
• TCP ACK Probe (-PA<portlist>)
• UDP Probe (-PU<portlist>)
• ICMP Echo Request/Ping (-PE)
• ICMP Timestamp Request (-PP)
• ICMP Netmask Request (-PM)
• ARP Probes (-PR)
Most valuable TCP 'ping' Ports?
• 80 (HTTP)
• 25 (SMTP)
• 22 (SSH)
• 443 (HTTPS)
• 21 (FTP)
• 113 (AUTH)
• 23 (TELNET)
• 53 (DNS)
• 554 (RTSP)
• 1723 (PPTP)
TCP SYN or ACK Probes?
• Send both!
• Purpose is to find hosts that are up
• We do not care whether the port is active yet
Most valuable UDP "Ping" Port
• Pick a high numbered one
• Anything that responds with ICMP is up
• Most things respond with ICMP
Most Valuable ICMP "Ping" Types
• Echo Request (-PE)
• …plus either Timestamp (-PP)
• …or Netmask (-PM)
ARP Ping Probing
• Useful only on same subnet
• VERY reliable and much faster
• Sends raw Ethernet ARP requests
• Automatically used if host/network is on the local subnet
• Unless --send-ip option specified
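Seen from the network owner's side, the probe mix described on these host-discovery slides is also what a detector looks for. The following is an added example, not code from the slides or from the Nmap project: it classifies connection records into the probe kinds listed above (SYN or bare ACK to the 'ping' ports, ICMP echo/timestamp/netmask requests, UDP to a high port) and flags a source that probes many hosts with several kinds. The record layout, the threshold values and the sample traffic are assumptions constructed for the example; ARP probes never appear in IP-level records and are not covered.

```python
"""Added example: flag Nmap-style host-discovery sweeps in connection records.

Assumed record format (constructed for this example, not from the slides):
one Flow per first packet of a connection, carrying the TCP flags of that
packet or the ICMP type of the request.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP ports the slides rank as the most valuable 'ping' ports.
PING_PORTS = {80, 25, 22, 443, 21, 113, 23, 53, 554, 1723}

# ICMP request types behind -PE, -PP and -PM (RFC 792 type numbers).
ICMP_PROBE_TYPES = {8: "echo-request", 13: "timestamp-request", 17: "netmask-request"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # TCP/UDP destination port
    flags: str = ""     # TCP flags of the first packet, e.g. "S" or "A"
    icmp_type: int = -1


def classify(flow):
    """Name the host-discovery probe a single flow resembles, or None."""
    if flow.proto == "tcp" and flow.dport in PING_PORTS:
        if flow.flags == "S":
            return "tcp-syn"
        if flow.flags == "A":
            return "tcp-ack"      # bare ACK with no preceding handshake (-PA)
    if flow.proto == "icmp" and flow.icmp_type in ICMP_PROBE_TYPES:
        return ICMP_PROBE_TYPES[flow.icmp_type]
    if flow.proto == "udp" and flow.dport >= 30000:
        return "udp-high-port"    # the slides' "pick a high numbered one" (-PU)
    return None


def detect_sweeps(flows, min_hosts=5, min_kinds=2):
    """Return {src: {"hosts": n, "kinds": [...]}} for sources that probed at
    least min_hosts distinct destinations using at least min_kinds probe kinds,
    or any number of kinds if one of them was an ICMP timestamp or netmask
    request (rare in ordinary traffic). The thresholds are assumptions."""
    hosts = defaultdict(set)
    kinds = defaultdict(set)
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        hosts[f.src].add(f.dst)
        kinds[f.src].add(kind)

    findings = {}
    rare = {"timestamp-request", "netmask-request"}
    for src, seen in hosts.items():
        if len(seen) >= min_hosts and (len(kinds[src]) >= min_kinds or kinds[src] & rare):
            findings[src] = {"hosts": len(seen), "kinds": sorted(kinds[src])}
    return findings


def constructed_flows():
    """Constructed sample traffic: one source sweeping 10.0.1.1-8 with the
    SYN/ACK/echo/timestamp mix, a normal HTTPS client talking to one host,
    and a monitoring box pinging three hosts."""
    flows = []
    for i in range(1, 9):
        dst = f"10.0.1.{i}"
        flows += [
            Flow("10.0.0.9", dst, "tcp", 80, "S"),
            Flow("10.0.0.9", dst, "tcp", 443, "A"),
            Flow("10.0.0.9", dst, "icmp", icmp_type=8),
            Flow("10.0.0.9", dst, "icmp", icmp_type=13),
        ]
    flows += [Flow("10.0.0.50", "10.0.1.1", "tcp", 443, "S") for _ in range(20)]
    flows += [Flow("10.0.0.2", f"10.0.1.{i}", "icmp", icmp_type=8) for i in range(1, 4)]
    return flows


if __name__ == "__main__":
    for src, info in detect_sweeps(constructed_flows()).items():
        print(f"{src}: {info['hosts']} hosts probed using {', '.join(info['kinds'])}")
```

Only the sweeping source is reported; the busy HTTPS client touches one host and the monitor uses a single probe kind against few hosts. Timestamp and netmask requests are weighted separately because almost nothing legitimate sends them, so even a sweep that uses only one TCP probe kind plus -PP stands out.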
Intense Discovery!
• # nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source-port 53 -n -T4 -iR 10000
• [ … lots of IPs … ]
• Host a.b.c.d appears to be up.
• Host w.x.y.z appears to be up.
• Nmap finished: 10000 IP addresses (699 hosts up) scanned in 2016.564 seconds
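The output lines on this slide are easy to turn into an inventory check, which is what "learn what you have on your network" amounts to in practice. The following is an added example, not code from the slides or from Nmap: it parses the "Host … appears to be up." and "Nmap finished: …" lines in the format shown above, rejects truncated output or output whose summary count disagrees with the host lines, and reports live addresses missing from a known asset list. The sample output and the inventory set are constructed for the example.

```python
"""Added example: parse Nmap ping-scan (-sP) output in the format shown on the
slides and compare the live hosts against a known asset inventory."""
import re

# "Host a.b.c.d appears to be up." (the non-greedy group also keeps a
# "name (addr)" form intact if a scan was run without -n).
HOST_UP = re.compile(r"^Host (.+?) appears to be up\.$")
# "Nmap finished: 10000 IP addresses (699 hosts up) scanned in 2016.564 seconds"
SUMMARY = re.compile(
    r"^Nmap finished: (\d+) IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$"
)


def parse_ping_scan(text):
    """Return {'up': [...], 'scanned': n, 'reported_up': m, 'seconds': s}.

    Raises ValueError when the summary line is missing (truncated output) or
    when the number of host lines does not match what the summary claims."""
    up, summary = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_UP.match(line)
        if m:
            up.append(m.group(1))
            continue
        m = SUMMARY.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)), float(m.group(3)))
    if summary is None:
        raise ValueError("no 'Nmap finished' summary line: output truncated?")
    scanned, reported_up, seconds = summary
    if reported_up != len(up):
        raise ValueError(f"summary reports {reported_up} hosts up but {len(up)} host lines were parsed")
    return {"up": up, "scanned": scanned, "reported_up": reported_up, "seconds": seconds}


def unknown_hosts(result, inventory):
    """Live addresses that are not in the asset inventory, sorted."""
    return sorted(set(result["up"]) - set(inventory))


# Constructed sample output in the slide's format (not a real scan).
SAMPLE_OUTPUT = """\
Host 10.0.1.1 appears to be up.
Host 10.0.1.5 appears to be up.
Host 10.0.1.9 appears to be up.
Nmap finished: 16 IP addresses (3 hosts up) scanned in 4.321 seconds
"""

# Constructed inventory: 10.0.1.9 is live but nobody has registered it.
KNOWN_INVENTORY = {"10.0.1.1", "10.0.1.5"}


if __name__ == "__main__":
    result = parse_ping_scan(SAMPLE_OUTPUT)
    print(f"{result['reported_up']} of {result['scanned']} addresses up in {result['seconds']}s")
    for addr in unknown_hosts(result, KNOWN_INVENTORY):
        print(f"not in inventory: {addr}")
```

Checking the per-host lines against the summary count matters when scan output is captured from a pipe or a cut-off terminal session: a partial file silently understates what is live, and the inventory diff would then miss exactly the hosts that were never recorded.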
Tools
• Whois Lookup
• www.dnsstuff.com
• www.centralops.net
Thank you!!