## Penetration Testing Techniques - Information Gathering: Our First Key
As a penetration testing team, we always consider information gathering to be the most critical first step in the entire testing process. It's like the clue collection phase before a detective investigates a case - the more comprehensive the information we obtain, the more targeted our subsequent penetration will be. Today, we'll share how professional penetration testers conduct systematic information gathering.
### Our Information Gathering Methodology
Before beginning any test, we follow a standardized information collection process:
1. **Passive Information Gathering**: Obtaining information without directly contacting the target system
2. **Active Information Gathering**: Acquiring detailed information by directly probing the target system
3. **Intelligence Analysis and Integration**: Transforming fragmented collected information into actionable intelligence
### Passive Collection: The Silent Intelligence Network
Our most commonly used passive collection methods include:
- **Search Engine Techniques**:
  - Using Google dork syntax: `site:example.com filetype:pdf`
  - Searching for associated subdomains through Bing
  - Utilizing IoT search engines like Shodan and Censys
- **DNS Information Mining**:
```bash
# Typical DNS enumeration commands
dig example.com ANY
host -t mx example.com
dnsenum example.com
```
- **Historical Data Queries**:
  - Viewing website historical snapshots through the Wayback Machine
  - Searching for leaked code and configuration files on GitHub
  - Checking domain WHOIS information change records
### Active Scanning: The Art of Precise Probing
After completing passive collection, we carefully conduct active scanning:
1. **Network Topology Mapping**:
```bash
# Classic Nmap scan command
nmap -sS -Pn -T4 -A -v -oA full_scan 192.168.1.0/24
```
2. **Service Fingerprint Identification**:
   - Using Nmap's `-sV` parameter to identify service versions
   - Analyzing website technology stacks through Wappalyzer
   - Using specialized identification tools for particular services (like industrial control protocols)
3. **Web Application Information Gathering**:
```bash
# Directory brute-force example
# dirb takes the wordlist as a positional argument; its -w flag means
# "don't stop on warnings", not "wordlist"
dirb https://example.com /usr/share/wordlists/dirb/common.txt
```
### Our Professional Toolkit
In daily work, we rely on these core tools:
| Tool Type | Common Tools | Primary Purpose |
|-----------------|----------------------------------|-----------------------------------|
| Network Scanning| Nmap, Masscan, Zmap | Port scanning and service discovery|
| Web Info Gathering| Burp Suite, OWASP ZAP, dirsearch| Web app directory and vulnerability scanning|
| Subdomain Enumeration| Sublist3r, Amass, Assetfinder | Discovering target's digital assets|
| Metadata Extraction| Exiftool, Metagoofil | Extracting sensitive info from documents|
| Automation Framework| Recon-ng, SpiderFoot | Integrating multiple info collection channels|
### Real Case: A Complete Information Gathering Process
Recently, during an authorized test for an enterprise, we discovered major security risks through systematic information gathering:
1. First found a forgotten test subdomain (test.example.com) through passive collection
2. Conducted port scanning on this subdomain and discovered a Jenkins service exposed without authentication
3. Found internal Git server credentials through Jenkins' build history
4. Ultimately obtained core business code using these credentials
### Our Professional Recommendations
Based on years of experience, we recommend that enterprises:
1. **Conduct regular self-inspections**: Use these same techniques to discover your own attack surface before someone else does
2. **Follow the principle of minimization**: Only expose necessary services and information
3. **Monitor changes**: Establish digital asset change monitoring mechanisms
4. **Employee training**: Improve developers' security awareness
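One concrete way to turn self-inspection and change monitoring into a routine check is to parse the grepable output that the `nmap -oA full_scan` command above writes (`full_scan.gnmap`) and compare the open ports against an approved-exposure baseline, so a forgotten host like the test subdomain from the case study surfaces automatically. This is an added example, not code from the original article; the scan lines and the `BASELINE` allowlist are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap grepable (.gnmap) output from an assumed
# authorized scan of our own range; not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -Pn -T4 -A -v -oA full_scan 192.168.1.0/24
Host: 192.168.1.10 (www.example.com)\tStatus: Up
Host: 192.168.1.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//ssl|http//nginx 1.24.0/\tIgnored State: closed (998)
Host: 192.168.1.57 (test.example.com)\tStatus: Up
Host: 192.168.1.57 (test.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 8080/open/tcp//http//Jetty 9.4.z-SNAPSHOT/\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# Constructed baseline: {ip: set of ports approved for exposure}.
# Hosts missing from the baseline are treated as wholly unexpected.
BASELINE = {"192.168.1.10": {80, 443}}

@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return {ip: (hostname, [OpenPort, ...])} from Nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        hostname, ports = hosts.setdefault(m.group(1), (m.group(2), []))
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # entry layout: port/state/proto/owner/service/rpc-info/version/
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                ports.append(OpenPort(int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts

def unexpected_exposures(hosts, baseline):
    """List (ip, hostname, OpenPort) for every open port outside the baseline."""
    findings = []
    for ip, (hostname, ports) in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        findings.extend((ip, hostname, p) for p in ports if p.port not in allowed)
    return findings

if __name__ == "__main__":
    for ip, name, p in unexpected_exposures(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"UNEXPECTED {ip} ({name}) {p.port}/{p.proto} {p.service} {p.version}")
```

Run it against each new scan and alert on any non-empty result; the baseline grows only through an explicit approval, which is what makes the diff meaningful.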
Remember, in penetration testing, the quality of information gathering directly determines the depth and effectiveness of the test. We always believe that an excellent security expert must first be an outstanding "information hunter."
> Disclaimer: The techniques described in this article should only be used for legally authorized security testing. Unauthorized scanning and penetration may violate laws.