Information gathering
Information gathering is one of the first steps of an engagement. Its goal is to build an understanding of the target's infrastructure, business practices, and the information publicly available about it through open sources. The information gathered during this step is used to inform later stages of the engagement.
The following is a sample checklist for researching a target.
- Review the target's public-facing website and social media accounts
  - What does the target do?
  - How is the organization structured?
  - Take note of contact information for key personnel (leadership/management, IT personnel, etc.)
  - Collect phone and fax numbers, email addresses, usernames, position titles, pictures, etc.
  - Identify the email address structure(s) used by the target.
  - Identify internal business practices.
  - Pay particular attention to "about" pages, as these often contain names, social media links, and email addresses.
- Use basic tools to gain additional information about the target's network
  - Use Netcraft and Google Dorks to attempt to identify technologies used by the target
  - Use Shodan to search for additional internet-connected computers and devices
  - Use FOCA to scrape metadata from documents published on the target domain(s)
  - Use SSL Server Test to analyze the SSL/TLS configuration
  - Check security headers with securityheaders.com
  - Check open job postings for mentions of specific technologies
- Gather information about target personnel
  - Harvest usernames: use tools like Hunter.io, phonebook.cz, and theHarvester to search the target domain for usernames, email addresses, etc.
  - Use social media tools to profile identified personnel
- Check public repositories for additional target information
  - GitHub, GitLab, SourceForge, Pastebin
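As an added example (not part of the original checklist), the security-header check from the list above applied to a constructed HTTP response, the kind of review an organization can run against its own site. The expected-header baseline, the one-year HSTS threshold, and the sample response are assumptions made for this example.

```python
# Audit the security headers of a raw HTTP response. The response below is
# constructed for this example and was not captured from any real host.
import re

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://example.invalid
X-Content-Type-Options: nosniff

<html>...</html>
"""

# Hypothetical baseline: headers a reviewer expects on a public-facing site.
EXPECTED = ["strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy"]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_headers(raw: str) -> dict:
    """Return {lowercased-name: value} for the header block of a raw HTTP response."""
    head = raw.split("\n\n", 1)[0].replace("\r", "")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(raw: str) -> dict:
    """Classify each expected header as 'ok', 'weak: <reason>' or 'missing'."""
    h = parse_headers(raw)
    findings = {}
    for name in EXPECTED:
        if name not in h:
            findings[name] = "missing"
            continue
        value = h[name].lower()
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            age = int(m.group(1)) if m else 0
            findings[name] = "ok" if age >= ONE_YEAR else f"weak: max-age={age} below one year"
        elif name == "x-frame-options":
            # Only DENY and SAMEORIGIN are honoured by current browsers.
            findings[name] = "ok" if value in ("deny", "sameorigin") else f"weak: {value}"
        else:
            findings[name] = "ok"
    # A Server banner carrying a version string is information disclosure worth noting.
    if re.search(r"/\d", h.get("server", "")):
        findings["server"] = "weak: version disclosed"
    return findings
```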