Information Gathering: The Complete Documentation
- This category contains 4 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Distributed Information Gathering
Published on 1999-09-09, by hybrid, ©Phrack Magazine.
Information gathering refers to the process of determining the characteristics of one or more remote hosts (and/or networks). Information gathering can be used to construct a model of a target host, and to facilitate future penetration attempts.
File infos:
- L0T3K ID: docs-377
- status: online
- source: www.phrack.org
Overview of Passive Information Gathering Techniques for Network Security (An)
Published on 2006-09-02, by J. Treurniet, ©Defence R&D Canada.
To ensure the security of a network effectively, the network manager must be continuously informed of the status and composition of the network, as well as the activities that are taking place on it. Real-time awareness is the ultimate goal. Traditionally, “active” discovery methods are used periodically to attain some degree of near-real-time awareness.
Active discovery methods are methods that introduce traffic onto the network, such as ICMP ping, SNMP queries, and TCP SYN portscans. There are two drawbacks to using these techniques. The first, common to any active sensing technique, is counter-detection. The second drawback is the potential introduction of large amounts of traffic onto the network, which can, at peak times, be a burden on the network. For example, a simple ping sweep on a class B network can introduce up to 3.6 megabytes of traffic per sweep. If one were to also scan for all 65535 ports using TCP SYN packets, this number skyrockets to over 170 gigabytes per sweep.
To address these drawbacks, “passive” techniques can be integrated into network discovery algorithms. Passive techniques strictly listen to traffic and do not introduce traffic to the network. A strategically placed network sniffer can collect the passing traffic for further processing to yield the desired information.
File infos:
- L0T3K ID: docs-1935
- status: online
- source: http://www.ottawa.drdc-rddc.gc.ca/
Passive Information Gathering - The Analysis of Leaked Network Security Information
Published on 2004, by Gunter Ollmann, ©Next Generation Security Software Ltd.
Most organisations are familiar with Penetration Testing (often abbreviated to "pentesting") and other ethical hacking techniques as a means to understanding the current security status of their information system assets. Consequently, much of the focus of research, discussion, and practice has traditionally been placed upon active probing and exploitation of security vulnerabilities. Since this type of active probing involves interacting with the target, it is often easily identifiable with the analysis of firewall and intrusion detection/prevention device (IDS or IPS) log files.
However, too many organisations fail to identify the potential threats from information unintentionally leaked, freely available over the Internet, and not normally identifiable from standard log file analysis. Most critically, an attacker can passively gather this information without ever coming into direct contact with the organisation's servers – thus being essentially undetectable.
Very little information has been publicly discussed about arguably one of the least understood, and most significant stages of penetration testing – the process of Passive Information Gathering. This technical paper reviews the processes and techniques related to the discovery of leaked information. It also includes details on both the significance of the leaked information, and steps organisations should take to halt or limit their exposure to this threat.
File infos:
- L0T3K ID: docs-1934
- status: online
- source: www.nextgenss.com
Passive Network Discovery for Real Time Situation Awareness
Published on 2004, by Annie De Montigny-Leboeuf and Frédéric Massicotte, ©Communication Research Centre Canada.
Network security analysts are confronted with numerous ambiguities when interpreting alerts produced by security devices. Even with the increased accuracy of these tools, analysts still have to sort through a tremendous number of potential security events in order to maintain the desired level of assurance. This paper describes how passive network discovery and persistent monitoring can provide significant contextual information valuable to network security professionals responsible for protecting the network. Techniques discussed include the capability to discover active nodes, their operating systems, the role they carry out, their system uptime, the services they offer, the protocols they support, and their IP network configuration. An attractive feature of this approach is that it focuses on mechanisms that do not rely on access to user data. While this is rarely a concern for the intruder, it can be of the utmost importance to the security analyst. One of the main interests in using a passive approach is that the information gathering process has no impact on the bandwidth or on the monitored assets. This is in contrast with active scanning techniques that are often noisy and intrusive. Passive techniques can be used at all times, allowing near real-time awareness of the security posture of ever-changing networks, and thus helping network administrators remain in control and anticipate upcoming security problems. A network monitoring prototype has been developed to test the techniques described in this paper.
File infos:
- L0T3K ID: docs-1936
- status: online
- source: www.snort.org
Created: 2010-03-16 10:21 | Modified: 2009-01-10 02:17 | Size: 15447 octets