WEBVTT

00:00.490 --> 00:01.540
Hello, my name is Stefan.

00:01.550 --> 00:02.950
Welcome to this lecture.

00:02.950 --> 00:08.080
In this lecture, we are going to learn about the information gathering phase, reconnaissance.

00:08.140 --> 00:13.600
The information gathering phase is a crucial step in any security assessment.

00:13.600 --> 00:20.020
Bug bounty hunters and security professionals emphasize the importance of this phase as it lays the

00:20.020 --> 00:22.930
foundation for the entire process.

00:22.930 --> 00:28.810
During the information gathering, the goal is to discover assets and enumerate the attack surface of

00:28.810 --> 00:33.640
the target to obtain as much relevant information as possible.

00:33.640 --> 00:40.000
Every piece of information gathered can potentially contribute to the success of the security assessment.

00:40.030 --> 00:48.370
In this lecture, we see that various data points are collected, including usernames, passwords, hostnames,

00:48.370 --> 00:53.470
IP addresses, external providers, internal services and version banners.

00:53.500 --> 01:00.440
These details provide insights into the target's infrastructure and potential vulnerabilities.

01:00.440 --> 01:07.850
The information obtained during this phase becomes invaluable for subsequent stages of the security

01:07.880 --> 01:08.690
assessment.

01:08.690 --> 01:13.460
So there are numerous reconnaissance tasks that can be performed during an assessment.

01:13.500 --> 01:20.360
And one powerful tool for information gathering is the Nmap Scripting Engine.

01:20.360 --> 01:21.710
NSE.

01:22.010 --> 01:30.440
NSE offers internal results obtained from scans as well as external data sources that complement other

01:30.440 --> 01:38.180
standalone tools. By utilizing all available resources, security professionals and ethical hackers increase

01:38.180 --> 01:44.180
their chances of finding critical information that could compromise a target's security.

01:44.210 --> 01:50.660
Paying attention to the small details is crucial during this phase, as it can yield significant dividends.

01:50.660 --> 01:56.480
And Nmap is well known for its robust information gathering capabilities, such as operating system

01:56.480 --> 02:00.430
fingerprinting, port enumeration and service discovery.

02:00.440 --> 02:07.040
However, with the inclusion of NSE, the Nmap Scripting Engine, additional information gathering tasks

02:07.040 --> 02:08.480
can be performed.

02:08.480 --> 02:13.880
These tasks include obtaining additional IP address information, checking for malicious activities

02:13.880 --> 02:20.510
associated with the host, using external databases, discovering new targets through the external databases,

02:20.540 --> 02:27.860
brute forcing DNS records, parsing SSL certificates and collecting valid email accounts.

02:27.860 --> 02:31.940
So let's explore some practical examples of these techniques here.

02:31.940 --> 02:33.560
So here we will.

02:33.560 --> 02:38.600
In this section we will perform IP address geolocation.

02:38.600 --> 02:46.940
So geolocating an IP address can help system administrators and threat intelligence analysts identify

02:46.940 --> 02:49.880
the geographical origin of a network connection.

02:49.880 --> 02:56.540
NSE scripts such as IP here, so IP geolocation.

02:56.540 --> 02:57.950
MaxMind.

02:58.220 --> 03:01.220
IP geolocation.

03:03.050 --> 03:04.280
Oh, actually, let's write it.

03:04.700 --> 03:08.030
Write it down on the notepad here.

03:08.030 --> 03:09.950
So the NSE scripts.

03:09.980 --> 03:14.510
IP geolocation MaxMind.

03:14.540 --> 03:23.810
IP geolocation IPInfoDB, DB, IP geolocation.

03:23.810 --> 03:27.410
GeoPlugin, IP geolocation.

03:28.290 --> 03:29.730
Your location.

03:30.270 --> 03:30.930
Um.

03:31.290 --> 03:34.110
IP geolocation mapping.

03:35.720 --> 03:37.850
Map Bing here.

03:38.000 --> 03:40.310
IP Geolocation.

03:40.460 --> 03:44.180
IP geolocation map.

03:44.180 --> 03:45.260
Google.

03:49.020 --> 03:49.590
IP.

03:51.150 --> 03:53.730
Geolocation map.

03:53.890 --> 03:57.330
KML, enable geolocation.

03:57.330 --> 04:05.550
These NSE scripts enable geolocation of remote IP addresses by leveraging external

04:05.550 --> 04:07.350
services or databases.

04:07.350 --> 04:10.950
So, getting information, in this section.

04:10.950 --> 04:14.880
We are also going to learn how to get information from WHOIS records.

04:14.880 --> 04:21.690
So WHOIS records contain valuable details about domain registrations, ownership information

04:21.690 --> 04:23.670
and registration dates.

04:23.670 --> 04:30.570
So NSE scripts allow security professionals to query WHOIS servers and extract relevant information

04:30.570 --> 04:32.340
for their assessments.

04:32.820 --> 04:39.180
In this section, we will also learn how to obtain traceroute geolocation information.

04:39.180 --> 04:46.290
So a traceroute is a network diagnostic tool that maps the path between a machine and a target.

04:46.290 --> 04:54.430
So NSE scripts provide geolocation information for each hop in the traceroute, aiding in network analysis

04:54.430 --> 04:59.950
and understanding the target's information and infrastructure.

04:59.950 --> 05:05.110
So we will also query Shodan to obtain target information.

05:05.110 --> 05:14.040
So Shodan is a specialized search engine that scans and indexes internet-connected devices,

05:14.050 --> 05:15.460
NSE here.

05:15.460 --> 05:22.210
So we can also use Shodan online here, Shodan here.

05:22.210 --> 05:23.920
So here, this is Shodan.

05:23.920 --> 05:31.390
As I said, Shodan is a specialized search engine that scans and indexes internet-connected

05:31.390 --> 05:38.680
devices, and the NSE script allows security professionals to query Shodan's database and gather information

05:38.680 --> 05:44.890
about specific targets, including open ports, running services and potential vulnerabilities.

05:45.850 --> 05:48.850
So sorry here.

05:48.850 --> 05:55.090
So in this section, we will also learn how to collect valid email accounts and IP addresses

05:55.090 --> 05:56.740
from web servers.

05:56.890 --> 06:05.710
NSE scripts can identify valid email accounts associated with the web server, which can be useful for

06:05.710 --> 06:08.080
social engineering or targeted attacks.

06:08.080 --> 06:14.800
So these scripts also extract IP addresses linked to the web server, providing further insights into

06:14.800 --> 06:16.480
the target's infrastructure.

06:16.480 --> 06:25.690
In this section of our course, we will learn how to discover hostnames pointing to the same IP

06:25.690 --> 06:28.030
address, which is DNS related.

06:28.030 --> 06:34.810
NSE scripts can help identify multiple hostnames that resolve to the same IP address, so this information

06:34.810 --> 06:39.220
can reveal subdomains or alternative ways to access the target.

06:39.250 --> 06:41.380
Expanding the attack surface.

06:41.380 --> 06:47.380
We will also learn how to discover hostnames by brute forcing DNS records, because brute forcing DNS

06:47.380 --> 06:55.450
records involves systematically generating and querying possible hostnames to find the valid

06:55.960 --> 06:58.420
ones associated with the target.

06:58.420 --> 07:06.040
So NSE scripts streamline this process, saving time and effort during the assessment.

07:06.640 --> 07:13.000
And lastly, in this section we will learn how to match services with public vulnerability advisories,

07:13.000 --> 07:15.340
picking the low hanging fruit.

07:15.340 --> 07:22.510
So NSE scripts compare the services identified on the target with public vulnerability advisories.

07:22.510 --> 07:27.940
This helps identify known vulnerabilities that can be easily exploited.

07:28.000 --> 07:34.090
Focusing on low hanging fruit maximizes the efficiency of the assessment.

07:34.090 --> 07:39.820
In conclusion, the information gathering phase is a critical aspect of any security assessment.

07:39.820 --> 07:48.430
By leveraging tools like Nmap and its NSE scripts, security professionals can gather valuable information

07:48.430 --> 07:53.050
about a target's assets, attack surface and potential vulnerabilities.

07:53.050 --> 07:59.410
The practical examples provided demonstrate the various techniques available for IP address geolocation,

07:59.410 --> 08:06.880
WHOIS record retrieval, traceroute analysis, Shodan querying, email account and IP address collection,

08:06.880 --> 08:10.780
hostname discovery and matching services with public vulnerability advisories.

08:10.810 --> 08:18.190
Incorporating these techniques into the security assessment enhances the ability to identify and mitigate

08:18.190 --> 08:20.230
the risks effectively.
