There are two ways of gathering information: passive reconnaissance and active reconnaissance. Recon is usually done online, but there is no reason it can't be done offline too.
During passive recon you go after the information that is already out there. It is either out there intentionally or it leaked. You do not make any contact with the other party. You try to discover information about the organization, the employees, the third parties, the systems, naming conventions, ... anything you can lay your hands on.
The active form of information gathering is the part where you engage in a limited form of contact. Nothing intrusive, just enough to get a better view of the other party.
I don't know who you are and if the knowledge in this article can get you in trouble with the law but I suggest you only try these techniques on your own infrastructure or one for which you have the necessary (written) permissions.
The idea behind this article is to get feedback, so give me your side of the story. If you think I am wrong, tell me, and if you agree or want to add something, let me know too.
Organizations do not exist on their own. In the real world you have suppliers, customers, users, ... you get the idea. One of the ways to reveal this is to just visit the website of your target and look for company info.
As an example I went to the website of one of the large ISPs in Belgium and found this:
- The members of the different boards: names and functions
- They have a subsidiary that is a hosting company
- Locations of different company locations
- Their logos and for what they are used
- Customer service, communication department info
- Phone numbers
- The use of webeventservices.com for communication
- The email address of the VP Corporate Counsel is firstname.lastname@example.org
- The list of the analysts in all major financial institutions that follow the company and, conveniently, their email addresses
- Department names
- Job openings, and these contain information about the systems they use:
  Cognos (7, Series 8, Powerplay, BCM), BO, SPSS, SAS, MS Outlook, MS Office, Salesforce.com (CRM), IBM Ascential Datastage, Oracle databases, Java, J2EE, MS Sharepoint 2007, Windows 2000 Server & Advanced Server, Windows 2000 Professional, Windows 2003 Server, Windows Vista, VMware, Juniper & Alcatel backbone routers, Linux, Solaris, AIX, DNS, DHCP, POP3, SMTP, HTTP, LDAP, IBM & Sun application servers (Java), ...
This information was gathered just by looking around on their website. The next step I take is to check job sites for anything on that company. For this example I used one of the most popular job sites in Belgium, vacature.com, and it returned 12 job openings. On another job site, monster.be, I found other information, such as which temp agencies they use.
To manage all the information I gather I use mind-mapping software. Since I like open source I looked for a good open source one, and personally I like Freemind.
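The job-opening step above is also a check an organization can run on itself: feed its own postings through a keyword inventory and see which products and platforms it is disclosing. The script below is an added example, not part of the original post; the technology patterns and the three sample postings are constructed for illustration.

```python
import re
from collections import Counter

# Constructed product/platform patterns (extend for your own stack).
# Scoped (?i:...) makes product names case-insensitive while short acronyms
# such as BO, SAS, AIX, LDAP stay case-sensitive to avoid matching ordinary words.
TECH_PATTERNS = {
    "Cognos": r"(?i:\bcognos\b)",
    "Business Objects": r"\bBO\b|(?i:\bbusiness\s*objects\b)",
    "SAS": r"\bSAS\b",
    "Salesforce": r"(?i:\bsalesforce(?:\.com)?\b)",
    "Oracle Database": r"(?i:\boracle\b)",
    "SharePoint": r"(?i:\bsharepoint\b)",
    "Windows Server": r"(?i:\bwindows\s*(?:2000|2003)\s*(?:advanced\s*)?server\b)",
    "VMware": r"(?i:\bvmware\b)",
    "Juniper": r"(?i:\bjuniper\b)",
    "Solaris": r"(?i:\bsolaris\b)",
    "AIX": r"\bAIX\b",
    "LDAP": r"\bLDAP\b",
}

# Constructed sample postings standing in for text copied from a job site.
POSTINGS = [
    "BI analyst: experience with Cognos 8, Business Objects and SAS required. "
    "Oracle databases a plus.",
    "System engineer: manage Windows 2003 Server and VMware ESX; "
    "Solaris/AIX knowledge appreciated.",
    "Network engineer: Juniper backbone routers, LDAP integration, "
    "Cognos reporting for capacity planning.",
]


def technology_footprint(postings):
    """Return [(technology, postings mentioning it)], most-mentioned first."""
    counts = Counter()
    for text in postings:
        for name, pattern in TECH_PATTERNS.items():
            if re.search(pattern, text):
                counts[name] += 1  # count each posting once per technology
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, n in technology_footprint(POSTINGS):
        print(f"{n:2d}  {name}")
```

The output is the list of products a reader of the postings can infer, which is the same list an organization should compare against what it intended to publish.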
Next post will be about BiLE from Sensepost. A nice tool suite to get more info about relations between websites.