Information Gathering: Steps in Penetration Testing-1

Our previous post discussed the critical steps in hacking/penetration testing. The first step is information gathering. It is essential for a tester because initial data about the target(s), perimeter security details, public-facing services, and many other details about the technology in use can be gathered at this step. We will explain the important sub-steps and the valuable information in this post, but detailed information about the techniques is left to the keen reader.

Information gathering has two sub-categories: passive information-gathering tools and techniques, and active information-gathering tools and techniques. There are a lot of passive tools and techniques; in this post, we try to explain the most popular ones.

Passive Information Gathering

If a technique is considered passive in cyber security, it (most probably) doesn’t leave log data, a trace, or the origin of the request. The tools and techniques in this sub-category rely on publicly available services such as search engines, whois, DNS, e-mail, web pages, etc.

Finding IP Subnets

Public-facing, internal IP addresses are the prime candidates for an attack. There are a lot of tools for finding IP address details. Nmap can be considered for this category, but the approach Nmap uses mainly fits into the active information-gathering scope. Besides directly accessing the websites or sending packets, there are online tools that can provide IP address information about the target. A couple of examples are:

  • pentest-tools (useful for network-based information gathering)
  • online-domain-tools (combination of domain-specific tools and network tools)
  • nmmapper (a good suite of tools for OSINT)
  • (there is a whole separate section for “Information Gathering”)

Domains and sub-domain Names

The domain name refers to our target organization. For instance, our target is example corp. Then, by just gathering information about we can collect a lot of valuable information. However, companies and hosting firms collect access information and, in the event of a cyber attack, they provide this information to investigating entities. We need to leave no trace while we collect information about our target. One valuable tool is the Whois information about the domain. The information that can be collected by Whois queries includes:

  • The hosting company
  • The e-mail address of the domain owner
  • Where the DNS entries are held
  • The physical address and phone number of the domain owner
    • Please note that all of this information can be hidden at the request of the domain owner.
    • provides Whois privacy service against information gathering by Whois queries.
# installing whois in Kali Linux
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install whois

Whois in action

After installing it (in Kali Linux, it is already installed), you can query Whois information on any website by just typing “whois” in the terminal.
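Run against your own organization's domain, the fields listed above show what a passive observer can read and whether privacy masking is actually in effect. The following Python sketch is an added example, not part of the original post: the sample record is constructed for a fictional domain, and the field labels, masking phrases, and function names are assumptions that vary by registry.

```python
import re

# Constructed sample of `whois` output for a fictional domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: +1.5555550100
Registrant Email: hostmaster@example-corp.test
Admin Email: Please query the RDDS service of the Registrar
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Assumption: gTLD-style labels. Registries differ, so extend this per TLD.
FIELDS = {
    "registrar": ("Registrar",),
    "name_servers": ("Name Server",),
    "emails": ("Registrant Email", "Admin Email", "Tech Email"),
    "phones": ("Registrant Phone", "Admin Phone", "Tech Phone"),
    "address": ("Registrant Street", "Registrant City", "Registrant Postal Code"),
}
CONTACT_FIELDS = ("emails", "phones", "address")
# Phrases that privacy services and registries put in place of real values.
MASKED = re.compile(r"redacted|privacy|withheld|not disclosed|query the rdds", re.I)

def parse_whois(text):
    """Group whois values into the categories listed in the post."""
    by_label = {lbl.lower(): cat for cat, lbls in FIELDS.items() for lbl in lbls}
    record = {cat: [] for cat in FIELDS}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # split on the first colon only
        cat, value = by_label.get(label.strip().lower()), value.strip()
        if sep and cat and value and value not in record[cat]:
            record[cat].append(value)
    return record

def exposed_contacts(record):
    """Return contact values that are published rather than masked."""
    exposed = {}
    for cat in CONTACT_FIELDS:
        visible = [v for v in record[cat] if not MASKED.search(v)]
        if visible:
            exposed[cat] = visible
    return exposed

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("registrar:", rec["registrar"], "name servers:", rec["name_servers"])
    print("exposed contact data:", exposed_contacts(rec))
```

In the sample, the street address is masked but the registrant e-mail and phone are still published, which is the partial-privacy case worth checking for on a real record.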

There are valuable websites that can be used to collect Whois information about the target. A couple of them are:

Discovering Domains from an IP Address

In the Whois scenario, we had a known domain name and tried to collect information about it without directly accessing the target. If we have a public IP address and want to find out whether a domain is associated with it, we can use the dig tool in Kali Linux and nslookup in Windows.

dig -x <ip address>

A Complete Tool provides detailed information about a domain or IP address. It is useful for gathering information about a target during pen-testing.

Discovering e-mail Addresses

Another important piece of data about our target is the e-mail addresses associated with it. An e-mail address is important for understanding the account names in Active Directory, guessing other employees’ e-mail addresses, and (obviously) sending phishing e-mails. The most prominent tool is theHarvester. theHarvester provides detailed information about the target, including DNS, SHODAN results, search engines, and even port scans.

# an example command
theHarvester -d <> -l 100 -v -e -b google

Aside from theHarvester, there are tools and websites developed to collect valid e-mail addresses from HTML content and domain data.

Client and Third Party Software Discovery for the Target

If we can identify the third-party and client-side tools that are used by our target, then we can search for known vulnerabilities for exploitation purposes. One way to do that is to collect e-mails that have attachments and to try to grab banner information from enterprise systems. During active scanning and enumeration we can fill in this item better, but it is worth a try with passive information gathering if we can.

Search Engines

Search engines are the perfect source for information gathering. We can use Shodan, pastebin, Bing, Google, Yandex, Pipl, tineye and many more.

We will continue the information-gathering discussion with active tools and techniques. Keep in mind that there are a couple of paid options for information gathering, such as netcraft, hackertarget, etc. I hope this post helps you on your pen-testing journey.

Emre Caglar Hosgor