Information Gathering

You don’t go directly to the target’s web site. You start by reviewing the publicly available information, and you decide upon a goal before touching anything.

The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is a good orientation. Useful information may already have leaked. It may not be reliable, but there is a good chance it saves you a lot of time without touching the web site.

Retain the information for future reference.

The Sam Spade utilities look up DNS and domain registration information. They are frequently under revision, but one stable source is

Use Maltego and Pipl to find published information scattered across the Internet. Maltego’s transforms draw on sources such as nslookup, SecretSniff and Robtex; Pipl uses a different set of sources.

Collect and document information about the company’s Internet presence. This would include:

  • Internet Service Registration – The global registration and maintenance of IP address information
  • Domain Name System – Local and global registration and maintenance of host naming
  • Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
  • Email Systems – The information contained within each email delivery process
  • Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
  • Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security
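The “Email Systems” and “Naming Conventions” items above are easiest to see on a real message: every MTA that handles a mail prepends a Received: header, and internal relays often leave RFC 1918 addresses and internal hostnames in them. The following script is an added example, not part of the original post; the message it parses is constructed for illustration (the example.com hosts and addresses are invented) and it uses only the Python standard library.

```python
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample message (not a real capture). The chain of Received:
# headers leaks a workstation name, two internal servers and RFC 1918 addresses.
SAMPLE_MESSAGE = """\
Received: from mx-out.example.com (mx-out.example.com [93.184.216.34])
    by mail.partner.test (Postfix) with ESMTPS id 1A2B3C
    for <someone@partner.test>; Tue, 01 Jan 2019 10:00:05 +0000
Received: from EXCH01.corp.example.com (10.1.2.15) by
    EDGE01.corp.example.com (10.1.2.5) with Microsoft SMTP Server
    (TLS) id 14.3.361.1; Tue, 01 Jan 2019 10:00:04 +0000
Received: from JSMITH-LT.corp.example.com ([192.168.5.77])
    by EXCH01.corp.example.com with mapi; Tue, 01 Jan 2019 10:00:03 +0000
From: John Smith <jsmith@example.com>
To: someone@partner.test
Subject: test
Message-ID: <abc123@EXCH01.corp.example.com>

hello
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9._-]+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9._-]+)", re.IGNORECASE)


def parse_received_hops(raw_message):
    """Return the Received: chain in delivery order (earliest hop first).

    MTAs prepend Received: headers, so the last header in the message is the
    first hop. Every IPv4 literal found in a hop is classified as private or not.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value))  # unfold the header
        ips = []
        for candidate in IPV4.findall(text):
            try:
                ips.append(ipaddress.IPv4Address(candidate))
            except ValueError:  # dotted version strings like 14.3.361.1 are not addresses
                continue
        from_m, by_m = FROM_HOST.search(text), BY_HOST.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "ips": [str(ip) for ip in ips],
            "internal_ips": [str(ip) for ip in ips if ip.is_private],
        })
    return hops


def leaked_internal_names(hops):
    """Hostnames seen in hops that carry a private address: these reveal the
    internal naming convention (workstation and server names)."""
    names = set()
    for hop in hops:
        if hop["internal_ips"]:
            names.update(n for n in (hop["from"], hop["by"]) if n)
    return names


def message_id_host(raw_message):
    """The host part of Message-ID is usually the originating mail server."""
    msg = message_from_string(raw_message, policy=policy.default)
    m = re.search(r"@([^>\s]+)>?\s*$", str(msg.get("Message-ID", "") or ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    hops = parse_received_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(hop)
    print("internal names:", sorted(leaked_internal_names(hops)))
    print("origin server:", message_id_host(SAMPLE_MESSAGE))
```

Run it against a message the target sent to you (a bounce, an autoresponder reply, a mailing-list post) rather than one you fetched from their site; the internal names it recovers feed directly into the naming-convention and DNS items on the list above.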

hpHosts consolidates a lot of information about web sites. vURL can be used to review the company’s web pages through proxies.

AS Numbers Query (

Retain the information for future reference.

What have others found? See Un1c0rn.

Does the NTP server report the hosts that have queried it? The mode 7 “monlist” command (ntpdc -n -c monlist <host>) returns the server’s recently seen clients on older ntpd builds (it is disabled by default from ntpd 4.2.7p26), which can be used for further network enumeration.
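To show what that query actually exchanges, here is an added example (not from the original post) that builds the mode 7 monlist request and decodes the response records as laid out in ntpd’s ntp_request.h. The response packets it parses in the test are constructed locally; the network function at the end is the only part that talks to a real server, and it assumes the target answers on UDP/123.

```python
import ipaddress
import socket
import struct

# ntpd mode 7 request: version 2, mode 7, implementation 3 (IMPL_XNTPD),
# request code 42 (REQ_MON_GETLIST_1), no data.
MONLIST_REQUEST = b"\x17\x00\x03\x2a" + b"\x00" * 4

# One info_monitor_1 record (72 bytes, network byte order): two timing fields,
# restrict bits, packet count, IPv4 client address, IPv4 local address, flags,
# client port, mode, version, v6 flag, padding, IPv6 client and local address.
ITEM_FMT = "!IIIIIIIHBBII16s16s"
ITEM_SIZE = struct.calcsize(ITEM_FMT)  # 72

IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
INFO_ERRORS = {1: "IMPL", 2: "REQ", 3: "FMT", 4: "NODATA", 7: "AUTH"}


def parse_monlist_response(packet):
    """Decode one mode 7 response datagram into (more, clients).

    `more` is True when further datagrams follow (responses are split into
    batches of six records); `clients` lists address, port, mode, version and
    packet count of each recorded client.
    """
    if len(packet) < 8:
        raise ValueError("packet shorter than the 8-byte mode 7 header")
    b0, seq, impl, reqcode, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", packet[:8])
    if not (b0 & 0x80) or (b0 & 0x07) != 7:
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or reqcode != REQ_MON_GETLIST_1:
        raise ValueError("response is for a different implementation or request")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    if err:  # e.g. NODATA when the server has no monitor data to hand out
        raise ValueError("server returned INFO_ERR_%s" % INFO_ERRORS.get(err, err))
    if itemsize != ITEM_SIZE:
        raise ValueError("unexpected item size %d" % itemsize)
    if len(packet) < 8 + nitems * itemsize:
        raise ValueError("truncated datagram")
    clients = []
    for i in range(nitems):
        off = 8 + i * itemsize
        f = struct.unpack(ITEM_FMT, packet[off:off + itemsize])
        addr = ipaddress.IPv6Address(f[12]) if f[10] else ipaddress.IPv4Address(f[4])
        clients.append({"addr": str(addr), "port": f[7], "count": f[3],
                        "mode": f[8], "version": f[9]})
    return bool(b0 & 0x40), clients


def build_monlist_response(clients, seq=0, more=False):
    """Encode a response in the same layout. Used here only to construct
    offline test data; a real ntpd produces these packets."""
    items = b""
    for addr, port, count in clients:
        items += struct.pack(ITEM_FMT, 0, 0, 0, count, int(ipaddress.IPv4Address(addr)),
                             0, 0, port, 3, 4, 0, 0, b"\x00" * 16, b"\x00" * 16)
    b0 = 0x80 | (0x40 if more else 0) | 0x17  # response bit, more bit, version 2, mode 7
    header = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         len(clients), ITEM_SIZE)
    return header + items


def query_monlist(host, timeout=2.0):
    """Send the request to UDP/123 and collect every datagram of the reply
    (network access required; patched servers answer with an error or not at all)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    clients = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, 123))
        more = True
        while more:
            data, _ = sock.recvfrom(4096)
            more, batch = parse_monlist_response(data)
            clients.extend(batch)
    finally:
        sock.close()
    return clients
```

nmap ships the same check as an NSE script (nmap -sU -p 123 --script ntp-monlist <host>); the value of writing the decoder yourself is seeing that the reply carries the client port, mode and packet count per peer, which tells you which hosts are servers syncing upstream (mode 3, high counts) and which are ordinary clients.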

– Border Gateway Protocol (BGP) Queries
– About BGP:12
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops, and to determine the origin of routes. Operators often use AS-PATHs in their route selection policy, for example to prefer a particular transit provider known to have good connectivity to AOL, or to avoid one that may have poor connectivity to them.
A good way to understand this in the real world is to use the Looking Glasses run by ISPs. For example, go to or and do a BGP query with another provider’s IP as the argument. You will see the possible paths to that IP, and the AS numbers (networks) it has to go through in order to reach it. (find target’s AS number) (query BGP via web)
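For the “find target’s AS number” step, the Team Cymru IP-to-ASN service is the usual scriptable source: the one-liner is whois -h whois.cymru.com " -v 8.8.8.8", and its bulk mode takes a list of addresses over TCP/43. The script below is an added example, not from the original post: it builds the bulk query and parses the verbose reply format (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name). The sample reply is constructed for the test (the allocation dates are invented); only lookup() touches the network.

```python
import socket

CYMRU_HOST, CYMRU_PORT = "whois.cymru.com", 43


def build_bulk_query(addresses):
    """Bulk mode: 'begin', 'verbose', one address per line, 'end'."""
    return "\n".join(["begin", "verbose", *addresses, "end"]) + "\n"


def parse_bulk_response(text):
    """Parse verbose bulk output into one record per queried address.

    A prefix originated by more than one AS (MOAS) is reported with the AS
    numbers space-separated in the first column, so 'asns' is always a list;
    unrouted addresses come back as 'NA'.
    """
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":  # banner, blank lines, column header
            continue
        asn, ip, prefix, cc, registry, allocated, as_name = fields
        records.append({
            "asns": [] if asn == "NA" else [int(a) for a in asn.split()],
            "ip": ip,
            "prefix": None if prefix == "NA" else prefix,
            "cc": cc or None,
            "registry": registry or None,
            "allocated": allocated or None,
            "as_name": as_name,
        })
    return records


def prefixes_by_asn(records):
    """Group the announced prefixes by origin AS: the target's footprint."""
    out = {}
    for r in records:
        for asn in r["asns"]:
            out.setdefault(asn, set()).add(r["prefix"])
    return out


def lookup(addresses, timeout=10.0):
    """Query whois.cymru.com over TCP/43 (network access required)."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as s:
        s.sendall(build_bulk_query(addresses).encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_bulk_response(b"".join(chunks).decode("utf-8", "replace"))


# Constructed sample in the verbose bulk format (not captured from the service).
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2019-01-01 10:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
15169   | 8.8.8.8          | 8.8.8.0/24          | US | arin     | 1992-12-01 | GOOGLE, US
15169   | 8.8.4.4          | 8.8.4.0/24          | US | arin     | 1992-12-01 | GOOGLE, US
NA      | 10.0.0.1         | NA                  |    |          |            | NA
"""

if __name__ == "__main__":
    for asn, prefixes in prefixes_by_asn(parse_bulk_response(SAMPLE_RESPONSE)).items():
        print("AS%d originates %s" % (asn, ", ".join(sorted(prefixes))))
```

Once you have the AS number, the routing registries give you the rest of its announced space (for example whois -h whois.radb.net -- '-i origin AS15169'), which is the address list you carry into the scanning phase.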

1. Reconnaissance
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

nmap (the most widely used penetration testing tool)

Metasploit framework Metasploit: A Penetration Tester’s Guide

Don’t Pick the Lock, Steal the Key – Password Auditing with Metasploit

Armitage – A GUI for Metasploit

Maligno is an open source penetration testing tool written in Python that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

SinFP3 is an operating system fingerprinting tool

Pushpin identifies every tweet, Flickr picture and YouTube video posted within an area around a specific geographic coordinate. Example usage:

python ./ -c 42.3534688,-71.0611556 --all

For latitude and longitude, see


eEye Retina

Core Impact

netcat: usable as a simple TCP port scanner (nc -z -v host 1-1024); note that a load balancer in front of the target can shape traffic and slow down scans, that is, it has IPS functions.

For more specialized penetration testing tools, see

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments.

Also consider this version of the penetration testing steps, with 10 steps instead of 5:

Find open directories with Google by searching for "Name Last modified Size Description" (the column header of an Apache autoindex page), usually combined with intitle:"index of":
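What the search returns is a mod_autoindex page, and the next step is to pull the file names, dates and sizes out of it and pick out the backups and configuration files. The following script is an added example, not from the original post; the listing it parses is constructed for illustration (no real site), and the set of “interesting” suffixes is an assumption you should tune per engagement.

```python
import re

# Constructed Apache mod_autoindex page of the kind the search above turns up.
SAMPLE_LISTING = """\
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/back.gif" alt="[PARENTDIR]"> <a href="/">Parent Directory</a>          -
<img src="/icons/compressed.gif" alt="[   ]"> <a href="db-2019-01-01.sql.gz">db-2019-01-01.sql.gz</a>  2019-01-01 03:15  4.2M
<img src="/icons/text.gif" alt="[TXT]"> <a href=".env">.env</a>  2018-12-20 11:02  312
<img src="/icons/folder.gif" alt="[DIR]"> <a href="old/">old/</a>  2018-11-02 09:40    -
<hr></pre>
</body></html>
"""

LISTING_MARKERS = ("<title>Index of ", "Parent Directory", "Last modified")

ENTRY = re.compile(
    r'<a href="([^"?][^"]*)">([^<]*)</a>\s*'   # target and text; sort links start with "?"
    r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s*'     # Last modified column
    r'([0-9.]+[KMG]?|-)?'                      # Size column, "-" for directories
)

# Assumed list of suffixes worth a second look; adjust per target.
SENSITIVE_SUFFIXES = (".sql", ".gz", ".zip", ".tar", ".bak", ".old", ".env",
                      ".conf", ".config", ".ini", ".log", ".git")


def is_listing(html):
    """Treat a page as an autoindex listing when at least two markers appear."""
    return sum(marker in html for marker in LISTING_MARKERS) >= 2


def find_listing_entries(html):
    """Extract name, modification time and size for each real entry,
    skipping the column-sort links and the parent-directory link."""
    entries = []
    for href, text, modified, size in ENTRY.findall(html):
        if text.strip() == "Parent Directory":
            continue
        entries.append({
            "name": href,
            "modified": modified or None,
            "size": size or None,
            "is_dir": href.endswith("/"),
        })
    return entries


def flag_sensitive(entries):
    """Entries whose names suggest dumps, archives, configuration or VCS data."""
    return [e for e in entries
            if e["name"].rstrip("/").lower().endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    if is_listing(SAMPLE_LISTING):
        for e in flag_sensitive(find_listing_entries(SAMPLE_LISTING)):
            print("%-24s %-16s %s" % (e["name"], e["modified"], e["size"]))
```

The directory entries (is_dir) are the ones to recurse into; a listing that contains .git/ or a database dump is usually the end of the passive phase and the point at which you stop and document, because downloading it touches the target.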

