Active and Passive Information Gathering Techniques — Part 3

Active Information Gathering

In active information gathering we collect information about targets by interacting with them directly, for example through DNS enumeration, port scanning and OS fingerprinting. Unlike passive information gathering, doing this without authorization can be illegal, so it belongs only within the agreed scope of an engagement. As with passive information gathering, the goal is to collect as much information about the target as possible.

Port Scanning - Nmap/Zenmap

Nmap is the most popular port scanner available. It offers many different scanning techniques including:

Host Discovery
TCP ports
UDP ports
Other IP Protocols

Because of firewalls and hardening on the target operating system, some scan results may be inaccurate: a port reported as filtered or open|filtered may simply be one whose probes were dropped, and a service may deliberately answer probes misleadingly.

Scan for TCP Ports

SYN scan (half-open scan, the default when running as root because it needs raw sockets; the handshake is never completed, so the application behind the port usually does not log the connection): root@kali:~# nmap -sS

FIN scan (sends a bare FIN; a closed port answers with RST while an open port stays silent, so open ports are reported as open|filtered; it only works against RFC 793 compliant stacks, since Windows answers RST on every port): root@kali:~# nmap -sF

ACK scan (does not identify open ports at all; it maps firewall rules by showing which ports are filtered and which are unfiltered): root@kali:~# nmap -sA

TCP connect() scan (completes the full three-way handshake through the operating system's socket API; works without root privileges but is noisier and shows up in the service's logs): root@kali:~# nmap -sT

Scan for UDP Ports

The -sU option sends an empty UDP packet (or a protocol-specific payload for a few well-known ports) and waits for a reply. An ICMP port unreachable message (type 3, code 3) means the port is closed; a UDP reply means it is open; no reply at all is reported as open|filtered, because a firewall dropping the probe looks exactly like a service that ignores empty packets. Most systems rate-limit ICMP unreachable messages, so scanning many UDP ports is slow; combine -sU with -sV to confirm which open|filtered ports actually have a service behind them.

root@kali:~# nmap -sU

Scan for Protocols

The -sO protocol scan does not look at ports at all: it cycles through IP protocol numbers (TCP, UDP, ICMP, IGMP and so on) in the IP header and reports which protocols the target accepts. An ICMP protocol unreachable reply marks a protocol as closed; no reply means open|filtered.

root@kali:~# nmap -sO

Determine Service Applications

Version detection (-sV) connects to each open port and sends probes to identify the application and its version, instead of relying on the port number alone. The older RPC scan (-sR), which enumerated SunRPC programs, has been merged into version detection, and in current Nmap releases -sR is simply an alias for -sV.

root@kali:~# nmap -sR

root@kali:~# nmap -sV

Identify a host’s OS (OS Fingerprinting)

-O sends a series of TCP, UDP and ICMP probes and compares the responses with Nmap's OS fingerprint database. It needs raw-socket privileges and works best when the target has at least one open and one closed TCP port; without that, Nmap prints a warning and the guess is less reliable.

root@kali:~# nmap -O
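A worked example added here (not from the original article): a short Python script that reads Nmap's XML output (-oX) and separates the ports the scanner positively saw as open from the filtered and open|filtered ones that still need follow-up. The XML below is a constructed sample with an invented host, ports and version strings, shaped like real Nmap output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -sS -sU -sV -O -oX - <target>),
# trimmed to the elements this example reads. Host, ports and versions are
# invented for illustration.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX - 10.0.0.5" version="7.94">
<host>
<status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
  <service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
  <service name="snmp" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="closed" reason="port-unreach"/>
  <service name="domain" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.4" accuracy="96"/></os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned host: address, hostname, best OS guess and
    the list of ports with state, the reason Nmap gives for that state, and
    the service/version where -sV was able to probe it."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        ports = []
        for p in host.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed": -sV really talked to the service;
                # method="table": the name is only Nmap's port-number guess.
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({
            "address": addr,
            "hostname": hn.get("name") if hn is not None else None,
            "os": (osm.get("name"), int(osm.get("accuracy"))) if osm is not None else None,
            "ports": ports,
        })
    return hosts


def confirmed_open(host):
    """Ports Nmap positively saw as open (SYN/ACK received or service probed)."""
    return [p for p in host["ports"] if p["state"] == "open"]


def needs_follow_up(host):
    """TCP filtered and UDP open|filtered ports: Nmap got no answer, so a
    firewall may be dropping probes. Re-scan these with -sV and --reason
    rather than reporting them as open."""
    return [p for p in host["ports"] if p["state"] in ("open|filtered", "filtered")]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["address"], h["hostname"], h["os"])
        for p in confirmed_open(h):
            print("  open  ", p["proto"], p["port"], p["service"], p["product"], p["version"])
        for p in needs_follow_up(h):
            print("  unsure", p["proto"], p["port"], p["state"], "reason:", p["reason"])
```

The split matters in reporting: only the confirmed list belongs in a findings table, and the follow-up list is where the firewall caveat above shows up in practice.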

DNS Enumeration - dnsenum

DNSenum is a Perl script designed to enumerate the DNS information of a domain. Its operations, as listed in its own help text:

Get the host’s addresses (A record)
Get the nameservers
Get the MX records
Try zone transfers against every nameserver found
Get the BIND version
Get extra names and subdomains via Google scraping
Brute force subdomains from a wordlist, optionally recursing into subdomains that have their own NS records
Perform reverse lookups on the discovered netranges
Write the discovered IP blocks to domain_ips.txt

dnsenum --enum

The --enum shortcut is equivalent to --threads 5 -s 15 -w (five threads, 15 Google-scraped results and WHOIS queries on the netranges). The zone-transfer attempt is the step worth watching: a nameserver that allows AXFR to anyone hands over the whole zone in a single query.
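The following Python example is added here and is not part of dnsenum; it reproduces two of the operations above, wordlist brute forcing of subdomains (with a wildcard check, since a wildcard zone would otherwise turn every word into a hit) and reverse lookups over the netblocks the hits fall into. The resolver functions are injectable so the demo runs offline against a constructed fake zone; with the defaults it performs real socket lookups. The domain, names and addresses are invented.

```python
import ipaddress
import socket


def default_resolve(name):
    """Forward lookup: the IPv4 address, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def default_reverse(ip):
    """Reverse (PTR) lookup: the hostname, or None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def brute_subdomains(domain, wordlist, resolve=default_resolve, wildcard_check=True):
    """Try <word>.<domain> for every word and return {name: ip} for the ones
    that resolve. A wildcard zone answers every name with the same address,
    so a nonsense label is probed first and its address is discarded."""
    wildcard_ip = resolve("zz-nonexistent-probe-7f3a." + domain) if wildcard_check else None
    found = {}
    for word in wordlist:
        word = word.strip()
        if not word:
            continue
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip and ip != wildcard_ip:
            found[name] = ip
    return found


def ip_blocks(addresses, prefix=24):
    """Collapse the discovered addresses into /prefix netblocks worth walking."""
    return sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in addresses})


def reverse_range(cidr, reverse=default_reverse):
    """PTR-walk one netblock (dnsenum's reverse lookups on netranges)."""
    found = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        name = reverse(str(ip))
        if name:
            found[str(ip)] = name
    return found


# Constructed fake zone so the demo runs offline; every entry is invented.
FAKE_FORWARD = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "vpn.example.test": "198.51.100.7",
}
FAKE_REVERSE = {
    "203.0.113.10": "www.example.test",
    "203.0.113.25": "mail.example.test",
    "203.0.113.26": "mail2.example.test",  # not in the wordlist; only the reverse walk finds it
}
WORDLIST = ["www", "mail", "ftp", "vpn", "dev", ""]


def demo():
    """Brute force, collapse the hits into /24s, then PTR-walk those /24s."""
    found = brute_subdomains("example.test", WORDLIST, resolve=FAKE_FORWARD.get)
    blocks = ip_blocks(found.values())
    extra = {}
    for block in blocks:
        extra.update(reverse_range(block, reverse=FAKE_REVERSE.get))
    return found, blocks, extra


if __name__ == "__main__":
    found, blocks, extra = demo()
    print("brute force :", found)
    print("netblocks   :", blocks)
    print("reverse walk:", extra)
```

Against a real domain, replace the fake resolvers with the defaults and rate-limit the loop; a thousand-word list against a recursive resolver you do not own is noisy and slow, which is exactly why dnsenum exposes a thread count.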


Netcat

Netcat is often called the Swiss-army knife of information security. Beyond the raw TCP and UDP connections it was built for, it is used for chatting between two hosts, file transfer, port scanning, banner grabbing, opening remote shells and even setting up a simple honeypot.

Banner Grabbing

System administrators often use service banners to inventory the systems and services on a network; the banner identifies the running service and usually its version number. Banner grabbing retrieves this information from a service listening on an open port, and during a penetration test it feeds the vulnerability assessment, since a version string can be matched directly against known vulnerabilities. With Netcat we make a raw connection to the specified host and port; when the service sends a banner on connect, it is printed to the console.

nc [ip address] [port]

nc 21

Web server interaction

Netcat can also be used to interact with web servers by typing HTTP requests by hand.

nc 80

A web server says nothing until the client speaks, so after connecting, type the request line and press Enter twice: the empty line terminates the headers, and without it the server just waits. To retrieve the top-level page we issue:

nc 80
GET / HTTP/1.0

The Server header in the response is the banner of interest; a HEAD request in place of GET returns the headers without the page body.
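An added Python example, not from the original article, that performs the same two exchanges in code: a banner grab (connect and say nothing) and a hand-built GET / HTTP/1.0 request. It starts throwaway listeners on 127.0.0.1 standing in for an FTP server and a web server so that it runs offline; the greeting and the Server header strings are constructed.

```python
import socket
import threading


def start_fake_service(greeting=b"", responder=None):
    """Local stand-in for a target so the example runs offline.
    greeting: bytes sent as soon as a client connects (FTP/SMTP/SSH style).
    responder: optional callable(request_bytes) -> reply_bytes for services
    that wait for the client to speak first (HTTP style).
    Returns the ephemeral port it listens on (127.0.0.1 only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if greeting:
                        conn.sendall(greeting)
                    if responder is not None:
                        conn.settimeout(1.0)
                        req = b""
                        while b"\r\n\r\n" not in req:   # headers end at the blank line
                            chunk = conn.recv(4096)
                            if not chunk:
                                break
                            req += chunk
                        conn.sendall(responder(req))
                except OSError:
                    pass  # client went away or never spoke; serve the next one

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=3.0):
    """What `nc host port` shows for a chatty service: connect, send nothing,
    return whatever the server volunteers. An empty string means the service
    expects the client to talk first (HTTP, for example)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024).decode("latin-1").strip()
        except socket.timeout:
            return ""


def http_get(host, port, path="/", timeout=3.0):
    """The manual `nc host 80` + `GET / HTTP/1.0` exchange. The blank line
    after the headers is mandatory; without it the server keeps waiting."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:          # HTTP/1.0: server closes after the response
                break
            chunks.append(chunk)
    raw = b"".join(chunks).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


# Constructed replies for the fake services; the version strings are invented.
FTP_GREETING = b"220 ftp.example.test FTP server (vsFTPd 3.0.3) ready\r\n"


def fake_web_responder(request):
    return (b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\n"
            b"Content-Type: text/html\r\n\r\n<html>hello</html>")


if __name__ == "__main__":
    ftp_port = start_fake_service(greeting=FTP_GREETING)
    web_port = start_fake_service(responder=fake_web_responder)
    print("ftp banner :", grab_banner("127.0.0.1", ftp_port))
    status, headers, _ = http_get("127.0.0.1", web_port)
    print("http status:", status, "| server:", headers.get("server"))
    print("http banner:", repr(grab_banner("127.0.0.1", web_port, timeout=0.5)))
```

The empty result from grab_banner against the web port is the same silence you see with nc before typing the request line, which is why HTTP needs the second, request-driven approach.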

File transfers with Netcat

The receiving side listens (-l) on a port (-p), verbosely (-v), and redirects whatever arrives to a file:

nc -lvp 8080 > receive.txt

nc -lvp 8080 > /root/Desktop/transfer.txt

The sending side connects to that port and feeds the file on standard input; the transfer ends when the input is exhausted and the sender closes the connection:

nc 8080 < /root/Desktop/transfer.txt

Nothing here is authenticated, encrypted or integrity-checked: whoever connects to the listener first writes the file, and the bytes cross the network in the clear. Compare a hash of both copies afterwards and tear the listener down as soon as the transfer finishes.
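Added example (not the article's own code): the same push-style transfer in Python, with the integrity check nc does not give you. The listener mirrors nc -lvp PORT > file and the sender mirrors nc HOST PORT < file, both on 127.0.0.1; the payload is random constructed data written to a temporary directory.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def start_receiver(dest_path):
    """Receiver side, equivalent to `nc -lvp PORT > dest_path`: accept one
    connection and write every byte to dest_path until the sender closes.
    Returns (port, done_event); wait on the event before trusting the file."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    done = threading.Event()

    def run():
        conn, _ = srv.accept()
        with conn, open(dest_path, "wb") as out:
            while True:
                chunk = conn.recv(65536)
                if not chunk:          # EOF: sender shut down its write side
                    break
                out.write(chunk)
        srv.close()                    # one transfer only; do not keep listening
        done.set()

    threading.Thread(target=run, daemon=True).start()
    return port, done


def send_file(host, port, src_path):
    """Sender side, equivalent to `nc HOST PORT < src_path`."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)     # signal EOF so the receiver knows it is done


def transfer_and_verify(src_path, dest_path, timeout=10.0):
    """Push src_path over the loopback and check the copy is bit-identical."""
    port, done = start_receiver(dest_path)
    send_file("127.0.0.1", port, src_path)
    if not done.wait(timeout):
        return False
    return sha256_file(src_path) == sha256_file(dest_path)


def demo_transfer(size=1_000_000):
    """Round-trip a constructed random file and report (ok, src size, dst size, digest)."""
    workdir = tempfile.mkdtemp(prefix="nc-demo-")
    src = os.path.join(workdir, "transfer.bin")
    dst = os.path.join(workdir, "receive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(size))      # constructed payload
    ok = transfer_and_verify(src, dst)
    return ok, os.path.getsize(src), os.path.getsize(dst), sha256_file(dst)


if __name__ == "__main__":
    ok, src_size, dst_size, digest = demo_transfer()
    print("identical:", ok, "| bytes:", src_size, "->", dst_size, "| sha256:", digest)
```

The shutdown(SHUT_WR) call is the part people forget when scripting this: without it the receiver never sees EOF, exactly like an nc listener that hangs after the last byte because the sender's stdin was a terminal rather than a file.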

The Harvester

The objective of this tool is to gather e-mail addresses, subdomains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the Shodan search engine.


Metagoofil

Metagoofil is an information gathering tool that extracts metadata from documents published by the target: Word, Excel and PowerPoint files, PDFs and other formats. It uses search engines to find the files on the target's domain, downloads them and reads out author names and usernames, software names and versions, and internal paths and server names, all of which feed the later phases of a penetration test.

Search a domain (-d, followed by the domain) for PDF files (-t pdf), looking through 100 search results (-l 100), downloading at most 25 of the files (-n 25), saving the downloads to the directory kalipdf (-o kalipdf) and writing the report to kalipdf.html (-f kalipdf.html):

metagoofil -d -t pdf -l 100 -n 25 -o kalipdf -f kalipdf.html
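As an added example (not Metagoofil's code), the extraction step it performs once the files are downloaded: the information dictionary of a PDF and the docProps parts of a Word, Excel or PowerPoint file, aggregated into the user names and software versions an attacker is after. The PDF and .docx inputs are constructed inside the script, with invented names and versions.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

PDF_INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer", "CreationDate", "ModDate")


def pdf_metadata(data):
    """Read the document information dictionary out of a PDF. Only literal
    strings such as /Author (jsmith) are handled, which is what office
    software writes; hex strings and compressed object streams are out of
    scope for this example."""
    found = {}
    for key in PDF_INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
        if m:
            value = re.sub(rb"\\([()\\])", rb"\1", m.group(1))   # unescape \( \) \\
            found[key] = value.decode("latin-1")
    return found


OOXML_NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}


def ooxml_metadata(data):
    """docx/xlsx/pptx are zip files: authorship lives in docProps/core.xml,
    the generating software in docProps/app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for label, path in (("creator", "dc:creator"),
                                ("lastModifiedBy", "cp:lastModifiedBy"),
                                ("created", "dcterms:created")):
                el = core.find(path, OOXML_NS)
                if el is not None and el.text:
                    found[label] = el.text
        if "docProps/app.xml" in names:
            for el in ET.fromstring(z.read("docProps/app.xml")):
                tag = el.tag.rsplit("}", 1)[-1]
                if tag in ("Application", "AppVersion", "Company") and el.text:
                    found[tag] = el.text
    return found


def summarize(documents):
    """Aggregate a document haul into account names (phishing, password
    spraying) and software versions (matching against known vulnerabilities)."""
    users, software = set(), set()
    for _name, data in documents:
        meta = pdf_metadata(data) if data.startswith(b"%PDF") else ooxml_metadata(data)
        users.update(meta[k] for k in ("Author", "creator", "lastModifiedBy") if k in meta)
        software.update(meta[k] for k in ("Creator", "Producer", "Application", "AppVersion") if k in meta)
    return {"users": sorted(users), "software": sorted(software)}


# Constructed minimal PDF: no pages, just an Info dictionary. Names are invented.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Budget) /Author (jsmith) /Creator (Microsoft Word 2016)
 /Producer (Acrobat Distiller 11.0 \\(Windows\\)) /CreationDate (D:20230914101500Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""


def build_sample_docx():
    """Constructed .docx containing only the two metadata parts a real Word
    file carries (no document body); every value is invented."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            '<dc:creator>mjones</dc:creator><cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
            '<dcterms:created>2023-09-01T08:12:00Z</dcterms:created>'
            '</cp:coreProperties>').format(**OOXML_NS)
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
           '<Company>Example Corp</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    haul = [("budget.pdf", SAMPLE_PDF), ("memo.docx", build_sample_docx())]
    print(summarize(haul))
```

The lastModifiedBy value in the constructed .docx shows why this matters: a DOMAIN\user string in a public document leaks both the Active Directory domain name and a valid account name format.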




Kalpa Kalhara Sampath
Cyber Security Researcher, Academic, Ethical Hacking and Digital Forensic Trainer, Cisco Network Academy Instructor