Thursday, November 8, 2018

Information Gathering and Attack Strategies

Information gathering is the most important stage of a penetration test, so it is important that we learn to gather as much information as possible during this stage in order to plan a successful attack. In this tutorial, I will be covering some of the ways you can gather information to create an attack plan. Some of the topics I will be covering are as follows:

  • Getting a list of subdomains
  • Using Shodan for fun and profit
  • Shodan Honeyscore
  • Shodan plugins
  • Using Nmap to find open ports
  • Bypassing firewalls with Nmap
  • Searching for open directories
  • Performing deep magic with DMitry
  • Hunting for SSL flaws
  • Exploring connections with intrace
  • Digging deep with theharvester
  • Finding technology behind web applications
  • Scanning IPs with masscan
  • Sniffing around with Kismet
  • Testing routers with firewalk

Getting a list of subdomains

We don't always have a situation where a client has defined a full, detailed scope of what needs to be pentested. So we will use the following recipes to gather as much information as we can to perform a successful pentest.

1. Fierce is one of the most widely used tools and comes installed with Kali. Fierce can be used to perform a subdomain scan to reveal useful information. We can start by looking at the fierce help menu: open a terminal and type in fierce -h to see the help menu.

2. To perform a subdomain scan, type in the following command:

fierce -dns -threads 10

Example: fierce -dns -threads 10


This is a free project by Hacker Target to look up subdomains. It relies on for its results. It can also be used to get the subdomains of a website. We should always prefer to use more than one tool for subdomain enumeration, as one tool may pick up something that another failed to find.
Just type in the domain you wish to look up subdomains for and click Search to start scanning.

Using Shodan for fun and profit

1. Shodan is the world's first search engine for devices connected to the Internet. It was launched in 2009 by John Matherly. Shodan can be used to look up webcams, databases, industrial systems, video games, and many other devices. Shodan mostly collects data on the most popular services running, such as HTTP, HTTPS, MongoDB, FTP, and many more.

2. In order to use Shodan we must first create an account. So open a new browser and visit, you will see a page like the one I have below. 

3. Click the green Login or Register button on the top right corner and create an account.

4. For this tutorial, we are going to search for FTP services running on port 21. So go to the search bar and type in port:"21" and press Enter. You will see a screen similar to mine below showing you some of the FTP servers that are available with port 21 opened. 

5. You can narrow the search results down even further by specifying the country like this: port:"21" country:"IN". This will show the FTP results for India.

6. Click on the Exploits tab to see all of the potential exploits you can use against some of these servers. 

7. Now we can try the organization filter. It can be done by typing port:"21" country:"IN" org:"BSNL" as shown in the following screenshot:

Shodan has other tags that can be used to perform advanced searches, such as:

net: to scan IP ranges
city: to filter by city

More information can be found here

Shodan Honeyscore

Shodan Honeyscore is another great project built using Python. It helps us figure out whether an IP address we have is a honeypot or a real system. 

1. To use Shodan Honeyscore visit

2. Enter the IP address you want to check and click Check for Honeypot

Shodan Plugins

Shodan also has a plugin for Chrome and Firefox that can be used to check open ports for websites we visit on the go.

To get the Shodan plugin for Chrome click here. Once you have installed the plugin, just visit any website and click on the plugin icon to see information about that website.

Using Nmap To Find Open Ports

Network Mapper, or Nmap, is a security scanner written by Gordon Lyon. It is used to find hosts and services on a network. It first came out in September 1997. Nmap has various features as well as scripts to perform various tests, such as finding the OS and service versions, brute forcing default logins, and so on.

Some of the most common types of scan are:

TCP connect( ) scan
SYN stealth scan
UDP scan
Ping scan
Idle scan

How to use Nmap

1. Nmap is already installed on Kali so we only need to execute the correct command to run the tool. Open a terminal and type in

nmap -h and press Enter

You will now see a screen similar to mine below.

2. To perform a basic scan we can execute the following command

nmap -sV -Pn

3. -Pn means that we do not check whether the host is up by sending a ping request first. The -sV parameter lists the running services on the open ports that are found.

4. Another flag we can use is -A, which automatically performs OS detection, version detection, script scanning, and traceroute. The command is: nmap -A -Pn x.x.x.x

5. To scan an IP range or multiple IPs, we can use this command:
nmap -A -Pn x.x.x.0/24

Using Nmap Scripting Engine

The Nmap Scripting Engine (NSE) allows users to write their own scripts to perform different tasks automatically. These scripts run alongside the scan. They can be used to perform more effective version detection, exploitation of vulnerabilities, and so on. The command for using a script is:

nmap -Pn -sV --script dns-brute


Here the dns-brute script tries to find the available subdomains by brute forcing against a list of common subdomain names.

Bypassing firewall with Nmap

Many times during a pentest, you will come across systems that are protected by firewalls or an Intrusion Detection System (IDS). Nmap provides many different ways to bypass firewalls to perform port scans on a network. In this part of the tutorial, we will learn some of the ways to bypass firewalls.

TCP ACK scan

The ACK scan (-sA) sends acknowledgement (ACK) packets instead of SYN packets, and the firewall may not log ACK packets because it treats them as responses to SYN packets. The scan is mostly used to map the type of firewall being used.

How to perform an ACK scan

Open a terminal and type in nmap -sA

Let us look at the comparison of how a normal scan differs from an ACK scan:

ACK scan result:

Whether ports show up as filtered or unfiltered depends on whether the firewall being used is stateful or stateless. A stateful firewall checks whether an incoming ACK packet is part of an existing connection and drops it if it is not, so the port shows up as filtered during the scan. A stateless firewall, on the other hand, does not block the ACK packets, so the ports show up as unfiltered.
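The stateful check described above can be turned into a detection. The following added Python example (not code from the book or this post) replays constructed, simplified firewall log lines of the form "src dst:port flags" and flags any source that sent ACK-only packets to many ports without a preceding SYN, which is how an ACK scan looks to a defender; the log format and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: "src dst:port tcp_flags" (S = SYN, A = ACK, PA = PSH/ACK).
# 10.0.0.5 completes a normal handshake; 203.0.113.7 sends bare ACKs to six ports.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10:80 S
10.0.0.5 192.168.1.10:80 A
10.0.0.5 192.168.1.10:80 PA
203.0.113.7 192.168.1.10:22 A
203.0.113.7 192.168.1.10:23 A
203.0.113.7 192.168.1.10:25 A
203.0.113.7 192.168.1.10:80 A
203.0.113.7 192.168.1.10:443 A
203.0.113.7 192.168.1.10:8080 A
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) ([A-Z]+)$")


def find_ack_scanners(log_text, threshold=5):
    """Return {src: sorted ports} for sources that sent ACK-only packets to at
    least `threshold` distinct ports with no earlier SYN to that port.
    This mirrors what a stateful firewall does: an ACK that belongs to no
    known connection is an orphan, and many orphans across many ports is a scan."""
    seen_syn = set()                 # (src, dst, port) where a SYN was observed
    orphan_acks = defaultdict(set)   # src -> ports hit by ACKs with no prior SYN
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # ignore lines that are not in the expected format
        src, dst, port, flags = m.groups()
        key = (src, dst, int(port))
        if "S" in flags:
            seen_syn.add(key)        # connection attempt now known for this triple
        elif flags == "A" and key not in seen_syn:
            orphan_acks[src].add(int(port))
    return {src: sorted(ports) for src, ports in orphan_acks.items()
            if len(ports) >= threshold}
```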

TCP Window Scan

The Window scan (-sW) is almost the same as an ACK scan, except that it can also show open and closed ports.

How to use Nmap TCP scan

1. To run the TCP scan type in nmap -sW

where is any IP address.

Normal Scan vs. TCP Scan

TCP scan revealed much more detail compared to a normal scan.

Idle Scan

Idle scanning is an advanced technique where no packets sent to the target can be traced back to the attacker machine. This scanning technique requires a zombie host to be specified.

To use the Idle scan type in 

nmap -sI

How does Idle Scan work?

Idle scan relies on the zombie host having a predictable IPID (IP fragmentation ID). First, the IPID of the zombie host is checked, and then a connection request is spoofed from that host to the target host. If the port is open, an acknowledgment is sent back to the zombie host, which resets (RST) the connection because it has no history of opening such a connection. Next, the attacker checks the IPID of the zombie again: if it has changed by one step, it implies that an RST was received from the target; if it has changed by two steps, it means the zombie host received a packet from the target host and sent an RST in response, which implies that the port is open.
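To make the IPID arithmetic concrete, here is an added Python simulation (not code from the book or this post) of the zombie, the target and the scanner's two probes; the Zombie class, its sequential/random IP ID switch and the port states are constructed for illustration, and nothing is sent on a network. The random mode also shows why a host with randomized IP IDs (the usual mitigation on modern systems) cannot serve as a zombie.

```python
import random


class Zombie:
    """Simulated idle host. With sequential=True its IP ID goes up by one for
    every packet it sends, which is the property the idle scan depends on."""

    def __init__(self, sequential=True, seed=0):
        self.sequential = sequential
        self.rng = random.Random(seed)   # used only in the randomized mode
        self.ipid = 1000                 # constructed starting IP ID

    def send(self):
        # Every packet the zombie emits consumes one IP ID.
        self.ipid = self.ipid + 1 if self.sequential else self.rng.randrange(65536)
        return self.ipid

    def probe(self):
        # The scanner's SYN/ACK probe makes the zombie answer with a RST,
        # which reveals its current IP ID to the scanner.
        return self.send()

    def receive_synack(self):
        # Unsolicited SYN/ACK from the target: the zombie replies RST (one more IP ID used).
        self.send()

    def receive_rst(self):
        # A RST is silently ignored: no packet is sent, so the IP ID is unchanged.
        pass


def target_reply(zombie, port_open):
    # A spoofed SYN with the zombie's address reaches the target; the target
    # answers the zombie with SYN/ACK (open port) or RST (closed port).
    if port_open:
        zombie.receive_synack()
    else:
        zombie.receive_rst()


def idle_scan_port(zombie, port_open):
    """Infer the target port state from the zombie's IP ID delta, as described above."""
    before = zombie.probe()
    target_reply(zombie, port_open)
    after = zombie.probe()
    delta = (after - before) % 65536
    if delta == 1:
        return "closed|filtered"      # only our own probe consumed an IP ID
    if delta == 2:
        return "open"                 # zombie also sent a RST to the target
    return "unknown"                  # unpredictable IP ID: unusable as a zombie
```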

Searching for open directories

In the previous part of this tutorial, we discussed how to find open ports on a network IP or domain name. We often see developers running web servers on different ports. Sometimes developers may also leave directories misconfigured that may contain useful information for us. We have already covered dirsearch at the top of this tutorial; here we will look at an alternative tool to dirsearch.

The dirb Tool

The dirb tool can be used to brute force open directories. Although it is generally slow and does not support multi-threading, it is still a great way to find directories and subdirectories that may have been left open due to a misconfiguration.

How to use dirb

1. Type in the command dirb to start the search.

2. Other dirb options that can come in handy:

-a: to specify a user agent
-c: to specify a cookie
-H: to enter a custom header
-X: to specify the file extension

Performing deep magic with DMitry

The Deepmagic Information Gathering Tool (DMitry) is an open source command line tool written in C. It has the ability to gather information on subdomains, email addresses, whois info, and more.

How to use DMitry

1. In the terminal type in dmitry -h to see a list of options and what the tool can do for you.

2. Now we will try to perform an email, whois, TCP port scan, and subdomain search using the following command:

dmitry -s -e -w -p

Searching for flaws within SSL

Most web applications today use SSL to communicate with the server. sslscan is a tool to check for flaws or misconfigurations.

How to use sslscan

1. Open the terminal and type in sslscan -h to open the help menu. 

2. To run the tool against a host type in

sslscan number

example: sslscan

3. An alternative to sslscan is TLSSLed which can also be used to check for SSL vulnerabilities.

Exploring Connection With Intrace

The intrace tool is great for enumerating IP hops on existing TCP connections. It can be useful for bypassing firewalls and gathering information about a network.

How to use intrace

To use intrace type in intrace -h -p port -s SizeOfPacket

Example: intrace -h -p 443 -s 4

Information Gathering with theharvester

Theharvester is a tool that can help you gather a lot of information about a company. It can be used to find information like email accounts, subdomains, and many more. In this next tutorial, we will learn how to use theharvester to gather information about a company.

How to use theharvester

To start using theharvester open the terminal and type in 

theharvester -d domain/name -l 20 -b all

Example: theharvester -d packpub -l 10 -b linkedin

-d is for the domain name or the keyword we want to search, -l is for limiting the number of search results, and -b is the source we want the tool to use while gathering information. The tool supports Google, Google CSE, Bing, Bing API, PGP, LinkedIn, Google Profiles, people123, Jigsaw, Twitter, and Google Plus sources.

Finding the technology behind the Web Application

There is no point starting a pentest against a web application without knowing what the actual technology behind it is. For example, it would be absolutely useless to run dirsearch to look for files with the extension .php when the technology is actually ASP.NET. So, in this next tutorial, we will learn to use a simple tool called whatweb to understand the technology behind a web app. It comes by default in Kali. It can also be installed manually from the URL

How to use whatweb

1. Open a terminal, type in whatweb and press Enter

2. To scan a web application just type in whatweb

Example: whatweb

Scanning IP address with masscan

The masscan tool is a very fast port scanner. It is a good alternative to Nmap when we know exactly which ports we are looking for on a network. This tool, however, does not support default port scanning; all ports must be specified using the -p flag.

To use the tool open the terminal and type in masscan x.x.x.x/24 -p 80,443,23 (the port list must not contain spaces, or the shell will split it into separate arguments).

Example: masscan -p 80,443,23

We can also specify the packet rate using the --max-rate flag. By default, the rate is 100 packets per second. Using this flag to raise the rate is not recommended, as it will put a lot of load on the network devices.

Sniffing with Kismet

Kismet is a layer 2 wireless network detector. It comes in handy because, while performing a pentest in a corporate environment, we may need to look at wireless networks as well. Kismet can sniff 802.11a/b/g/n traffic. It works with many wireless cards that support raw monitor mode.

In this part of the tutorial, we will learn how to use Kismet to monitor Wi-Fi networks.

1. To start Kismet just type in kismet in the terminal and press Enter

Once the GUI appears, choose Yes to start the server.

2. Choose Yes again on this screen

3. Next, we need to specify a source interface, in our case it is wlan0, so we will type that in. Make sure the interface is in monitor mode before initializing it in Kismet:

4. Let Kismet scan the air for wireless networks nearby. If it picks up any, it will display them on the screen like below.

5. By default, Kismet listens on all of the channels, so you will have to specify which channel you want by selecting the entry Config Channel from the Kismet menu.

6. On this screen we can type in the channel we want Kismet to listen on.

7. Kismet also allows us to see the signal-to-noise ratio. We can see that by selecting Channel Details under the Windows menu.

8. This signal-to-noise ratio is very helpful during times of wardriving.

Testing routers with Firewalk

The firewalk tool is a network security reconnaissance tool that helps us figure out whether our routers are actually doing the job they are supposed to do. It attempts to find out what protocols a router or firewall will allow and what it will block.

This tool is useful during pentesting because it verifies and validates firewall policies in a corporate environment.

How to use Firewalk

1. We have to install firewalk because it is not installed by default on Kali. To install firewalk open the terminal and type in apt-get install firewalk and press Enter

2. To run firewalk simply type in 

firewalk -S 1-23 -i eth0

-i specifies the network interface, -S specifies the port numbers we want to test, and the next two arguments are the router's IP address and the IP address of the host we want to check against our router.

By Himanshu Sharma - Kali Linux - An Ethical Hacker's Cookbook


  1. Well, thanks for copy pasting the second chapter from my book "Kali Linux - An Ethical Hacker's Cookbook". I would really appreciate if you could give some credits to the original author too.