Ciphers Security Ethical Hacking Information Gathering Best Information Gathering Tools
Information Gathering Tools

Best Information Gathering Tools

Hello there, today we are going to discuss some of the best information-gathering tools used for gathering information from other sources. I am not ranking them but showing you guys how they work and why I chose them as the best tools, but I didn’t give them any ranking that this is top or down. you can decide what tools are giving you the best-gathered information and rank them as your wise list.

Let me clear you guys in this article we will discuss many things like what is information gathering, what to do with the gathered information, how gathering information helps us to understand targets, and what types of attacks we can do with the gathered information.

this article was created in the context of my own experience with cybersecurity. this will help you in gathering information about someone by using tools on Linux and then find bugs in their system with that information.

Tools for Information Gathering

There are many tools available for gathering different types of information for different types of attacks. But here we will discuss some common tools and their techniques to gather more useful information about your target. And the tools we are going to discuss will help you with passive information gathering of someone’s individual or organization.

We will discuss here some system tools and some online tools to gather information

Tools for information gathering are

  1. nslookup
  2. theHarvester
  3. Knockpy
  4. Maltego

Online tools to gather information are

  1. whois domain tools
  2. Netcraft
  3. Who.is
  4. robtex

Information gathering with nslookup

nslookup is a command-line tool that is used for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record. It is available on most operating systems, including Windows, macOS, and Linux.

nslookup can gather 3 types of information for you, the IP address of the Domain, nameserver details of the domain, and mail server details of the domain.

for getting the IP address of any domain

nslookup [domain-name]

To find the IP address of the domain name “example.com”, you would type nslookup example.com and press enter. The nslookup tool will then query the DNS and display the corresponding IP address on the screen.

Example:-

└─$ nslookup testfire.net 
Server:         10.0.2.3     || your machine IP
Address:        10.0.2.3#53  || your address

Non-authoritative answer: 
Name:   testfire.net 
Address: 65.61.137.117       || IP of testfire.net
└─$ nslookup testphp.vulnweb.com  
Server:         10.0.2.3     || your machine IP
Address:        10.0.2.3#53  || your address

Non-authoritative answer: 
Name:   testphp.vulnweb.com 
Address: 44.228.249.3   || IP of testphp.vulnweb.com

Now here we’re getting the IP address of testfire.net (domain) as 65.62.137.117 and in the above, the IP address 10.0.2.3 is of our Kali machine so don’t get confused with both IPs. Here we are using nslookup to resolve the IP address of any domain.

For getting nameserver details of any domain

nslookup -type=ns [domain-name]

To find the name server of the particular domain name “example.com” you would type nslookup -type=ns and press enter. This will return the nameserver details for the specified domain. For example, if you want to get the nameserver details for the domain testfire.net, you would use the following command:

└─$ nslookup -type=ns testfire.net        
Server:         10.0.2.3 
Address:        10.0.2.3#53 

Non-authoritative answer: 
testfire.net    nameserver = usc3.akam.net. 
testfire.net    nameserver = asia3.akam.net. 
testfire.net    nameserver = ns1-99.akam.net. 
testfire.net    nameserver = eur2.akam.net. 
testfire.net    nameserver = ns1-206.akam.net. 
testfire.net    nameserver = usw2.akam.net. 
testfire.net    nameserver = usc2.akam.net. 
testfire.net    nameserver = eur5.akam.net. 

Authoritative answers can be found from: 
eur2.akam.net   internet address = 95.100.173.64 
eur5.akam.net   internet address = 23.74.25.64 
usc2.akam.net   internet address = 184.26.160.64 
usc3.akam.net   internet address = 96.7.50.64 
usw2.akam.net   internet address = 184.26.161.64 
asia3.akam.net  internet address = 23.211.61.64 
ns1-99.akam.net internet address = 193.108.91.99 
ns1-99.akam.net has AAAA address 2600:1401:2::63 
ns1-206.akam.net        internet address = 193.108.91.206 
ns1-206.akam.net        has AAAA address 2600:1401:2::ce 

Attacks with exposed nameserver details

Having the nameserver details for a domain exposed can potentially allow an attacker to perform various types of attacks. For example, an attacker may be able to use the nameserver details to:

  • Perform DNS spoofing attacks, where they can redirect traffic intended for the target domain to a different server that they control. This can allow the attacker to steal sensitive information, such as login credentials, or to serve malicious content to users who visit the target domain.
  • Launch a distributed denial of service (DDoS) attack, where the attacker sends a large volume of traffic to the nameservers in an attempt to overwhelm them and make the target domain unavailable.
  • Conduct DNS cache poisoning attacks, where the attacker modifies the DNS records in the cache of a nameserver in order to redirect traffic intended for the target domain to a different server that they control. This can allow the attacker to serve malicious content to users who visit the target domain.
  • Perform a Zone transfer attack, where an attacker who is able to perform a successful zone transfer can gain access to the DNS records for a domain, which may include sensitive information such as the IP addresses of the servers that host the domain.

For getting mail server details of any domain

nslookup -type=mx [domain-name]

To find the mail server of the particular domain name “example.com” you would type nslookup -type=mx and press enter. This will return the mail server details for the specified domain. For example, if you want to get the mail server details for the domain, example.com, you would use the following command:

└─$ nslookup -type=mx gmail.com  
Server:         10.0.2.3 
Address:        10.0.2.3#53 

Non-authoritative answer: 
gmail.com       mail exchanger = 5 gmail-smtp-in.l.google.com. 
gmail.com       mail exchanger = 10 alt1.gmail-smtp-in.l.google.com. 
gmail.com       mail exchanger = 30 alt3.gmail-smtp-in.l.google.com. 
gmail.com       mail exchanger = 40 alt4.gmail-smtp-in.l.google.com. 
gmail.com       mail exchanger = 20 alt2.gmail-smtp-in.l.google.com. 

Authoritative answers can be found from: 
gmail.com       nameserver = ns1.google.com. 
gmail.com       nameserver = ns3.google.com. 
gmail.com       nameserver = ns2.google.com. 
gmail.com       nameserver = ns4.google.com. 

Attacks with exposed Mail records details

There are several potential attacks that a malicious actor could perform with access to exposed email records. Here are a few examples:

  1. Spamming: The attacker could use the email addresses to send large volumes of spam or phishing emails. This could inundate the victims’ inboxes with unwanted messages and potentially trick them into divulging sensitive information.
  2. Spear phishing: The attacker could use the information in the email records to craft targeted phishing emails that appear to come from a trusted source. This could make the emails more convincing and increase the likelihood of victims falling for the scam.
  3. Social engineering: The attacker could use the information in the email records to try to gain the trust of the victims and then trick them into divulging sensitive information. This could be done through email, phone, or in-person interactions.
  4. Identity theft: The attacker could use the information in the email records to steal the victims’ identities and commit financial fraud or other crimes.
  5. SMTP open relay: An SMTP open relay is a type of vulnerability in an email server that allows unauthorized users to send messages through the server. This is a serious security issue because it can be exploited by attackers to send spam or phishing emails, potentially on a large scale.

Information gathering with theHarvester tool

theHarvester is a popular open-source tool used for information gathering and reconnaissance in the initial phase of a penetration testing or red teaming engagement. It can be used to gather email addresses, subdomains, and hostnames related to a specific domain. This information can then be used to identify potential targets and vulnerabilities in the organization’s network.

It can be used to gather various types of information related to a specific domain, including:

  1. Email addresses: theHarvester can search public sources such as search engines and social media networks to find email addresses associated with the target domain.
  2. Subdomains: theHarvester can use DNS records and other public sources to identify subdomains of the target domain.
  3. Hostnames: theHarvester can use DNS records and other public sources to identify hostnames associated with the target domain.
  4. IP addresses: theHarvester can use DNS records and other public sources to identify IP addresses associated with the target domain.

Basic Syntax for information gathering with theHarvester

theharvester -d [domain] -b [source] -l [limit] -f [file]

theHarvester -d [domain] -l [limit] -S[start from port\dns]

Check That theHarvester tool is installed or not by running these command

└─$ theHarvester                               
*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.2.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v]
                    [-e DNS_SERVER] [-r] [-n] [-c] [-f FILENAME] [-b SOURCE]
theHarvester: error: the following arguments are required: -d/--domain

Let’s try it by giving a random target to it:-

└─$ theHarvester -d testfire.net -b bing -l 200
*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.2.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************

[*] Target: testfire.net 

        Searching 0 results.
[*] Searching Bing. 
                                                                                                          
[*] No IPs found.                                                                                         
                                                                                                          
[*] No emails found.                                                                                      
                                                                                                          
[*] Hosts found: 2                                                                                        
---------------------                                                                                     
demo.testfire.net:65.61.137.117                                                                           
www.testfire.net:65.61.137.117                                                                            
                                      

Here theHarvester returns you the details of the domain testfire.net from the Bing search engine. Here it is showing only hosts were found in the search.

Note:- in the recent update of theHarvester tool they removed the source google. So here now we can’t able to get results from Google searches.

Kockpy Tool for passive information gathering

Knockpy is a Python-based tool used for information gathering and reconnaissance. It is specifically designed to enumerate subdomains on a target domain by using a variety of techniques, including DNS brute-forcing, permutation generation, and Google scraping.

Knockpy can be used to quickly identify subdomains that may be vulnerable to attack, allowing security researchers and penetration testers to focus their efforts on the most promising targets. Additionally, Knockpy can also be used to perform basic information gathering on a target domain, such as identifying the DNS server and MX records. Overall, Knockpy is a powerful and effective tool for information gathering and reconnaissance.

For installing knockpy click here

The basic syntax for knockpy.py:-

python3 knockpy.py [domain-name]

Knockpy v5.3.0

  _  __                 _                
 | |/ /                | |   v5.3.0            
 | ' / _ __   ___   ___| | ___ __  _   _ 
 |  < | '_ \ / _ \ / __| |/ / '_ \| | | |
 | . \| | | | (_) | (__|   <| |_) | |_| |
 |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
                            | |     __/ |
                            |_|    |___/ 

Let’s try to gather information on the target domain testfire.net

└─$ python3 knockpy.py testfire.net

  _  __                 _                
 | |/ /                | |   v5.3.0            
 | ' / _ __   ___   ___| | ___ __  _   _ 
 |  < | '_ \ / _ \ / __| |/ / '_ \| | | |
 | . \| | | | (_) | (__|   <| |_) | |_| |
 |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
                            | |     __/ |
                            |_|    |___/ 

local: 10757 | google: 4 | duckduckgo: 1 | virustotal: 0 
                                                                                                           
Wordlist: 10762 | Target: testfire.net | Ip: 65.61.137.117 
                                                                                                           
08:21:59

Ip address      Code Subdomain                            Server                               Real hostnam
--------------- ---- ------------------------------------ ------------------------------------ ------------
65.61.137.117   200  altoro.testfire.net                  Apache-Coyote/1.1                                
65.61.137.117   200  demo.testfire.net                    Apache-Coyote/1.1                                
65.61.137.117   200  demo2.testfire.net                   Apache-Coyote/1.1                                
65.61.137.117   200  evil.testfire.net                    Apache-Coyote/1.1                                
65.61.137.117   200  ftp.testfire.net                     Apache-Coyote/1.1                    testfire.net
65.61.137.117   200  localhost.testfire.net               Apache-Coyote/1.1                                
65.61.137.117   200  www.testfire.net                     Apache-Coyote/1.1                    testfire.net
                                                                                                           
08:23:01                                                                                                   
                                                                                                           
Ip address: 1 | Subdomain: 7 | elapsed time: 00:01:02 

here we got some information about the target’s IP address, subdomain, server version and type, and hostname

Maltego for information gathering

maltego

Maltego is a tool used for information gathering and analysis. It is specifically designed to visualize complex relationships between entities on a network, such as individuals, organizations, websites, and infrastructure. Maltego uses a concept called “transforms” to gather data from various sources and transform it into a visual graph, allowing users to easily identify and analyze patterns and connections.

Maltego can be used for various types of information gathering, including open-source intelligence (OSINT), cyber threat intelligence (CTI), and social network analysis (SNA). It allows users to quickly and easily gather and analyze data from a variety of sources, including social media, the Dark Web, and public databases.

Online tools for information gathering

whois domain tools

WHOIS is a network protocol used to query databases that store information about registered domain names and their associated owners or administrators. The WHOIS protocol allows users to query a WHOIS server to obtain information about a specific domain name, such as the registered owner, contact information, and the domain’s expiration date.

Netcraft

Netcraft also offers a range of other online tools and services, including a phishing site reporting service, a website attack detection service, and an SSL certificate monitoring service. These tools are used by businesses, security researchers, and individuals to protect their web-based assets and ensure the security of their online presence.

The Netcraft Toolbar is available for the Chrome, Firefox, and Safari web browsers, and can be installed as an extension from the respective browser’s app store.

Who.is

The website “who.is” is a service that provides a user-friendly interface for performing whois lookups. With this website, users can enter a domain name or IP address and the website will display the information that is associated with it. This can be useful for quickly looking up information about a domain without having to use the whois command on the command line. However, please note that the information provided by “who.is” may not be as comprehensive or up-to-date as the information provided by the official registrar or registry for a given domain.

Robtex

Robtex is a website that provides a variety of online tools and services related to networking and security. Some of the services offered by Robtex include DNS lookup, whois lookup, and IP address lookup. The website also provides information about internet infrastructures, such as data center locations and network topology. Additionally, Robtex offers security tools, such as a port scanner and a password checker, to help users ensure the safety of their online accounts and networks. Overall, Robtex is a useful resource for those who work in the fields of networking, security, and internet infrastructure.

If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.

Connect with us on these platforms

Exit mobile version