Information Gathering

Mostafa Elguerdawi
3 min readSep 26


Hello hackers, I’m Mostafa Elguerdawi this will be first write-up about Penetration Testing series.

In this Write-up we will talk about first phase in pentesting, Information gathering.

Information Gathering

  • Information gathering and Footprinting is a first step that an attacker collect information about his/her target.

What Is Network Footprinting?

  • It’s a process about identify and understanding the security risks in organization.
  • There is two types of Information gathering, Active and Passive
  • Active footprinting is about collect data about target with interact with target
  • Passive footprinting is the opposite, its about collect data without direct interaction with target like information in public search engines.

What Is Reconnaissance?

  • Step that attacker collect data about target system, This include Active(target infrastructure) and Passive(public resources).
  • Footprinting is a part of Reconnaissance.
  • Data can be collected from Reconnaissance such as : Employees details(emails, phone numbers, social media accounts), Network infrastructure(network type such as LAN,MAN, and WAN, IP address range), Domain Information(Registrar, Registration Date, Expiry Date).

Footprinting Methodology

  • First step is to identify the Objective of the assessment like for security assessment and risk analysis.
  • After identify the goal of this assessment, Second we need to start to collect data.

Domain Information

  • In this step we start to get information about domain like owner of the domain, IP Address, Registrar, Registration and Expiry Date.
  • We can use WHOIS to get information about the Domain.
  • WHOIS is an internet protocol that display and search information about domain name from Registrars worldwide.

DNS Footprinting

  • DNS Footprinting is a technique that is used by an attacker to gather DNS information about the target system. DNS Footprinting allows the attacker to obtain information about the DNS Zone Data
  • There is some records that we can find from DNS Footprinting like A, MX, and CNAME.
  • A record is the IPv4 for the target
  • MX is the mail server record specifies an SMTP email server
  • CNAME alias record used to alias a hostname to another hostname
  • We can use some tools for DNS Footprinting like host, nslookup, and dig.
  • Subdomains: Enumerate any subdomains discovered we can use dnsenum tool
  • Associated Services: Identify any services or applications linked to DNS records, this will be done with some tools, First we need to get domain A record using host tool, then scan this IP using tool like nmap.

Web Footprinting

  • Detail the results of web footprinting, such as:
  • Web Server Information: We can do that with a lot of methods like HTTP Headers using command curl -I or using nmap scan, netcat(nc <http-port>).
  • Directory and File Structure using web archive or Fuzzing directory using ffuf tool.
  • Technologies in Use: List content management systems (CMS), frameworks, or scripting languages used, We can do that using web extension like wapalyzer, OR using some tools like whatweb and WafW00f.
  • Extract Metadata from web pages, if available, We can use this code:
import requests
from bs4 import BeautifulSoup

# Replace with the URL of the web page you want to extract metadata from
url = input("Enter URL >>> ")

# Send an HTTP GET request to the URL
response = requests.get(url)

# Check if the request was successful
if response.status_code == 200:
# Parse the HTML content of the web page
soup = BeautifulSoup(response.text, "html.parser")

# Extract metadata tags such as <title>, <meta>, etc.
title = soup.find("title").text.strip() if soup.find("title") else None
description = soup.find("meta", {"name": "description"})["content"] if soup.find("meta", {"name": "description"}) else None
keywords = soup.find("meta", {"name": "keywords"})["content"] if soup.find("meta", {"name": "keywords"}) else None

# Print or use the extracted metadata
print(f"Title: {title}")
print(f"Description: {description}")
print(f"Keywords: {keywords}")

print(f"Failed to retrieve the web page. Status code: {response.status_code}")

Network and WHOIS Enumeration

  • Network Range and CIDR: Using this Site we can get CIDR range and ASN number for any domain.
  • Find subdomains using CIDR and ASN: ammas intel -asn <ASN> OR ammas intel -cidr <CIDR-Rang> OR amass intel -whois -d <>