Information Gathering

Information Gathering is the systematic process of collecting, analyzing, and cataloging data about a target system, network, or organization. This critical phase transforms raw data into actionable intelligence by uncovering the target's architecture, identifying potential vulnerabilities, and mapping security mechanisms. Whether conducting a penetration test, security assessment, or threat analysis, effective information gathering determines the success of subsequent operations by providing the strategic and technical context needed for informed decision-making.

The Information Gathering Process

Information gathering follows a structured methodology:

  1. Define Scope: Establish clear boundaries for what information to collect

  2. Collect Data: Use multiple techniques and tools to gather information

  3. Validate Information: Verify accuracy through cross-referencing sources

  4. Analyze Findings: Identify patterns, vulnerabilities, and opportunities

  5. Document Results: Create organized reports for future reference

  6. Continuous Monitoring: Update information as the target evolves

Types of Information to Gather

Network Infrastructure

  • IP address ranges and CIDR blocks

  • Domain names and subdomains

  • DNS server configurations

  • Network topology and routing

  • Firewall and security device placement

  • Content Delivery Networks (CDNs)

Systems and Services

  • Operating systems and versions

  • Running services and open ports

  • Application versions and patch levels

  • Web servers and frameworks

  • Database systems

  • API endpoints

Organizational Information

  • Company structure and departments

  • Employee names, roles, and contact information

  • Email address formats

  • Physical locations and office addresses

  • Business partners and vendors

  • Technology stack and tools in use

Security Posture

  • Security products deployed (firewalls, IDS/IPS, antivirus)

  • Authentication mechanisms

  • Security policies and procedures

  • Incident response capabilities

  • Compliance requirements (PCI-DSS, HIPAA, GDPR)

NMAP (Network Mapper)

NMAP is the industry-standard open-source tool for network discovery and security auditing, created by Gordon "Fyodor" Lyon. Originally released in 1997, NMAP has evolved into the most comprehensive and flexible network scanning tool available, used by security professionals, system administrators, and penetration testers worldwide. Its versatility stems from its extensive scanning techniques, scriptable interface (NSE), and cross-platform compatibility.

Core Capabilities of NMAP

1. Host Discovery

Identify which systems are online and reachable on a network without performing port scans.

Techniques:

  • Ping Scan: ICMP echo requests

  • TCP SYN Discovery: Sends SYN packets to common ports

  • TCP ACK Discovery: Uses ACK packets to bypass simple firewalls

  • UDP Discovery: Sends UDP packets to detect hosts

  • ARP Scan: Layer 2 discovery for local networks (most reliable for LAN)

Example:

2. Port Scanning

Determine which ports are open, closed, or filtered on target systems.

Scan Types:

  • TCP SYN Scan (-sS): Stealthy, doesn't complete TCP handshake (requires root)

  • TCP Connect Scan (-sT): Completes full TCP connection (works without root)

  • UDP Scan (-sU): Scans UDP ports (slower, often filtered)

  • Comprehensive: -sS -sU scans both TCP and UDP

Port Specifications:

  • Specific ports: -p 22,80,443

  • Port ranges: -p 1-1000

  • All ports: -p- (1-65535)

  • Top ports: --top-ports 100

  • Protocol-specific: -p T:80,443,U:53,161

3. Version Detection

Identify the specific application and version running on open ports by analyzing service responses and fingerprints.

Example:

Sample Output:

4. Operating System Detection

Determine the operating system and hardware characteristics through TCP/IP stack fingerprinting.

Example:

Essential NMAP Command Reference

Basic Scans

Timing Templates

NMAP offers timing templates (-T0 through -T5) to control scan speed:

  • T0 (Paranoid): Extremely slow, IDS evasion (5 minutes between probes)

  • T1 (Sneaky): Slow, IDS evasion (15 seconds between probes)

  • T2 (Polite): Slows down to use less bandwidth

  • T3 (Normal): Default timing

  • T4 (Aggressive): Fast scan, assumes reliable network

  • T5 (Insane): Very fast, may sacrifice accuracy

Output Formats

Advanced Techniques

NMAP Scripting Engine (NSE)

NSE extends NMAP's capabilities with hundreds of scripts for vulnerability detection, exploitation, and advanced enumeration.

Script Categories

  • auth: Authentication testing

  • broadcast: Network discovery via broadcast

  • brute: Brute force attacks

  • default: Default safe scripts (-sC)

  • discovery: Additional network discovery

  • dos: Denial of service testing

  • exploit: Exploitation attempts

  • intrusive: May crash services

  • malware: Malware detection

  • safe: Won't affect target

  • version: Enhanced version detection

  • vuln: Vulnerability detection

Using NSE Scripts

Practical NMAP Workflow

Phase 1: Quick Discovery

Phase 2: Port Scanning

Phase 3: Service Enumeration

Phase 4: Vulnerability Assessment

Hands-on Exercise

Exercise 1: Network Discovery

  1. Scan your local network to identify active hosts: nmap -sn 192.168.1.0/24

  2. Compare results with ARP scan: sudo nmap -PR 192.168.1.0/24

  3. Document: Which method found more hosts? Why might this be?

Exercise 2: Service Fingerprinting

  1. Identify a test system (your own VM or authorized lab)

  2. Run: nmap -p- -sV -sC <target>

  3. Analyze output:

    • What services are running?

    • Are any versions outdated?

    • What do the NSE scripts reveal?

Exercise 3: Comparing Scan Types

  1. Run TCP SYN scan: sudo nmap -sS <target>

  2. Run TCP Connect scan: nmap -sT <target>

  3. Run UDP scan: sudo nmap -sU --top-ports 20 <target>

  4. Document: Compare speed, results, and system logs

Exercise 4: NSE Script Exploration

  1. List available HTTP scripts: ls /usr/share/nmap/scripts/ | grep http

  2. Read script documentation: nmap --script-help http-enum

  3. Run against test web server: nmap --script=http-enum -p 80,443 <target>

  4. Analyze discovered paths and directories

Interpreting NMAP Results

Port States

  • open: Service is actively accepting connections

  • closed: Port is accessible but no service listening

  • filtered: Firewall/filter is blocking probe (inconclusive)

  • unfiltered: Port is accessible but state undetermined

  • open|filtered: Cannot determine if open or filtered (UDP scans)

  • closed|filtered: Cannot determine if closed or filtered (rare)

Common Port Numbers

Port   Service     Description
21     FTP         File Transfer Protocol
22     SSH         Secure Shell
23     Telnet      Unencrypted remote access
25     SMTP        Email transmission
53     DNS         Domain Name System
80     HTTP        Web traffic
110    POP3        Email retrieval
143    IMAP        Email retrieval
443    HTTPS       Encrypted web traffic
445    SMB         Windows file sharing
3306   MySQL       MySQL database
3389   RDP         Remote Desktop Protocol
5432   PostgreSQL  PostgreSQL database
8080   HTTP-ALT    Alternative HTTP port
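The port states and the port table above are what you read off a finished scan. As an added example that is not part of the original page, the Python script below parses nmap's grepable output (-oG) and turns each port state into a review item, flagging the services the table and the countermeasures section single out while keeping inconclusive states visible. The sample output and the review set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed nmap grepable (-oG) output for two hosts; not from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///\tIgnored State: closed (995)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https//nginx 1.24.0/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (998)
"""

HOST_RE = re.compile(r"^Host: (\S+)")
PORTS_RE = re.compile(r"Ports: (.*?)(?:\t|$)")

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}.
    Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/."""
    results = defaultdict(list)
    for line in text.splitlines():
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if line.startswith("#") or not host or not ports:
            continue  # comment lines and "Status: Up" lines carry no port data
        for entry in ports.group(1).split(", "):
            f = entry.split("/")
            results[host.group(1)].append((int(f[0]), f[2], f[1], f[4], f[6]))
    return dict(results)

# Assumed review set: services the port table and countermeasures call out on exposed hosts.
REVIEW_PORTS = {21: "FTP", 23: "Telnet (unencrypted)", 161: "SNMP", 445: "SMB", 3389: "RDP"}

def triage(results):
    """Map raw port states to review items; inconclusive states are not dropped."""
    findings = []
    for host, entries in results.items():
        for port, proto, state, service, version in entries:
            if state == "open" and port in REVIEW_PORTS:
                findings.append((host, port, "exposed: " + REVIEW_PORTS[port]))
            elif state == "open|filtered":
                findings.append((host, port, "inconclusive: UDP probe unanswered, verify manually"))
            elif state == "filtered":
                findings.append((host, port, "filtered: probe blocked, state unknown"))
    return findings

if __name__ == "__main__":
    for item in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(item)
```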

NMAP Best Practices

Performance Optimization

  • Use -T4 for most scans on reliable networks

  • Scan top ports first: --top-ports 1000

  • Parallelize: Scan multiple targets simultaneously

  • Exclude unresponsive hosts with initial ping scan

  • Use --min-rate and --max-rate for rate control

Stealth and Evasion

  • Use SYN scans (-sS) instead of connect scans

  • Randomize scan order: --randomize-hosts

  • Fragment packets: -f

  • Slow timing: -T0 or -T1

  • Spoof source: -S <spoofed_ip> -e <interface>

  • Always obtain written authorization before scanning

  • Stay within defined scope (IP ranges, ports)

  • Use appropriate timing to avoid DoS

  • Document all scan activities with timestamps

  • Respect bandwidth and system resources

Common Errors and Troubleshooting

"You requested a scan type which requires root privileges"

Cause: SYN scan, OS detection, and certain other features require root privileges
Solution: Use sudo nmap or run as administrator

"Note: Host seems down"

Causes: Host is actually down, firewall blocking, ICMP disabled
Solutions:

  • Use -Pn to skip host discovery

  • Try different discovery methods: -PS, -PA, -PU

  • Check with ping and traceroute

Slow UDP Scans

Cause: UDP is connectionless, so each probe must wait for a timeout
Solutions:

  • Scan only essential UDP ports: --top-ports 20

  • Increase parallelism: --min-parallelism 100

  • Use faster timing: -T4

No Version Information Detected

Causes: Service on non-standard port, custom software
Solutions:

  • Increase version intensity: --version-intensity 9

  • Try -A for aggressive detection

  • Manual banner grabbing with Netcat

Enumeration

Enumeration is the aggressive phase of information gathering where you extract granular details from identified services and systems. Unlike reconnaissance, which casts a wide net, enumeration drills deep into specific targets to extract user accounts, shares, configurations, and other sensitive data. This phase bridges scanning and exploitation by providing the specific details needed to compromise systems.

The Enumeration Process

  1. Identify service/protocol (from port scanning)

  2. Query service for detailed information

  3. Extract data systematically

  4. Validate findings through cross-referencing

  5. Document for exploitation phase

Enumeration Techniques by Service

NetBIOS/SMB Enumeration (Windows Networks)

Purpose: Extract Windows network information including shares, users, groups, and policies.

Ports: 137 (NetBIOS Name), 139 (NetBIOS Session), 445 (SMB)

Tools and Commands:

Information Extracted:

  • Workgroup/domain name

  • Operating system and version

  • User accounts and groups

  • Password policies

  • Network shares and permissions

  • Logged-in users

  • RID cycling results

Example enum4linux Output Analysis:

SNMP Enumeration

Purpose: Extract device configurations, network topology, and system information from SNMP-enabled devices.

Port: 161 (UDP)

Tools and Commands:

Common Community Strings (try these):

  • public (read-only, most common)

  • private (read-write)

  • manager

  • admin

Information Extracted:

  • Device hostnames and descriptions

  • Network interface configurations

  • Routing tables

  • Running processes

  • Installed software

  • User accounts

  • TCP/UDP connections

LDAP Enumeration (Directory Services)

Purpose: Extract organizational structure, user accounts, and configurations from LDAP directories (Active Directory).

Ports: 389 (LDAP), 636 (LDAPS), 3268 (Global Catalog)

Tools and Commands:

Information Extracted:

  • Domain structure and organization units

  • User accounts with attributes (email, phone, title)

  • Group memberships

  • Computer accounts

  • Password policies

  • Service accounts

  • Privileged user groups (Domain Admins, Enterprise Admins)

SMTP Enumeration (Mail Servers)

Purpose: Verify email addresses and extract user information from mail servers.

Ports: 25 (SMTP), 587 (Submission)

Techniques:

Information Extracted:

  • Valid email addresses

  • Mail server version and configuration

  • Mailing list memberships

  • User account existence

DNS Enumeration

Purpose: Discover subdomains, map network infrastructure, and identify services.

Port: 53 (TCP/UDP)

Tools and Commands:

Information Extracted:

  • All DNS records (A, AAAA, MX, TXT, NS, CNAME, SOA)

  • Subdomains and related domains

  • Mail servers

  • Name servers

  • SPF, DKIM, DMARC records

  • IPv4 and IPv6 addresses

NFS Enumeration (Network File System)

Purpose: Discover exported file systems and mount points on Unix/Linux systems.

Port: 2049

Tools and Commands:

Database Enumeration

Purpose: Extract database versions, schemas, users, and accessible data.

Common Ports: 1433 (MSSQL), 3306 (MySQL), 5432 (PostgreSQL), 1521 (Oracle)

Tools and Commands:

Comprehensive Enumeration Toolkit

Essential Tools

Tool         Purpose                     Best For
enum4linux   SMB/NetBIOS enumeration     Windows networks
ldapsearch   LDAP querying               Active Directory
snmpwalk     SNMP enumeration            Network devices
dnsenum      DNS enumeration             Domain reconnaissance
nikto        Web server scanning         Web applications
gobuster     Directory brute-forcing     Web paths
ffuf         Web fuzzing                 Hidden resources
Nmap NSE     Multi-protocol enumeration  All services

Enumeration Workflow Example

Hands-on Enumeration Exercises

Exercise 1: SMB Enumeration

  1. Set up a Windows VM or lab environment

  2. Run: enum4linux -a <target_ip>

  3. Analyze output:

    • What is the domain/workgroup?

    • What users exist?

    • What shares are accessible?

    • What is the password policy?

Exercise 2: DNS Enumeration

  1. Choose a domain (your organization or authorized target)

  2. Run: dnsenum example.com

  3. Attempt zone transfer: dig @ns1.example.com example.com AXFR

  4. Document:

    • How many subdomains found?

    • Was zone transfer successful?

    • What services were identified?

Exercise 3: Web Enumeration

  1. Identify a web server (authorized testing only)

  2. Run: nikto -h http://target.com

  3. Run: gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

  4. Analyze:

    • What directories/files were found?

    • What vulnerabilities were identified?

    • What server version is running?

Enumeration Best Practices

Systematic Approach

  • Enumerate all discovered services, not just "interesting" ones

  • Document all findings in structured format

  • Cross-reference information from multiple sources

  • Validate findings before relying on them

Stealth Considerations

  • Enumeration is noisy and logged by target systems

  • Use appropriate timing and rate limiting

  • Consider detection risk vs. information value

  • Authenticated enumeration is less suspicious than anonymous

  • Enumeration often crosses from passive to active

  • Always operate within authorized scope

  • Some enumeration techniques may trigger security alerts

  • Document all enumeration activities with timestamps

Defensive Countermeasures

Organizations can limit enumeration effectiveness:

  • Disable unnecessary services: Close SMB, SNMP on public-facing systems

  • Use strong community strings: Change default SNMP communities

  • Implement null session restrictions: Block anonymous SMB enumeration

  • Disable LDAP anonymous binds: Require authentication

  • Configure DNS properly: Disable zone transfers, use split-horizon DNS

  • Remove verbose error messages: Don't reveal system details

  • Monitor enumeration attempts: Alert on suspicious query patterns
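As an added example of the monitoring the last bullet calls for (not part of the original page), this Python script runs a simple port-scan detector over constructed firewall log lines: a source that touches many distinct ports on one host inside a sliding window is reported. The log format, addresses and thresholds are assumptions. It also shows why the slow timing templates matter to a defender: the same logic with a 60-second window sees a fast scan but misses a -T0-style scan whose probes are hours apart, so a second pass with a long window is needed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style LOG lines with ISO timestamps; not from a real system.
SAMPLE_LOG = "\n".join(
    # 12 probes against distinct ports within 12 seconds: what a -T4 SYN scan looks like
    [f"2024-03-03T10:15:{i:02d}+00:00 gw kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 "
     f"DST=192.0.2.10 PROTO=TCP SPT=51234 DPT={port} SYN"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389])]
    # 3 probes hours apart from another source: a -T0-style slow scan
    + [f"2024-03-03T{h:02d}:00:00+00:00 gw kernel: FW-DROP: IN=eth0 SRC=198.51.100.7 "
       f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={port} SYN"
       for h, port in [(1, 22), (9, 80), (17, 443)]]
)

LINE_RE = re.compile(
    r"^(\S+) \S+ kernel: \S+ .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")

def detect_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): distinct_ports} for every source/destination pair where
    at least min_ports distinct destination ports were hit inside one window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dst_port), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall LOG line
        ts = datetime.fromisoformat(m.group(1))
        events[(m.group(2), m.group(3))].append((ts, int(m.group(5))))
    alerts = {}
    for key, hits in events.items():
        hits.sort()  # sliding window over time-ordered hits
        best = max(len({p for t, p in hits[i:] if t - start <= window})
                   for i, (start, _) in enumerate(hits))
        if best >= min_ports:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    print("60s window :", detect_scans(SAMPLE_LOG))
    print("24h window :", detect_scans(SAMPLE_LOG, timedelta(hours=24), min_ports=3))
```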

Additional Tools for Information Gathering

Subdomain Discovery

  • Sublist3r: Python tool aggregating multiple search engines

  • Amass: Comprehensive subdomain enumeration

  • Assetfinder: Fast subdomain discovery

  • Subfinder: Modern subdomain enumeration tool

Web Application Analysis

  • Nikto: Web server vulnerability scanner

  • Gobuster: Directory and DNS busting tool

  • Ffuf: Fast web fuzzer

  • WhatWeb: Web technology identifier

  • Wappalyzer: Technology profiler (browser extension)

Credential Harvesting

  • theHarvester: Email and subdomain harvester

  • LinkedIn2Username: Generate username lists from LinkedIn

  • Hunter.io: Email address finder (web service)

Metadata Analysis

  • ExifTool: Read metadata from images, PDFs, documents

  • FOCA: Fingerprinting Organizations with Collected Archives

  • Metagoofil: Metadata extractor for public documents

Key Takeaways

  • Information gathering is systematic, not random exploration

  • NMAP is the foundational tool for network reconnaissance

  • Enumeration provides the granular details needed for exploitation

  • Different services require different enumeration techniques

  • Always operate within legal and authorized boundaries

  • Combine automated tools with manual verification

  • Document everything for future reference and reporting

  • Defenders should enumerate their own systems regularly

Resources

Books

  • "Nmap Network Scanning" by Gordon Fyodor Lyon - The definitive NMAP guide

  • "The Web Application Hacker's Handbook" by Dafydd Stuttard - Web enumeration techniques

  • "Penetration Testing" by Georgia Weidman - Comprehensive methodology

Official Documentation

Online Resources

Practice Platforms

  • HackTheBox: Enumeration-heavy CTF challenges

  • TryHackMe: Guided enumeration rooms

  • VulnHub: Vulnerable VMs for practice

  • PentesterLab: Web application enumeration exercises
