Active Information Gathering

Once we have exhausted the possible ways to passively collect information about our target, we will turn to an active collection. These tools and methods are more powerful and can provide us with more information, but at the same time, they may expose you to detection. Let’s have a look at some common techniques.


Wireshark is a protocol analyzer (aka packet analyzer) and the best tool available for analyzing network traffic, and it is highly recommended that everyone become very familiar with its usage. Technically Wireshark takes packet data and gives you many ways to examine and analyze it. You are going to encounter Wireshark very often as a cyber professional, so it’s to your benefit to dive in and make yourself an expert.



Nmap is a network mapper primarily used to identify the existence of network hosts or devices, ports, services and vulnerabilities. It is the tool of choice for network enumeration and will most likely be the first tool to get detected by network defense devices. While there are ways to do this graphically, learning Nmap from the command line will really help you to better appreciate its capabilities and at the same time help you feel more accustomed to working with a command-line interface (CLI).

An ideal enumeration process is:

  • Host Identification
  • Port Identification
  • Service Identification
  • Vulnerability Identification
  • Exploitation

Yes, you can perform these tasks separately or with one command. The point is to keep your network footprint (and with it your exposure to detection) low while remaining accountable for every packet you send. Some commands to perform these tasks are:

nmap -sn
nmap -v -T4 -sS -Pn --top-ports 10 --open
nmap -v -T4 -sT -Pn --top-ports 10 --open
nmap -v -T4 -sV -Pn --top-ports 25 --open
nmap -v -T4 -sV -sC -Pn -F --open
nmap -v -T4 -A -p- --open --randomize-hosts
nmap -v -T4 -p 445 --script=smb-vuln-ms10-061 --open
nmap -v -T4 -sU -sT -sV -p U:53,11,137,161,T:22,139,445 --open
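The page notes that Nmap is usually the first tool network defences catch. As an added example (not part of the original page), here is the kind of check a defender runs against connection logs to do exactly that: it flags any source that touches many distinct ports on one host inside a short time window. The log format (`epoch src dst dport proto`), the threshold and the sample traffic are assumptions constructed for this example.

```python
"""Port-scan detector over constructed connection-log lines (added example;
not part of the original page). Log format is an assumption modelled on a
typical firewall/netflow export: "<epoch> <src> <dst> <dport> <proto>"."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes ten ports (the shape of --top-ports 10),
# 10.0.0.9 sweeps 30 ports (the shape of -F or -p-), 10.0.0.7 is normal traffic.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 192.168.1.20 {p} tcp"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
    + [f"{1700000000 + i} 10.0.0.9 192.168.1.20 {p} tcp"
       for i, p in enumerate(range(1, 31))]
    + ["1700000000 10.0.0.7 192.168.1.20 443 tcp",
       "1700000300 10.0.0.7 192.168.1.20 443 tcp"]
)


def parse_log(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _proto = parts
        try:
            yield int(ts), src, dst, int(dport)
        except ValueError:
            continue


def detect_port_scans(text, threshold=15, window=60):
    """Return {(src, dst): distinct_ports} for every source/destination pair
    where the source touched at least `threshold` distinct destination ports
    within any `window`-second sliding window."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for key, evs in events.items():
        evs.sort()                      # order by timestamp for the window
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1                 # drop events that fell out of the window
            ports = {p for _, p in evs[lo:hi + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts
```

With the default threshold of 15 only the 30-port sweep fires, while the ten-port scan slips through; lowering the threshold to 10 catches it too, which is the tuning trade-off behind the page's advice to keep your footprint small.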

Scanning with Metasploit

Although scanning with Nmap is very popular, you can also use Metasploit auxiliary modules to perform scans. Below are some examples:

  • 21 auxiliary/scanner/ftp/anonymous
  • 21 auxiliary/scanner/ftp/ftp_version
  • 22 auxiliary/scanner/ssh/ssh_version
  • 23 auxiliary/scanner/telnet/telnet_version
  • 25 auxiliary/scanner/smtp/smtp_version
  • 69 auxiliary/scanner/tftp/tftpbrute
  • 79 auxiliary/scanner/finger/finger_users
  • 80 auxiliary/scanner/http/http_version
  • 110 auxiliary/scanner/pop3/pop3_version
  • 111 auxiliary/scanner/misc/sunrpc_portmapper
  • 123 auxiliary/scanner/ntp/ntp_monlist
  • 143 auxiliary/scanner/imap/imap_version
  • 512 auxiliary/scanner/rservices/rexec_login
  • 513 auxiliary/scanner/rservices/rlogin_login
  • 514 auxiliary/scanner/rservices/rsh_login
  • 1521 auxiliary/scanner/oracle/sid_enum
  • 3306 auxiliary/scanner/mysql/mysql_version
  • 5432 auxiliary/scanner/postgres/postgres_version
  • 5900 auxiliary/scanner/vnc/vnc_none_auth
  • 6000 auxiliary/scanner/x11/open_x11
  • 9100 auxiliary/scanner/printer/printer_version_info
  • 50000 auxiliary/scanner/db2/db2_version


nbtscan is a command-line scan tool, running on Windows or Linux, which displays NetBIOS information. It may even display logged-in users and the device's purpose. This is helpful when building your initial hosts and users list.

# nbtscan
# nbtscan -v
C:> nbtscan


# smbtree -b
# smbtree -D
# smbtree -S



enum4linux gives a multitude of information from a target machine. This can include usernames, password policies, user and group information, etc. It also shows what commands were used to get that information. This does not work all the time. A basic example of this would be:

# enum4linux



The host command can be used in many ways to identify information for a particular host or website. This is a good way to begin DNS and/or network infrastructure enumeration. For example:

# host has address has IPv6 address 2a03:2880:2110:df07:face:b00c:0:1 mail is handled by 10

An example of a successful search for is the following:

# host is an alias for has the IPv6 address: 2607:f8b0:4004:801::1004

To identify mail servers using the host command:

# host -mx

Nameserver identification:

# host -t ns



Dnsrecon is one of many tools you can use to attempt a zone transfer in hopes of enumerating a domain's DNS records.

# dnsrecon -d -t axfr



Probably the easiest way to perform a zone transfer in Kali is to use the dnsenum tool. Keep in mind that most sites should not allow zone transfers!

# dnsenum


Another easy way to attempt a zone transfer in Kali is the fierce command. Remember, most sites should not allow zone transfers! The zone file will contain a list of all the DNS names configured in that zone. Basically, it gives you the corporate network layout.

# fierce --dns
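The three tools above all end up with the same thing: a zone dump. As an added example (not part of the original page or of any of these tools), here is how a defender audits such a dump from their own zone for the leak the text describes, namely names that resolve to internal address space. The record format is assumed to be dig-style text (`name ttl IN type rdata`) and the zone below is constructed.

```python
"""Audit a DNS zone dump for internal-network leakage (added example; not part
of the original page). Input is assumed to be dig/zone-file style text records:
"<name> <ttl> IN <type> <rdata...>". The zone below is constructed."""
import ipaddress

SAMPLE_ZONE = """\
example.test.            3600 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.            3600 IN NS   ns1.example.test.
example.test.            3600 IN MX   10 mail.example.test.
www.example.test.        300  IN A    203.0.113.10
mail.example.test.       300  IN A    203.0.113.25
vpn-gw.example.test.     300  IN A    203.0.113.2
dc01.corp.example.test.  300  IN A    10.10.1.5
backup-nas.example.test. 300  IN A    192.168.50.8
intranet.example.test.   300  IN AAAA fd00:dead:beef::20
"""

# RFC 1918 space plus IPv6 unique-local addresses: anything here in a
# public zone is a map of the inside network handed to whoever pulls the zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_zone(text):
    """Return a list of (name, rtype, rdata) tuples; skips blank/comment lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()       # strip zone-file comments
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        records.append((name.rstrip("."), rtype, " ".join(rdata)))
    return records


def leaked_internal_hosts(text):
    """Names whose A/AAAA records point into INTERNAL_NETS, in zone order."""
    leaks = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr.version == net.version and addr in net
                   for net in INTERNAL_NETS):
                leaks.append((name, rdata))
    return leaks


def hostname_inventory(text):
    """Sorted unique names in the zone: the 'corporate layout' the page mentions."""
    return sorted({name for name, _, _ in parse_zone(text)})
```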

IPv6 Enumeration

IPv6 has been out for over 21 years. It is a protocol or method of communication just like IPv4 but with over 340 undecillion more available IP addresses. How many is that? An undecillion is so large it is a 1 followed by 36 zeros! Think of it as if for every road, highway, or path that exists there is another one directly under it that not many people know about. Now add over 340 undecillion more!

Please be very careful with these IPv6 tools. Spend some time researching and practicing more from the atk6 toolset.

atk6-alive6

Alive6 is a tool you can use to identify IPv6 hosts on the local network segment:

# atk6-alive6 -l eth0