Cybersecurity- Information Gathering

The first step of an attack is the collection of information, in order to know your target well. If you want to know more about OSINT and what tools are used for information gathering...




As we saw in my article on social engineering (HERE), the first step of an attack is information gathering, to get to know the target.
This can be any type of information: IP addresses, personal data, e-mails...

We can generally summarize the different types of possible attacks in this way:

  • Destructive attack (Denial of service, deletion of site, ransomware ...)
  • Attack to gain control of the means of communication ...
  • Attack for the purpose of stealing information (databases, etc ...) for profit or espionage purposes.
  • APT (Advanced Persistent Threat) attack, a very elaborate, careful and well-prepared attack, generally targeting large companies, administrations, NGOs, OIV (operators of vital importance)...

    What is personal data?

    Personal data is any information relating to a natural person identified or who can be identified, directly or indirectly, by reference to an identification number or to one or more elements that are specific to him.

    In this article, we will therefore study how information gathering is done, what tools are used to collect information and how to use them.
    Do not use these tools for malicious purposes or without permission (scanning an IP address you do not have permission to scan can be considered an attack).
    This article is entirely dedicated to learning.

    What is OSINT?


    The Internet is an ocean of data, and this information is easily accessible to all.
    However, some individuals use this information with malicious intentions (social engineering, phishing, threats, reselling information on the dark web...).

    There is a lot of data about you on the Internet, whether it is data published directly by you (profiles on social networks, posts...) or indirectly by someone around you.

    OSINT, or "Open Source Intelligence", is an intelligence method based on information that is accessible to all and not classified. Open Source Intelligence is a fundamental element of intelligence operations.

    OSINT uses all forms of publicly available sources, including:

  • Media such as newspapers, radio, television....
  • Social networks (Facebook, LinkedIn, Instagram, Twitter ...), blogs, forums...
  • Public documents, including official government reports such as budgets, press conferences, demographics, contract awards...
  • Academic sources, including articles, conferences, symposiums, etc.
  • Observations and reports...
  • The dark web and the deep web...

    Generally, OSINT is done in 3 steps:

  • Know whether the information is available (access to a document, a site...).
  • Collect the information, usually using tools (much faster and more accurate than manual collection), which I will present in the next part.
  • Analyze the information.

    Tools for information gathering

  • Google Hacking
  • Shodan
  • Whois
  • The Harvester
  • Censys
  • NMAP
  • Maltego
  • SpiderFoot
  • Checkusernames
  • Lullar

    Google Hacking

    A Google Dork query uses search terms that incorporate advanced search operators to find information on a website that is not available through a traditional search. This simplifies and narrows searches.

    Mainly used to obtain:

  • Usernames and passwords.
  • Email lists.
  • Sensitive documents.
  • Personal, transactional or financial information.
  • Vulnerabilities of websites, servers or plugins.

    Here is a table I made that summarizes the most important operators for advanced searches:






    Shodan

    Shodan is a website specialized in finding objects connected to the Internet, i.e. devices with an IP address visible on the network. It can find a variety of web servers and routers as well as many devices such as printers or cameras.

    For each result, we find the IP address of the server as well as other types of sensitive but accessible information.

    Shodan is also a tool used by security researchers and hackers to search for poorly secured devices and take control of them from a simple web browser.
    Many devices use login/password combinations that are often left at their default values, such as admin/admin or admin/1234...

    If I do a search in Shodan for the IP address (this IP is provided by nmap to test our scans), here is some of the information I get:



    Whois

    Whois is a search service provided by Internet registries, for example Regional Internet Registries (RIRs) or domain name registries, to obtain information about an IP address or a domain name.

    It allows you to:

  • Obtain information on the owner of a domain name (administrative, technical and possibly billing contact) and on the name servers associated with the domain.
  • Obtain information on the assignment of IP address ranges.

    This is the tool that will provide us with our first information.

    This tool can be used both on the command line:


    But also with a GUI:
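As an added example (not code from the original article), here is a small parser for the key/value text that a command-line whois query prints, pulling out the registrar, contacts and name servers the article mentions, plus a defender-side check of how many days remain before the domain's registry expiry date (a lapsed domain can be registered by someone else). The whois record below is constructed sample data, and the field names are the common ones seen in gTLD registry output; other registries use different labels.

```python
from datetime import datetime

# Constructed sample of what "whois example.test" returns; not a real record.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.TEST
   Registrar: Example Registrar, LLC
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrant Organization: Example Org
   Admin Email: admin@example.test
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict; repeated keys become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the trailer and lines without a key/value separator.
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if key in fields:  # e.g. several "Name Server" lines
            fields[key] = (fields[key] if isinstance(fields[key], list) else [fields[key]]) + [value]
        else:
            fields[key] = value
    return fields

def name_servers(fields):
    """Name servers as a sorted, lowercase list (casing varies by registry)."""
    ns = fields.get("name server", [])
    return sorted(n.lower() for n in (ns if isinstance(ns, list) else [ns]))

def days_until_expiry(fields, now_iso):
    """Days from now_iso (e.g. '2024-07-14T04:00:00Z') to the registry expiry
    date; a negative value means the domain has already lapsed."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(fields["registry expiry date"], fmt)
    return (expiry - datetime.strptime(now_iso, fmt)).days
```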

    The Harvester

    According to :

    The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

    This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet.

    It is also useful for anyone that wants to know what an attacker can see about their organization.

    This is a complete rewrite of the tool with new features like:

  • Time delays between requests
  • All sources search
  • Virtual host verifier
  • Active enumeration (DNS enumeration, Reverse lookups, TLD expansion)
  • Integration with SHODAN computer database, to get the open ports and banners
  • Save to XML and HTML
  • Basic graph with stats
  • New sources

    Censys


    Censys is a search engine (like Shodan) launched by researchers at the University of Michigan, which collects all the data it can on devices connected to the IPv4 Internet. For this, it uses the ZMap open source port scanner and stores everything it retrieves in a database, which is then accessible via the web interface, an API or plain text listings to download.

    You can search by keyword, IP, domain name, protocol used, certificate, etc. The information collected is very comprehensive and can be used to identify potential security issues.


    If I do a search in Censys for the IP address (this IP is provided by nmap to test our scans), here is some of the information I get:




    Nmap

    Nmap is one of the most used tools in the world of security.
    It is a free port scanner created by Fyodor and distributed by It is designed to detect open ports, identify hosted services and obtain information about the operating system of a remote computer.

    To scan ports on a remote computer, Nmap uses a variety of scanning techniques that rely on protocols such as TCP, IP, UDP, or ICMP.

    For more information on nmap, I wrote an article about this tool; feel free to read it: HERE
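Added example, not code from the original article or from the Nmap project: a defender who runs nmap against their own hosts usually wants the XML report (nmap -oX) turned into an inventory of what is exposed. The parser below summarizes each live host's open ports and version banners and flags services that should not be reachable from the Internet; the XML and the RISKY_SERVICES set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -oX" output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="example-host.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>"""

# Services a defender would not want reachable from the Internet (illustrative set).
RISKY_SERVICES = {"telnet", "ftp", "microsoft-ds", "ms-wbt-server", "vnc"}

def summarize_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its hostname and open ports, each
    open port as (port, protocol, service, banner from -sV or '')."""
    report = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        entry = {"hostname": hn.get("name") if hn is not None else None, "open": []}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            name = attrs.get("name", "unknown")
            banner = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            entry["open"].append((int(port.get("portid")), port.get("protocol"), name, banner))
        report[ip] = entry
    return report

def risky_exposures(report):
    """(ip, port, service) for every open port running a service in RISKY_SERVICES."""
    return [(ip, p, s) for ip, e in report.items()
            for p, _, s, _ in e["open"] if s in RISKY_SERVICES]
```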



    Maltego

    Maltego is an open source software that makes it easy to find and visualize public information such as a person's different e-mail addresses, phone numbers that may be associated with them, IP addresses, DNS, mail servers, web hosts, employees of a company and many other things.



    SpiderFoot

    According to the official website of SpiderFoot:

    SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.

    SpiderFoot uses several different public sources such as Shodan, Google, SANS, Whois, PasteBin, etc. It is a cross-platform tool, which works through any modern web browser.

    The data returned from a SpiderFoot scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise or for threat intelligence.

    Checkusernames

    In the context of investigations or conventional information research, one may need to check whether a person whose nickname is already known uses it on several social networks and online services.

    This is a free service that can search more than 160 social networks.

    Just enter the already known nickname and the service tells you on which networks it is still available. On all the others it is taken, so we can visit them to verify that it is indeed the "target person".





    Information gathering is the most important step of an attack: it can reveal potential flaws and define the attack vectors that attackers will use. The list of tools presented here is far from exhaustive; new tools are released regularly.

    Thank you for reading my article, I hope it has been helpful.

    Follow me on Twitter to be informed of my new articles/infographics → @SecurityGuill
    If you like my work, feel free to support me with Buy me a coffee.