Tier I

Active Info Gathering

Active information gathering involves directly interacting with the target system.


It is more intrusive than passive gathering: every probe reaches the target, so port scans, brute-force requests and zone-transfer attempts can show up in firewall, IDS and web-server logs.
In return it reveals much more detailed and specific information about live hosts, open services, software versions and the vulnerabilities they expose.

General Methods & Tools


DNS Zone Transfer


DNS (Domain Name System) translates human-friendly domain names to IP addresses.
A zone transfer (AXFR) is how a secondary name server copies the whole zone from the primary; a name server that answers AXFR requests from anyone hands out every hostname and IP in the zone in a single query, so it is the first thing to try against each authoritative server of the target domain.
Some tools for DNS enumeration and zone-transfer attempts include:

  • dnsenum: Enumerates name servers and MX records, attempts a zone transfer against each name server and brute-forces subdomains from a wordlist
  • dig: Standard DNS lookup and analysis tool; it can request any record type, including AXFR against a chosen name server
  • fierce: DNS reconnaissance tool that locates name servers, attempts zone transfers and brute-forces subdomains
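The procedure the tools above automate, as an added example that is not part of the original notes: a small shell script that asks for the domain's name servers with dig, requests AXFR from each, and parses whatever comes back. It assumes dig (bind-utils / dnsutils) is installed; example.com, ns1.example.com and the 192.0.2.x addresses in the constructed sample zone are placeholders.

```sh
# Added example, not from the original notes: try a zone transfer (AXFR)
# against every authoritative name server of a domain, then pull the A
# records out of whatever zone data comes back.
# Assumptions: dig is installed; example.com, ns1.example.com and the
# 192.0.2.x addresses below are placeholders.

# Turn dig AXFR output (one record per line: name ttl class type rdata)
# into "hostname ip" pairs for the A records. Reads stdin.
parse_axfr() {
  awk '$4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Look up the domain's NS records and request AXFR from each name server.
# A server that refuses prints "; Transfer failed." and no records, so an
# empty parse result means "refused".
try_axfr() {
  domain="$1"
  for ns in $(dig +short NS "$domain"); do
    ns="${ns%.}"
    zone=$(dig +noall +answer AXFR "$domain" "@$ns" 2>/dev/null)
    hosts=$(printf '%s\n' "$zone" | parse_axfr)
    if [ -n "$hosts" ]; then
      echo "[+] $ns allows AXFR for $domain:"
      printf '%s\n' "$hosts"
    else
      echo "[-] $ns refused AXFR for $domain"
    fi
  done
}

# Constructed sample of what a permissive server returns, so the parser can
# be exercised offline (a real run is: try_axfr example.com).
SAMPLE_ZONE='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
dev.example.com. 3600 IN A 192.0.2.20
vpn.example.com. 3600 IN A 192.0.2.30
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600'

# Offline demo: list the hosts a successful transfer would expose.
printf '%s\n' "$SAMPLE_ZONE" | parse_axfr
```

The internal names a transfer leaks (dev, vpn, ...) are exactly the hosts that rarely appear in passive sources, which is why a permissive AXFR is worth checking on every authoritative server, not just the first one.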


Gobuster: URL Enumeration


Gobuster is a directory and file brute-forcing tool: it requests every entry of a wordlist under the target URL and reports the paths that do not come back as 404, revealing admin panels, backups and other unlinked content.
Each guess is a logged HTTP request, so this is among the noisiest steps of active gathering.

  • gobuster dir -u <url> -w /usr/share/wordlists/dirb/common.txt: Scan for common directories and files


Nmap: Host Discovery


Nmap is a powerful network scanner used for host discovery and port scanning.
It identifies live hosts on a network, then the open ports, running services and (often) the operating system on each of them.

Host Discovery Techniques


Host Discovery is a phase of Network Mapping to discover live hosts on a target network, so that port scans are spent only on addresses that are actually in use.

The most popular techniques of host discovery are:

  • Ping Sweeps (ICMP Echo Requests): sending a ping to a range of IPs and listing those that reply; simple, but ICMP is frequently filtered by firewalls and host configuration
  • ARP Scanning: Using Address Resolution Protocol to identify hosts on a LOCAL network segment; the most reliable method there, because a host cannot talk on the segment without answering ARP
  • TCP SYN Ping: Sending a TCP SYN packet to a port (commonly 443); either a SYN/ACK (port open) or a RST (port closed) proves the host is alive
  • UDP Ping: sending a UDP packet, usually to a port that is probably closed, so that a live host answers with ICMP port unreachable (an open UDP port typically stays silent)
  • TCP ACK Ping: Sending an unsolicited TCP ACK packet; a live host responds with a TCP RST (Reset), and stateless firewalls that only drop SYNs let it through
  • SYN/ACK Ping: Sending an unsolicited TCP SYN/ACK packet, similar to above: a live host answers with a RST


Nmap Host Discovery


  • sudo nmap -sn <ip address range>: Discover all active hosts within the given range without port-scanning them. As root on a local Ethernet segment nmap uses ARP requests; against remote ranges it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and any reply marks the host as up
  • Netdiscover: Alternative ARP-based tool (active requests or passive sniffing) to find active hosts on the local segment only


Nmap Port Scanning


After discovering hosts, you can scan for open ports and services to understand the attack surface:

  • nmap <ip address>: Basic port scan of the 1000 most common TCP ports (a SYN scan when run as root, a full TCP connect scan otherwise)
  • nmap -Pn <ip address>: Skip host discovery and scan the target even though it did not answer the probes (useful for hosts that block ping, such as Windows with its default firewall)
  • nmap -p <port(s)> <ip>: Scan specific port(s) or port ranges
  • nmap -sV <ip address>: Detect service versions on open ports by sending protocol probes and matching the responses
  • nmap -O <ip address>: Detect the operating system by TCP/IP stack fingerprinting (requires root; most accurate with at least one open and one closed port)
  • nmap -sC <ip address>: Run the default set of NSE scripts against the open ports for more information
  • nmap -T<0-5> <ip address>: Adjust scan timing (0=paranoid, 5=insane; slower templates are less likely to trip rate-based detection)
  • -oN/-oX: Save output as normal text or XML file
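The host discovery and port scanning steps above chained together, as an added example that is not part of the original notes: a shell script that sweeps a range with nmap -sn, feeds only the hosts that answered into a SYN/version scan, and parses nmap's greppable (-oG) output with awk. It assumes nmap and root privileges; the 10.10.23.0/24 range and the sample nmap output embedded in the script are constructed placeholders.

```sh
# Added example, not from the original notes: chain nmap host discovery into
# a version scan of only the hosts that answered, using nmap's greppable
# output (-oG -) so the results can be parsed with awk. Assumptions: nmap is
# installed, you have root (ARP/SYN scans) and 10.10.23.0/24 is a placeholder
# range you are authorised to scan.

# Live hosts from "nmap -sn -oG -" output. Host lines look like:
#   Host: 10.10.23.5 ()<TAB>Status: Up
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Open ports from "nmap -sV -oG -" output. The Ports field is one tab-separated
# column of comma-separated entries: port/state/proto/owner/service/rpc/version/
open_ports() {
  awk -F'\t' '/^Host:/ {
    split($1, h, " "); ip = h[2]
    for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
      n = split(substr($i, 8), p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
      }
    }
  }'
}

# Live run (not executed here): sweep, then version-scan only what is up.
scan_network() {
  range="$1"
  sudo nmap -sn -oG - "$range" | live_hosts > live_hosts.txt
  sudo nmap -sS -sV -T4 -oG - -iL live_hosts.txt | open_ports
}

# Constructed sample output, so the parsers can be checked offline.
SAMPLE_SWEEP=$(printf '# Nmap 7.94 scan initiated\nHost: 10.10.23.1 ()\tStatus: Up\nHost: 10.10.23.5 ()\tStatus: Up\nHost: 10.10.23.9 ()\tStatus: Down\n# Nmap done: 256 IP addresses (2 hosts up)\n')
SAMPLE_PORTS=$(printf 'Host: 10.10.23.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n')

printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
printf '%s\n' "$SAMPLE_PORTS" | open_ports
```

Running the version scan only against live_hosts.txt keeps the noisy part of the scan (thousands of SYNs plus banner probes per host) off addresses that never answered; the filtered 443 in the sample is dropped because only state "open" is reported.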


Ping Sweeps (ICMP)


Ping Sweep works by sending an ICMP packet (Type 8 - echo request) to each host in a range.
If the target host replies with an ICMP echo reply (Type 0), then it is alive. No reply does not prove the host is down: ICMP is often dropped by firewalls or disabled on the host itself.

Sender: packet of type 8 and code 0
Receiver (if alive): packet of type 0 and code 0



Ping request:


ping -b -c 5 10.1.0.255
  • -b = allow pinging a broadcast address; use the subnet's broadcast address (10.1.0.255 for 10.1.0.0/24), and every host that honours broadcast echo requests answers (most modern systems ignore them by default, so expect few replies)
  • -c 5 = send 5 pings
fping -a -g 10.10.23.0/24
  • fping = improved version of ping that can ping every host in a range, sending to all targets in parallel instead of one at a time
  • -a = show only the targets that are alive
  • -g = generate the target list from a CIDR range (or from a start and end address)
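What fping -a -g does by hand, as an added example that is not part of the original notes: a POSIX shell ping sweep that expands a CIDR range into host addresses, pings them all in parallel with a one-second timeout and prints only the responders. It assumes Linux iputils ping (-W sets the reply timeout in seconds); 10.10.23.0/24 is a placeholder range.

```sh
# Added example, not from the original notes: a ping sweep written by hand,
# i.e. what "fping -a -g 10.10.23.0/24" does for you: expand the CIDR into
# host addresses, send one echo request to each in parallel and print only
# the hosts that replied. Assumptions: Linux iputils ping (-W is the reply
# timeout in seconds); 10.10.23.0/24 is a placeholder range.

# Expand a.b.c.d/bits into its host addresses, skipping the network and
# broadcast addresses (like fping -g). Accepts a host address too.
expand_cidr() {
  ip="${1%/*}"; bits="${1#*/}"
  IFS=. read -r a b c d <<EOF
$ip
EOF
  n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  size=$(( 1 << (32 - bits) ))
  base=$(( n & ~(size - 1) ))      # network address, even if a host IP was given
  i=1
  while [ "$i" -lt $(( size - 1 )) ]; do
    h=$(( base + i ))
    echo "$(( (h >> 24) & 255 )).$(( (h >> 16) & 255 )).$(( (h >> 8) & 255 )).$(( h & 255 ))"
    i=$(( i + 1 ))
  done
}

# One echo request per host, all in parallel, 1 s timeout; print the responders.
# No reply does not prove the host is down: ICMP is often filtered.
ping_sweep() {
  expand_cidr "$1" | {
    while read -r host; do
      ( ping -c 1 -W 1 "$host" >/dev/null 2>&1 && echo "$host" ) &
    done
    wait
  }
}

# Usage: ping_sweep 10.10.23.0/24
# Offline demo of the target-list generation for a /29 (6 host addresses):
expand_cidr 10.10.23.0/29
```

The parallel background pings are what make the sweep finish in about one timeout rather than one timeout per address; the wait sits inside the same subshell as the loop so it actually collects those children.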

Other functionalities of fping:

  • -S, --src=IP = set the source address of the probes; it must be an address configured on one of your own interfaces (useful on multi-homed hosts), it does not spoof an arbitrary IP