Best Tools for Information Gathering

Abdullah Baghuth
5 min readDec 20, 2020


Information Gathering (Reconnaissance)

In this write-up, I’ll go through the best tools used by penetration tester to do Information Gathering.

Identifying Our Target:

Before we begin we have to establish a client to attack, so I picked up Tesla from bugcrowd programs.

please double check when you read this if tesla still exists or not, if for any reason Tesla passed out you must pick up other client.any other behavior out of this scope it’s in your risk.

There are so many tools to do reconnaissance but here we try to have a realistic approach and a realistic methodology when you came to do a penetration test, so when we first start will look up items on the website regarding users, email format, and breach credentials. is a domain search, we can search this will give us a list of people on the organization and will give us the most command pattern of the Email addresses. in top of this may not all of them works there so we can go to LinkedIn and check if that person really works there.

knowing the email format ‘{f}{last}’ is supper important liter on when we perform attacks. say we have a login form if you know the form of the email address we can send a bunch of valid email addresses to it as user name and then we can use something like password spraying which we just take the commonly used passwords.


theHarvester is a tool build in with kali Linux it helps us to identify some usernames and even some subdomains.

$theHarvester -d -l 500 -b google

  • -d : to specify the domain name.
  • -l : limit the number of search results, default=500.
  • -b : to specify the source to get information from, note that some of these sources required API key.


sublist3r is a tool to identify subdomains, if we look in scope will see * the char * means any domain or subdomain ended with is in scope this will give us more range to look around and will not limit us only in to search for these subdomains we can use sublist3r.

[-] Total Unique Subdomains Found: 187

this website uses certificate fingerprint to identify domain names, Organization Name, etc.

instead of using wildcard ‘*’ we have to use % so when we search about will be like

this is great because it will not look only for subdomains it looks also for sub of subdomains.

not all these subdomains will work in search engines but it worth knowing about them, to check if these work or not you can use tomnomnom httprobe tool. always check the help and man menu by -h ,— help or man<tool _name> to see more details about any tools in Linux.


this goes out and it looks at what type of tech Tesla is running.

it gives all the stiff that can see Google analytics salesforce, the Widgets they are running, and also the Frameworks. this is a great resource that can get more information from it.


Wappalyzer is extinction for firefox it gives you an indication right away of what’s going on. it’s still passive recon. as we are not doing anything that would be out of the norm.


WhatWeb identifies recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

whatweb is tool preinstalled in kali so we can run it as following

$whatweb <target url>

8-Burp Suite

Burp Suite is a web proxy that means it has the capability to intercepting traffic for us. by putting the URL of the website in the scope then navigate the website and burp suite will give you a nice site map.

9-Google Fu

what makes you really good pentester is the ability to google. being able to look this stuff up in your own and able to find your own resources and find solutions to your problems are going to make you way better.

in this, I will show you just a few things that we can use to search for and how we can start narrowing down some results.

you can use that will give us all sites end with, but what if I don’t want in this case you can use -www this will exclude from poping up this also another way to find subdomains, what if we want only pdf files that belong to tesla then we can add type file:pdf.

the point of doing this is we are looking at potentially sensitive files out there or more information to make your work easier. like backup files credentials source codes etc.


By search on social media especially in LinkedIn, you can find so much stuff about the company that you looking for or even employees of this company. we can click any picture and look for things like badge photos or desktop fixtures or even ID cards.

other thing that is excellent in LinkedIn is you can see all people who work there, and take the names I hope you remember the format of the email that we find it before so we can do so much stuff with that.

Linkedin shows people who visited your profile, so make sure to use fake account or any other trick to avoid that.

I hope this is carried out a lot of benefits and information to you, stay safe Bye Bye.