Information Gathering Techniques for Penetration Testing [Updated 2023]

Information Gathering is the first and foundation step in the success of penetration testing.  The more useful information you have about a target, the more you can find vulnerabilities in the target and find more serious problems in the target by exploiting them (to demonstrate). In this article, I am discussing information gathering techniques for penetration testing of IT infrastructure.

(1) Whois Lookup (

It helps in identifying the owner of a target, hosted company, and location of servers, IP address, Server Type, etc. You need to just the domain name and you may will get the juicy information.

Click Here for Active Reconnaissance Tools used for Penetration Testing

(2) Identify technologies of the target web application

It helps in identifying technologies used in the development of web applications. It also helps in determining the outdated modules of software used in development. Later you can search exploits on to further demonstrate the exploitation of issues in the web application. I am listing out resources that can be used to identify technologies of target:

(3) Robtex (

This resource is perfect for gathering information related to DNS. Click Here to know more methods of performing DNS Enumeration.

Click Here to Test DNS Zone Transfer

(4) Subdomain Enumeration

Subdomain Enumeration is a technique to identify unused subdomains registered with the organization. Many tools available for subdomain enumeration like Knockpy, sublist3r, etc. are some of them.

  • Download Link (Knockpy):
  • Download Link (Sublist3r):

The below video helps in installation and explains the usage of knockpy tool.

(5) Shodan (

It is considered the first search engine to identify assets that are connected t0 the internet. It helps identify the misconfigured IoT devices (like a camera), IT infrastructure and monitor an organization's network security.

(6) Certificate Transparency (CT) (

Certificate Authority (CA) needs to publish all SSL/TLS certificates which they issue. This portal is open for the public and anyone can see the CT logs and identify certificates issue for a particular domain.

Click Here to know Passive Reconnaissance Techniques for Penetration Testing

(7) Discovering Sensitive Files

Many tools are available for finding the URL of sensitive files. One such tool is dirb which is a web content discovery tool.


Click Here to know Passive Reconnaissance Techniques For Penetration Testing

(8) American Registry for Internet Numbers (ARIN)

ARIN organization manages the IP address numbers for the U.S. and its assigned territories. By using the below URL, you will get a lot of information related to an organization's systems configuration from public domain sources.


(9) Autonomous System Number (ASN)

To identify ASN for the organization, use by keyword.

(10) Port Scanning

To identify web ports and other useful information such as Operating System, device type, MAC addresses etc. by proving URL or IP.

Click Here to know 12 iOS Application Security Testing Tools 

Google: Ultimate Tool for Information Gathering

By using multiple google search options, you can find sensitive data lying unattended on the internet. Click Here to know more awesome queries that help you to get juicy information. filetype:pdf


For successful penetration testing, the above tools and resources help in expanding the horizon of the successful test. Also, it provides exposure to hidden targets that may be useful while assessing.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

1 Response

  1. homepage says:

    There is definately a great deal to know about this issue. I love all of the points you’ve made.

Leave a Reply

Your email address will not be published. Required fields are marked *