Ethical hacking tools and techniques: Information gathering

This portion of a tip on network penetration testing and ethical hacking tools and techniques discusses information gathering for security consultants and value-added resellers (VARs).

There are several tools, including public sources such as Whois and Nslookup, that can help you gather information about your target network (that is, your customer). Whois is usually the first stop in reconnaissance. You'll find information like the domain's registrant, its administrative and technical contacts, and a listing of their domain servers. Nslookup is a program used to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure and find additional IP addresses. It can also use the MX record to reveal the IP of the mail server.

Another information source is ARIN (American Registry of Internet Numbers). ARIN allows you to search the Whois database to locate information on a network's autonomous system numbers (ASNs), network-related handles and other related point-of-contact info. ARIN's Whois function enables you to query the IP address to find information on the target's use of subnet addressing.

The common Traceroute utility is also very handy. Traceroute works by exploiting a feature of the Internet Protocol called Time to Live (TTL). It reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs. As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, it sends back a "TTL exceeded" ICMP message to the origination. Therefore, routers with DNS entries reveal the name of routers, network affiliation and geographic location.

A utility called Visual Trace by McAfee displays the traceroute output visually either in map view, node view and IP view.

Here are other useful Windows-based tools for information gathering:

  • VisualRoute by VisualWare includes integrated traceroute, ping tests, reverse DNS and Whois lookups, and displays the actual route of connections and IP address locations on a global map.

  • Like Whois, SmartWhois by TamoSoft obtains comprehensive info about the target: IP address, host name or domain, including country, state or province, city, name of the network provider, administrator and technical support contact information. But unlike Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a few seconds.

  • Sam Spade, a freeware tool primarily used to track down spammers, can also be used to provide information about a target. It comes with a host of useful network tools including ping, nslookup, Whois, IP block Whois, dig, traceroute, finger, SMTP, VRFY, Web browser, keep-alive, DNS zone transfer, SMTP relay check and more.

Ethical hacking tools and techniques

 Information gathering
 Port scanning
 Vulnerability scanning
  Password cracking

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. He is available to answer your security threat questions via Ask the Expert.

Dig Deeper on MSP business strategy

Cloud Computing
Data Management
Business Analytics