OffSec Live: PEN-200

Today we’ll be focusing on passive information gathering (which should really be the first thing you do).

The big conceptual difference between “active” and “passive” information gathering is whether your activity “looks normal” to the defenders. So, browsing a website is passive (though it’s not strictly so), as is using third-party tools that would not alert the defenders (so Shodan, Google, and Netcraft are passive, but online port scanners are not).


The whois tool can also be used on IP addresses (in which case it will do a reverse lookup):

whois $IP_ADDRESS 

Google Hacking

Google search operators/hacks:


You can get a lot of additional server and DNS information using This can also turn up subdomains.

Harvesting Email

“The Harvester” is a tool for harvesting email addresses and subdomains from public websites.



Give it an IP, get back open ports, service versions, etc. There’s a lot of overlap with Netcraft, though not enough to make either tool redundant.

Shodan supports a lot of different filters for different services, IoT devices, vulnerabilities, etc.

Stack Overflow

See if you can find accounts that are linked to your target, and then look for the questions they’ve asked. Sometimes the “answers” are not actually secure, and can be exploited!