Information Gathering Using Kali Linux for Penetration Testing


Information Gathering is a crucial step in penetration testing .  Ideally the penetration testing begins with Information and needs a lot of effort at this step . In this tutorial we will explore some of the tools used for Information Gathering that are available in Kali Linux .



Here we will be using the tool called Harvester . Harvester Builds a list of email addresses for users at the target organization. The list of email addresses will then be verified to confirm they are valid. Start by using to find email addresses related to the organization. The script takes a domain name and searches Google, Bing, PGP servers, and a few other services to find email addresses, IP addresses, subdomains, and any virtual hosts on any shared IP addresses. When launching the script, specify the target domain with the -d flag, use the -b flag to specify the sources to query, usually ‘all’, and use the -f flag to save the results to an HTML file.

[email protected]:~# theharvester -d -b all -f vanshit 
******************************************************************* * * * | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ * * | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| * * | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | * * \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| * * * 
* TheHarvester Ver. 2.2a * 
* Coded by Christian Martorella * 
* Edge-Security Research * 
* [email protected] * 
Full harvest.. 
[-] Searching in Google.. 
Searching 0 results... 
Searching 100 results...



Next, find the target organization’s SMTP server. For this we use the DIG Utility available in Linux .

dig MX

Finally, query one of the SMTP servers to verify that the email addresses are valid. Use Telnet to connect to the SMTP server on port 25 and use the EXPN or VRFY commands. If those are not available, then attempt to send an email and use the RCPT TO command. Valid email addresses should receive a 250 OK response. Invalid email addresses will not.

telnet 25


Here we will create a list of targets and to gather information about them such as, name, title, email addresses, location, usernames, and interests.

Spreadsheets are helpful for keeping track of this information. Before doing these exercises, create a spreadsheet using Excel, LibreOffice, or Google Docs. The spreadsheet should include each of the columns mentioned above.

LinkedIn is a popular social media site for professionals and is a great place to start the list. The first step is to run a Google search. inurl:pub “at <organisation name>"

This will return a list of public LinkedIn profiles for individuals who work at or have worked at the target organization. For each person in the list, confirm he or she currently works at the target organization and add him or her to the spreadsheet. Next, search Facebook for publicly available information about the target organization and individuals.

Search for the organization’s name and the name, email address, and username of the target individuals. “<search terms>”

Next, search Twitter for publicly available information about the target organization and individuals. Search for the organization’s name and the name, email address, and username of the target individuals. “<search terms>”

Other web sources useful for gathering information about target individuals include, and


Metagoofil tool is used to find documents on the target organizations domain and to extract metadata from those documents. The meta data is the data about the data hidden within the file .  Metagoofil can be a bit flaky but it still provides useful information. Start by finding metadata in Microsoft word docs.

[email protected]:~# metagoofil -d -t doc -l 200 -n 50 -o /root/
-f /root/file.html 
[+] List of users found:
Lydia Jallow 
M. Renee Brown 
Renee Brown Doug 
Kelley powell_c 
Johnson Caroline 
[+] List of software found:
Microsoft Word 10.0 
Microsoft Office Word 
Microsoft Office Word 
Microsoft Office Word 
[+] List of paths and servers found: 
[+] List of e-mails found:

In this case, Metagoofil found a few users and a couple of versions of Microsoft Office. All of the
downloaded files are saved in the directory specified by the -o flag. If all goes well, a report
should be generated as well.The file versions are particularly helpful when planning client
-side attacks.

Some other Important Information Gathering Tools Worth exploring in Kali : 


“Recon-ng is a full-featured Web Reconnaissance framework written in Python, [which] provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.”

To get the best results from recon-ng, it is necessary to register for API keys at sites like LinkedIn, Google, Twitter, and Shodan. Those API keys can then be added to the Recon-ng configuration database.


“The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Maltego has a community edition and a paid edition. The community edition can be accessed after creating a free account at Paterva.

Though there are many other tools present in the Kali Linux for Information gathering and you can feel completely free to explore those tools , but this is it for this tut .  If you face difficulty with any of the Kali tools or any other tools for that matter , please put it in the comments section .

I will surely help you with it . 

If this post was helpful please Like and Share . Keeps us Motivated !