
    Information Gathering

    In this section, we will discuss various techniques to gather information about the client using Whois Lookup, Netcraft, and Robtex. Then we will see how we can attack a server by targeting websites that are hosted on that server. Continuing through the information-gathering section, we will learn about subdomains and how they can be useful for performing attacks. Later we are going to look for files on the target system to gather some information and also analyze that data.

    Now, we will do information gathering before we start trying to exploit. We are going to gather as much information as we can about the target: its IP address, the technology used on the website, the domain name information, which programming language is used, what kind of server is installed, and what kind of database is being used. We will gather the company's information and its DNS records. We will also look for subdomains that are not visible to other people, and for files that are not listed. We can use any of the information-gathering tools we used before; for example, we can use Maltego, insert an entity as a website, and start running actions. We can also use Nmap, or even Nexpose, to test the infrastructure of the website and see what information we can gather from that.

    Whois Lookup

    In this section, we are going to have a look at Whois Lookup. WHOIS is a protocol that is used to find the owners of internet resources, for example a domain, a server, or an IP address. Here we are not actually hacking; we are just retrieving information from a database about who owns resources on the internet. For example, if we wanted to register a domain name like zaid.com, we would have to supply information about the person registering it, such as an address, and then the domain name would be stored in our name and people would see that Zaid owns the domain name. That is all we are going to do.

    If we google Whois Lookup, we will see a lot of websites providing the service. We are going to use http://whois.domaintools.com, enter our target domain name, isecurity.org, and press the Search button, as shown in the following screenshot:

    In the following screenshot, we can see that we get a lot of information about our target website:

    We can see the email address listed as the contact for the domain name. Usually we would also see the address of the company that registered the domain name, but we can see that this company is using WHOIS privacy on their domain. If the company were not using privacy, we would be able to see their address and much more information about the actual company.

    We can see when the domain name was created, and we can also see the IP address of isecurity.org. If we ping the domain name, we should get the same IP address as the one shown in the following screenshot.

    If we run ping www.isecurity.org, the same IP address is returned:

    In the above screenshot, we can see the IP Location and Domain Status, and we can also access the History, but we need to register for that. Again, we can use this information to find exploits.

    In the following screenshot, in the Whois Record, we can find more information about the company that registered this domain:

    This is basic information, but it is very helpful in the long run: just knowing what their IP is, what our target is, and what services they are using. We can see the name servers that are being used, and we can also see which company provides them.
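    The WHOIS protocol exchange and record described above, as an added example that is not part of the original tutorial: the query is the domain name plus CRLF sent over TCP port 43 (RFC 3912), and the reply is plain `Key: Value` text. The record below is a constructed placeholder (not the real isecurity.org output), and the helper names `fetch_whois`, `parse_whois`, `registrant_exposed` and `days_until_expiry` are this example's own; they pull out the same fields the tutorial reads off the screenshot (creation date, name servers, whether registrant privacy is on) plus the expiry date, which matters when checking your own domains.

```python
import re
import socket
from datetime import datetime

# Constructed sample WHOIS record: domain, registrar, dates and name servers are placeholders.
SAMPLE_RECORD = """\
Domain Name: EXAMPLE-TARGET.ORG
Registrar: Example Registrar, LLC
Creation Date: 2008-03-14T09:21:00Z
Registry Expiry Date: 2026-03-14T09:21:00Z
Domain Status: clientTransferProhibited
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""

# Phrases registrars put in place of real registrant data when privacy is enabled.
REDACTION = re.compile(r"redacted|privacy|proxy|rdds|not disclosed", re.I)

def fetch_whois(domain, server, port=43, timeout=10):
    """Raw WHOIS exchange per RFC 3912: send query + CRLF on TCP 43, read until EOF."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """'Key: Value' lines -> dict of lists (keys such as 'Name Server' repeat)."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue  # comment lines, footers and blank lines
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def registrant_exposed(record):
    """True if any Registrant field carries contact data rather than a privacy notice."""
    return any(not REDACTION.search(v)
               for k, vals in record.items() if k.startswith("registrant ")
               for v in vals)

def days_until_expiry(record, today_iso):
    """Days from today_iso (ISO 8601 with offset) to registry expiry; a lapsed domain can be re-registered by anyone."""
    expiry = record["registry expiry date"][0].replace("Z", "+00:00")  # Python < 3.11 fromisoformat
    return (datetime.fromisoformat(expiry) - datetime.fromisoformat(today_iso)).days
```

    Run `parse_whois(SAMPLE_RECORD)` offline to see the parsed fields; `fetch_whois("example.org", "whois.pir.org")` performs the live query against the registry's WHOIS server and its output can be passed to the same parser.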

    Copyright 1999- Ducat Creative, All rights reserved.