
Gather Information on websites

What is information gathering?

Information gathering is the art of collecting information about your target. Before attacking websites or systems in a penetration test you have to gain as much information as possible about your target.

Information gathering is the very first phase of penetration testing. If the information gathered shows a poorly defended computer system, an attack will be launched and unauthorized access will be gained. However, if the target is highly protected, the hacker will think twice before attempting to break in; that decision depends on the tools and systems that protect the target. Again, the key here is the amount of information gathered beforehand.

With Kali Linux we have many great tools for gathering information effectively.

Open your terminal:

Extract basic information about a website

Whois extracts basic registration information about the website, such as nameservers, registrar name, admin email, phone number (only if not protected), domain expiry date, etc.

root@seven:~# whois microsoft.com
Registry Registrant ID: 
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way, 
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext: 
Registrant Fax: +1.4259367329
Registrant Fax Ext: 
Registrant Email: domains@microsoft.com
Registry Admin ID: 

Get the IP addresses of a website

It is always a good idea to find all the available IP addresses of your target, so that you always know exactly what you are targeting.

The host tool returns all the available IP addresses of a hostname.

root@seven:~# host  microsoft.com
microsoft.com has address 104.40.211.35
microsoft.com has address 104.43.195.251
microsoft.com has address 23.100.122.175
microsoft.com has address 23.96.52.53
microsoft.com has address 191.239.213.197

Additional information with -a

The -a (all) option is equivalent to setting the -v option and asking host to make a query of type ANY.

root@seven:~# host -a microsoft.com

;microsoft.com.			IN	ANY

;; ANSWER SECTION:
microsoft.com.		1594	IN	A	191.239.213.197
microsoft.com.		1594	IN	A	104.40.211.35
microsoft.com.		1594	IN	A	104.43.195.251
microsoft.com.		1594	IN	A	23.100.122.175
microsoft.com.		1594	IN	A	23.96.52.53
microsoft.com.		19594	IN	NS	ns1.msft.net.
microsoft.com.		19594	IN	NS	ns2.msft.net.
microsoft.com.		19594	IN	NS	ns3.msft.net.
microsoft.com.		19594	IN	NS	ns4.msft.net.
microsoft.com.		1594	IN	SOA	ns1.msft.net. msnhst.microsoft.com. 2015122303 7200 600 2419200 3600
microsoft.com.		1594	IN	MX	10 microsoft-com.mail.protection.outlook.com.
microsoft.com.		1594	IN	TXT	
"v=spf1 include:_spf-a.microsoft.com include:_
spf-b.microsoft.com include:_spf-c.microsoft.com 
Received 649 bytes from 192.168.150.2#53 in 1020 ms
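The whois and host output above is meant to be read by a person, but on an engagement you normally want it as structured data you can check and keep. The following Python is an added example (not part of the original post and not code from any Kali tool): it parses whois "Key: value" lines and the ANSWER SECTION of `host -a` into dictionaries, then runs a few defender-side checks on the DNS records. The samples are constructed from the output on this page with the wrapped SOA/MX/TXT lines joined back together; the page's TXT record is cut off, so the "-all" terminator at its end is an assumption, and all function names are this example's own.

```python
"""Turn whois and `host -a` output into a structured inventory and sanity-check it."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the whois output shown on the page.
WHOIS_OUTPUT = """\
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Email: domains@microsoft.com
Registry Admin ID: 
"""

# Constructed sample: the ANSWER SECTION of `host -a` from the page, wrapped lines
# re-joined. The page's TXT record is truncated, so the trailing "-all" is assumed.
HOST_A_OUTPUT = """\
;; ANSWER SECTION:
microsoft.com.\t\t1594\tIN\tA\t191.239.213.197
microsoft.com.\t\t1594\tIN\tA\t104.40.211.35
microsoft.com.\t\t19594\tIN\tNS\tns1.msft.net.
microsoft.com.\t\t19594\tIN\tNS\tns2.msft.net.
microsoft.com.\t\t1594\tIN\tSOA\tns1.msft.net. msnhst.microsoft.com. 2015122303 7200 600 2419200 3600
microsoft.com.\t\t1594\tIN\tMX\t10 microsoft-com.mail.protection.outlook.com.
microsoft.com.\t\t1594\tIN\tTXT\t"v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com -all"
Received 649 bytes from 192.168.150.2#53 in 1020 ms
"""


def parse_whois(text):
    """whois prints 'Key: value' lines; keep only the keys that carry a value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


# name  ttl  IN  TYPE  rdata   (the columns host prints for each resource record)
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_host_answer(text):
    """Group the resource records of `host -a` output by type: {'A': [...], 'NS': [...], ...}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records[m["type"]].append(m["rdata"].strip())
    return dict(records)


def spf_policy(records):
    """Return the SPF mechanisms of the first TXT record that starts with v=spf1, else []."""
    for txt in records.get("TXT", []):
        value = txt.strip('"')
        if value.startswith("v=spf1"):
            return value.split()[1:]
    return []


def dns_findings(records):
    """Defender-side checks a domain owner would want to see on these records."""
    findings = []
    if len(records.get("NS", [])) < 2:
        findings.append("fewer than two NS records: single point of failure")
    spf = spf_policy(records)
    if not spf:
        findings.append("no SPF record: the domain can be used in forged mail")
        return findings
    if spf[-1] not in ("-all", "~all"):
        findings.append("SPF does not end in -all/~all: unlisted senders are allowed")
    # RFC 7208 caps the DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) at 10.
    lookups = 0
    for mech in spf:
        name = mech.lstrip("+-~?").split(":")[0].split("/")[0]
        if name in ("include", "a", "mx", "ptr", "exists") or mech.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append("SPF exceeds the 10-lookup limit: receivers will treat it as permerror")
    return findings


if __name__ == "__main__":
    print(parse_whois(WHOIS_OUTPUT))
    recs = parse_host_answer(HOST_A_OUTPUT)
    print(recs)
    print(spf_policy(recs), dns_findings(recs))
```

Feed it the real output by piping `host -a example.com` (or `whois example.com`) into the parser. Note that many name servers now answer ANY queries with a deliberately minimal response (RFC 8482), so when `-a` returns little, query the record types individually (`host -t MX`, `host -t TXT`, and so on) and parse those answers the same way.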

A quick Nmap scan

Nmap is a versatile tool for network scanning. A quick Nmap scan shows the basic services running on the server.

root@seven:~# nmap  linuxxcomputing.com

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 06:24 EST
Nmap scan report for linuxxcomputing.com (107.180.0.245)
Host is up (0.032s latency).
rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net
Not shown: 986 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
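A scan like this is only useful if someone compares it against what the host is supposed to expose. The Python below is an added example (not part of the original post, and not Nmap's own code): it parses Nmap's normal output into a target and a port list, then diffs the open ports against a baseline so that unexpected services and missing expected ones both stand out. The sample is constructed from the scan shown above (the three ports the page lists), and the baseline, which assumes a plain web host that should only expose SSH, HTTP and HTTPS, is an assumption of this example.

```python
"""Parse a quick Nmap scan and compare its open ports against an expected baseline."""
import re

# Constructed sample: the scan output shown on the page.
NMAP_OUTPUT = """\
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 06:24 EST
Nmap scan report for linuxxcomputing.com (107.180.0.245)
Host is up (0.032s latency).
rDNS record for 107.180.0.245: ip-107-180-0-245.ip.secureserver.net
Not shown: 986 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
"""

# "21/tcp    open   ftp"  ->  port, protocol, state, service
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
# "Nmap scan report for name (ip)"; the parenthesised IP is absent when the target was given as an IP
TARGET_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)(?: \((?P<ip>[^)]+)\))?")


def parse_nmap(text):
    """Return ({'host':..., 'ip':...}, [(port, proto, state, service), ...])."""
    target, ports = None, []
    for line in text.splitlines():
        t = TARGET_LINE.match(line)
        if t:
            target = {"host": t["host"], "ip": t["ip"] or t["host"]}
            continue
        p = PORT_LINE.match(line)
        if p:
            ports.append((int(p["port"]), p["proto"], p["state"], p["service"]))
    return target, ports


def compare_to_baseline(ports, expected):
    """expected: set of (port, proto) the host is supposed to expose.
    Returns (open ports not in the baseline, baseline ports that were not open)."""
    open_ports = {(port, proto) for port, proto, state, _ in ports if state == "open"}
    return sorted(open_ports - expected), sorted(expected - open_ports)


if __name__ == "__main__":
    target, ports = parse_nmap(NMAP_OUTPUT)
    # Assumed baseline for a plain web host: SSH for administration plus HTTP/HTTPS.
    baseline = {(22, "tcp"), (80, "tcp"), (443, "tcp")}
    unexpected, missing = compare_to_baseline(ports, baseline)
    print(target)
    print("unexpected open:", unexpected)   # FTP and SMTP are not in the baseline
    print("expected but not open:", missing)
```

Run `nmap -oN scan.txt target` and feed the file to `parse_nmap`. A default scan only covers Nmap's 1000 most common TCP ports, and the "Not shown: 986 filtered ports" line tells you how many of those were filtered, so a clean diff against the baseline says nothing about ports outside that set; widen the scan (`-p-`) before treating the baseline comparison as complete.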

Scan for IPv4, IPv6, FTP, sub-domains and more

dnsmap is an awesome tool. It scans for IPv4, IPv6, FTP, sub-domains and more, and returns all the possible IP addresses.

root@seven:~# dnsmap microsoft.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for microsoft.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

accounts.microsoft.com
IP address #1: 64.4.16.215

beta.microsoft.com
IP address #1: 65.55.58.14

billing.microsoft.com
IP address #1: 168.62.198.20

blogs.microsoft.com
IP address #1: 23.96.115.47

c.microsoft.com
IP address #1: 134.170.188.139

catalog.microsoft.com
IP address #1: 134.170.185.174

cd.microsoft.com
IP address #1: 104.43.234.236

connect.microsoft.com
IP address #1: 65.55.58.14

cs.microsoft.com
IP address #1: 23.97.49.121

customers.microsoft.com
IP address #1: 134.170.184.162

da.microsoft.com
IP address #1: 131.228.121.70

demo.microsoft.com
IP address #1: 168.62.208.108

developers.microsoft.com
IP address #1: 134.170.188.221
IP address #2: 134.170.185.46
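The dnsmap listing above is a flat list, and its value comes from what you do with it: which names resolve to the same server, and which address ranges the organisation actually uses. The Python below is an added example (not part of the original post and not dnsmap's own code): it parses dnsmap's "hostname / IP address #n" blocks into a dictionary, inverts it to find sub-domains that share an address, and groups the addresses by network prefix. The sample is a constructed excerpt of the run shown above, and the function names are this example's own.

```python
"""Parse dnsmap output and summarise it as an asset inventory."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: an excerpt of the dnsmap run shown on the page.
DNSMAP_OUTPUT = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for microsoft.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

accounts.microsoft.com
IP address #1: 64.4.16.215

beta.microsoft.com
IP address #1: 65.55.58.14

connect.microsoft.com
IP address #1: 65.55.58.14

developers.microsoft.com
IP address #1: 134.170.188.221
IP address #2: 134.170.185.46
"""

IP_LINE = re.compile(r"^IP address #\d+:\s*(\S+)$")


def parse_dnsmap(text, domain):
    """Return {subdomain: [ip, ...]}.
    A bare hostname line ending in the domain opens a new entry; the
    'IP address #n:' lines that follow belong to it."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("." + domain) and " " not in line:
            current = line
            hosts.setdefault(current, [])
            continue
        m = IP_LINE.match(line)
        if m and current:
            hosts[current].append(m.group(1))
    return hosts


def hosts_by_ip(hosts):
    """Invert to {ip: sorted subdomains}."""
    index = defaultdict(list)
    for name, ips in hosts.items():
        for ip in ips:
            index[ip].append(name)
    return {ip: sorted(names) for ip, names in index.items()}


def shared_addresses(hosts):
    """Names that resolve to the same address sit on the same server, so they
    share its exposure; a defender wants that list to match the intended design."""
    return {ip: names for ip, names in hosts_by_ip(hosts).items() if len(names) > 1}


def networks(hosts, prefixlen=24):
    """Group the discovered addresses by /prefixlen so the ranges in use
    (own data centre, cloud, CDN) stand out."""
    nets = defaultdict(set)
    for name, ips in hosts.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            nets[str(net)].add(name)
    return {net: sorted(names) for net, names in sorted(nets.items())}


if __name__ == "__main__":
    found = parse_dnsmap(DNSMAP_OUTPUT, "microsoft.com")
    print(len(found), "sub-domains")
    print("shared addresses:", shared_addresses(found))
    print("networks:", networks(found))
```

In this sample beta and connect resolve to the same address, and the developers host spans two /24 networks; on a real run, comparing `networks()` against the ranges you know you own is a quick way to spot forgotten hosting or third-party services.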

There is another useful tool for collecting information on websites: dig (domain information groper) is a flexible tool for interrogating DNS name servers.

root@seven:~# dig www.microsoft.com

These are some basic techniques to collect information on a website. For more flexible techniques, use the following tools:

Maltego
A graphical tool for collecting information on websites. Easily one of the best tools available.

Nmap
A versatile tool that detects operating systems, IDS, ports and more.

theHarvester
Gathers sub-domains, IP addresses, e-mail addresses, etc.