Gather Information on websites
What is information gathering
Information gathering is the art of collecting information about your target. Before hacking into websites or systems you have to gain as much information as possible about your target.
Information gathering is the very first phase of penetration testing. If the information gathered shows a poorly defended computer system, an attack will be launched and unauthorized access will be gained. However, if the target is highly protected, the hacker will think twice before attempting to break in. It will depend on the tools and systems that protect the target. Again, the key here is the amount of information gathered beforehand.
With Kali Linux we have many great tools for gathering information effectively.
Open your terminal :
Extract basic information about a website
Whois extracts basic information about the website, like nameservers, registrar name, admin email, phone number (only if not protected), domain expiry date, etc.
root@seven:~# whois microsoft.com
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: email@example.com
Registry Admin ID:
Get the IP addresses of a website
It's always a good idea to find all the available IP addresses of your target; this way you always know what website you are targeting.
The host tool returns all the available IP addresses of a host.
root@seven:~# host microsoft.com
microsoft.com has address 22.214.171.124
microsoft.com has address 126.96.36.199
microsoft.com has address 188.8.131.52
microsoft.com has address 184.108.40.206
microsoft.com has address 220.127.116.11
Additional information with -a
The -a (all) option is equivalent to setting the -v option and asking host to make a query of type ANY.
root@seven:~# host -a microsoft.com
;microsoft.com. IN ANY
;; ANSWER SECTION:
microsoft.com. 1594 IN A 18.104.22.168
microsoft.com. 1594 IN A 22.214.171.124
microsoft.com. 1594 IN A 126.96.36.199
microsoft.com. 1594 IN A 188.8.131.52
microsoft.com. 1594 IN A 184.108.40.206
microsoft.com. 19594 IN NS ns1.msft.net.
microsoft.com. 19594 IN NS ns2.msft.net.
microsoft.com. 19594 IN NS ns3.msft.net.
microsoft.com. 19594 IN NS ns4.msft.net.
microsoft.com. 1594 IN SOA ns1.msft.net. msnhst.microsoft.com. 2015122303 7200 600 2419200 3600
microsoft.com. 1594 IN MX 10 microsoft-com.mail.protection.outlook.com.
microsoft.com. 1594 IN TXT "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com
Received 649 bytes from 192.168.150.2#53 in 1020 ms
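As an added example that is not part of the original tutorial, the POSIX shell script below parses `host -a` output in the layout shown above into one line per record type and reports the SPF policy, which is useful for reviewing your own domain's exposure and for diffing results between runs. The answer section it parses is a constructed sample (example.com, 192.0.2.x addresses, made-up record values); in real use you would feed it the output of `host -a` instead.

```shell
#!/bin/sh
# Added example: summarize the answer section of a `host -a` (type ANY) query.
# SAMPLE_ANSWER is a constructed sample in the same layout `host -a` prints;
# replace it with real output, e.g. SAMPLE_ANSWER="$(host -a example.com)".
SAMPLE_ANSWER='
;example.com. IN ANY
;; ANSWER SECTION:
example.com.   1594  IN  A    192.0.2.10
example.com.   1594  IN  A    192.0.2.11
example.com.  19594  IN  NS   ns1.example.net.
example.com.  19594  IN  NS   ns2.example.net.
example.com.   1594  IN  SOA  ns1.example.net. hostmaster.example.com. 2015122303 7200 600 2419200 3600
example.com.   1594  IN  MX   10 mail.example.com.
example.com.   1594  IN  TXT  "v=spf1 include:_spf.example.com -all"
Received 649 bytes from 192.0.2.53#53 in 20 ms
'

# records TYPE: print the RDATA of every record of the given type (A, NS, MX, ...).
# Only lines whose third field is IN are resource records; the ";" comment
# lines and the trailing "Received ..." line are skipped.
records() {
  printf '%s\n' "$SAMPLE_ANSWER" | awk -v want="$1" '
    $3 == "IN" && $4 == want {
      out = $5
      for (i = 6; i <= NF; i++) out = out " " $i
      print out
    }'
}

# count TYPE: number of records of that type (0 when none are present).
count() { records "$1" | awk 'END { print NR }'; }

# spf_policy: the terminal "all" mechanism of the SPF TXT record
# (-all = hard fail, ~all = soft fail, +all or ?all = effectively no policy).
spf_policy() {
  records TXT | awk '/v=spf1/ { gsub(/"/, ""); print $NF }'
}

for t in A NS MX SOA TXT; do
  echo "$t ($(count "$t")):"
  records "$t" | sed 's/^/  /'
done
echo "SPF policy: $(spf_policy)"
```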
A quick Nmap scan
Nmap is a versatile tool for network scanning. A quick Nmap scan checks for basic services running on the server.
root@seven:~# nmap linuxxcomputing.com
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-19 06:24 EST
Nmap scan report for linuxxcomputing.com (220.127.116.11)
Host is up (0.032s latency).
rDNS record for 18.104.22.168: ip-107-180-0-245.ip.secureserver.net
Not shown: 986 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
25/tcp open  smtp
Scan for IPv4, IPv6, FTP, sub-domains and more
dnsmap is an awesome tool. It scans for IPv4, IPv6, FTP, sub-domains and more, and returns all the possible IP addresses.
root@seven:~# dnsmap microsoft.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for microsoft.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

accounts.microsoft.com
IP address #1: 22.214.171.124

beta.microsoft.com
IP address #1: 126.96.36.199

billing.microsoft.com
IP address #1: 188.8.131.52

blogs.microsoft.com
IP address #1: 184.108.40.206

c.microsoft.com
IP address #1: 220.127.116.11

catalog.microsoft.com
IP address #1: 18.104.22.168

cd.microsoft.com
IP address #1: 22.214.171.124

connect.microsoft.com
IP address #1: 126.96.36.199

cs.microsoft.com
IP address #1: 188.8.131.52

customers.microsoft.com
IP address #1: 184.108.40.206

da.microsoft.com
IP address #1: 220.127.116.11

demo.microsoft.com
IP address #1: 18.104.22.168

developers.microsoft.com
IP address #1: 22.214.171.124
IP address #2: 126.96.36.199
There is another useful tool for collecting information on websites. dig (domain information groper) is a flexible tool for interrogating DNS name servers.
root@seven:~# dig www.microsoft.com
These are some basic techniques to collect information on a website. For more flexible techniques, use the following tools:
It is a graphical tool for collecting information on websites. Easily one of the best tools available.
is a versatile tool; it detects the operating system, IDS, ports and more.
gathers sub-domains, IP addresses, emails, etc.