Information gathering is the first and most important step in hacking or pentesting a target system successfully. As a hacker for hire, the hacker should understand that gathering information as fast as possible is essential. Whenever a client contacts us asking for a pentest of a system, our first step is to gather some information quickly. But how do we do this? We will show you a few examples in this tutorial. But let us be frank: we use various information-gathering tools and Google to do this. Google is a very powerful information-gathering tool.
We use a whois tool
The whois command is used to retrieve basic registration information for a domain or IP address. Some valuable information for future social engineering can be found there.
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-12-18T05:45:43-0800
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895770
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Oath Inc.
Registrant Street: 22000 AOL Way
Registrant City: Dulles
Registrant State/Province: VA
Registrant Postal Code: 20166
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Oath Inc.
Admin Street: 22000 AOL Way
Admin City: Dulles
Admin State/Province: VA
Admin Postal Code: 20166
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Oath Inc.
Tech Street: 22000 AOL Way
Tech City: Dulles
Tech State/Province: VA
Tech Postal Code: 20166
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ns1.yahoo.com
Name Server: ns3.yahoo.com
Name Server: ns4.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns2.yahoo.com
What information is useful here?
- Organization Name.
- Address.
- Email Address.
- Phone Number.
This information is needed to make a social engineering attack.
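As an added example (not part of the original post), here is a small parser for the "Key: value" layout of the whois record above. It pulls out the four fields listed as useful, grouped per contact role, and from the domain owner's side checks whether the three client-side registrar locks shown in the Domain Status lines are all set. The record it parses is a constructed excerpt for example.com, not the real yahoo.com record.

```python
import re

# Constructed excerpt in the same "Key: value" layout as the whois record above (far fewer fields).
SAMPLE_WHOIS = """\
Domain Name: example.com
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: Example Corp.
Registrant Street: 1 Example Way
Registrant City: Springfield
Registrant Country: US
Registrant Phone: +1.5555550100
Registrant Fax:
Registrant Email: hostmaster@example.com
Name Server: ns1.example.com
Name Server: ns2.example.com
"""

# The three client-side EPP locks a registrar sets on request; a domain missing
# any of them is easier to transfer, modify or delete through the registrar.
EXPECTED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (Domain Status and Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):                 # skip empty values such as "Registrant Fax:"
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def contact_summary(fields):
    """The fields the post lists as useful (organization, address, email, phone), per contact role."""
    first = lambda key: fields.get(key, [None])[0]
    summary = {}
    for role in ("Registrant", "Admin", "Tech"):
        if first(f"{role} Organization"):
            address = ", ".join(first(f"{role} {k}") or "" for k in ("Street", "City", "Country"))
            summary[role] = {"organization": first(f"{role} Organization"), "address": address,
                             "email": first(f"{role} Email"), "phone": first(f"{role} Phone")}
    return summary

def missing_locks(fields):
    """Registrar locks absent from the Domain Status lines: a hardening gap for the domain owner."""
    present = {status.split()[0] for status in fields.get("Domain Status", [])}
    return sorted(EXPECTED_LOCKS - present)
```

Run against the yahoo.com record above, `missing_locks` returns an empty list, since all six locks are present; the constructed record lacks clientUpdateProhibited.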
DNS Enumeration – Powerful Information Gathering
DNS enumeration is an important part of information gathering. We quickly try to find all the sub-domains of a target's main domain. The main domain might not be vulnerable, but that does not mean the other sub-domains are not vulnerable, so we do not forget to discover all the sub-domains. Here we quickly use Google and some tools. One example is:
fierce -dns yahoo.com
DNS Servers for yahoo.com:
        ns3.yahoo.com
        ns1.yahoo.com
        ns2.yahoo.com
        ns4.yahoo.com
        ns5.yahoo.com

Trying zone transfer first...
        Testing ns3.yahoo.com
                Request timed out or transfer not allowed.
        Testing ns1.yahoo.com
                Request timed out or transfer not allowed.
        Testing ns2.yahoo.com
                Request timed out or transfer not allowed.
        Testing ns4.yahoo.com
                Request timed out or transfer not allowed.
        Testing ns5.yahoo.com
                Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
204.71.200.40   old-sh30.us.rmi.yahoo.com
204.71.200.15   bas2-m.snv.yahoo.com
204.71.200.1    bas1-r-vip.snv.yahoo.com
204.71.200.14   bas1-m.snv.yahoo.com
204.71.200.16   et.old-ip.yahoo.com
204.71.200.17   ppt.old-ip.yahoo.com
204.71.200.19   bkt.old-ip.yahoo.com
204.71.200.33   dl3-a.yahoo.com
204.71.200.34   dl3-b.yahoo.com
204.71.200.39   old-sh29.us.rmi.yahoo.com
204.71.200.42   old-e20.yahoo.com
204.71.200.45   a5.yahoo.com
204.71.200.46   a6.yahoo.com
204.71.200.50   old-feed.sports.yahoo.com
204.71.200.51   old-admon1.yahoo.com
204.71.200.54   csalt.yahoo.com
204.71.200.55   csalt.yahoo.com
204.71.200.62   old-uds3.yahoo.com
204.71.200.65   e19.yahoo.com
204.71.200.73   old-rest6.yahoo.com
Sometimes we use another tool for quick information gathering, called DMitry:
dmitry -sen yahoo.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:98.138.219.232
HostName:yahoo.com

Gathered Netcraft information for yahoo.com
Retrieving Netcraft.com information for yahoo.com
Netcraft.com Information gathered

Gathered Subdomain information for yahoo.com
Searching Google.com:80...
HostName:www.yahoo.com
HostIP:98.138.219.232
HostName:mail.yahoo.com
HostIP:69.147.86.12
HostName:ca.yahoo.com
HostIP:98.138.219.232
HostName:uk.yahoo.com
HostIP:98.137.246.8
HostName:calendar.yahoo.com
HostIP:69.147.86.12
HostName:ca.rogers.yahoo.com
---truncate---
Found 44 possible subdomain(s) for host yahoo.com, Searched 0 pages containing 0 results

Gathered E-Mail information for yahoo.com
Searching Google.com:80...
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
----truncate----
Searching Altavista.com:80...
Found 85 E-Mail(s) for host yahoo.com, Searched 0 pages containing 0 results

All scans completed, exiting
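The two tools above print their results in different layouts, and the post goes on to feed a saved list of hosts to the next tool. As an added example (our own glue code, not part of either tool or of the original post), the snippet below reads both formats into one hostname-to-IP map, writes the URL list that `whatweb -i` consumes, and flags IPs shared by several names, which is where virtual hosting hides sites that scanning the bare IP would miss. The excerpts it parses are constructed from a few lines of the outputs shown above.

```python
import re

# Constructed excerpts in the two formats printed above (fierce: "<ip><tab><name>"; DMitry: HostName/HostIP).
FIERCE_OUT = """\
Now performing 2280 test(s)...
204.71.200.40\told-sh30.us.rmi.yahoo.com
204.71.200.15\tbas2-m.snv.yahoo.com
204.71.200.54\tcsalt.yahoo.com
204.71.200.55\tcsalt.yahoo.com
"""
DMITRY_OUT = """\
HostName:www.yahoo.com
HostIP:98.138.219.232
HostName:ca.yahoo.com
HostIP:98.138.219.232
HostName:ca.rogers.yahoo.com
"""
FIERCE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def add_fierce(text, hosts):
    """Add fierce brute-force results to hosts (hostname -> set of IPs)."""
    for line in text.splitlines():
        m = FIERCE_RE.match(line.strip())
        if m:
            hosts.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return hosts

def add_dmitry(text, hosts):
    """Add DMitry results; a HostName with no HostIP line keeps an empty set."""
    current = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "HostName":
            current = value.strip().lower()
            hosts.setdefault(current, set())
        elif key == "HostIP" and current:
            hosts[current].add(value.strip())
    return hosts

def url_list(hosts, scheme="http"):
    """One URL per host, sorted: the list file that `whatweb -i` reads."""
    return [f"{scheme}://{name}" for name in sorted(hosts)]

def shared_ips(hosts):
    """IPs serving several names (virtual hosting): test each name, not just the IP."""
    by_ip = {}
    for name, ips in hosts.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

Writing `"\n".join(url_list(hosts))` to dmn.txt gives the input file used in the whatweb run that follows.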
All the information found needs to be saved for further analysis. After finding the sub-domains, another tool called whatweb can be used to gather more information about what is listening on port 80. We use this tool because it can take a list of URLs from a file, and we like this tool. This is just part of quick information gathering:
whatweb -i dmn.txt -v
WhatWeb report for http://aboutme.google.com
Status    : 301 Moved Permanently
Title     :
IP        : 172.217.1.142
Country   : UNITED STATES, US

Summary   : X-XSS-Protection[0], HttpOnly[NID], Cookies[NID], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], RedirectLocation[https://aboutme.google.com/], HTTPServer[ESF]

Detected Plugins:
[ Cookies ]
        Display the names of cookies in the HTTP headers. The values are not returned to save on space.
        String       : NID

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.
        String       : ESF (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie response header and the browser supports it then the cookie cannot be accessed through client side script - More Info: http://en.wikipedia.org/wiki/HTTP_cookie
        String       : NID

[ RedirectLocation ]
        HTTP Server string location. used with http-status 301 and 302
        String       : https://aboutme.google.com/ (from location)

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the HTTP header. - More Info: http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx
        String       : SAMEORIGIN

[ X-XSS-Protection ]
        This plugin retrieves the X-XSS-Protection value from the HTTP header. - More Info: http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx
        String       : 0

HTTP Headers:
        HTTP/1.1 301 Moved Permanently
        Content-Type: application/binary
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Tue, 17 Mar 2020 18:48:32 GMT
        Location: https://aboutme.google.com/
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        Server: ESF
        Content-Length: 0
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        Set-Cookie: NID=200=kpKeS2ZeY5qNpBahFSIWzlcxpLcI4g0g8kWN4jD7ffNdvBQmQekzBiJs264s50zP93owC16slSpkNMJKDTwwSJbFalBn4etmPN1uxxVm7nvaQO4XKyDA2RuOPp_Xx4J4uljF4Ued9xO5Dq6sHnH2dMuHS1_p-_6X1MOtOqNWLTw; expires=Wed, 16-Sep-2020 18:48:32 GMT; path=/; domain=.google.com; HttpOnly
        Connection: close
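whatweb only reports which headers are present; what a defender wants from the same raw headers is a verdict on what is missing. As an added example (our own code, not whatweb's and not from the original post), this audit runs over a constructed excerpt of the response above (cookie value shortened) and reports the gaps whatweb's summary does not call out: no Content-Security-Policy, the NID cookie without Secure or SameSite, and a cookie being set on the plaintext redirect to https.

```python
import re

# Constructed excerpt of the raw response headers whatweb printed above (cookie value shortened).
RAW_HEADERS = """\
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Location: https://aboutme.google.com/
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: NID=shortened; expires=Wed, 16-Sep-2020 18:48:32 GMT; path=/; domain=.google.com; HttpOnly
Connection: close
"""

def parse_headers(raw):
    """Return (status_code, [(name, value), ...]) with lower-cased names; Set-Cookie may repeat."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(raw):
    """Findings a defender would raise from one response; X-XSS-Protection: 0 is fine (the filter is deprecated)."""
    status, headers = parse_headers(raw)
    single = dict(headers)
    findings = []
    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak (clickjacking)")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    if "content-security-policy" not in single:
        findings.append("no Content-Security-Policy")
    if re.search(r"\d+\.\d+", single.get("server", "")):
        findings.append(f"Server header discloses a version: {single['server']}")
    cookies = [v for n, v in headers if n == "set-cookie"]
    for value in cookies:
        name = value.split("=", 1)[0]
        attrs = {a.strip().lower().split("=")[0] for a in value.split(";")[1:]}
        for flag in ("HttpOnly", "Secure", "SameSite"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    # The response above is a plaintext 301 to https, yet it sets a cookie: that cookie travelled over http.
    if status in (301, 302, 307, 308) and single.get("location", "").startswith("https://") and cookies:
        findings.append("cookie set on the http->https redirect")
    return findings
```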
We use Nmap For More Information Gathering
Network Mapper, or Nmap, is a port scanner. It finds all open ports and identifies which service is running on each of them. Nmap not only scans for open ports; with its scripts it can scan for vulnerabilities too. We do not want to explain in detail everything Nmap can do, as we use this tool primarily for port scanning. We want to give you a few Nmap command examples.
Example for basic port scan:
$ nmap -v 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
Initiating ARP Ping Scan at 15:21
Scanning 192.168.27.141 [1 port]
Completed ARP Ping Scan at 15:21, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:21
Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
Initiating SYN Stealth Scan at 15:21
Scanning 192.168.27.141 [1000 ports]
Discovered open port 21/tcp on 192.168.27.141
Discovered open port 80/tcp on 192.168.27.141
Discovered open port 22/tcp on 192.168.27.141
Completed SYN Stealth Scan at 15:21, 0.07s elapsed (1000 total ports)
Nmap scan report for 192.168.27.141
Host is up (0.000078s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:84:C4:33 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)
Example of Operating System Detection:
nmap -v -O 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
Initiating ARP Ping Scan at 15:21
Scanning 192.168.27.141 [1 port]
Completed ARP Ping Scan at 15:21, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:21
Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
Initiating SYN Stealth Scan at 15:21
Scanning 192.168.27.141 [1000 ports]
Discovered open port 22/tcp on 192.168.27.141
Discovered open port 21/tcp on 192.168.27.141
Discovered open port 80/tcp on 192.168.27.141
Completed SYN Stealth Scan at 15:21, 0.08s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.27.141
Retrying OS detection (try #2) against 192.168.27.141
Retrying OS detection (try #3) against 192.168.27.141
Retrying OS detection (try #4) against 192.168.27.141
Retrying OS detection (try #5) against 192.168.27.141
Nmap scan report for 192.168.27.141
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:84:C4:33 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=33892%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5E712349%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10F%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 29.701 days (since Sun Feb 16 21:31:50 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
           Raw packets sent: 1111 (52.918KB) | Rcvd: 1071 (46.290KB)
Example of an all-ports scan with service version, OS and traceroute detection:

[email protected]:/home/exploiter# nmap -A -p- 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.03 seconds

[email protected]:/home/exploiter# nmap -A -p- -Pn 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT
Nmap scan report for 192.168.27.141
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           325 Dec 04 13:05 backupPasswords
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.27.140
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
|   256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA)
|_  256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519)
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:84:C4:33 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=38633%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5E71244B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.27.141
In this scan, we can see the FTP software version, the HTTP server version, and the operating system. This information is very important for finding a vulnerability. For example, with this info we can search for a public exploit or a 0day exploit, or even install the same software version as the target machine and start fuzzing for a code execution vulnerability.
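The same scan output also tells the owner of the box what to fix first: anonymous FTP is enabled and lists a file named backupPasswords, the FTP control and data channels are plaintext, a second web server sits on port 65535, and every service announces its version. As an added example (our own code, not part of Nmap or of the original post), this parser groups Nmap's normal output by port and turns those observations into severity-ranked findings; it runs on a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of the `nmap -A -p-` output above (same findings, fewer lines).
NMAP_OUT = """\
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           325 Dec 04 13:05 backupPasswords
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
65535/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
LS_RE = re.compile(r"^[-dl][rwx-]{9}\s+.*\s(\S+)$")          # ls-style lines from ftp-anon
SENSITIVE_NAME = re.compile(r"passw|backup|\.bak$|\.sql$|\.zip$|\.tar", re.I)

def parse_nmap(text):
    """Group each 'port/proto state service version' line with the NSE script lines under it."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            services.append(current)
        elif line.startswith("|") and current:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return services

def triage(services):
    """(severity, port/service, message) tuples, highest severity first."""
    findings = []
    for s in (x for x in services if x["state"] == "open"):
        tag, scripts = f"{s['port']}/{s['service']}", "\n".join(s["scripts"])
        if "Anonymous FTP login allowed" in scripts:
            findings.append(("high", tag, "anonymous FTP login enabled"))
            for m in filter(None, map(LS_RE.match, s["scripts"])):
                if SENSITIVE_NAME.search(m.group(1)):
                    findings.append(("high", tag, f"sensitive-looking file exposed: {m.group(1)}"))
        if s["service"] == "ftp":
            findings.append(("medium", tag, "cleartext FTP: credentials cross the network unencrypted"))
        if s["service"] == "http" and s["port"] not in (80, 443):
            findings.append(("low", tag, "HTTP on a non-standard port (easily forgotten and unpatched)"))
        if re.search(r"\d+\.\d+", s["version"]):
            findings.append(("info", tag, f"version disclosed: {s['version']}"))
        if "WordPress" in scripts:
            findings.append(("info", tag, "generator tag discloses the WordPress version"))
    return sorted(findings, key=lambda f: "high medium low info".split().index(f[0]))
```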
This is just the quick information gathering technique we use whenever we start penetration testing a new target. Gradually we use more advanced tools for deeper information. Hacking or penetration testing is much harder if the hacker does not have enough information.
We hope that in this post you have learned some good techniques for information gathering. If you need to hire a hacker, always look for the right one, who knows what they are doing! If you want to learn hacking, you can install VulnHub machines and try to hack them!
Thanks for Reading!