
A hacker for hire's quick information gathering technique revealed!

Information gathering is the first and most important part of hacking or pentesting a target system successfully. A hacker for hire has to gather information about the target as fast as possible, so whenever a client contacts us asking for a pentest of a system, our first step is to gather some information quickly. But how do we do this? We will show you a few examples in this tutorial. To be frank, we use various information-gathering tools and Google to do this. Google is a very powerful information-gathering tool.

We use a whois tool

The whois command retrieves the basic registration record for a domain or IP address. Valuable information for later social engineering can be found there. Running whois yahoo.com gives:

Domain Name: yahoo.com
 Registry Domain ID: 3643624_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.markmonitor.com
 Registrar URL: http://www.markmonitor.com
 Updated Date: 2019-12-18T05:45:43-0800
 Creation Date: 1995-01-18T00:00:00-0800
 Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
 Registrar: MarkMonitor, Inc.
 Registrar IANA ID: 292
 Registrar Abuse Contact Email: [email protected]
 Registrar Abuse Contact Phone: +1.2083895770
 Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
 Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
 Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
 Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
 Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
 Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
 Registry Registrant ID: 
 Registrant Name: Domain Admin
 Registrant Organization: Oath Inc.
 Registrant Street: 22000 AOL Way
 Registrant City: Dulles
 Registrant State/Province: VA
 Registrant Postal Code: 20166
 Registrant Country: US
 Registrant Phone: +1.4083493300
 Registrant Phone Ext: 
 Registrant Fax: 
 Registrant Fax Ext: 
 Registrant Email: [email protected]
 Registry Admin ID: 
 Admin Name: Domain Admin
 Admin Organization: Oath Inc.
 Admin Street: 22000 AOL Way
 Admin City: Dulles
 Admin State/Province: VA
 Admin Postal Code: 20166
 Admin Country: US
 Admin Phone: +1.4083493300
 Admin Phone Ext: 
 Admin Fax: 
 Admin Fax Ext: 
 Admin Email: [email protected]
 Registry Tech ID: 
 Tech Name: Domain Admin
 Tech Organization: Oath Inc.
 Tech Street: 22000 AOL Way
 Tech City: Dulles
 Tech State/Province: VA
 Tech Postal Code: 20166
 Tech Country: US
 Tech Phone: +1.4083493300
 Tech Phone Ext: 
 Tech Fax: 
 Tech Fax Ext: 
 Tech Email: [email protected]
 Name Server: ns1.yahoo.com
 Name Server: ns3.yahoo.com
 Name Server: ns4.yahoo.com
 Name Server: ns5.yahoo.com
 Name Server: ns2.yahoo.com

What information is useful here?

  • Organization Name.
  • Address.
  • Email Address.
  • Phone Number.

This information is needed to prepare a social engineering attack. Note that many registrars now redact registrant, admin and tech contacts for privacy, so on a recent record you may only get the organization name, the registrar's abuse contact and the name servers.
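As an added example (not part of the original post), here is a small parser that pulls the fields listed above out of a whois record and groups them by role, while dropping values that are privacy redactions so they do not end up in the target sheet as if they were real contacts. The sample record below is constructed: the organization, address and registrar data are copied from the record above, but the domain and e-mail addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample record (trimmed; e-mail addresses and domain are
# placeholders, contact details copied from the whois output above).
SAMPLE_WHOIS = """\
Domain Name: example-target.com
 Registrar WHOIS Server: whois.markmonitor.com
 Registrar URL: http://www.markmonitor.com
 Registrar: MarkMonitor, Inc.
 Registrar Abuse Contact Email: abuse@registrar.invalid
 Registrar Abuse Contact Phone: +1.2083895770
 Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
 Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
 Registry Registrant ID: 
 Registrant Name: Domain Admin
 Registrant Organization: Oath Inc.
 Registrant Street: 22000 AOL Way
 Registrant City: Dulles
 Registrant State/Province: VA
 Registrant Postal Code: 20166
 Registrant Country: US
 Registrant Phone: +1.4083493300
 Registrant Email: domainadmin@example-target.invalid
 Admin Name: Domain Admin
 Admin Phone: +1.4083493300
 Admin Email: domainadmin@example-target.invalid
 Tech Name: REDACTED FOR PRIVACY
 Tech Email: Please query the RDDS service of the Registrar of Record
 Name Server: ns1.example-target.com
 Name Server: ns3.example-target.com
 Name Server: ns2.example-target.com
"""

ROLES = ("Registrant", "Admin", "Tech", "Registrar")
KEEP = ("Name", "Organization", "Street", "City", "State/Province",
        "Postal Code", "Country")
# Values registrars use instead of real contact data (GDPR privacy proxies).
REDACTED = re.compile(r"redacted|privacy|proxy|not disclosed|rdds", re.I)

def parse_whois(text):
    """Return (fields, name_servers, statuses) from a 'Label: value' record.

    Repeated labels (Name Server, Domain Status) are collected as lists;
    empty and redacted values are dropped."""
    fields, name_servers, statuses = {}, set(), []
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.strip().partition(":")
        label, value = label.strip(), value.strip()
        if not value:
            continue
        if label == "Name Server":
            name_servers.add(value.lower())
        elif label == "Domain Status":
            statuses.append(value.split()[0])   # drop the ICANN EPP URL
        elif REDACTED.search(value):
            continue
        else:
            fields[label] = value
    return fields, sorted(name_servers), statuses

def target_sheet(fields):
    """Group contact data by role: {'Registrant': {'Organization': ...}, ...}."""
    sheet = defaultdict(dict)
    for label, value in fields.items():
        role, _, attr = label.partition(" ")
        if role in ROLES and (attr in KEEP or attr.endswith(("Email", "Phone"))):
            sheet[role][attr] = value
    return dict(sheet)

def collect(sheet, suffix):
    """All distinct values whose attribute ends with suffix ('Email', 'Phone')."""
    return sorted({v for attrs in sheet.values()
                   for a, v in attrs.items() if a.endswith(suffix)})

def postal_address(sheet, role="Registrant"):
    """One-line postal address for the given role, for a pretext letter or call."""
    attrs = sheet.get(role, {})
    parts = (attrs.get(k) for k in ("Organization", "Street", "City",
                                    "State/Province", "Postal Code", "Country"))
    return ", ".join(p for p in parts if p)

if __name__ == "__main__":
    fields, ns, status = parse_whois(SAMPLE_WHOIS)
    sheet = target_sheet(fields)
    print("Name servers:", ns)
    print("Address:", postal_address(sheet))
    print("E-mails:", collect(sheet, "Email"))
    print("Phones:", collect(sheet, "Phone"))
```

On a live record, feed the output of `whois <domain>` to parse_whois instead of SAMPLE_WHOIS; the Tech role in the sample shows what a redacted contact looks like and why it is discarded.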

DNS Enumeration – Powerful Information Gathering

DNS enumeration is an important part of information gathering, so we quickly try to find all the sub-domains of the target's main domain. The main domain might not be vulnerable, but that does not mean the sub-domains are not vulnerable either, so we make sure to discover all of them. Here we use Google and a few tools. One example is fierce, which first attempts a zone transfer (AXFR) against each name server, then checks for wildcard DNS (so that a record answering every name does not flood the results with false hits), and finally brute-forces host names from a wordlist:

 fierce -dns yahoo.com
 DNS Servers for yahoo.com:
         ns3.yahoo.com
         ns1.yahoo.com
         ns2.yahoo.com
         ns4.yahoo.com
         ns5.yahoo.com
 Trying zone transfer first…
         Testing ns3.yahoo.com
                 Request timed out or transfer not allowed.
         Testing ns1.yahoo.com
                 Request timed out or transfer not allowed.
         Testing ns2.yahoo.com
                 Request timed out or transfer not allowed.
         Testing ns4.yahoo.com
                 Request timed out or transfer not allowed.
         Testing ns5.yahoo.com
                 Request timed out or transfer not allowed.
 Unsuccessful in zone transfer (it was worth a shot)
 Okay, trying the good old fashioned way… brute force
 Checking for wildcard DNS…
 Nope. Good.
 Now performing 2280 test(s)…
 204.71.200.40   old-sh30.us.rmi.yahoo.com
 204.71.200.15   bas2-m.snv.yahoo.com
 204.71.200.1    bas1-r-vip.snv.yahoo.com
 204.71.200.14   bas1-m.snv.yahoo.com
 204.71.200.16   et.old-ip.yahoo.com
 204.71.200.17   ppt.old-ip.yahoo.com
 204.71.200.19   bkt.old-ip.yahoo.com
 204.71.200.33   dl3-a.yahoo.com
 204.71.200.34   dl3-b.yahoo.com
 204.71.200.39   old-sh29.us.rmi.yahoo.com
 204.71.200.42   old-e20.yahoo.com
 204.71.200.45   a5.yahoo.com
 204.71.200.46   a6.yahoo.com
 204.71.200.50   old-feed.sports.yahoo.com
 204.71.200.51   old-admon1.yahoo.com
 204.71.200.54   csalt.yahoo.com
 204.71.200.55   csalt.yahoo.com
 204.71.200.62   old-uds3.yahoo.com
 204.71.200.65   e19.yahoo.com
 204.71.200.73   old-rest6.yahoo.com
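As an added example (not code from the original post or from fierce), the following script reproduces the brute-force part of what fierce does above: it probes random labels to detect a wildcard record, drops brute-force hits that only echo the wildcard address, and then does a fierce-style reverse-DNS sweep around each address it found. The zone transfer step is left out (it needs a DNS library; use fierce or dig for that). The domain target.test, the addresses and the PTR names are constructed so the code runs offline; the default resolvers use the socket module and query live DNS.

```python
import ipaddress
import random
import socket
import string

# Constructed zone for running this offline. The default resolvers below
# use the socket module, so a real run queries the system's DNS instead.
FAKE_ZONE = {
    "www.target.test": "203.0.113.10",
    "mail.target.test": "203.0.113.20",
    "dev.target.test": "203.0.113.30",
}
FAKE_PTR = {
    "203.0.113.10": "www.target.test",
    "203.0.113.11": "intranet.target.test",
    "203.0.113.12": "host12.hosting-provider.test",
}
WILDCARD_IP = "198.51.100.1"   # address a '*.target.test' record would return

def fake_resolver(name):
    """Forward lookup against FAKE_ZONE; raises like gethostbyname on NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror(-2, "Name or service not known")

def wildcard_resolver(name):
    """Same zone, but with a wildcard record that answers every label."""
    return FAKE_ZONE.get(name, WILDCARD_IP)

def fake_reverse(ip):
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")

def default_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))

def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels that cannot exist. Any answer means the
    zone has a wildcard record; brute-force hits returning one of these
    addresses are noise, not real hosts (fierce prints 'Nope. Good.' when
    this set is empty)."""
    hits = set()
    for _ in range(probes):
        try:
            hits.add(resolve(f"{random_label()}.{domain}"))
        except (socket.gaierror, socket.herror):
            pass
    return hits

def brute_force(domain, wordlist, resolve=socket.gethostbyname):
    """Return ({hostname: ip}, wildcard_ips) for the labels that resolve."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = f"{word.strip().lower()}.{domain}"
        try:
            ip = resolve(name)
        except (socket.gaierror, socket.herror, UnicodeError):
            continue
        if ip in wildcard_ips:
            continue   # wildcard answer; a real host on that IP is hidden too
        found[name] = ip
    return found, wildcard_ips

def reverse_sweep(ips, domain, radius=5, reverse=default_reverse):
    """fierce-style neighbourhood scan: PTR-query the addresses around each
    hit and keep names under the target's domain. Other names in the block
    usually belong to the hosting provider, not the target."""
    names, suffix = {}, "." + domain
    for ip in ips:
        base = int(ipaddress.IPv4Address(ip))
        for off in range(-radius, radius + 1):
            try:
                cand = str(ipaddress.IPv4Address(base + off))
                host = reverse(cand)
            except (ipaddress.AddressValueError, OSError):
                continue   # out of range, no PTR, or lookup failure
            if host.endswith(suffix):
                names[cand] = host
    return names

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "target.test"
    words = ["www", "mail", "dev", "vpn", "ftp", "intranet", "test", "staging"]
    live = len(sys.argv) > 1
    found, wild = brute_force(domain, words, socket.gethostbyname if live else fake_resolver)
    print("wildcard:", wild or "none")
    for name, ip in found.items():
        print(ip, name)
    for ip, host in reverse_sweep(found.values(), domain,
                                  reverse=default_reverse if live else fake_reverse).items():
        print(ip, host, "(reverse sweep)")
```

Run it with a domain argument to use live DNS and a real wordlist; without one it runs against the constructed zone. The wildcard filter has the same blind spot fierce has: a genuine host that shares the wildcard address is dropped too, so compare the wildcard IPs against the main site's address before trusting an empty result.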

Sometimes we use another tool for quick information gathering called DMitry (Deepmagic Information Gathering Tool), which collects the host IP, Netcraft data, sub-domains and e-mail addresses from search engines in one run:

dmitry -sen yahoo.com
 Deepmagic Information Gathering Tool
 "There be some deep magic going on"
 HostIP:98.138.219.232
 HostName:yahoo.com
 Gathered Netcraft information for yahoo.com
 Retrieving Netcraft.com information for yahoo.com
 Netcraft.com Information gathered
 Gathered Subdomain information for yahoo.com
 Searching Google.com:80…
 HostName:www.yahoo.com
 HostIP:98.138.219.232
 HostName:mail.yahoo.com
 HostIP:69.147.86.12
 HostName:ca.yahoo.com
 HostIP:98.138.219.232
 HostName:uk.yahoo.com
 HostIP:98.137.246.8
 HostName:calendar.yahoo.com
 HostIP:69.147.86.12
 HostName:ca.rogers.yahoo.com
---truncate---
 Found 44 possible subdomain(s) for host yahoo.com, Searched 0 pages containing 0 results
 Gathered E-Mail information for yahoo.com
 Searching Google.com:80…
 [email protected]
 [email protected]
 [email protected]
 [email protected]
 [email protected]
 ----truncate----
 Searching Altavista.com:80…
 Found 85 E-Mail(s) for host yahoo.com, Searched 0 pages containing 0 results
 All scans completed, exiting

All the information found needs to be saved for further analysis. After finding the sub-domains, another tool called WhatWeb can be used to gather more information about what is running on port 80 (web server, frameworks, cookies and security headers). We use this tool because it can take a list of URLs from a file (-i), and we like its output. This is just part of a quick information gathering:

whatweb -i dmn.txt -v
 WhatWeb report for http://aboutme.google.com
 Status    : 301 Moved Permanently
 Title     : 
 IP        : 172.217.1.142
 Country   : UNITED STATES, US
 Summary   : X-XSS-Protection[0], HttpOnly[NID], Cookies[NID], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], RedirectLocation[https://aboutme.google.com/], HTTPServer[ESF]
 Detected Plugins:
 [ Cookies ]
         Display the names of cookies in the HTTP headers. The 
         values are not returned to save on space. 
     String       : NID
 [ HTTPServer ]
         HTTP server header string. This plugin also attempts to 
         identify the operating system from the server header. 
     String       : ESF (from server string)
 [ HttpOnly ]
         If the HttpOnly flag is included in the HTTP set-cookie 
         response header and the browser supports it then the cookie 
         cannot be accessed through client side script - More Info: 
         http://en.wikipedia.org/wiki/HTTP_cookie 
     String       : NID
 [ RedirectLocation ]
         HTTP Server string location. used with http-status 301 and 
         302 
     String       : https://aboutme.google.com/ (from location)
 [ UncommonHeaders ]
         Uncommon HTTP server headers. The blacklist includes all 
         the standard headers and many non standard but common ones. 
         Interesting but fairly common headers should have their own 
         plugins, eg. x-powered-by, server and x-aspnet-version. 
         Info about headers can be found at www.http-stats.com 
     String       : x-content-type-options (from headers)
 [ X-Frame-Options ]
         This plugin retrieves the X-Frame-Options value from the 
         HTTP header. - More Info: 
         http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
         aspx
     String       : SAMEORIGIN
 [ X-XSS-Protection ]
         This plugin retrieves the X-XSS-Protection value from the 
         HTTP header. - More Info: 
         http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
         aspx
     String       : 0
 HTTP Headers:
         HTTP/1.1 301 Moved Permanently
         Content-Type: application/binary
         Cache-Control: no-cache, no-store, max-age=0, must-revalidate
         Pragma: no-cache
         Expires: Mon, 01 Jan 1990 00:00:00 GMT
         Date: Tue, 17 Mar 2020 18:48:32 GMT
         Location: https://aboutme.google.com/
         P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
         Server: ESF
         Content-Length: 0
         X-XSS-Protection: 0
         X-Frame-Options: SAMEORIGIN
         X-Content-Type-Options: nosniff
         Set-Cookie: NID=200=kpKeS2ZeY5qNpBahFSIWzlcxpLcI4g0g8kWN4jD7ffNdvBQmQekzBiJs264s50zP93owC16slSpkNMJKDTwwSJbFalBn4etmPN1uxxVm7nvaQO4XKyDA2RuOPp_Xx4J4uljF4Ued9xO5Dq6sHnH2dMuHS1_p-_6X1MOtOqNWLTw; expires=Wed, 16-Sep-2020 18:48:32 GMT; path=/; domain=.google.com; HttpOnly
         Connection: close

We use Nmap For More Information Gathering

Network Mapper, or Nmap, is a port scanner. It finds open ports and identifies which service is listening on each of them. Nmap not only scans for open ports; with its NSE scripts (-sC or --script) it can also check for known vulnerabilities and misconfigurations. We don't want to explain in detail everything Nmap can do, as we primarily use it for port scanning. Here are a few Nmap command examples.

Example of a basic port scan (by default Nmap probes the 1000 most common TCP ports, so services on unusual ports are not seen here):

$ nmap -v 192.168.27.141
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
 Initiating ARP Ping Scan at 15:21
 Scanning 192.168.27.141 [1 port]
 Completed ARP Ping Scan at 15:21, 0.05s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 15:21
 Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
 Initiating SYN Stealth Scan at 15:21
 Scanning 192.168.27.141 [1000 ports]
 Discovered open port 21/tcp on 192.168.27.141
 Discovered open port 80/tcp on 192.168.27.141
 Discovered open port 22/tcp on 192.168.27.141
 Completed SYN Stealth Scan at 15:21, 0.07s elapsed (1000 total ports)
 Nmap scan report for 192.168.27.141
 Host is up (0.000078s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
 80/tcp open  http
 MAC Address: 00:0C:29:84:C4:33 (VMware)
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
            Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)

Example of Operating System Detection:

nmap -v -O 192.168.27.141
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
 Initiating ARP Ping Scan at 15:21
 Scanning 192.168.27.141 [1 port]
 Completed ARP Ping Scan at 15:21, 0.04s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 15:21
 Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
 Initiating SYN Stealth Scan at 15:21
 Scanning 192.168.27.141 [1000 ports]
 Discovered open port 22/tcp on 192.168.27.141
 Discovered open port 21/tcp on 192.168.27.141
 Discovered open port 80/tcp on 192.168.27.141
 Completed SYN Stealth Scan at 15:21, 0.08s elapsed (1000 total ports)
 Initiating OS detection (try #1) against 192.168.27.141
 Retrying OS detection (try #2) against 192.168.27.141
 Retrying OS detection (try #3) against 192.168.27.141
 Retrying OS detection (try #4) against 192.168.27.141
 Retrying OS detection (try #5) against 192.168.27.141
 Nmap scan report for 192.168.27.141
 Host is up (0.00042s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
 80/tcp open  http
 MAC Address: 00:0C:29:84:C4:33 (VMware)
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
 TCP/IP fingerprint:
 OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=33892%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
 OS:M=5E712349%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10F%TI=Z%CI=Z%II=I
 OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
 OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
 OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
 OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
 OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
 OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
 OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
 OS:N%T=40%CD=S)
 Uptime guess: 29.701 days (since Sun Feb 16 21:31:50 2020)
 Network Distance: 1 hop
 TCP Sequence Prediction: Difficulty=259 (Good luck!)
 IP ID Sequence Generation: All zeros
 Read data files from: /usr/bin/../share/nmap
 OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
            Raw packets sent: 1111 (52.918KB) | Rcvd: 1071 (46.290KB)

Example of scanning all 65535 TCP ports (-p-) with service version, OS and traceroute detection (-A). The first attempt reports the host as down because the ping probes got no answer, so -Pn is added to skip host discovery and scan anyway:

 [email protected]:/home/exploiter# nmap -A -p- 192.168.27.141
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT
 Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
 Nmap done: 1 IP address (0 hosts up) scanned in 1.03 seconds
 [email protected]:/home/exploiter# nmap -A -p- -Pn 192.168.27.141
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT
 Nmap scan report for 192.168.27.141
 Host is up (0.00042s latency).
 Not shown: 65531 closed ports
 PORT      STATE SERVICE VERSION
 21/tcp    open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--    1 ftp      ftp           325 Dec 04 13:05 backupPasswords
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:192.168.27.140
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
 |   256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA)
 |_  256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519)
 80/tcp    open  http    nginx 1.14.0 (Ubuntu)
 |_http-generator: WordPress 5.3
 |_http-server-header: nginx/1.14.0 (Ubuntu)
 |_http-title: Not so Vulnerable – Just another WordPress site
 |_http-trane-info: Problem with XML parsing of /evox/about
 65535/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 MAC Address: 00:0C:29:84:C4:33 (VMware)
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
 TCP/IP fingerprint:
 OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=38633%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
 OS:M=5E71244B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=Z%II=I
 OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
 OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
 OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
 OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
 OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
 OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
 OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
 OS:N%T=40%CD=S)
 Network Distance: 1 hop
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 TRACEROUTE
 HOP RTT     ADDRESS
 1   0.42 ms 192.168.27.141

In this scan we can see the FTP software version (vsftpd 3.0.3), the SSH version (OpenSSH 7.6p1), the HTTP server versions (nginx 1.14.0 and Apache httpd 2.4.29), WordPress 5.3 behind nginx, and the operating system family (Ubuntu Linux). Two things the basic scan did not show are also visible: a second web server on port 65535, which only the -p- full-port scan reaches, and an FTP server that allows anonymous login and exposes a file called backupPasswords. This information is very important for finding a vulnerability. With it we can search for public exploits or 0-day exploits, or even install the same software version as the target machine and start fuzzing it for code execution vulnerabilities.
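As an added example (not from the original post and not part of Nmap), the script below parses Nmap's normal output into port records, splits each version string into product and version so it can be fed to searchsploit or a CVE search, and flags the two findings discussed above: anonymous FTP and an HTTP service on a non-standard port. The sample input is the service table from the scan above with the long ftp-syst and ssh-hostkey blocks trimmed.

```python
import re

# Constructed sample: the service table from the nmap -A -p- scan above,
# with the ftp-syst and ssh-hostkey blocks trimmed.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.27.141
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           325 Dec 04 13:05 backupPasswords
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable - Just another WordPress site
65535/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:84:C4:33 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "21/tcp    open  ftp     vsftpd 3.0.3"  (VERSION column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "|_http-generator: WordPress 5.3"; continuation lines (hashes, listings)
# do not start with a lowercase script name and are ignored.
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([a-z][\w-]*):\s*(.*)$")
COMMON_HTTP_PORTS = {80, 443, 8000, 8080, 8443}

def parse_nmap(text):
    """Parse Nmap normal output into [{port, proto, state, service, version, scripts}]."""
    ports = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": (m.group(5) or "").strip(), "scripts": {},
            })
            continue
        m = SCRIPT_RE.match(line)
        if m and ports:
            ports[-1]["scripts"][m.group(1)] = m.group(2)   # attach to last port
    return ports

def product_version(version):
    """'Apache httpd 2.4.29 ((Ubuntu))' -> ('Apache httpd', '2.4.29').
    The product is everything before the first token containing a digit."""
    product = []
    for tok in version.split():
        if any(c.isdigit() for c in tok):
            return " ".join(product), tok
        product.append(tok)
    return " ".join(product), ""

def search_terms(record):
    """Strings to feed to searchsploit / a CVE search for one port."""
    terms = []
    prod, ver = product_version(record["version"])
    if prod:
        terms.append(f"{prod} {ver}".strip())
    generator = record["scripts"].get("http-generator")   # e.g. WordPress 5.3
    if generator:
        terms.append(generator)
    return terms

def findings(ports):
    """Quick wins worth noting before any exploit search."""
    out = []
    for p in ports:
        if p["scripts"].get("ftp-anon", "").startswith("Anonymous FTP login allowed"):
            out.append(f"{p['port']}/{p['proto']}: anonymous FTP login allowed")
        if p["service"] == "http" and p["port"] not in COMMON_HTTP_PORTS:
            out.append(f"{p['port']}/{p['proto']}: HTTP on a non-standard port, "
                       "missed by a default 1000-port scan")
    return out

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    records = parse_nmap(text)
    for r in records:
        print(f"{r['port']}/{r['proto']} {r['service']:8} -> {search_terms(r)}")
    for f in findings(records):
        print("!!", f)
```

Save a real scan with `nmap -A -p- -Pn -oN scan.txt <target>` and pass scan.txt as the argument; each search term is then ready for `searchsploit "<term>"`.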

This is just the quick information gathering technique we use whenever we start penetration testing a new target. Gradually we use more advanced tools to dig deeper. Hacking or penetration testing is much harder if the hacker does not have enough information.

We hope you have learned some good information gathering techniques in this post. If you need to hire a hacker, always look for the right one who knows what they are doing! If you want to learn hacking, you can install VulnHub machines and try to hack them!

Thanks for Reading!
