Information gathering is the most important and first part for hacking or pentesting a target system successfully. As a hacker for hire, the hacker should understand we hacking to gather information as fast as possible. Whenever we get contacted by a client asking for pentest a system, our first step is to gather some information quickly. But How we do this? We will show you very few examples in this tutorial. But let us be frank, We use various information-gathering tools and google to do this. Google is a very powerful information-gathering tool.
We use a whois tool
Whois command used to retrieve basic information for a domain or IP address. There some valuable information can be found for future social engineering.
Domain Name: yahoo.com Registry Domain ID: 3643624_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2019-12-18T05:45:43-0800 Creation Date: 1995-01-18T00:00:00-0800 Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800 Registrar: MarkMonitor, Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.2083895770 Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited) Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited) Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited) Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited) Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) Registry Registrant ID: Registrant Name: Domain Admin Registrant Organization: Oath Inc. Registrant Street: 22000 AOL Way Registrant City: Dulles Registrant State/Province: VA Registrant Postal Code: 20166 Registrant Country: US Registrant Phone: +1.4083493300 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: [email protected] Registry Admin ID: Admin Name: Domain Admin Admin Organization: Oath Inc. Admin Street: 22000 AOL Way Admin City: Dulles Admin State/Province: VA Admin Postal Code: 20166 Admin Country: US Admin Phone: +1.4083493300 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: [email protected] Registry Tech ID: Tech Name: Domain Admin Tech Organization: Oath Inc. Tech Street: 22000 AOL Way Tech City: Dulles Tech State/Province: VA Tech Postal Code: 20166 Tech Country: US Tech Phone: +1.4083493300 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: [email protected] Name Server: ns1.yahoo.com Name Server: ns3.yahoo.com Name Server: ns4.yahoo.com Name Server: ns5.yahoo.com Name Server: ns2.yahoo.com
What information is useful here?
- Organization Name.
- Address.
- Email Address.
- Phone Number.
This information is needed to make a social engineering attack.
DNS Enumeration – Powerful Information Gathering
DNS Enumeration is important part of information gathering. So We quickly try to find all the sub-domain for a target main domain. The main domain might not vulnerable. This is not mean other sub-domains are not vulnerable. So we don’t forget to discover all the sub-domains. Here we quickly use Google and some tools. One example is:
fierce -dns yahoo.com
DNS Servers for yahoo.com:
ns3.yahoo.com
ns1.yahoo.com
ns2.yahoo.com
ns4.yahoo.com
ns5.yahoo.com
Trying zone transfer first…
Testing ns3.yahoo.com
Request timed out or transfer not allowed.
Testing ns1.yahoo.com
Request timed out or transfer not allowed.
Testing ns2.yahoo.com
Request timed out or transfer not allowed.
Testing ns4.yahoo.com
Request timed out or transfer not allowed.
Testing ns5.yahoo.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
Nope. Good.
Now performing 2280 test(s)…
204.71.200.40 old-sh30.us.rmi.yahoo.com
204.71.200.15 bas2-m.snv.yahoo.com
204.71.200.1 bas1-r-vip.snv.yahoo.com
204.71.200.14 bas1-m.snv.yahoo.com
204.71.200.16 et.old-ip.yahoo.com
204.71.200.17 ppt.old-ip.yahoo.com
204.71.200.19 bkt.old-ip.yahoo.com
204.71.200.33 dl3-a.yahoo.com
204.71.200.34 dl3-b.yahoo.com
204.71.200.39 old-sh29.us.rmi.yahoo.com
204.71.200.42 old-e20.yahoo.com
204.71.200.45 a5.yahoo.com
204.71.200.46 a6.yahoo.com
204.71.200.50 old-feed.sports.yahoo.com
204.71.200.51 old-admon1.yahoo.com
204.71.200.54 csalt.yahoo.com
204.71.200.55 csalt.yahoo.com
204.71.200.62 old-uds3.yahoo.com
204.71.200.65 e19.yahoo.com
204.71.200.73 old-rest6.yahoo.com
Sometimes we use another tool for quick information gathering which is called Dimitry:
dmitry -sen yahoo.com Deepmagic Information Gathering Tool "There be some deep magic going on" HostIP:98.138.219.232 HostName:yahoo.com Gathered Netcraft information for yahoo.com Retrieving Netcraft.com information for yahoo.com Netcraft.com Information gathered Gathered Subdomain information for yahoo.com Searching Google.com:80… HostName:www.yahoo.com HostIP:98.138.219.232 HostName:mail.yahoo.com HostIP:69.147.86.12 HostName:ca.yahoo.com HostIP:98.138.219.232 HostName:uk.yahoo.com HostIP:98.137.246.8 HostName:calendar.yahoo.com HostIP:69.147.86.12 HostName:ca.rogers.yahoo.com ---truncate--- Found 44 possible subdomain(s) for host yahoo.com, Searched 0 pages containing 0 results Gathered E-Mail information for yahoo.com Searching Google.com:80… [email protected] [email protected] [email protected] [email protected] [email protected] ----truncate---- Searching Altavista.com:80… Found 85 E-Mail(s) for host yahoo.com, Searched 0 pages containing 0 results All scans completed, exiting
All found information needs to save for more analysis. After finding sub-domain another tool can be used to gather more information for port 80 is called whatweb. We use this tool because it can take URL list from whatweb, and we like this tool. This is just part of a quick information gathering:
whatweb -i dmn.txt -v
WhatWeb report for http://aboutme.google.com
Status : 301 Moved Permanently
Title :
IP : 172.217.1.142
Country : UNITED STATES, US
Summary : X-XSS-Protection[0], HttpOnly[NID], Cookies[NID], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], RedirectLocation[https://aboutme.google.com/], HTTPServer[ESF]
Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : NID
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : ESF (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : NID
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : https://aboutme.google.com/ (from location)
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-content-type-options (from headers)
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 0
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 17 Mar 2020 18:48:32 GMT
Location: https://aboutme.google.com/
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: NID=200=kpKeS2ZeY5qNpBahFSIWzlcxpLcI4g0g8kWN4jD7ffNdvBQmQekzBiJs264s50zP93owC16slSpkNMJKDTwwSJbFalBn4etmPN1uxxVm7nvaQO4XKyDA2RuOPp_Xx4J4uljF4Ued9xO5Dq6sHnH2dMuHS1_p-_6X1MOtOqNWLTw; expires=Wed, 16-Sep-2020 18:48:32 GMT; path=/; domain=.google.com; HttpOnly
Connection: close
We use Nmap For More Information Gathering
Network Mapper or Nmap is a Port Scanner. It finds all open ports and identifies what service is running to those ports. Nmap not only scans for open ports but it can scan for vulnerability too. We don’t want to explain in detail what more exactly Nmap can do, as we use these tools primarily for port scanning. We want to give you a few command examples of Nmap.
Example for basic port scan:
$nmap -v 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
Initiating ARP Ping Scan at 15:21
Scanning 192.168.27.141 [1 port]
Completed ARP Ping Scan at 15:21, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:21
Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
Initiating SYN Stealth Scan at 15:21
Scanning 192.168.27.141 [1000 ports]
Discovered open port 21/tcp on 192.168.27.141
Discovered open port 80/tcp on 192.168.27.141
Discovered open port 22/tcp on 192.168.27.141
Completed SYN Stealth Scan at 15:21, 0.07s elapsed (1000 total ports)
Nmap scan report for 192.168.27.141
Host is up (0.000078s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:84:C4:33 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)
Example of Operating System Detection:
nmap -v -O 192.168.27.141
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:21 EDT
Initiating ARP Ping Scan at 15:21
Scanning 192.168.27.141 [1 port]
Completed ARP Ping Scan at 15:21, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:21
Completed Parallel DNS resolution of 1 host. at 15:21, 0.27s elapsed
Initiating SYN Stealth Scan at 15:21
Scanning 192.168.27.141 [1000 ports]
Discovered open port 22/tcp on 192.168.27.141
Discovered open port 21/tcp on 192.168.27.141
Discovered open port 80/tcp on 192.168.27.141
Completed SYN Stealth Scan at 15:21, 0.08s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.27.141
Retrying OS detection (try #2) against 192.168.27.141
Retrying OS detection (try #3) against 192.168.27.141
Retrying OS detection (try #4) against 192.168.27.141
Retrying OS detection (try #5) against 192.168.27.141
Nmap scan report for 192.168.27.141
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:84:C4:33 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=33892%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5E712349%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10F%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Uptime guess: 29.701 days (since Sun Feb 16 21:31:50 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
Raw packets sent: 1111 (52.918KB) | Rcvd: 1071 (46.290KB)
Example of all ports, service version, os, traceroute detection:
[email protected]:/home/exploiter# nmap -A -p- 192.168.27.141 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 1.03 seconds [email protected]:/home/exploiter# nmap -A -p- -Pn 192.168.27.141 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 15:25 EDT Nmap scan report for 192.168.27.141 Host is up (0.00042s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |-rw-r--r-- 1 ftp ftp 325 Dec 04 13:05 backupPasswords | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.27.140 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA) | 256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA) | 256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-generator: WordPress 5.3 |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Not so Vulnerable – Just another WordPress site |_http-trane-info: Problem with XML parsing of /evox/about 65535/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works MAC Address: 00:0C:29:84:C4:33 (VMware) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=3/17%OT=21%CT=1%CU=38633%PV=Y%DS=1%DC=D%G=Y%M=000C29%T OS:M=5E71244B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=Z%II=I OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6 OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD= OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1( OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI= OS:N%T=40%CD=S) Network Distance: 1 hop Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.42 ms 192.168.27.141
In this scan, we can see the FTP software version, Http Server version, and The Operating System. This information is very very important to find a vulnerability. For example, with this info we can search for a public exploit, 0day exploits even install the software as of the version of the target machine and start fuzzing for code execution vulnerability.
This is just a quick information gathering technique whenever we start penetration testing a new target. Gradually we use more advance tools for deeper information. Hacking or penetration testing is much harder if a hacker does not have enough information.
We hope, in this post, you have learned some good techniques for information gathering. If you need to hire a hacker, always look for the right one who knows what he or they are doing! If want to learn hacking you can install vulnhub machine and try to hack them!
Thanks for Reading!