Ethical Hacking – Information Gathering

Hello everyone. In this video we will talk about information gathering. So what is information gathering? As I told you earlier, information gathering is also called reconnaissance, which is the first phase of ethical hacking. Information gathering is actually the process of knowing the target well and finding interesting information about our target which we can use in order to exploit that target in the future. So here you can see that it's a process of knowing the target well, digging details, footprinting and keeping in touch with the target; that's why we call it the first phase of ethical hacking.

Information gathering is actually of two types: the first one is active information gathering and the next one is passive information gathering. In active information gathering the information is gathered directly, which means if our target is a person, then in order to get information from that person using active information gathering we can gather the information through a phone call, we can do a face-to-face meeting, we can take an interview of that person. Whereas in passive information gathering the information is gathered using a third party. Most hackers use passive information gathering techniques in order to gather information about their targets, because if you use passive information gathering techniques then your target will not be able to know that someone is searching for information about them. That's why passive information gathering is one of the best. So what we can do is we can even find information about our targets using search engine tools or even from third-party vendors or web applications. This is the difference between active and passive: in active we gather information directly, and in passive we gather the information using a third party, or secretly.

Now let's talk about passive information gathering targets. Our target could be anything: it could be a website, an email address, a web server or a person. So what if our target is a website? Then what can we do? Here you can see information gathering for a website. Just for example, if our target is a website, then before testing that website in order to find vulnerabilities we can gather some interesting information about that website. That interesting information, my friend, is the Whois information: what the registrar information of that website is. We can find the website's DNS records, we can also check on which platform or framework that website is built, and we can even do a reverse IP check, where we find what other websites are hosted on the same web server. So this was all about when our target is a website.

What if our target is a web server? Then what can we do? If our target is a web server, then in order to find information about it we can find its open ports, we can find the services running on that server, and if a port is open we can also try to make a connection with that port, and we can even find the interesting services which are running on them, including their version numbers. Once we have got this interesting information about our target, we can use this information in order to exploit that target.

Now let's see how we can do information gathering through our system. First of all, let's find the Whois information about a particular website. In order to find the Whois information, or the registrar information, of a particular website, just go to whois.sc. There are a lot of websites which provide the same functionality, but this website is one of the best. So just write down whois.sc and hit enter. Here we have to write the website name, tutorialspoint.com, and click on search, and we have to prove that we are not a robot, so we have to fill in this CAPTCHA. Here you can see all the Whois information of tutorialspoint.com: the registrant organization is Tutorials Point India Private Limited and the registrar is GoDaddy, and here you can find the domain name server details along with the IP and the IP location. If you scroll down, here you can find the website title, the response code and some additional information, including the domain name and the registrant name. So this was all about whois.sc.

Once we find the Whois details of our target, what we can do is a reverse IP lookup of our target, which means checking how many other websites are hosted on the same server as our target. To do that, go to one website, yougetsignal.com. This website provides various features which we can use in order to do information gathering on our target, but right now we are interested only in this reverse IP domain check; it also provides the same Whois function as well. Here we have to write the website name and click on check. Here you can see that 80 other domains are hosted on the same web server as tutorialspoint.com. By checking the reverse IP it also gives us some idea of whether our target is hosted on a shared web server or a dedicated web server. For example, if I just write here google.com and click on check, now here you can see that 124 domains are hosted on the same web server as google.com, but notice that all the domains are associated with google.com, which means this is dedicated hosting, or a dedicated server.

Now the next step, after collecting the Whois information and the reverse IP check, is finding the subdomains of our target. To do that we have to start our Kali Linux. Right now I am inside my Kali Linux instance. In order to find the subdomains I am using this Knock subdomain scan. It's a very good tool to find subdomains, and you can download it from this URL; otherwise what you can do is install it manually by going to the command line. Now let's install this tool. Here is my terminal, which you can just see, and let me just copy this thing. It's a Python script, so that's why it's installed using pip. Just paste the command here and hit enter. First of all it will download this zip file and install it. I have already installed this tool, so it will just give me an error that the requirement is already satisfied. Okay, so now in order to run this tool we have to write down knockpy followed by the website name for which we want to scan the subdomains. Just for example, write down here google.com and hit enter. Here you can see that it's performing some checks and some scans. Okay, now you can see it has started enumerating the different subdomains of google.com. Here you can see the subdomain names like accounts.google.com, the status, and along with it the IP address. There are some additional websites which you can use to find out the subdomains, but most of the time they don't work, so I recommend you to find the subdomains by downloading this tool.

Once we are done with that, the next step is detecting the operating system on which the website is hosted, because if we know as a pentester on which operating system the website is hosted, we can just find out ways to exploit the operating system. In order to find the operating system on which the website is hosted there are different ways, but the easiest way is to just ping that website and check the response. Now let me open my command prompt. Just for example, I am writing here ping and the website name and hit enter. So if I just look at the response, here you can see "Reply from", bytes and the TTL value. Here is the thing to notice: the TTL value. TTL stands for time to live. If the TTL value of any website is near about 60 or less than 60, then it means the website is hosted on a Linux server. If the TTL value is more than 50 or more than 60, that means the website is hosted on Windows. If the TTL value is near about 110 or more than 110, then that means that the website is hosted on a Windows server.

Once we find the operating system, the last step is to find on which platform the website is hosted, or the website is running: whether the website is running on WordPress or on any content management system, or the website is running on some kind of framework like PHP or any open-source language. In order to accomplish that task there is one website called builtwith.com. Here we have to write the URL. Okay, so now it's showing us the details of techcrunch.com. You can see that the web server is nginx and the SSL certificate is WordPress SSL, which means this website is running somehow on WordPress. Here you can also find the registrar detail, GoDaddy, and the name server is WordPress again; then email services details, then hosting providers and content management system. So this website, techcrunch.com, is actually running on WordPress, which is a content management system, and the framework is PHP. If I go down you will find a lot of juicy details, juicy information, interesting information about JavaScript libraries, versions, audio/video media, payment providers also, even if it's using any, and you can also find out the details of the CDN, content delivery network, of your website, and meta tag information, and reCAPTCHA information also. So these were all the techniques which we can use to find the important information about our target. Thanks for watching this video.
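The reverse IP check in the video ends with a judgement call: when every co-hosted name belongs to google.com the server is dedicated, otherwise it is shared. The script below is an added example (not code from the video or from yougetsignal.com) that makes that judgement mechanically over a list of domains. It assumes the domain list has already been obtained and embeds constructed sample results; the registrable-domain extraction keeps only the last two labels, which is a stated simplification rather than a Public Suffix List lookup.

```python
from collections import Counter


def registrable_domain(hostname):
    """Reduce a hostname to its registrable part by keeping the last two labels.

    Deliberate simplification: no Public Suffix List is consulted, so a name
    such as 'shop.example.co.uk' collapses to 'co.uk'.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_hosting(domains):
    """Given the domains a reverse-IP lookup reports for one address, return
    (verdict, owner_counts).

    'dedicated' when every domain belongs to a single registrable domain (the
    google.com case in the video); 'shared' when unrelated registrable domains
    co-host on the same server, which matters because a weakness in one
    tenant's site can expose its neighbours.
    """
    owners = Counter(registrable_domain(d) for d in domains)
    verdict = "dedicated" if len(owners) <= 1 else "shared"
    return verdict, owners


# Constructed reverse-IP results for illustration, not real lookup data.
DEDICATED_RESULT = ["www.example.com", "mail.example.com", "docs.example.com", "example.com"]
SHARED_RESULT = ["blog.alpha.test", "beta.test", "www.gamma.test", "shop.alpha.test"]


if __name__ == "__main__":
    for label, result in (("dedicated sample", DEDICATED_RESULT), ("shared sample", SHARED_RESULT)):
        verdict, owners = classify_hosting(result)
        print(f"{label}: {verdict} ({len(owners)} registrable domain(s): {dict(owners)})")
```

For a defender, the "shared" verdict is the useful one: it tells you which other organisations' sites sit on the same address, and therefore whose security posture your own site inherits.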
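The TTL heuristic in the video reads the number off a ping reply by eye. The script below is an added example (not code from the video) that parses the reply lines of both Windows and Linux ping output and turns the observed TTL into an operating-system guess plus an estimated hop count. It assumes the common default initial TTLs of 64 (Linux and Unix-like), 128 (Windows) and 255 (many network devices); the video's observed values of about 60 and about 110 are those defaults minus the routers the reply crossed. The ping output it runs over is constructed sample text, and the guess is only a first indicator, since load balancers and CDNs answer with their own TTL.

```python
import re

# Default initial TTLs of common platforms (an assumption stated in the
# lead-in, not a value from the video). The smallest default that is >= the
# observed TTL is taken as the sender's starting value.
INITIAL_TTLS = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "network device / BSD-like",
}

# Matches both the Windows reply format
#   "Reply from 192.0.2.10: bytes=32 time=21ms TTL=54"
# and the Linux/macOS format
#   "64 bytes from 192.0.2.20: icmp_seq=1 ttl=112 time=30.2 ms".
TTL_RE = re.compile(r"\bfrom\s+(?P<host>[^:\s]+).*?\bttl=(?P<ttl>\d+)", re.IGNORECASE)


def parse_ttls(ping_output):
    """Return (host, ttl) pairs for every reply line in raw ping output."""
    found = []
    for line in ping_output.splitlines():
        m = TTL_RE.search(line)
        if m:
            found.append((m.group("host"), int(m.group("ttl"))))
    return found


def guess_os(ttl):
    """Map an observed TTL to (os_guess, estimated_hops).

    hops = initial_ttl - observed_ttl, where initial_ttl is the smallest
    common default not below the observed value. A TTL above 255 is invalid
    and yields ("unknown", None).
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None


def fingerprint(ping_output):
    """Summarise one ping run as (host, ttl, os_guess, hops) per reply."""
    return [(host, ttl, *guess_os(ttl)) for host, ttl in parse_ttls(ping_output)]


# Constructed ping transcripts, not captured from a real host.
WINDOWS_SAMPLE = """\
Pinging example.test [192.0.2.10] with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=21ms TTL=54
Reply from 192.0.2.10: bytes=32 time=20ms TTL=54
"""

LINUX_SAMPLE = """\
PING example.test (192.0.2.20) 56(84) bytes of data.
64 bytes from 192.0.2.20: icmp_seq=1 ttl=112 time=30.2 ms
"""


if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE):
        for host, ttl, os_guess, hops in fingerprint(sample):
            print(f"{host}: TTL={ttl} -> {os_guess}, about {hops} hop(s) away")
```

The hop estimate is the part worth checking: a TTL of 54 is ten hops from a 64 default, which is an ordinary Internet path, whereas a TTL of 54 that would need 74 hops from a 128 default is implausible, so the 64 interpretation wins. On the defending side, the same parsing applied to your own hosts tells you what a stranger can infer from a single ICMP reply.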

We acknowledge that this video belongs to the author and thank them for its use.


As found on Youtube
