In the previous article we discussed why information gathering is important. In this part we will gather information about a domain.
Wait!! What’s a domain?
In simple words, it is the address of a website; for example, the address of this website is teamultimate.in.
So we have a target here: shoutricks.com
And we know nothing more than its domain name.
So the first thing we will do is a basic whois lookup. It retrieves the registration record of the domain: who registered it and through which registrar, when it was created and when it expires, the registrant's contact details and the authoritative name servers. Umm, better to run it and see.
You can install it on your Linux distro by entering apt-get install whois in a terminal.
So let's fire up a terminal and enter whois shoutricks.com
We got this result in no time:
Domain Name: shoutricks.com
Registry Domain ID: 1997837305_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2016-12-24T16:54:29Z
Creation Date: 2016-01-27T13:53:57Z
Registrar Registration Expiration Date: 2018-01-27T13:53:57Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: ARUN KUMAR
Registrant Organization: Shoutricks
Registrant Street: #2010 burail 45-b
Registrant Street: #2010 burail 45-b
Registrant City: Chandigarh
Registrant State/Province: Chandigarh
Registrant Postal Code: 160047
Registrant Country: IN
Registrant Phone: +91.8968611259
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID: Not Available From Registry
Admin Name: ARUN KUMAR
Admin Organization: Shoutricks
Admin Street: #2010 burail 45-b
Admin Street: #2010 burail 45-b
Admin City: Chandigarh
Admin State/Province: Chandigarh
Admin Postal Code: 160047
Admin Country: IN
Admin Phone: +91.8968611259
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: Not Available From Registry
Tech Name: ARUN KUMAR
Tech Organization: Shoutricks
Tech Street: #2010 burail 45-b
Tech Street: #2010 burail 45-b
Tech City: Chandigarh
Tech State/Province: Chandigarh
Tech Postal Code: 160047
Tech Country: IN
Tech Phone: +91.8968611259
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: CHAD.NS.CLOUDFLARE.COM
Name Server: KAY.NS.CLOUDFLARE.COM
DNSSEC: unsigned
Now let's write down the important information from that long list.
This domain is registered to Arun Kumar, who lives in Chandigarh. His phone number is +918968611259 and his e-mail address is [email protected]. The e-mail address and phone number can be used for different kinds of attacks, especially social-engineering attacks: for example, sending him a phishing mail or a malicious file. Note that this record dates from 2016; since 2018 most registrars redact the registrant, admin and tech contacts by default, so on a current lookup these fields usually read "REDACTED FOR PRIVACY" and contact details have to come from other sources.
As you can see, their name servers are CHAD.NS.CLOUDFLARE.COM and KAY.NS.CLOUDFLARE.COM, which clearly implies that the site uses Cloudflare.
Note: You can't rely on a whois lookup alone for testing Cloudflare. Cloudflare name servers only show that the DNS zone is hosted there, not that a given hostname is actually proxied through Cloudflare. A more reliable check is whether the IP address the hostname resolves to falls inside Cloudflare's published ranges (www.cloudflare.com/ips); a website like www.isthiswebsiteusingcloudflare.com does that check for you.
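To pull the fields worth writing down out of a long whois listing, and to notice when a registrar has withheld them, here is an added Python helper. It is not from the article. The record it parses is a constructed sample modelled on the output above: the non-personal fields are copied from the article's listing, the contact fields are replaced with placeholders, and a second constructed record shows what a redacted lookup looks like. Against a real target you would feed parse_whois the text printed by whois <domain>.

```python
import re
from typing import Dict, List, Optional

# Values registrars substitute when contact data is withheld (standard since the
# 2018 GDPR changes); treating them as real names would mislead the recon notes.
REDACTED = re.compile(r"redacted|not available|data protected|privacy|withheld|rdds", re.I)

# Constructed sample modelled on the record in the article. Non-personal fields
# are copied from it; contact fields are placeholders, not the real registrant.
SAMPLE_WHOIS = """\
   Domain Name: shoutricks.com
   Registrar WHOIS Server: whois.godaddy.com
   Registrar URL: http://www.godaddy.com
   Creation Date: 2016-01-27T13:53:57Z
   Registrar Registration Expiration Date: 2018-01-27T13:53:57Z
   Registrar: GoDaddy.com, LLC
   Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
   Registrant Name: Example Registrant
   Registrant Organization: Example Org
   Registrant Phone Ext:
   Registrant Email: registrant@example.com
   Name Server: CHAD.NS.CLOUDFLARE.COM
   Name Server: KAY.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
>>> Last update of WHOIS database: 2017-01-01T00:00:00Z <<<
"""

# Constructed record with the contact data withheld, as most current records are.
SAMPLE_REDACTED = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.NET
DNSSEC: signedDelegation
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: Value' lines into a dict of lists; keys such as 'Name Server'
    and 'Domain Status' legitimately repeat. Comment and empty-value lines are dropped."""
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue
        # Split on the first ': ' only, so URLs and timestamps keep their colons.
        key, sep, value = line.partition(": ")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def first(record: Dict[str, List[str]], key: str) -> Optional[str]:
    values = record.get(key.lower())
    return values[0] if values else None


def contact(record: Dict[str, List[str]], key: str) -> Optional[str]:
    """A contact field, or None when the registrar has withheld it."""
    value = first(record, key)
    return None if value is None or REDACTED.search(value) else value


def summarize(text: str) -> dict:
    """The handful of fields worth writing down from a whois record."""
    r = parse_whois(text)
    name_servers = [ns.lower().rstrip(".") for ns in r.get("name server", [])]
    return {
        "domain": (first(r, "Domain Name") or "").lower(),
        "registrar": first(r, "Registrar"),
        "created": first(r, "Creation Date"),
        "expires": first(r, "Registrar Registration Expiration Date") or first(r, "Registry Expiry Date"),
        "statuses": sorted({s.split()[0] for s in r.get("domain status", [])}),
        "registrant": contact(r, "Registrant Name"),
        "registrant_email": contact(r, "Registrant Email"),
        "name_servers": name_servers,
        "dnssec": first(r, "DNSSEC"),
        # Cloudflare-hosted DNS only means the zone lives there; whether a given
        # hostname is actually proxied needs an IP range check, not a whois check.
        "cloudflare_dns": bool(name_servers) and all(ns.endswith(".ns.cloudflare.com") for ns in name_servers),
    }


if __name__ == "__main__":
    for label, sample in (("article-style record", SAMPLE_WHOIS), ("redacted record", SAMPLE_REDACTED)):
        print(f"== {label}")
        for key, value in summarize(sample).items():
            print(f"  {key:17} {value}")
```

The parser keeps every value for a repeated key, which matters for .com lookups: the whois client usually prints the registry's thin record followed by the registrar's full one, and both carry Domain Name and Name Server lines. Anything matching REDACTED is reported as None so a placeholder never ends up in your notes as a real contact.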
So... What Is A Name Server?
A name server is a computer which is permanently connected to the internet and translates domain names into IP addresses (and vice versa).
Say thanks, because name servers enable us to enter www.example.com instead of some IP address like 18.104.22.168.
Okay, so we must bypass Cloudflare in order to obtain the real IP address of the server on which the website is hosted. Cloudflare works as a reverse proxy: visitors (and attackers) only ever talk to Cloudflare's edge servers, which fetch the pages from the real server (the "origin") on their behalf, so the origin's address never shows up in DNS for the proxied hostname.
To bypass Cloudflare I will take advantage of a misconfigured Cloudflare setup (which is common, lol).
The problem is that people configure Cloudflare for their main domain but leave the sub-domains unprotected. Every DNS record in Cloudflare is either "proxied" (orange cloud) or "DNS only" (grey cloud), and a DNS-only record points straight at the origin. Records for services Cloudflare does not proxy, like ftp or mail, are very often left DNS-only and point at the same machine that serves the website.
What is a subdomain?
A subdomain is the part of a hostname that comes before the primary name. For example, when you search for an image on Google you end up on images.google.com, with "images" being the subdomain.
First of all, let's ping the main domain:
We have an IP address here, but it is likely to be the IP address of a Cloudflare server rather than the real one.
Now we will try to ping possible sub-domains like,
So let's ping ftp.shoutricks.com:
We have an IP address here which reverse-resolves to a hosting server, "s136.web-hosting.com". So this IP address should be the IP address of the server on which shoutricks.com is hosted. To confirm it rather than assume it, request the site directly from that IP with the Host header set to the domain (curl -k -H 'Host: shoutricks.com' https://that-ip/) and compare the response with the one served through Cloudflare; a sub-domain can also point at a separate mail or FTP box that is not the web server.
Note: Running sub-domain checks is not limited to bypassing Cloudflare. For example, you may find a sub-domain like dev.example.com which hosts a beta version of the website that may be vulnerable, or vpn.example.com which lets website managers log in from their devices, etc.
If you are too lazy to ping sub-domains, don't worry: you can go to iphostinfo.com and do this with one click. (You don't actually need ping for this: a plain DNS lookup with host or dig returns the same address and works even when the server drops ICMP.)
You can also use a program named DNSMap, which ships with a big list of sub-domains. Its usage is simple; you just have to enter
and it will return all the live sub-domains. You can download it from GitHub.
Well, now we have the IP address of their server, i.e. 22.214.171.124.
If you do a whois lookup for this IP address (yes, we can look up IPs too) you will find it belongs to a hosting company named Namecheap.com.
Okay! Now we have some information that we can use to perform social-engineering attacks, and we also have the real IP address of their server, which opens a whole new world of entry points: anything listening on the origin can now be reached directly, without Cloudflare's filtering in front of it.
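The sub-domain walk described above, together with the Cloudflare range check mentioned in the earlier note, as an added Python example. It is not code from the article or from DNSMap. It resolves the apex and a list of common sub-domain labels, flags each address as a Cloudflare edge or a possible origin by testing it against a snapshot of Cloudflare's published IPv4 ranges, and does a reverse (PTR) lookup on the non-Cloudflare addresses, which is where hostnames like s136.web-hosting.com come from. The Cloudflare range list is an assumption that ages; refresh it from www.cloudflare.com/ips-v4 before trusting a result. The DNS data used below is a constructed offline fixture for example.com, not real records; swap in the live functions to run it against a real target.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list changes over time; refresh it before relying on a result.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Labels to try first. Hostnames for non-HTTP services (ftp, mail, cpanel, ...) are the
# ones most often left as "DNS only" records that point straight at the origin.
COMMON_LABELS = ["www", "ftp", "mail", "smtp", "imap", "pop", "webmail", "cpanel",
                 "direct", "dev", "staging", "beta", "test", "vpn", "ns1", "ns2"]


def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def live_resolve(host: str) -> List[str]:
    """A-record lookup via the system resolver. No ICMP involved, so it works
    even when the target drops pings."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_reverse(ip: str) -> str:
    """PTR lookup; hosting providers often name origin boxes (e.g. sNNN.web-hosting.com)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def enumerate_subdomains(domain: str, labels: List[str] = COMMON_LABELS,
                         resolve: Callable[[str], List[str]] = live_resolve,
                         reverse: Callable[[str], str] = live_reverse) -> Dict[str, dict]:
    """Resolve the apex and each candidate sub-domain, and mark which addresses are
    Cloudflare edges and which are not (candidates for the real origin)."""
    results: Dict[str, dict] = {}
    for host in [domain] + [f"{label}.{domain}" for label in labels]:
        ips = resolve(host)
        if not ips:
            continue  # no record: nothing to learn from this name
        results[host] = {
            "ips": ips,
            "behind_cloudflare": all(is_cloudflare(ip) for ip in ips),
            "ptr": {ip: reverse(ip) for ip in ips if not is_cloudflare(ip)},
        }
    return results


def origin_candidates(results: Dict[str, dict]) -> List[str]:
    """Every resolved address that is NOT a Cloudflare edge, deduplicated."""
    return sorted({ip for r in results.values() for ip in r["ips"] if not is_cloudflare(ip)})


# Constructed offline fixture (not real DNS data): the apex and www are proxied through
# a Cloudflare edge, while ftp and mail are DNS-only records pointing at the origin.
# 198.51.100.23 is from the RFC 5737 documentation range.
FAKE_DNS = {
    "example.com": ["104.16.1.1"],
    "www.example.com": ["104.16.1.1"],
    "ftp.example.com": ["198.51.100.23"],
    "mail.example.com": ["198.51.100.23"],
}
FAKE_PTR = {"198.51.100.23": "s000.hosting.example.net"}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_reverse(ip: str) -> str:
    return FAKE_PTR.get(ip, "")


if __name__ == "__main__":
    found = enumerate_subdomains("example.com", resolve=fake_resolve, reverse=fake_reverse)
    for host, info in found.items():
        tag = "cloudflare" if info["behind_cloudflare"] else "POSSIBLE ORIGIN"
        print(f"{host:20} {', '.join(info['ips']):16} {tag} {info['ptr']}")
    print("origin candidates:", origin_candidates(found))
    # Against a real target, drop the fake_* arguments: enumerate_subdomains("target.tld")
```

A non-Cloudflare address on a sub-domain is a candidate, not proof: the mail or FTP record may point at a different machine than the web server. Confirm a candidate by fetching the site from that IP with a Host header (curl -k -H 'Host: target.tld' https://that-ip/) and comparing it to the page served through Cloudflare.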
Well, that's all for now; we will cover more information gathering techniques in upcoming articles.
Thanks for reading.