Gathering Information About A Domain

In the previous article we discussed why information gathering is important. In this part we will gather information about a domain.
Wait!! What's a domain?
In simple words, it is the address of a website; for example, the address of this website is teamultimate.in.
So we have a target here: shoutricks.com
And we know nothing more than its domain.
So the first thing we will do is a basic whois lookup. It retrieves the registration record for the domain: who registered it, through which registrar, when, and which name servers serve it. Better to run it and see.

You can use whois.icann.org for this purpose, but I will be using the whois client that I have installed on my Linux box.

You can install it on a Debian-based distro by entering apt-get install whois in a terminal.
So let's fire up a terminal and enter whois shoutricks.com
We got this result in no time:

Domain Name: shoutricks.com
Registry Domain ID: 1997837305_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2016-12-24T16:54:29Z
Creation Date: 2016-01-27T13:53:57Z
Registrar Registration Expiration Date: 2018-01-27T13:53:57Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: ARUN KUMAR
Registrant Organization: Shoutricks
Registrant Street: #2010 burail 45-b
Registrant Street: #2010 burail 45-b
Registrant City: Chandigarh
Registrant State/Province: Chandigarh
Registrant Postal Code: 160047
Registrant Country: IN
Registrant Phone: +91.8968611259
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: [email protected]
Registry Admin ID: Not Available From Registry
Admin Name: ARUN KUMAR
Admin Organization: Shoutricks
Admin Street: #2010 burail 45-b
Admin Street: #2010 burail 45-b
Admin City: Chandigarh
Admin State/Province: Chandigarh
Admin Postal Code: 160047
Admin Country: IN
Admin Phone: +91.8968611259
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: [email protected]
Registry Tech ID: Not Available From Registry
Tech Name: ARUN KUMAR
Tech Organization: Shoutricks
Tech Street: #2010 burail 45-b
Tech Street: #2010 burail 45-b
Tech City: Chandigarh
Tech State/Province: Chandigarh
Tech Postal Code: 160047
Tech Country: IN
Tech Phone: +91.8968611259
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: [email protected]
Name Server: CHAD.NS.CLOUDFLARE.COM
Name Server: KAY.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Now let's write down the important information from that long list.
This domain is registered to Arun Kumar, who lives in Chandigarh. His phone number is +918968611259 and his e-mail address is [email protected]. The e-mail address and phone number can be used for different kinds of attacks, especially social engineering based attacks: for example, we could send him a phishing mail or a malicious file.

As you can see, their name servers are CHAD.NS.CLOUDFLARE.COM and KAY.NS.CLOUDFLARE.COM, which clearly implies that the site uses Cloudflare.
Note: You can't rely on a whois lookup alone to tell whether a site is behind Cloudflare. Cloudflare name servers only mean Cloudflare hosts the DNS zone; individual records can still be "DNS only" and point straight at the real server, so web traffic is not necessarily proxied. Using a website like www.isthiswebsiteusingcloudflare.com is a better idea.
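The whois record above is a flat list of Key: value lines, some of them repeated (Domain Status, Name Server), and picking the useful bits out by eye gets old fast. The following is an added example, not code from the article: a small Python parser that turns raw whois output into a structured summary (contacts, registrar, dates, EPP status locks, name servers, DNSSEC, and a Cloudflare name server hint). SAMPLE_WHOIS is a constructed record with placeholder values laid out like the shoutricks.com output; the lookup() helper shells out to the system whois client and needs network access. It also flags redacted contacts, which is what most registrars publish today, so the social engineering angle is not planned around a placeholder.

```python
"""Turn raw `whois` output into a structured recon summary.

Added example, not code from the article. Parses the Key: value layout,
keeps repeated keys, and extracts the fields that matter for recon.
SAMPLE_WHOIS is a constructed record with placeholder values.
"""
import subprocess
from collections import defaultdict

SAMPLE_WHOIS = """\
Domain Name: example.com
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Creation Date: 2016-01-27T13:53:57Z
Registrar Registration Expiration Date: 2018-01-27T13:53:57Z
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Registrant Name: Jane Doe
Registrant Organization: Example Org
Registrant Phone: +1.2025550100
Registrant Phone Ext:
Registrant Email: [email protected]
Admin Name: Jane Doe
Admin Email: [email protected]
Tech Name: Jane Doe
Tech Email: [email protected]
Name Server: CHAD.NS.CLOUDFLARE.COM
Name Server: KAY.NS.CLOUDFLARE.COM
DNSSEC: unsigned
>>> Last update of whois database: 2017-01-01T00:00:00Z <<<
"""

ROLES = ("Registrant", "Admin", "Tech")
# Strings registrars substitute for contact data since the 2018 privacy changes.
REDACTED_MARKERS = ("REDACTED", "DATA PROTECTED", "WITHHELD")


def parse_whois(text):
    """Map each 'Key: value' line to a list of values (keys may repeat).
    Comment lines (%, #), the '>>>' trailer and empty values are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")  # split on the FIRST colon only
        if sep and value.strip():
            fields[key.strip()].append(value.strip())
    return dict(fields)


def first(fields, key):
    """First value for key, or None when the record does not carry it."""
    return fields.get(key, [None])[0]


def summarize(fields):
    """Extract what a recon engagement cares about from parsed fields."""
    statuses = [v.split()[0] for v in fields.get("Domain Status", [])]
    name_servers = [ns.lower().rstrip(".") for ns in fields.get("Name Server", [])]
    contacts = {
        role: {
            "name": first(fields, f"{role} Name"),
            "email": first(fields, f"{role} Email"),
            "phone": first(fields, f"{role} Phone"),
        }
        for role in ROLES
    }
    contact_values = [v for c in contacts.values() for v in c.values() if v]
    redacted = any(m in v.upper() for v in contact_values for m in REDACTED_MARKERS)
    return {
        "domain": (first(fields, "Domain Name") or "").lower(),
        "registrar": first(fields, "Registrar"),
        "created": first(fields, "Creation Date"),
        "expires": first(fields, "Registrar Registration Expiration Date"),
        "status": statuses,
        "transfer_locked": "clientTransferProhibited" in statuses,
        "name_servers": name_servers,
        # Cloudflare name servers mean Cloudflare hosts the DNS zone; whether
        # web traffic is actually proxied has to be checked separately.
        "cloudflare_ns": any(ns.endswith(".ns.cloudflare.com") for ns in name_servers),
        "dnssec_signed": (first(fields, "DNSSEC") or "unsigned").lower() != "unsigned",
        "contacts": contacts,
        "contacts_redacted": redacted,
    }


def lookup(domain):
    """Run the system `whois` client (needs network) and summarize its output."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=False)
    return summarize(parse_whois(out.stdout))


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_whois(SAMPLE_WHOIS)), indent=2))
```

Run it with `python3 whois_summary.py` to see the summary of the constructed record, or call `lookup("shoutricks.com")` for a live target. Splitting each line on the first colon is deliberate: values such as Registrar URL and the Domain Status lines contain colons of their own.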

So. . . What Is A Name Server?
A name server is a computer which is permanently connected to the internet and translates domain names into IP addresses (and vice versa).
Say thanks, because name servers enable us to enter www.example.com instead of some IP address like 192.34.231.34.

Okay, so we must bypass Cloudflare in order to obtain the real IP address of the server on which the website is hosted.
To bypass Cloudflare I will take advantage of a misconfigured Cloudflare setup (which is common, lol).
The problem is that people configure Cloudflare for their main domain but leave their sub-domains unprotected, pointing straight at the origin server.

What is a subdomain?

A subdomain is the part of a hostname that comes before the primary (registered) name. For example, when you search for an image on Google you end up on images.google.com, with "images" being the subdomain.

First off, let's ping the main domain:
ping shoutricks.com
We get an IP address here, but it is likely the IP address of a Cloudflare edge server rather than the origin.
Now we will try to ping possible sub-domains like:

  • ftp.shoutricks.com
  • mail.shoutricks.com
  • direct.shoutricks.com
  • direct-connect.shoutricks.com
  • admin.shoutricks.com
  • portal.shoutricks.com
  • forum.shoutricks.com

So let's ping ftp.shoutricks.com:
ping ftp.shoutricks.com
We get an IP address here which points at a hosting service, s136.web-hosting.com. So this IP address is likely the IP address of the server on which shoutricks.com is hosted.

Note: Running sub-domain checks is not only useful for bypassing Cloudflare. For example, you may find a sub-domain like dev.example.com which hosts the beta version of the website and may be vulnerable, or vpn.example.com which may let website managers log in from their devices, etc.
If you are too lazy to ping sub-domains manually then don't worry, you can go to iphostinfo.com and do this with one click.
You can also use a program named DNSMap which has a big list of sub-domains; its usage is simple, you just have to enter

dnsmap example.com

and it will return all the live sub-domains. You can download it from GitHub.
Well, now we have the IP address of their server, i.e. 104.219.248.93.
If you do a whois lookup for this IP address (yeah, we can look up IPs too) you will find it belongs to a hosting company named Namecheap.com.
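The procedure above (resolve a list of likely sub-domains, then work out which answers are Cloudflare and which are a real server) can be scripted so it is repeatable and does not depend on ICMP, which many hosts block even when the name resolves fine. The following is an added example, not code from the article or from DNSMap: it resolves the apex plus a candidate list and classifies each answer against Cloudflare's published IPv4 ranges. CLOUDFLARE_V4 is a snapshot of https://www.cloudflare.com/ips-v4 and is an assumption that must be refreshed before real use; FAKE_DNS is a constructed answer set so the block runs offline, and the resolver is injectable so the same code does live lookups with the default socket resolver.

```python
"""Resolve candidate sub-domains and sort answers into 'Cloudflare edge'
versus 'possible origin' using Cloudflare's published IPv4 ranges.

Added example, not code from the article. The resolver is injectable so the
block runs offline against FAKE_DNS (constructed); with the default
socket.gethostbyname it performs real lookups.
"""
import ipaddress
import socket

# Snapshot of https://www.cloudflare.com/ips-v4 (assumption: refresh from that
# URL before an engagement; the list changes over time; IPv6 is not covered).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The article's candidate list plus a few more that commonly point straight
# at the origin (dev/staging boxes, control panels, mail).
CANDIDATE_PREFIXES = [
    "www", "ftp", "mail", "direct", "direct-connect", "admin", "portal",
    "forum", "dev", "staging", "vpn", "cpanel", "webmail", "smtp",
]

# Constructed answers so the example runs offline: 104.16.x.x lies inside
# Cloudflare's 104.16.0.0/13, while 198.51.100.7 (TEST-NET-2) does not.
FAKE_DNS = {
    "example.com": "104.16.1.1",
    "www.example.com": "104.16.1.2",
    "ftp.example.com": "198.51.100.7",
    "mail.example.com": "198.51.100.7",
}


def fake_resolver(host):
    """Stand-in for socket.gethostbyname backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"{host}: NXDOMAIN")


def is_cloudflare(ip):
    """True if ip falls inside one of Cloudflare's published IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve_candidates(domain, prefixes=CANDIDATE_PREFIXES,
                       resolver=socket.gethostbyname):
    """Resolve the apex and each prefix.domain; names that fail to resolve are
    dropped. Returns [(host, ip, behind_cloudflare), ...] in query order."""
    results = []
    for host in [domain] + [f"{p}.{domain}" for p in prefixes]:
        try:
            ip = resolver(host)
        except OSError:  # socket.gaierror is an OSError subclass
            continue
        results.append((host, ip, is_cloudflare(ip)))
    return results


def candidate_origins(results):
    """Non-Cloudflare addresses keyed by IP, with the first host that exposed
    each. These are leads, not proof: a mail or FTP host may sit on a different
    machine from the web origin, so confirm by requesting the site from that IP
    with the right Host header (or TLS SNI) and comparing the response."""
    origins = {}
    for host, ip, behind_cf in results:
        if not behind_cf and ip not in origins:
            origins[ip] = host
    return origins


if __name__ == "__main__":
    found = resolve_candidates("example.com", resolver=fake_resolver)
    for host, ip, cf in found:
        print(f"{host:25} {ip:16} {'cloudflare' if cf else 'POSSIBLE ORIGIN'}")
    print("candidate origins:", candidate_origins(found))
```

For a live run, call `resolve_candidates("shoutricks.com")` with the default resolver; the result is the same table the ping walk-through produced by hand, with the Cloudflare edge answers already separated from the hosting-provider address.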

Okay! Now we have some information that we can use to perform social engineering based attacks, and we also have the real IP address of their server, which opens up a whole new attack surface.

Well that’s all for now, we will discover more information gathering techniques in upcoming articles.
Thanks for reading.

About the author

D3V

A n00b hacker and a proud member of Team Ultimate. I am infamous but known as D3V in my circle.
