
Gathering Information About A Domain

In the previous article, we discussed why information gathering is important. In this part we will be gathering information about a domain.
Wait!! What’s a domain?
In simple words, it is the address of a website; for example, the address of this website is teamultimate.in.
So we have a target here: example.com
And we know nothing more than its domain.
So the first thing we will do is a basic whois lookup. It will retrieve information like... umm, better do it and see.

You can use whois.icann.org for this purpose, but I will be using the whois tool that I have installed on my Linux machine.

You can install it on your Linux distro by entering apt-get install whois in a terminal.
So let's fire up a terminal and enter whois example.com
We got this result in no time:

We can use his email and phone number for different kinds of attacks, especially social engineering based attacks; for example, we can send him a phishing mail or a malicious file.

As you can see, their name servers are CHAD.NS.CLOUDFLARE.COM and KAY.NS.CLOUDFLARE.COM, which clearly implies that the site uses Cloudflare.
Note: You can't rely on a whois lookup alone to tell whether a site uses Cloudflare; using a website like doesitusecloudflare.com is a better idea.

So... What Is A Name Server?
A name server is a computer which is permanently connected to the internet and translates domain names into IP addresses (and vice versa).
Say thanks, because name servers enable us to enter www.example.com instead of some IP address like 192.34.231.34.

Okay, so we must bypass Cloudflare in order to obtain the real IP address of the server on which the website is hosted.
To bypass Cloudflare I will take advantage of a misconfigured Cloudflare setup (which is common lol).
The problem is that people configure Cloudflare for their main domain but leave the sub-domains unprotected, so those sub-domains resolve straight to the origin server.

What is a subdomain?

A subdomain is the part of a URL that comes before the primary name. For example, when you search for an image on Google you end up on images.google.com, with "images" being the subdomain.

First off, let's ping the main domain:
[Screenshot: ping of the main domain]
We have an IP address here, but it is likely to be the IP address of a Cloudflare server rather than the real host.
Now we will try to ping possible sub-domains like:

  • ftp.example.com
  • mail.example.com
  • direct.example.com
  • direct-connect.example.com
  • admin.example.com
  • portal.example.com
  • forum.example.com

So let's ping ftp.shoutricks.com:
[Screenshot: ping of the sub-domain]
We have an IP address here which reverse-resolves to a hosting service, s136.web-hosting.com. So this IP address should be the IP address of the server on which shoutricks.com is hosted.

Note: Running sub-domain checks is not only useful for bypassing Cloudflare. For example, you may find a sub-domain like dev.example.com which hosts the beta version of the website and may be vulnerable, or vpn.example.com which may let website managers log in from their devices, etc.
If you are too lazy to ping sub-domains then don't worry, you can go to iphostinfo.com and do this with one click.
You can also use a program named DNSMap which has a big list of sub-domains, and its usage is simple: you just have to enter

and it will return all the alive subdomains. You can download it from GitHub.
Well, now we have the IP address of their server, i.e. 104.219.248.93.
If you do a whois lookup for this IP address (yeah, we can look up IPs too) you will find it is one of the servers of a hosting company named Namecheap.com.
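As an added example (not part of the original article), here is the defender-side version of the check above: a small Python audit that flags every name under a domain resolving to an address outside the reverse proxy's ranges, which is exactly the misconfiguration that leaks the origin server. The DNS answers and the proxy ranges are constructed placeholders; the real Cloudflare list is published at https://www.cloudflare.com/ips/.

```python
"""Audit which DNS names of a domain resolve outside the reverse-proxy
(e.g. Cloudflare) address ranges and therefore expose the origin server.
Offline demo: the DNS answers and proxy ranges below are constructed."""
import ipaddress
import socket
from typing import Dict, Iterable, List

# CONSTRUCTED placeholder ranges standing in for the proxy provider's
# published list (Cloudflare's real list: https://www.cloudflare.com/ips/).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# CONSTRUCTED DNS answers, shaped like socket.gethostbyname_ex(name)[2].
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "example.com":      ["198.51.100.10", "198.51.100.11"],  # proxied
    "www.example.com":  ["203.0.113.5"],                     # proxied
    "ftp.example.com":  ["192.0.2.44"],                      # origin leaked
    "mail.example.com": ["192.0.2.44"],                      # origin leaked
    "dev.example.com":  ["192.0.2.80"],                      # second origin host
}

def is_proxied(ip: str, ranges: Iterable = PROXY_RANGES) -> bool:
    """True if the address lies inside one of the proxy provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def find_exposed_hosts(records: Dict[str, List[str]],
                       ranges: Iterable = PROXY_RANGES) -> Dict[str, List[str]]:
    """Return {hostname: [non-proxy IPs]} for every name that bypasses the proxy."""
    exposed: Dict[str, List[str]] = {}
    for host, ips in records.items():
        leaked = [ip for ip in ips if not is_proxied(ip, ranges)]
        if leaked:
            exposed[host] = leaked
    return exposed

def resolve_records(domain: str, labels: Iterable[str]) -> Dict[str, List[str]]:
    """Live variant: resolve the apex and each <label>.<domain> with the system
    resolver, in the same shape as SAMPLE_RECORDS. Names that do not resolve are skipped."""
    out: Dict[str, List[str]] = {}
    for name in [domain] + [f"{label}.{domain}" for label in labels]:
        try:
            out[name] = socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            pass
    return out

if __name__ == "__main__":
    for host, ips in find_exposed_hosts(SAMPLE_RECORDS).items():
        print(f"{host} bypasses the proxy: {', '.join(ips)}")
```

Pointing the live variant at your own zone with the labels from the list above (ftp, mail, direct, admin, portal, forum, dev, vpn) shows which records still need to be proxied or removed.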

Okay! Now we have some information that we can use to perform social engineering based attacks, and we also have the real IP address of their server, which opens a whole new world of breakpoints.

Well that’s all for now, we will discover more information gathering techniques in upcoming articles.
Thanks for reading.



About the author

D3V

I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.
