1
00:00:01,740 --> 00:00:08,190
As usual, the first thing that we do before we start trying to exploit or find any vulnerability is we

2
00:00:08,190 --> 00:00:14,010
do information gathering, so we try to gather as much information as possible about the target, and web

3
00:00:14,010 --> 00:00:15,860
applications are no different.

4
00:00:15,870 --> 00:00:23,670
So we're going to start by trying to get as much information as we can about the target: the IP address, the

5
00:00:23,670 --> 00:00:25,040
domain name info,

6
00:00:25,060 --> 00:00:28,880
the technologies used on the website, what programming languages are used,

7
00:00:28,950 --> 00:00:31,640
what kind of server is installed on it,

8
00:00:31,800 --> 00:00:37,170
what kind of database is being used, and we're also going to gather information about the company, the

9
00:00:37,170 --> 00:00:38,550
DNS records.

10
00:00:38,550 --> 00:00:44,850
And we'll also see if we can find any files that are not being listed or any subdomains that are not

11
00:00:44,850 --> 00:00:46,950
visible to other people.

12
00:00:48,710 --> 00:00:55,500
So the first thing that we're going to have a look at is WHOIS lookup. WHOIS

13
00:00:55,550 --> 00:01:05,570
is a protocol that's used to find owners of Internet resources, for example a server, an IP address or a domain.

14
00:01:05,570 --> 00:01:07,820
So we're actually not hacking or doing anything.

15
00:01:07,820 --> 00:01:13,490
We're literally just retrieving info from a database that contains information about owners of stuff

16
00:01:13,490 --> 00:01:15,180
on the Internet.

17
00:01:15,200 --> 00:01:21,830
So for example, when you sign up for a domain name, if you wanted to register a domain

18
00:01:21,830 --> 00:01:24,480
name for yourself, for example Zayd.com,
19
00:01:24,560 --> 00:01:30,830
when I do that I have to supply information about myself, my address, and then the name will be stored

20
00:01:30,830 --> 00:01:35,180
in my own name, and people can see that Zayd owns this domain name.

21
00:01:35,180 --> 00:01:37,100
So this is all we're going to do.

22
00:01:37,310 --> 00:01:41,180
If you Google "whois lookup" you'll see a lot of websites providing the service.

23
00:01:41,180 --> 00:01:48,860
So I'm using domaintools.com, and I'm just going to put in my target domain name, and I'm just going

24
00:01:48,860 --> 00:01:50,990
to use security.org.

25
00:01:56,390 --> 00:02:02,160
So as you can see, very simple, and we get a lot of information about our target website.

26
00:02:02,230 --> 00:02:07,080
You'll see the e-mail that you can use to contact the domain name info.

27
00:02:07,510 --> 00:02:13,900
Usually you'll be able to see the address of the company that has registered this domain name, but we

28
00:02:13,900 --> 00:02:17,620
can see that this company is using privacy on their domain.

29
00:02:17,620 --> 00:02:19,380
So you can't really see the address.

30
00:02:19,520 --> 00:02:25,360
But if they're not using privacy, you'll be able to see their address and more information

31
00:02:25,360 --> 00:02:26,970
about the actual company.

32
00:02:27,340 --> 00:02:29,560
So you can see when the domain name was created.

33
00:02:30,670 --> 00:02:34,150
You can see the IP address of security.org.

34
00:02:34,270 --> 00:02:42,110
So if you're doing this, you should get this IP address, and I'll show you how I do it.

35
00:02:43,190 --> 00:02:52,180
security.org, you'll see it's the same domain name here, the same IP address as the site.

36
00:02:52,610 --> 00:02:56,130
You can see the IP location and the status.
37
00:02:56,150 --> 00:03:04,860
Obviously it's active. You can also access the history, but you need to register for that, and obviously you

38
00:03:04,860 --> 00:03:10,140
can see the title here, and something that's very useful here: we can see that it's using an Apache web

39
00:03:10,140 --> 00:03:10,530
server.

40
00:03:10,530 --> 00:03:17,310
So this is software that can be used as a web server, and we can see that security.org uses this web server

41
00:03:17,550 --> 00:03:20,450
and this version, 2.2.31.

42
00:03:20,610 --> 00:03:23,610
So again, we can use this to find exploits.

43
00:03:23,790 --> 00:03:29,920
We can see that it's using Unix, the operating system of the website, of the server, and it's using

44
00:03:29,920 --> 00:03:36,020
the following items as well: it uses mod_ssl and OpenSSL, right here.

45
00:03:36,240 --> 00:03:40,440
You can find more information about the company who registered this domain.

46
00:03:40,440 --> 00:03:46,700
So again, security.org is using privacy, so you won't be able to see the address. You can see that it's saying

47
00:03:47,000 --> 00:03:54,930
that the target person is using privacy protection, but usually you'll be able to see phone numbers

48
00:03:55,170 --> 00:03:58,530
and addresses of that company.

49
00:03:58,540 --> 00:04:03,410
So as you can see, very simple stuff, but it's very helpful in the long run,

50
00:04:03,460 --> 00:04:08,770
just to know who your target is, their IP, what services they use. And we can also here, which I actually

51
00:04:08,800 --> 00:04:13,340
didn't show you, see the name servers that are being used.

52
00:04:13,360 --> 00:04:18,160
And you can see that they are provided by a company called them dot net.

53
00:04:18,160 --> 00:04:25,590
Now if you go on them now, you'll see that this is a hosting company.
54
00:04:25,640 --> 00:04:31,420
So if we go on the English version, you'll see that this is a hosting company, and again you can

55
00:04:31,420 --> 00:04:37,990
even use this hosting company and try to social engineer your way, maybe, into hacking into your target,

56
00:04:37,990 --> 00:04:39,140
into security.