1 00:00:00,480 --> 00:00:01,830 Instructor: Welcome back.
2 00:00:01,830 --> 00:00:04,757 Since this is our first video in information gathering,
3 00:00:04,757 --> 00:00:08,198 we're going to start off with something easy.
4 00:00:08,198 --> 00:00:11,760 Let us see how we can identify our target
5 00:00:11,760 --> 00:00:14,190 and get its IP address.
6 00:00:14,190 --> 00:00:16,290 We're going to check how we can do this,
7 00:00:16,290 --> 00:00:19,262 both actively and passively.
8 00:00:19,262 --> 00:00:23,220 Let's do it with active information gathering first.
9 00:00:23,220 --> 00:00:27,235 So this means we are going to interact with our target.
10 00:00:27,235 --> 00:00:30,060 So just go on Google and pick a website
11 00:00:30,060 --> 00:00:31,620 that you want to use for this.
12 00:00:31,620 --> 00:00:33,930 It can be any website that you want,
13 00:00:33,930 --> 00:00:37,770 and you can also use the ones that I will show in this video.
14 00:00:37,770 --> 00:00:41,929 First, open up your terminal, and what we are going to do
15 00:00:41,929 --> 00:00:45,739 for the first test, I'm going to use this website.
16 00:00:45,739 --> 00:00:47,040 (Keys clacking)
17 00:00:47,040 --> 00:00:49,410 This is just some university page that I picked,
18 00:00:49,410 --> 00:00:53,133 and what we can do to get its IP address is to ping it.
19 00:00:54,030 --> 00:00:57,660 Most of you will already be familiar with the ping tool,
20 00:00:57,660 --> 00:01:02,100 since it is installed by default on any operating system.
21 00:01:02,100 --> 00:01:04,732 By pinging this website or any other website,
22 00:01:04,732 --> 00:01:09,162 we're sending something called ICMP packets to that website,
23 00:01:09,162 --> 00:01:12,420 and if we get responses back that means
24 00:01:12,420 --> 00:01:14,970 that website is up and running.
25 00:01:14,970 --> 00:01:16,200 But what we also get,
26 00:01:16,200 --> 00:01:19,293 besides that response, is the IP address.
27 00:01:20,310 --> 00:01:21,840 So let's try it out.
28 00:01:21,840 --> 00:01:25,290 I will leave this link right here, and I will just add
29 00:01:25,290 --> 00:01:30,290 at the beginning: ping, space, and then hit Enter.
30 00:01:32,310 --> 00:01:36,000 And it seems that we are not getting any responses back,
31 00:01:36,000 --> 00:01:39,780 but what we did get is an IP address.
32 00:01:39,780 --> 00:01:40,613 Here it is.
33 00:01:41,490 --> 00:01:43,350 And we are not getting responses back
34 00:01:43,350 --> 00:01:46,920 from this site because it is probably blocking ping probes,
35 00:01:46,920 --> 00:01:48,873 which some websites often do.
36 00:01:49,830 --> 00:01:52,440 Let us try another site to see how it looks
37 00:01:52,440 --> 00:01:54,390 once we get responses back.
38 00:01:54,390 --> 00:01:58,050 So to stop this, you can simply just press CTRL + C,
39 00:01:58,050 --> 00:02:00,480 and it'll tell us 32 packets transmitted
40 00:02:00,480 --> 00:02:03,360 and 100% packet loss.
41 00:02:03,360 --> 00:02:06,413 Now this doesn't mean that this website is offline,
42 00:02:06,413 --> 00:02:10,656 since if we visited this link right here or this IP address,
43 00:02:10,656 --> 00:02:13,740 we would open a page to that website.
44 00:02:13,740 --> 00:02:16,380 But just in case, let us see what it looks like
45 00:02:16,380 --> 00:02:20,400 once we get the response back from the ping command.
46 00:02:20,400 --> 00:02:24,600 If we try to ping a big website, for example, like Facebook,
47 00:02:24,600 --> 00:02:28,383 so let's type ping facebook.com.
48 00:02:31,410 --> 00:02:36,410 Here we get an IP address of Facebook and we can CTRL + C,
49 00:02:36,660 --> 00:02:40,140 since we can notice that we are getting packets back,
50 00:02:40,140 --> 00:02:43,170 which means Facebook is up and running and also responding
51 00:02:43,170 --> 00:02:45,570 to our ICMP packets.
52 00:02:45,570 --> 00:02:48,870 Just to note, this IP address right here is just one
53 00:02:48,870 --> 00:02:51,330 of the IP addresses that Facebook uses.
54 00:02:51,330 --> 00:02:54,450 So for you, once you ping it, you will probably
55 00:02:54,450 --> 00:02:56,460 get a different result.
56 00:02:56,460 --> 00:02:59,970 Okay, what we saw right here is an example
57 00:02:59,970 --> 00:03:03,176 of active information gathering to get the IP address,
58 00:03:03,176 --> 00:03:07,053 since we directly sent packets to these websites.
59 00:03:08,400 --> 00:03:10,158 Another tool you can use to get the IP
60 00:03:10,158 --> 00:03:13,353 of a website is called nslookup.
61 00:03:14,190 --> 00:03:16,960 So if I go down here and type nslookup
62 00:03:19,470 --> 00:03:21,600 and then the name of the website,
63 00:03:21,600 --> 00:03:24,870 which in our case, let's try with the first one,
64 00:03:24,870 --> 00:03:26,610 which is this one.
65 00:03:26,610 --> 00:03:29,820 And once again you can test any website you want with this.
66 00:03:29,820 --> 00:03:31,500 It doesn't matter.
67 00:03:31,500 --> 00:03:35,910 If I press Enter, it'll give me this response,
68 00:03:35,910 --> 00:03:38,640 which says Server and Address right here.
69 00:03:38,640 --> 00:03:42,120 But this is not the IP address of this website.
70 00:03:42,120 --> 00:03:45,810 This is just my router, and the result,
71 00:03:45,810 --> 00:03:49,563 or the IP address of this website, is down here.
72 00:03:50,490 --> 00:03:51,450 Here it is.
73 00:03:51,450 --> 00:03:55,950 If we compare this one, and we go back to the ping command,
74 00:03:55,950 --> 00:03:58,950 you will notice the IP address is the same.
75 00:03:58,950 --> 00:04:01,263 So we got the same result, which is good.
76 00:04:02,130 --> 00:04:03,510 Let's try the same with Facebook.
77 00:04:03,510 --> 00:04:07,463 So just type right here nslookup facebook.com.
78 00:04:07,463 --> 00:04:10,770 (Keys clacking)
79 00:04:10,770 --> 00:04:13,953 And we also get the IP address of Facebook.
80 00:04:15,540 --> 00:04:18,060 Now if you wanted to do this passively,
81 00:04:18,060 --> 00:04:19,860 you would search for this information,
82 00:04:19,860 --> 00:04:23,190 such as the IP address, on some other website.
83 00:04:23,190 --> 00:04:24,960 Let us see how we can do that.
84 00:04:24,960 --> 00:04:27,420 First of all, we want to open our Firefox,
85 00:04:27,420 --> 00:04:30,030 and to do that, just click on this Kali Linux icon
86 00:04:30,030 --> 00:04:33,363 in the top left corner and type Firefox.
87 00:04:34,650 --> 00:04:37,020 You should see Firefox ESR.
88 00:04:37,020 --> 00:04:37,863 Click on it.
89 00:04:38,730 --> 00:04:40,110 And what we're going to look
90 00:04:40,110 --> 00:04:43,950 for is a website that provides us with the IP address
91 00:04:43,950 --> 00:04:45,903 of a different website.
92 00:04:46,920 --> 00:04:49,680 And since I don't know any website that does that,
93 00:04:49,680 --> 00:04:53,070 I will simply just go right here in the search bar,
94 00:04:53,070 --> 00:04:58,070 and type "what is the IP address of this website".
95 00:04:59,272 --> 00:05:03,150 If I press Enter, it should probably give me a few results
96 00:05:03,150 --> 00:05:07,470 of different websites that will do exactly what we want,
97 00:05:07,470 --> 00:05:10,995 which is get the IP address of another website.
98 00:05:10,995 --> 00:05:13,289 And let's go with this one, IP checker,
99 00:05:13,289 --> 00:05:15,213 which is IPinfo.info.
100 00:05:16,950 --> 00:05:19,320 If I click on it and down here,
101 00:05:19,320 --> 00:05:23,280 we see something that says IP/Domain Checker.
102 00:05:23,280 --> 00:05:27,273 We need to specify the IP address, the Domain, or URL.
103 00:05:28,170 --> 00:05:32,130 And if we type the domain name of that first website,
104 00:05:32,130 --> 00:05:35,050 so if I type the same domain name
105 00:05:37,170 --> 00:05:39,499 and click right here on Check.
106 00:05:39,499 --> 00:05:43,380 Okay, so some security check, select all traffic lights.
107 00:05:43,380 --> 00:05:46,653 Let's select all traffic lights that we see.
108 00:05:48,660 --> 00:05:50,665 And here is the result.
109 00:05:50,665 --> 00:05:53,400 And you will notice that right here, we get even
110 00:05:53,400 --> 00:05:56,310 more information than we asked for.
111 00:05:56,310 --> 00:06:00,540 For example, here is the IP address of this website.
112 00:06:00,540 --> 00:06:03,240 We also get which country it is from,
113 00:06:03,240 --> 00:06:05,250 as it says right here in the brackets,
114 00:06:05,250 --> 00:06:10,170 and we also get its geolocation, which even says the city.
115 00:06:10,170 --> 00:06:13,323 We can also check it out on Google Maps if we wanted to.
116 00:06:14,490 --> 00:06:18,090 Down here we get even more information, such as Reverse DNS.
117 00:06:18,090 --> 00:06:19,170 Here we get information
118 00:06:19,170 --> 00:06:23,223 about registration date, modification date, expiration date.
119 00:06:24,090 --> 00:06:26,640 Down here we get some of the DNS servers,
120 00:06:26,640 --> 00:06:29,970 and here we get its physical address.
121 00:06:29,970 --> 00:06:31,267 So this is the exact location
122 00:06:31,267 --> 00:06:33,753 where this server is located.
123 00:06:34,770 --> 00:06:38,160 Now this is just the same result, I believe, down here.
124 00:06:38,160 --> 00:06:39,767 We also get some email addresses,
125 00:06:39,767 --> 00:06:42,030 as we can notice right here.
126 00:06:42,030 --> 00:06:43,426 All this could be useful for us,
127 00:06:43,426 --> 00:06:47,280 depending on which type of attack we would plan.
128 00:06:47,280 --> 00:06:48,390 Now, of course, we are not going
129 00:06:48,390 --> 00:06:49,740 to be attacking this website,
130 00:06:49,740 --> 00:06:52,320 since we do not have permission, but we are simply
131 00:06:52,320 --> 00:06:55,620 just gathering information to see what can be retrieved
132 00:06:55,620 --> 00:06:57,810 from the internet about this website.
133 00:06:57,810 --> 00:06:59,880 And for now we are getting a bunch
134 00:06:59,880 --> 00:07:02,280 of information about it.
135 00:07:02,280 --> 00:07:06,210 Now, a similar response to the one we got right here,
136 00:07:06,210 --> 00:07:10,140 we can get using a tool called Whois.
137 00:07:10,140 --> 00:07:12,480 Whois not only gives us an IP address
138 00:07:12,480 --> 00:07:15,210 of the specified domain, but it also gives us a bunch
139 00:07:15,210 --> 00:07:17,463 of other information about that domain.
140 00:07:18,330 --> 00:07:22,050 It is already installed in Kali Linux, so let's test it out.
141 00:07:22,050 --> 00:07:27,050 If I close this page, and type in my terminal whois,
142 00:07:27,505 --> 00:07:31,713 the same domain name, press Enter.
143 00:07:32,910 --> 00:07:35,310 I will pretty much get the same information
144 00:07:35,310 --> 00:07:37,653 that I saw previously on that website.
145 00:07:39,420 --> 00:07:43,132 As we can see right here, we get those DNS servers,
146 00:07:43,132 --> 00:07:46,770 the registration date, modification date, expiration date.
147 00:07:46,770 --> 00:07:50,190 We get the physical address and some other things,
148 00:07:50,190 --> 00:07:52,050 such as ID Number, Tax ID,
149 00:07:52,050 --> 00:07:54,063 which are not really of interest to us.
150 00:07:55,230 --> 00:07:58,980 And let us also test this tool on Facebook,
151 00:07:58,980 --> 00:08:03,000 since different websites might give different information.
152 00:08:03,000 --> 00:08:05,538 For example, if I do the same on Facebook,
153 00:08:05,538 --> 00:08:08,070 since it is a much bigger site,
154 00:08:08,070 --> 00:08:11,940 it'll probably give us much more information as well.
155 00:08:11,940 --> 00:08:15,603 So let's type it, whois facebook.com.
156 00:08:16,560 --> 00:08:17,490 Press Enter.
157 00:08:17,490 --> 00:08:19,020 Let me just enlarge the terminal,
158 00:08:19,020 --> 00:08:21,480 so we can see everything clearly.
159 00:08:21,480 --> 00:08:26,480 And if I scroll all the way up, we get some name servers,
160 00:08:27,570 --> 00:08:31,230 Tech Street, City, State/Province, Postal Code.
161 00:08:31,230 --> 00:08:34,440 We also get some phone numbers right here.
162 00:08:34,440 --> 00:08:38,520 Here are some of the email addresses for the tech email.
163 00:08:38,520 --> 00:08:41,070 So we get another email address, right here,
164 00:08:41,070 --> 00:08:42,933 and even more phone numbers.
165 00:08:43,950 --> 00:08:46,080 We get the city, the street.
166 00:08:46,080 --> 00:08:47,703 If I go all the way up,
167 00:08:48,570 --> 00:08:50,490 we can see that this is a whois response,
168 00:08:50,490 --> 00:08:53,400 so all this information is public to us.
169 00:08:53,400 --> 00:08:54,870 And this would be pretty much it.
170 00:08:54,870 --> 00:08:56,550 This is all the information we get
171 00:08:56,550 --> 00:08:58,743 for Facebook using the Whois tool.
172 00:09:00,090 --> 00:09:03,420 And, by the way, in real penetration tests
173 00:09:03,420 --> 00:09:04,519 that you will perform,
174 00:09:04,519 --> 00:09:06,895 all of the interesting information is something
175 00:09:06,895 --> 00:09:10,350 that you want to write down in a report.
176 00:09:10,350 --> 00:09:13,590 For now, we only saw how we can get basic information,
177 00:09:13,590 --> 00:09:16,440 such as IP addresses, country of origin,
178 00:09:16,440 --> 00:09:18,810 physical address, and similar.
179 00:09:18,810 --> 00:09:22,410 But later during information gathering and scanning,
180 00:09:22,410 --> 00:09:24,900 we might find something that shouldn't be out there
181 00:09:24,900 --> 00:09:26,130 on the internet,
182 00:09:26,130 --> 00:09:28,948 and that would be called information disclosure.
183 00:09:28,948 --> 00:09:31,478 It is something that the client doesn't want to be seen,
184 00:09:31,478 --> 00:09:34,590 but it is still publicly available.
185 00:09:34,590 --> 00:09:37,500 So anything that you might think is interesting,
186 00:09:37,500 --> 00:09:39,390 you would write down.
187 00:09:39,390 --> 00:09:40,680 Okay, great.
188 00:09:40,680 --> 00:09:42,960 Now we know how we can identify a target
189 00:09:42,960 --> 00:09:44,790 by getting its IP address,
190 00:09:44,790 --> 00:09:46,830 and also getting its physical address
191 00:09:46,830 --> 00:09:49,440 and some other interesting information as well.
192 00:09:49,440 --> 00:09:52,410 And even though this isn't really hard information to get,
193 00:09:52,410 --> 00:09:54,390 it is a good beginning.
194 00:09:54,390 --> 00:09:57,483 Let us see in the next video what else we can find out.