Information Gathering

DISCLAIMER!
This content is intended solely for educational and ethical purposes. The website pentest.id was created by our lecturer, and this activity is conducted with permission. All activities related to cybersecurity must comply with applicable regulations. The author (me) is not responsible for any misuse or illegal activities performed using the knowledge shared here. Any actions taken by readers using this information are at the reader's own risk.


Information Gathering

Image source: https://www.lisedunetwork.com/information-gathering/

The first step before conducting a penetration test (pen test) is to gather information about the target. In other words, we perform footprinting (collecting as much data about the system as possible before touching it). There are many ways and tools to gather information about a system; below I show some of them.


1. Wayback Machine (archive.org)

The Wayback Machine is a digital archive that allows users to view past versions of websites on the Internet. For example, we can view past versions of Kompas.com going back to 1996. Below is a comparison of Kompas.com in 1996 (the white one) and the current one (the black one). Through the Wayback Machine, we may find clues about the architecture the system currently uses, such as technologies or paths that were visible in older versions.





2. Job Vacancy Posts

To learn more about the technology stack of a well-known client, we can search for programmer job vacancies posted by that company. For example, from this job vacancy post on Kalibrr, we can infer that Kompas.com uses technologies such as PHP, CodeIgniter, MariaDB, and so on.



3. dig and whois in the Kali Linux Terminal

From dig, we can get the current IP address of the website. For example, we test it with pentest.id (the owner of this website has allowed us to use it as our test object).

Meanwhile, whois gives us details about the company managing the domain name registration, the name servers, and the DNSSEC status. In the whois output, DNSSEC (Domain Name System Security Extensions) is shown as unsigned, meaning that the zone is not signed and the protection DNSSEC provides against DNS spoofing or cache poisoning attacks is not enabled for this domain.
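To show how the dig and whois output above can be turned into reconnaissance notes, here is an added example (not code from the original post). The two text blocks are constructed samples shaped like `dig +short A` and `whois` output; real whois formats vary by registrar, so the field names matched below are an assumption, and the DNSSEC check simply reports what the record says.

```python
"""Parse dig and whois output and flag the DNSSEC status of a domain.

Added example, not from the original post. DIG_SHORT_OUTPUT and WHOIS_OUTPUT
are CONSTRUCTED samples; the field names ("Registrar", "Name Server",
"DNSSEC") are an assumption about the registrar's whois format.
"""
import re

# Constructed sample: what `dig +short A example.test` might print (two A records).
DIG_SHORT_OUTPUT = """203.0.113.10
203.0.113.11
"""

# Constructed sample of a whois record, trimmed to the fields discussed in the post.
WHOIS_OUTPUT = """Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dig_short(text):
    """Return the IPv4 addresses from `dig +short A` output, ignoring any other lines."""
    return [line.strip() for line in text.splitlines() if IPV4.match(line.strip())]


def parse_whois(text):
    """Extract registrar, name servers and DNSSEC status from whois output."""
    info = {"registrar": None, "name_servers": [], "dnssec": None}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            info["registrar"] = value
        elif key == "name server":
            info["name_servers"].append(value.lower())
        elif key == "dnssec":
            info["dnssec"] = value.lower()
    return info


def dnssec_finding(info):
    """Turn the DNSSEC field into a pen-test note about resolver validation."""
    status = (info.get("dnssec") or "unknown").lower()
    if status == "unsigned":
        # No DNSKEY/RRSIG chain: validating resolvers cannot tell forged answers from real ones.
        return "DNSSEC unsigned: responses are not signed, so spoofed or poisoned answers cannot be detected by validating resolvers"
    if status.startswith("signed"):
        # gTLD whois typically reports "signedDelegation" when a DS record is published.
        return "DNSSEC signed: validating resolvers can reject forged answers"
    return "DNSSEC status could not be determined (%s)" % status


if __name__ == "__main__":
    print("A records:", parse_dig_short(DIG_SHORT_OUTPUT))
    rec = parse_whois(WHOIS_OUTPUT)
    print("Registrar:", rec["registrar"])
    print("Name servers:", rec["name_servers"])
    print(dnssec_finding(rec))
```

In a real engagement you would pipe the actual `dig +short A pentest.id` and `whois pentest.id` output into these functions; the note produced by `dnssec_finding` is the same observation the post makes from the whois screenshot.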


4. theHarvester in the Kali Linux Terminal

theHarvester is a tool written in Python that gathers information (hosts, IPs, emails, URLs) from different search engines and data sources. Its basic command is

theHarvester -d [domain name] -b [search engine name / all][options] [parameters]

Below is the explanation of all the options in theHarvester.

Keyword | Name | Description
-d | Domain | Company name or domain to search.
-l | Limit | Limit the number of search results (default 500).
-S | Start | Start with result number X (default 0).
-p | Proxies | Use proxies for requests; enter the proxies in proxies.yaml.
-s | Shodan | Use Shodan to query discovered hosts. Shodan is a search engine that finds devices connected to the Internet.
--screenshot | Screenshot | Take screenshots of resolved domains; the output directory is given after --screenshot.
-v | Virtual host | Verify the host name via DNS resolution and search for virtual hosts.
-e | DNS server | DNS server to use for lookups.
-t | Takeover | Check for subdomain takeovers.
-r [DNS_RESOLVE] | DNS resolve | Perform DNS resolution on subdomains with a resolver list or passed-in resolvers (default False).
-n | DNS lookup | Enable DNS server lookup (default False).
-c | DNS brute | Perform a DNS brute force on the domain.
-f FILENAME | File name | Save the results to an XML and a JSON file.
-b SOURCE | Source | Data source, e.g. anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, brave, censys, certspotter, criminalip, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, hackertarget, hunter, hunterhow, intelx, netlas, onyphe, otx, pentesttools, projectdiscovery, rapiddns, rocketreach, securityTrails, sitedossier, subdomaincenter, subdomainfinderc99, threatminer, tomba, urlscan, virustotal, yahoo, zoomeye

Using theHarvester, we can discover ASNs, interesting URLs, LinkedIn links, IP addresses, and hosts. For example, I ran theHarvester -d pentest.id -b all -l 500, and a snippet of the result is shown below.
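Once theHarvester has produced its results, the useful next step is to triage them: separate hosts that belong to the target domain from hosts that a data source happened to return, and group the in-scope hosts by address so shared infrastructure is visible. The following is an added example, not code from the original post or from theHarvester. The JSON is a constructed sample; the key names (hosts, ips, emails, asns, interesting_urls) and the "host:ip" form of the hosts entries follow what recent theHarvester versions write with -f, but treat that schema as an assumption and compare it with your own output file.

```python
"""Triage theHarvester's JSON output (-f) into in-scope hosts grouped by IP.

Added example, not part of the original post or of theHarvester. SAMPLE_JSON is
CONSTRUCTED; the key names and the "host:ip" entry format are an assumption
about theHarvester's JSON file and should be checked against a real run.
"""
import json
from collections import defaultdict

SAMPLE_JSON = json.dumps({
    "asns": ["AS64496"],                            # constructed (documentation ASN)
    "emails": ["admin@example.test"],
    "hosts": [
        "www.example.test:203.0.113.10",
        "mail.example.test:203.0.113.20",
        "dev.example.test:203.0.113.10",
        "cdn.othervendor.test:198.51.100.5",        # returned by a source but outside our scope
        "noip.example.test",                        # some sources return hosts without an address
    ],
    "interesting_urls": ["https://www.example.test/login"],
    "ips": ["203.0.113.10", "203.0.113.20"],
})


def load_hosts(raw):
    """Return (hostname, ip-or-None) pairs from the JSON 'hosts' list."""
    data = json.loads(raw)
    pairs = []
    for entry in data.get("hosts", []):
        host, _, ip = entry.partition(":")
        pairs.append((host.strip().lower(), ip.strip() or None))
    return pairs


def in_scope(host, domain):
    """True if host is the domain itself or one of its subdomains (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def triage(raw, domain):
    """Split hosts into in-scope and out-of-scope, and group in-scope hosts by IP address."""
    in_scope_hosts, out_of_scope = [], []
    by_ip = defaultdict(list)
    for host, ip in load_hosts(raw):
        if in_scope(host, domain):
            in_scope_hosts.append(host)
            by_ip[ip].append(host)  # the None bucket collects hosts that still need resolving
        else:
            out_of_scope.append(host)
    return {"in_scope": in_scope_hosts, "out_of_scope": out_of_scope, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    result = triage(SAMPLE_JSON, "example.test")
    print("In scope:", result["in_scope"])
    print("Out of scope (do not test without permission):", result["out_of_scope"])
    for ip, hosts in result["by_ip"].items():
        print(ip or "unresolved", "->", ", ".join(hosts))
```

The label-boundary check in in_scope matters: a plain suffix match would wrongly treat a host like notexample.test as part of example.test, which is exactly the kind of scoping mistake that leads to testing systems you have no permission for.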




5. dnsenum in the Kali Linux Terminal

Running dnsenum pentest.id in the terminal gives you the host addresses, the wildcard DNS record, the name servers, and the mail servers of pentest.id, as shown below.

A wildcard DNS record (e.g. *.pentest.id) is a single DNS entry that matches any subdomain that does not have its own record, so every such subdomain resolves to the same IP address (and therefore usually serves the same web content). This matters for enumeration: when a wildcard exists, any made-up subdomain will resolve, so brute-forced names need to be checked against the wildcard answer before they are counted as real hosts.
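To make the wildcard point concrete, here is an added example (not code from the original post or from dnsenum) of the check an enumeration tool performs: resolve a few random labels under the domain, record the address they return, and then discard brute-forced names that only resolve to that wildcard address. The zone below is a constructed in-memory stand-in for real DNS so the script runs offline; the resolve function is an assumption that replaces an actual lookup, and the names and addresses are made up.

```python
"""Detect a wildcard DNS record and filter brute-forced subdomains against it.

Added example, not from the original post or from dnsenum. ZONE is a
CONSTRUCTED zone and `resolve` is a toy resolver standing in for real DNS
(assumption); swap in a real lookup to use this against a permitted target.
"""
import random
import string

# Constructed zone: two explicit hosts plus a wildcard, like the *.pentest.id
# record the post describes. The wildcard points at a different address so the
# filter below can tell wildcard noise from confirmed hosts.
ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.20",
    "*.example.test": "203.0.113.99",
}


def resolve(name, zone=ZONE):
    """Toy resolver: exact record first, then the parent's wildcard, else None (NXDOMAIN)."""
    if name in zone:
        return zone[name]
    if "." not in name:
        return None
    parent = name.split(".", 1)[1]
    return zone.get("*." + parent)


def random_label(n=12):
    """A label no real zone is likely to define, used to probe for a wildcard."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def wildcard_addresses(domain, probes=3):
    """Resolve several random labels under `domain`; any address returned is a wildcard answer."""
    found = {resolve("%s.%s" % (random_label(), domain)) for _ in range(probes)}
    found.discard(None)
    return found


def brute_force(domain, wordlist, wildcard):
    """Resolve each candidate name and separate confirmed hosts from wildcard-matched noise."""
    confirmed, noise = [], []
    for word in wordlist:
        name = "%s.%s" % (word, domain)
        addr = resolve(name)
        if addr is None:
            continue
        # Caveat: a real host that shares the wildcard's address is indistinguishable
        # from noise by this test alone; other evidence (certificates, HTTP banners) is needed.
        (noise if addr in wildcard else confirmed).append((name, addr))
    return confirmed, noise


if __name__ == "__main__":
    wc = wildcard_addresses("example.test")
    print("Wildcard answers:", wc or "none")
    good, junk = brute_force("example.test", ["www", "mail", "dev", "staging"], wc)
    print("Confirmed:", good)
    print("Wildcard noise:", junk)
```

Without the wildcard check, dev.example.test and staging.example.test would both appear to exist; with it, only the two hosts that have their own records are reported.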


6. SecurityTrails (securitytrails.com)

Lastly, we can also use SecurityTrails on the Internet to find historical data about the website. One snippet from SecurityTrails is shown below. We can see the DNS records of the domain, from A, AAAA, MX, NS, and SOA to TXT records (more about these will be explained in the next post :D).

We can also see the subdomains of pentest.id together with their hosting and mail providers.




Summary

Gathering information about a website domain requires patience and creativity. The tools described above help us collect information about the target so that we can analyze it and use it in the later phases of the pen test. One thing to note: before doing anything, obtain permission from the client or owner first and respect the regulations.

That is all for today’s page. See you! 



References for the table: theHarvester documentation: https://www.kali.org/tools/theharvester/  
