EC Council CEH 312-50 V11 – Website Hacking – Information Gathering part 1

  1. Gathering Basic Information Using Whois Lookup

As usual, the first thing we do before we try to exploit or find any vulnerabilities is information gathering: we try to gather as much information as possible about the target, and web applications are no different. So we're going to start by trying to get as much information as we can about the target: its IP address, the domain name info, and the technology used on the website, meaning what programming language is used, what kind of server is installed on it, and what kind of database is being used. We're going to gather information about the company and the DNS records, and we'll also see if we can find any files that are not listed or any subdomains that are not visible to other people.

Now you can use any of the information gathering tools that we used before. For example, you can use Maltego, insert an entity as a website and then start running actions or transforms, just like we saw in the Maltego video. I'm not going to explain that because it's exactly the same as we did with a normal person, so I'll be skipping through it. You can also use Zenmap like we did before, or even Nexpose, and test the infrastructure of the website and see what information you can gather from that. Again, I won't be going over that because we've seen it; there is no difference between a website and a normal computer. As I said, a website is just another computer.

So what I'm going to focus on is technologies that you'll only see on websites, such as domain names, DNS records and so on, that we haven't used or seen in the previous videos. The first thing we're going to have a look at is Whois lookup. Whois is a protocol that's used to find the owners of internet resources, for example a server, an IP address or a domain. So we're actually not hacking or doing anything; we're literally just retrieving info from a database that contains information about the owners of things on the Internet. For example, when you sign up for a domain name, if you wanted to register a domain name for yourself, say zaid.com,

when I do that, I have to supply information about myself, including my address, and the name will be registered in my own name, so people can see that Zaid owns this domain name. This is all we're going to do. If you Google whois lookup, you'll see a lot of websites providing the service. I'm using whois.domaintools.com, and I'm just going to put in my target domain name, zsecurity.org. As you can see, it's very simple and we get a lot of information about our target website. You'll see the email that you can use to contact the domain name owner. Usually you'll be able to see the address of the company that registered this domain name, but we can see that this company is using privacy protection on their domain.

So you can't really see the address, but if they're not using privacy protection, you'll be able to see their address and more information about the actual company. You can see when the domain name was created, and you can see the IP address of zsecurity.org. So if you ping this, you should get this IP address, and I'll show you: if I ping zsecurity.org, you'll see it's the same domain name and the same IP address. You can also see the IP location. We can see the status; obviously it's active. You can also access the history, but you need to register for that. And we can see the title here, and something that's very useful here.

We can see that it's using the Apache web server. This is software that can be used as a web server, and we can see that zsecurity uses it, version 2.2.31. So again, we can use this to find exploits. We can see that it's using Unix as the operating system of the server, and it's using the following add-ons as well: mod_ssl and OpenSSL. Now right here you can find more information about the company that registered this domain. Again, zsecurity is using privacy protection, so you won't be able to see the address. You can see that it's saying that the target is using privacy protection, but usually you'll be able to see phone numbers and addresses of that company.

So, as you can see, very simple stuff, but it's very helpful in the long run just to know who your target is, what their IP is, and what services they are using. We can also see here, which I actually didn't show you, the name servers that are being used, and we can see that they are provided by a company called Dimnov.net. Now, if you go on Dimnov, you'll see that this is a hosting company; if you go to the English version, you'll see that it's a hosting company. And again, you can even use this hosting company and try to social engineer your way into hacking into your target, zsecurity.
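As an added example, not from the course or from domaintools, here is a small Python parser that pulls the points the lecture reads off a whois page (registrar, creation date, contact email, whether privacy protection is on, and which provider runs the name servers) out of the common "Key: Value" whois layout. The whois record is constructed with placeholder domains.

```python
from typing import Dict, List

# Constructed whois output in the usual "Key: Value" layout. Every value is a
# placeholder (example domains), not a real registration record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.ORG
Registrar: Example Registrar, LLC
Creation Date: 2015-03-02T10:11:12Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Email: contact@privacy-protect.example
Name Server: NS1.HOSTER.EXAMPLE
Name Server: NS2.HOSTER.EXAMPLE
Domain Status: clientTransferProhibited
>>> Last update of WHOIS database: 2024-05-01T00:00:00Z <<<
"""

# Strings registrars commonly use when the registrant opted into privacy protection.
PRIVACY_HINTS = ("REDACTED", "PRIVACY", "PROXY", "WHOISGUARD")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect every 'Key: Value' line; repeated keys (Name Server) become lists."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>"):
            continue
        key, sep, value = line.partition(":")  # first colon only; times keep theirs
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, enough to name the NS provider here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize(text: str) -> dict:
    """The points the lecture reads off the whois page, as a dict."""
    f = parse_whois(text)
    registrant = " ".join(f.get("registrant name", []) + f.get("registrant organization", []))
    name_servers = [ns.lower() for ns in f.get("name server", [])]
    return {
        "registrar": f.get("registrar", [None])[0],
        "created": f.get("creation date", [None])[0],
        "contact_email": f.get("registrant email", [None])[0],
        "privacy_protected": any(h in registrant.upper() for h in PRIVACY_HINTS),
        "name_servers": name_servers,
        # The NS provider is often the hosting company (Dimnov.net in the lecture).
        "ns_providers": sorted({registrable_domain(ns) for ns in name_servers}),
    }
```

Run against your own domain's whois output, the `privacy_protected` and `ns_providers` fields are the quick check of what a stranger learns about your registrant and your host.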

  2. Discovering Technologies Used On The Website

Today we're going to learn how to get information about the technologies used by the target website. We're going to use a website called Netcraft, and I'm going to put my target here; as you can see, I already put it there: zsecurity.org. So I'm just going to hit Enter. Again, first of all you'll see some basic information such as the website title, the description, the keywords and when the website was created. Scrolling down, you'll see the website itself, the domain name and the IP address, just like we've seen in the previous video. The domain registrar is the company who registered the domain for zsecurity. And you'll also see information about the organization.

And here you can't see it for this example, because zsecurity is using privacy protection, but usually you'll be able to see it and see more information. We can also see that it's hosted in the Netherlands. We can see the name server, which is dimnov.net, and again if you just go to dimnov.net, you'll discover that this is a website for web hosting. So we know this is a web hosting company. In worst case scenarios we can use this, or try to hack into Dimnov itself, to gain access to zsecurity. Scrolling down you'll see the history of the hosting companies that zsecurity used, and we can see that the latest one is this one, and it's running on Linux with Apache.

It's the same server that we saw in the previous video, 2.2.31 with Unix, mod_ssl and all the other add-ons. Again, this is very important to find vulnerabilities and exploits on our target computer. In the security section you'll see if the website has any spam, and you can see that it doesn't really have any. Scrolling down to the web trackers, it will show you the third-party resources or applications used on our target. So we can see that our target uses Google Analytics, Google CDN and other Google services. This could also help us to find or gain access to the target computer. The technologies tab is one of the most important sections in here because it shows us the technologies used on the target website. We can see it's using the Apache web server, which we already know; on the server side we can see that the website uses PHP.

This means the website can understand and run PHP code. This is very important because in the future, if we manage to run any kind of code on our target, we know this code should be sent as PHP code. So if we're creating payloads in Metasploit or even Veil-Evasion, we should create them in PHP format, and the target website will be able to run them because it supports PHP. On the client side we can see that the website supports JavaScript. So if you manage to run JavaScript code on the website, it's not going to be executed on the website itself; it will be executed on the users who see the website, because JavaScript is a client-side language and PHP is a server-side language.

So if we manage to run PHP code, it will be executed on the server itself. If you manage to run JavaScript, it's going to be executed on the users, the people who visit the website. Same here with jQuery; this is just a framework for JavaScript. Scrolling down, we can see that the website uses WordPress. This is very important. Netcraft will also show you any web applications being used on the website. WordPress is just a web application, so you could see other examples in your case, and it's an open source web application that a lot of other websites might have. The good thing about this is you can go and find exploits or vulnerabilities within this web application.

If you are lucky enough to find an existing one, then you can go ahead and exploit it on the target website. So, for example, we have WordPress in our example, and I'm going to go to Exploit Database; in the search here I'm just going to type in WordPress, tick "I'm not a robot" and then search. As you can see, we managed to find a lot of exploits related to WordPress. Now these are related to different versions of WordPress, so you need to make sure that you have the same version on your target. We'll have examples to see how to use exploits like these, but it just shows you how powerful information gathering is. Again, going down, you can see that the website uses cPanel.

This is another web application; it's a hosting control panel. Again, you can go on Exploit Database and see if you can find any vulnerabilities or exploits related to it. You can also find other information, such as that the website uses HTML5, uses CSS and all that kind of stuff. So Netcraft is really useful. From it, we managed to learn that the website runs PHP, it runs JavaScript, and it uses WordPress and cPanel, so we can use WordPress or cPanel to hack into the website. If we go up, we also managed to find the web hosting company, which we also found in the previous video: Dimnov is the web hosting company of this website. So in worst case scenarios we can try to hack into that web hosting company and gain access to our target website.
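Netcraft builds most of the technologies tab from what the site itself announces, so the same facts (Apache and its version, Unix, mod_ssl, OpenSSL, PHP, WordPress, jQuery) can be read straight from response headers and HTML. The following Python fingerprinter is an added example, not Netcraft's code; the headers and page body are constructed to match the lecture, and the second header set shows what remains visible once Apache's `ServerTokens Prod` and PHP's `expose_php = Off` stop the version disclosure.

```python
import re
from typing import Dict, Optional

# Constructed response headers and HTML that match what the lecture reads
# off Netcraft: Apache 2.2.31 on Unix with mod_ssl/OpenSSL, PHP, WordPress, jQuery.
LEAKY_HEADERS = {
    "Server": "Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e",
    "X-Powered-By": "PHP/5.6.40",
}
# Same site after `ServerTokens Prod` (Apache) and `expose_php = Off` (php.ini).
HARDENED_HEADERS = {"Server": "Apache"}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 4.9.8">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
</head><body></body></html>"""


def parse_server_header(value: str) -> Dict[str, object]:
    """'Apache/2.2.31 (Unix) mod_ssl/2.2.31' -> product, version, OS, module tokens."""
    info: Dict[str, object] = {"product": None, "version": None, "os": None, "modules": []}
    for i, tok in enumerate(value.split()):
        if tok.startswith("(") and tok.endswith(")"):
            info["os"] = tok[1:-1]                     # "(Unix)" -> "Unix"
        elif i == 0:
            name, _, ver = tok.partition("/")
            info["product"], info["version"] = name, (ver or None)
        else:
            info["modules"].append(tok)                # "mod_ssl/2.2.31", "OpenSSL/1.0.1e"
    return info


def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, Optional[str]]:
    """Technology name -> version (None when the technology shows but its version does not)."""
    found: Dict[str, Optional[str]] = {}
    srv = parse_server_header(headers.get("Server", ""))
    if srv["product"]:
        found[srv["product"]] = srv["version"]
        for mod in srv["modules"]:
            name, _, ver = mod.partition("/")
            found[name] = ver or None
    powered = headers.get("X-Powered-By")              # e.g. "PHP/5.6.40"
    if powered:
        name, _, ver = powered.partition("/")
        found[name] = ver or None
    # WordPress: generator meta tag gives the version; wp-content/wp-includes paths only presence.
    gen = re.search(r'name="generator" content="WordPress ([\d.]+)"', body)
    if gen or re.search(r"/wp-(?:content|includes)/", body):
        found["WordPress"] = gen.group(1) if gen else None
    jq = re.search(r"jquery[^\"']*\.js(?:\?ver=([\d.]+))?", body, re.I)
    if jq:
        found["jQuery"] = jq.group(1)
    return found
```

Note that hardening the headers hides the Apache and PHP versions but not WordPress or jQuery, which the HTML still announces; removing the generator meta tag closes that part.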

  3. Gathering Comprehensive DNS Information

In this video we'll see how we can get comprehensive DNS information about the target website. Just to give you a quick refresher on what DNS is: when you type in facebook.com, a DNS server will convert that name to an IP address. Now the process is a bit more complicated. The DNS server actually contains a number of records, each pointing to a different domain or to a different IP, sometimes to the same IP. But in general you request a domain name, it gets converted to an IP address, and this information needs to be stored somewhere. So we're going to query this DNS server and see what information we can get through it.

Now we're going to use a website called Robtex.com, and I'm just going to put in the target website that I want to get information about. So I'm going to type zsecurity.org and hit Enter to get a report. As you can see, we get a big report. There is a lot of information in here, but you can actually use the buttons in here to navigate to any of the sections below. So if you want to go directly to the records or to the SEO section, all you have to do is just click in here and you'll go directly to that section. What we're going to do right now, though, is go over all the sections one by one and see what kind of information we got. Keep in mind the order of this information might be different, but you should have the same sections.

In the analysis you can see we have general information about the target. You can see that it's telling us that zsecurity has three name servers, five mail servers and one IP address. We can see the name servers used by zsecurity, and Digital Ocean is the hosting company that zsecurity is using at the time of recording this lecture. This is very useful because you can go to Digital Ocean right now, see the hosting company, and then pretend to be them and communicate with zsecurity, telling them that you're signing them up for better hosting, that you're giving them something because they are a VIP customer, and ask them to log in.

Obviously they'll be logging in to a fake login page, and that way you'll steal their information. You can tell them that there is a policy change that they have to accept, and again ask them to log in and steal the information that way. Obviously you'll do this through a fake login page. This is mostly social engineering, so it's nothing to do with website hacking, and I cover all this in my social engineering course. But it's very useful, because if you couldn't hack into the website through the applications installed then the only way to get in is using social engineering. Now below this we can see that the target is using Google mail servers. So they're not handling their own emails; they're using Google to handle their emails.

Again, you can communicate with the target pretending to be Google and get them to do something, or to log into a fake page, and steal information that way. You can also see the IP address of this website, which can be used to discover other websites installed on the same server. This is very useful because if you couldn't hack into your target website through the applications installed on that website, then you can try to hack into any website installed on the same server. If you manage to do that, then you can actually navigate to your target website because they're all essentially installed on the same computer. We'll talk more about that in the next lecture.

Below, right here, we have a number of domains similar to our target. These might be completely irrelevant, but you can have a look and see what you have. Navigating to the quick info, again you can see the domain name, the TLD, the IP address and the name servers. Like I said, they're useful because they usually give us information about the domain hosting company or the company hosting the website itself. We also have the mail servers; like we've seen before, it's Google mail, so that can all be really useful. The reverse section will perform a reverse DNS lookup.

As I said at the start of the lecture, DNS is used to translate domain names into IP addresses; in a reverse lookup, we use the IP address to see which domains link to this IP address. Like I said previously, this can be very useful because we'll be able to discover other websites hosted on the same server, and we can hack into any of these websites and from there gain access to our target. But with the reverse lookup, you won't always get all the websites installed on the same server. Therefore, in the next lecture, I will show you a better way of doing that. But if you really want to see the results of the reverse lookup, you'll have to log in.

So I'm actually going to open a new tab, go to Robtex again, and click on Login right here. The only way to log into Robtex right now is through Google, so I'm going to click on Google, click my email, and that's it, we're logged in. I'm going to close this and refresh in here. If we scroll down again to the reverse section right here, we have the results of the reverse lookup, and you can either download this as a CSV or view it as HTML. I'm going to choose to view it as HTML in a new tab. Right here, as you can see, we only have zsecurity on its own, because zsecurity is hosted on its own server, so there are no other websites installed on the same server.

But like I said, if there are other websites hosted on the same server, you'll be able to see them in here in the reverse lookup. Going down, we can see a more detailed breakdown of the DNS records. You can see here we have information about the A record. This is the record that's used to translate the domain name into an IP address, so you can see that zsecurity.org links to this IP address, which is the IP address of the server hosting or containing the files of the website. Scrolling down, we have more SEO information (search engine optimization info), the web trust reputation of this website and the Alexa ranking. In the shared tab we have the IP of the target website.

Again, like I said, we can use this to get websites installed on the same server. We have a graph representation of all the information we gathered. We also have a history section. This is actually very useful because you can use it to track all the changes to the DNS info of the target website. You can see when they started using Google, and you can see when they started using Digital Ocean as their hosting provider. So if we scroll down, we might actually be able to see that they were using a different provider. And here you go, we can see that they were using a different hosting company, this one right here, Dimnov, I hope I'm pronouncing that right. But right now, as we can see, they changed and switched to a different hosting company, Digital Ocean.

So again, you can even contact them pretending to be this company and tell them that you're going to sign them up for a better offer, or pretend that they violated one of your terms and conditions and ask them to log in to do something. When they log in, you can serve them a fake file, a backdoor, or again use the login page: get them to log in through a fake web page and steal the username and password. So information is always very, very useful when it comes to hacking, especially if you want to perform a social engineering attack, which might be your last resort if you could not hack into the website using the applications installed on it. Scrolling down, we can see we have the whois information.

We had a full lecture on how to get this and how it can be useful. And finally we have the DNS blocklist information, which is basically a list of websites known to send spam, so usually emails sent from these websites would be blocked or considered spam. So as you can see, this is a very useful website that can be used to get information about the server used to host the target website and its relationship to other websites, other servers and the hosting companies being used. And like I said, all of this can be very, very useful, whether you want to target the website itself, whether you want to target other websites so you can hack into your target website, or even if you want to social engineer one of the admins to gain access to your target website.
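The three things this lecture reads off Robtex (the A record giving the server IP, the NS records giving the hosting or DNS provider, the MX records giving the mail provider) and the reverse lookup that finds other names on the same IP can be reproduced from a set of DNS records. The Python below is an added example, not Robtex's code; the records are constructed, so the co-hosting and the Google MX are made up to mirror the lecture, and the mail-provider table is an assumption covering only Google.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS records as (type, name, value); not a real zone. The target
# shares an IP with two names of another site, uses a third-party NS pair and Google MX.
RECORDS: List[Tuple[str, str, str]] = [
    ("A",  "target.example",      "203.0.113.10"),
    ("A",  "www.target.example",  "203.0.113.10"),
    ("A",  "shop.other.example",  "203.0.113.10"),
    ("A",  "blog.other.example",  "203.0.113.10"),
    ("A",  "unrelated.example",   "203.0.113.20"),
    ("NS", "target.example",      "ns1.hoster.example"),
    ("NS", "target.example",      "ns2.hoster.example"),
    ("MX", "target.example",      "10 aspmx.l.google.com"),
    ("MX", "target.example",      "20 alt1.aspmx.l.google.com"),
]

# Assumed mapping of MX domains to a provider name; only Google is listed here.
MAIL_PROVIDERS = {"google.com": "Google"}


def registrable(host: str) -> str:
    """Last two labels of a hostname: 'aspmx.l.google.com' -> 'google.com'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def reverse_map(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """IP -> every name with an A record at that IP (what a reverse lookup tries to recover)."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for rtype, name, value in records:
        if rtype == "A":
            by_ip[value].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def profile(domain: str, records: List[Tuple[str, str, str]]) -> dict:
    """Server IP, NS provider, mail provider and co-hosted sites for one domain."""
    ips = [v for t, n, v in records if t == "A" and n == domain]
    ns = [v for t, n, v in records if t == "NS" and n == domain]
    mx = [v.split()[-1] for t, n, v in records if t == "MX" and n == domain]  # drop priority
    rev = reverse_map(records)
    # Names on the same IP that belong to a different registrable domain than the target.
    cohosted = sorted({n for ip in ips for n in rev.get(ip, []) if registrable(n) != registrable(domain)})
    return {
        "ips": ips,
        "ns_provider": sorted({registrable(n) for n in ns}),
        "mail_provider": sorted({MAIL_PROVIDERS.get(registrable(h), registrable(h)) for h in mx}),
        "cohosted_domains": cohosted,
    }
```

A non-empty `cohosted_domains` for your own domain is the shared-hosting exposure the lecture describes, and the third party in `ns_provider` and `mail_provider` is the one whose name an impersonation attempt would borrow.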