Information collection using Kali Linux in penetration testing

Source: Internet
Author: User
Tags domain registration domain name registration mx record subdomain to domain kali linux maltego

Domain Registration Information

When you know the target domain name, the first thing you have to do is to query the domain name registration information through the Whoist database, whois database is to provide the domain name registrant information, including contact, administrator name, Administrator mailbox, etc., which also includes the DNS server information.

For an introduction to WHOIS, please visit:

By default, Kali already has Whois installed. You only need to enter the domain name you want to query:



We can get information about Baidu's DNS server, domain name registration basic information. This information is likely to play a significant role in the next testing phase.

In addition to using the WHOIS command, there are websites that provide online whois information inquiries:

After collecting the domain name information, we will begin to collect detailed information about the DNS server.

DNS Analysis

The purpose of using the DNS analysis tool is to collect appropriate logging information about DNS servers and test targets.

Here are a few common types of DNS records:

For example, in a test project, the customer only gave a domain name, you need to use the domain name, to find all the target host IP and available domains. Next we will take you to achieve such a function.


After obtaining the DNS server information, the next step is to locate the destination host IP address with the DNS server. We can use the following command-line tool to find the IP address of the target host with a DNS server:

# host

We can see there are two IP addresses??

In general, host looks for A,AAAA, and MX records.

Query detailed records only need to add-a


Here is specifying a DNS server.

Because the host command lookup record is through the Kali DNS server system file, the file is located in/etc/resolv.conf. You can add DNS to any server inside. Of course, you can also specify a DNS server directly on the command line, just like me.


In addition to the host command, you can also use the dig command to mine a DNS server. The dig command provides flexible and clear display information relative to the host command.


The dig command, which does not use options, returns only one record. If you want to return all records, simply add the type given in the command:

#dig any


We can use Dnsenum to obtain the following information from the DNS server:

1. Host IP address 2. The DNS server for the domain name is 3. MX record for this domain

In addition to being used to obtain DNS information, Dnsenum also has the following features:

1. Get subdomain 2 using Google Chrome. Brute Force hack 3. C-Level network scan 4. Reverse Lookup Network

To start Dnsenum, use the following command


Demonstrate by an example:

# Dnsnum

Before we get the IPV4 information, we then use DNSDICT6. The tool can get IPV6 address information



By default, DNSDICT6 will use its own dictionary and eight threads


This shows that there is a default status of Baidu to carry out IPv6 scanning.

At the same time, we can also use DNSDICT6 to find the IPv4 on the domain name, using option-4. And you can also collect DNS and NS information using-D:



Fierce is a DNS server enumeration tool that uses multiple techniques to scan the destination host IP address and host name. Use a recursive approach to work. It works by querying the local DNS server to find the target DNS server, and then using the target DNS server to find the subdomain. The main feature of fierce is that it can be used to position independent IP space corresponding to domain name and host name.

To start the command used by fierce:


Demonstrate by an example:

#fierce-dns 3


DMitry (deepmagic information gathering tool) is an integrated collection of information tools. It can be used to collect the following information:

1. Port Scan 2. WHOIS host IP and domain name information 3. Get host information from 4. Subdomain 5. Email address included in the domain name

Although this information can be obtained through a variety of tools in Kali, Dmitry can be used to save the collected information in a single file for easy viewing.

Use Dmitry to use the following command:


Demonstrate by an example:

This demo is to get Whois, IP, host information, subdomain, email.


Another example is to scan the website port via Dmitry


After the scan we will find that Baidu only opened 80 ports. (Only part ...) )


Maltego is an open source forensics tool. It can excavate and collect information.

Maltego is a graphical interface.

Maltego's basic network features:

1. Domain 2. DNS3. Whois4. IP Address 5. Network block

can also be used to collect information about the person concerned:

1. Company, organization 2. e-Mail 3. Social network Relationship 4. Phone number

The command line using Maltego is as follows:


The first run will appear with the Startup wizard:

An example demonstrates:

Use the shortcut key ctrl+t to create a new project. Then go to the Palette tab, select the Infrastructure (Infrastructure), select domains (domain), and if successful setup will appear You can make changes by double-clicking the icon

If you right click on the domain name, you will see all the functions (transform?? ):

We use the other Transforms->domaintodnsnameschema results

After the DNS transformation of the domain name, we got the relevant information of Baidu. You can also try other (transform) functions.

Using Search Engines

The Kali toolset uses tools that can be used to collect information such as domains, e-mails, and other tools that use third-party search engines for information collection, and the advantage is that we don't have direct access to the target, and the target doesn't know what you're doing.


Theharvester is an email, user name and host name/subdomain information collection tool. It collects information from a variety of publicly available sources. Information sources supported by the latest version include:

1. Google2. Google Profiles3. Bing4. PGP5. LinkedIn6. Yandex7. People1238. Jigsaw

Using the Theharvester command line:

# Theharvester

Demonstrate by an example:

Through Bing to collect

#theharvester-D 100-b Bing

If we want to collect the target user name, we can find it through The command is as follows:

#theharvester-D 100-b LinkedIn

The user names collected from LinkedIn will be of great use in subsequent tests. For example: social engineering attacks.


Metagoofil is a tool that uses Google to gather information and currently supports the following types:

1. Word2. Ppt3. Excel4. Pdf

Commands to use Metagoofil:


Demonstrate by an example:

#metagoofil-D 20-t doc,pdf-n 5-f Test.html-o test

Through this tool we can see very much information collected, such as user name, path information. We can use these usernames for brute force hacking.

Through the generated HTML version of the report, we can see very clearly the kind of information we collect:

At this point, our information collection tool description has been completed. Each penetration goal, you want to get a lot of information from the target in different ways. You know: "Tse, Victorious."

Information collection using Kali Linux in penetration testing

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.