Information collection using Kali Linux in penetration testing

Domain Registration Information

When you know the target domain name, the first thing you have to do is to query the domain name registration information through the Whoist database, whois database is to provide the domain name registrant information, including contact, administrator name, Administrator mailbox, etc., which also includes the DNS server information.

For an introduction to WHOIS, please visit: https://www.ietf.org/rfc/rfc3912.txt

By default, Kali already has Whois installed. You only need to enter the domain name you want to query:

#whois baidu.com

Part

We can get information about Baidu's DNS server, domain name registration basic information. This information is likely to play a significant role in the next testing phase.

In addition to using the WHOIS command, there are websites that provide online whois information inquiries:

whois.chinaz.com/

Www.internic.net/whois.html

After collecting the domain name information, we will begin to collect detailed information about the DNS server.

DNS Analysis

The purpose of using the DNS analysis tool is to collect appropriate logging information about DNS servers and test targets.

Here are a few common types of DNS records:

For example, in a test project, the customer only gave a domain name, you need to use the domain name, to find all the target host IP and available domains. Next we will take you to achieve such a function.

Host

After obtaining the DNS server information, the next step is to locate the destination host IP address with the DNS server. We can use the following command-line tool to find the IP address of the target host with a DNS server:

# host Www.baidu.com

We can see there are two IP addresses??

In general, host looks for A,AAAA, and MX records.

Query detailed records only need to add-a

#host-a baidu.com 8.8.8.8

Here 8.8.8.8 is specifying a DNS server.

Because the host command lookup record is through the Kali DNS server system file, the file is located in/etc/resolv.conf. You can add DNS to any server inside. Of course, you can also specify a DNS server directly on the command line, just like me.

Dig

In addition to the host command, you can also use the dig command to mine a DNS server. The dig command provides flexible and clear display information relative to the host command.

#dig baidu.com

The dig command, which does not use options, returns only one record. If you want to return all records, simply add the type given in the command:

#dig baidu.com any

Dnsenum

We can use Dnsenum to obtain the following information from the DNS server:

1. Host IP address 2. The DNS server for the domain name is 3. MX record for this domain

In addition to being used to obtain DNS information, Dnsenum also has the following features:

1. Get subdomain 2 using Google Chrome. Brute Force hack 3. C-Level network scan 4. Reverse Lookup Network

To start Dnsenum, use the following command

#dnsenum

Demonstrate by an example:

# Dnsnum Baidu.com

Before we get the IPV4 information, we then use DNSDICT6. The tool can get IPV6 address information

Dnsdict6

#dnsdict6

By default, DNSDICT6 will use its own dictionary and eight threads

#dnsdict6 baidu.com

This shows that there is a default status of Baidu to carry out IPv6 scanning.

At the same time, we can also use DNSDICT6 to find the IPv4 on the domain name, using option-4. And you can also collect DNS and NS information using-D:

#dnsdict6-4-D baidu.com

Fierce

Fierce is a DNS server enumeration tool that uses multiple techniques to scan the destination host IP address and host name. Use a recursive approach to work. It works by querying the local DNS server to find the target DNS server, and then using the target DNS server to find the subdomain. The main feature of fierce is that it can be used to position independent IP space corresponding to domain name and host name.

To start the command used by fierce:

#fierce-H

Demonstrate by an example:

#fierce-dns baidu.com-threads 3

DMitry

DMitry (deepmagic information gathering tool) is an integrated collection of information tools. It can be used to collect the following information:

1. Port Scan 2. WHOIS host IP and domain name information 3. Get host information from netcraft.com 4. Subdomain 5. Email address included in the domain name

Although this information can be obtained through a variety of tools in Kali, Dmitry can be used to save the collected information in a single file for easy viewing.

Use Dmitry to use the following command:

#dmitry

Demonstrate by an example:

This demo is to get Whois, IP, host information, subdomain, email.

#dmitry-winse baidu.com

Another example is to scan the website port via Dmitry

#dmitry-P Baidu.com-f-B

After the scan we will find that Baidu only opened 80 ports. (Only part ...) ）

Maltego

Maltego is an open source forensics tool. It can excavate and collect information.

Maltego is a graphical interface.

Maltego's basic network features:

1. Domain 2. DNS3. Whois4. IP Address 5. Network block

can also be used to collect information about the person concerned:

1. Company, organization 2. e-Mail 3. Social network Relationship 4. Phone number

The command line using Maltego is as follows:

#maltego

The first run will appear with the Startup wizard:

An example demonstrates:

Use the shortcut key ctrl+t to create a new project. Then go to the Palette tab, select the Infrastructure (Infrastructure), select domains (domain), and if successful setup will appear paterva.com. You can make changes by double-clicking the paterva.com icon

If you right click on the domain name, you will see all the functions (transform?? ）：

We use the other Transforms->domaintodnsnameschema results

After the DNS transformation of the domain name, we got the relevant information of Baidu. You can also try other (transform) functions.

Using Search Engines

The Kali toolset uses tools that can be used to collect information such as domains, e-mails, and other tools that use third-party search engines for information collection, and the advantage is that we don't have direct access to the target, and the target doesn't know what you're doing.

Theharvester

Theharvester is an email, user name and host name/subdomain information collection tool. It collects information from a variety of publicly available sources. Information sources supported by the latest version include:

1. Google2. Google Profiles3. Bing4. PGP5. LinkedIn6. Yandex7. People1238. Jigsaw

Using the Theharvester command line:

# Theharvester

Demonstrate by an example:

Through Bing to collect

#theharvester-D baidu.com-l 100-b Bing

If we want to collect the target user name, we can find it through linkedin.com. The command is as follows:

#theharvester-D baidu.com-l 100-b LinkedIn

The user names collected from LinkedIn will be of great use in subsequent tests. For example: social engineering attacks.

Metagoofil

Metagoofil is a tool that uses Google to gather information and currently supports the following types:

1. Word2. Ppt3. Excel4. Pdf

Commands to use Metagoofil:

#Metagoofil

Demonstrate by an example:

#metagoofil-D baidu.com-l 20-t doc,pdf-n 5-f Test.html-o test

Through this tool we can see very much information collected, such as user name, path information. We can use these usernames for brute force hacking.

Through the generated HTML version of the report, we can see very clearly the kind of information we collect:

At this point, our information collection tool description has been completed. Each penetration goal, you want to get a lot of information from the target in different ways. You know: "Tse, Victorious."

Information collection using Kali Linux in penetration testing