Information gathering is the most important part of any attack and the place where every hacker should start. Many beginners assume there is a special, premeditated way to 'hack' everything, or some particular thing.
The reality is slightly more complicated. There is no prescribed 'how do I hack X' recipe on forums. You have to work it out yourself as a hacker, and the tools and skills to do so can be found online. After all, if a known Facebook hack existed, Facebook would have made sure the hole was closed.
One of the most important steps that beginners skip, because it is not the most exciting activity, is information gathering. In short: learning everything there is to know about your target. This step takes up most of the time spent on a hack, because you never have 'all' the information and therefore never stop looking things up.
In this tutorial I briefly explain the information gathering tools and techniques I find most useful, how they work and what you can use them for. So how do you gather information, and with which tools?
Information gathering tools
A WHOIS (pronounced Who-Is ;-)) lookup is a quick way to learn more about a domain. Many websites provide this service, and the whois command on Kali does the same. You enter the target's domain name and get a lot of information, including:
- The person or organisation that registered the domain (registrant)
- The company through which the domain is registered (registrar)
- When the domain was registered and when it expires
- The nameservers that serve the domain
- Contact details (telephone numbers, addresses, email) for the registrant and for the registrar's abuse desk
Two caveats: since GDPR and the spread of WHOIS privacy services, the registrant contact block is frequently redacted, and a domain WHOIS says nothing about where the server is. For that, run WHOIS on the site's IP address instead; the reply names the owner of the network block, which is usually the hosting company.
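To show what sits behind a WHOIS lookup website, here is an added example (not code from this page) that sends a query over TCP port 43, the plain-text WHOIS protocol, and pulls the fields listed above out of the reply. The server to ask depends on the TLD (whois.iana.org tells you which one); the reply text used by parse_whois below is a constructed, shortened sample in the key: value style most registries use.

```python
"""Added example: a raw WHOIS query (TCP 43) plus a parser for the fields
the text lists.  Not code from the original page; SAMPLE_WHOIS_REPLY is a
constructed reply for offline use."""
import re
import socket

# Constructed sample reply, abbreviated; note the redacted contact block.
SAMPLE_WHOIS_REPLY = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, LLC
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
"""


def whois_query(domain, server, timeout=10):
    """Send one WHOIS query to `server` and return the raw reply (network required).
    Example servers: whois.verisign-grs.com for .com, whois.iana.org for referrals."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect registrar, dates, nameservers and registrant fields from a reply.
    Name Server is multi-valued, so it becomes a list."""
    info = {"nameservers": [], "registrant": {}}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "name server":
            info["nameservers"].append(value.lower())
        elif key == "registrar":
            info["registrar"] = value
        elif key == "creation date":
            info["created"] = value
        elif key.endswith("expiry date"):  # "Registry Expiry Date"
            info["expires"] = value
        elif key.startswith("registrant "):
            info["registrant"][key[len("registrant "):]] = value
    # Privacy services and GDPR redaction are common; flag them instead of
    # reporting a placeholder as if it were a real person.
    info["registrant_redacted"] = any(
        "redacted" in v.lower() or "privacy" in v.lower()
        for v in info["registrant"].values()
    )
    return info


if __name__ == "__main__":
    for key, value in parse_whois(SAMPLE_WHOIS_REPLY).items():
        print(key, value)
```

The registrant_redacted flag is the check a practitioner wants before trusting the contact block; when it is set, the registrar's own RDDS/RDAP service or historical WHOIS archives are the next stop.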
Browserspy.dk has a set of pages that show which information websites can read from your browser, but the tool I mean here is Browserspy.dk/webserver.php
With this tool you simply enter the URL or IP of your target and get a lot of information about the server's technology, mostly taken from the HTTP response headers (Server, X-Powered-By and similar). Once you know which software hosts the website, and which version, you can check whether a known exploit exists for it. Keep in mind that an administrator can remove or rewrite these headers, so treat them as a hint rather than proof.
The largest database of known exploits is https://www.exploit-db.com/, but I do not count it as information gathering, so I will not go into it here.
Netcraft Site Report
Netcraft is best known for its anti-phishing services, but it also has a site report tool that can be used for information gathering. Again you enter the link and get a lot of information.
Much of it you have already seen in the previous two tools, but there are new insights, for example the server-side and client-side technologies that have been used, which narrows down where to look for exploits, and the site's hosting history. Netcraft also works out which CMS the website uses.
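The Browserspy and Netcraft checks above both come down to reading one HTTP response: the Server and X-Powered-By headers for the hosting software, and the page body for CMS fingerprints such as the generator meta tag and WordPress's /wp-content/ paths. The following is an added example of that logic (not code from either service); the header dictionary, the HTML body and the CMS_MARKERS table are constructed assumptions for the demo.

```python
"""Added example: fingerprint server software and CMS from one HTTP response.
Not Browserspy's or Netcraft's code.  SAMPLE_HEADERS/SAMPLE_BODY are a
constructed response; CMS_MARKERS lists default paths the named CMSs ship with."""
import re
from urllib.request import Request, urlopen

# Constructed sample: WordPress behind nginx, PHP version leaked via X-Powered-By.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentyone/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head><body></body></html>"""

# Body markers (assumed defaults); the first CMS with a matching marker wins.
CMS_MARKERS = {
    "WordPress": [r"/wp-content/", r"/wp-includes/"],
    "Joomla": [r"/media/jui/", r"/components/com_"],
    "Drupal": [r"/sites/default/files/", r"drupal-settings-json"],
}


def fingerprint(headers, body):
    """Return the technology hints in one response.  Header names are matched
    case-insensitively; the result is a hint because headers can be faked."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {
        "server": h.get("server"),            # web server banner
        "powered_by": h.get("x-powered-by"),  # application runtime (PHP, ASP.NET, ...)
        "generator": None,
        "cms": None,
    }
    m = re.search(
        r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', body, re.I)
    if m:
        result["generator"] = m.group(1)
    for cms, markers in CMS_MARKERS.items():
        if any(re.search(p, body) for p in markers):
            result["cms"] = cms
            break
    # Bare version numbers are what you later look up in an exploit database.
    banners = " ".join(v for v in (result["server"], result["powered_by"],
                                   result["generator"]) if v)
    result["versions"] = sorted(set(re.findall(r"\b\d+\.\d+(?:\.\d+)?\b", banners)))
    return result


def fetch_and_fingerprint(url, timeout=10):
    """Download a page and fingerprint it (network required)."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urlopen(req, timeout=timeout) as resp:
        return fingerprint(dict(resp.headers),
                           resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY))
```

The versions list is the part worth keeping: a bare "nginx" tells you little, while "nginx/1.18.0" and "PHP/7.4.3" are what you can search for in an exploit database, bearing in mind that distributions backport fixes without bumping the version string.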
DNS Lookup (robtex)
At Robtex you can (also) enter the domain or the IP to find out information about your target. Again, much of it you have seen in the previous three tools, but there is something new to see: which other websites are hosted on the same IP address, which other domain names point to it, and a number of the website's subdomains (not all!). Sites that share a server with your target matter because a weakness in any one of them can expose the whole host.
Dirb is a tool that comes installed on Kali Linux and can be downloaded from https://sourceforge.net/projects/dirb/
Dirb is a brute-forcing tool that tries to find hidden or sensitive files and directories on a website using wordlists: lists of thousands of names that it tries one by one.
Imagine you are trying to hack Kalitut.com. Dirb takes each entry from the wordlist and checks, for example, whether a file exists at kalitut.com/passwords.txt
Dirb ships with standard wordlists, but you can also create your own. I assume that you are trying this on Kali (Dirb is a Linux tool) and that it is already installed.
To use Dirb, follow the commands below.
Open the terminal and run dirb without any arguments.
You immediately see the usage text with all the options you have and how the tool works. Three things always go on the command line: dirb, the URL of your target, and the wordlist. The wordlists installed with Dirb can be found (on Kali) under /usr/share/wordlists/dirb/
The (in my opinion) most important optional parameters are -o and -X.
-o saves the output to a text file; -X appends the given extensions (.txt, .exe, .mp3) to every word from the wordlist, so that the entry passwords is also tried as passwords.txt
For example, a typical Dirb command could be:
dirb http://www.kalitut.com '/usr/share/wordlists/dirb/common.txt' -o Example_info.txt -X .txt
You now get the links to all .txt files from the wordlist that Dirb can reach on the target, saved to Example_info.txt as well. Sanity-check the hits: a site that answers 200 to every path makes every word look like a find, so compare against a request for a name that certainly does not exist before trusting the list.
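To make clear what Dirb is actually doing per wordlist entry, here is an added example written with Python's standard library (it is not Dirb's code). It runs the same loop, word plus optional extension, and keeps every response whose status is not the site's "not found" answer. Instead of a real target it starts a constructed local HTTP server with two known paths; the URL, the wordlist and the FILES table are assumptions for the demo.

```python
"""Added example: the loop behind a Dirb run, against a constructed local target.
Not Dirb's own code.  probe() uses HEAD to stay light; switch to GET if a
site answers HEAD differently."""
import http.server
import threading
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen


def probe(url, timeout=5):
    """Return the HTTP status code for url; 4xx/5xx come back as codes, not errors."""
    req = Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def bruteforce(base_url, words, extensions=("",), not_found=(404,)):
    """Try every word (and word+extension) under base_url and return the list of
    (path, status) pairs whose status is not in not_found.  If a site returns
    200 for everything, first probe a random name and add its status here."""
    hits = []
    for word in words:
        for ext in extensions:
            path = word + ext
            status = probe(urljoin(base_url, path))
            if status not in not_found:
                hits.append((path, status))
    return hits


class _FakeSite(http.server.BaseHTTPRequestHandler):
    """Constructed target: one readable file, one forbidden directory, rest 404."""
    FILES = {"/passwords.txt": 200, "/admin": 403}

    def do_HEAD(self):
        self.send_response(self.FILES.get(self.path, 404))
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_site():
    """Serve _FakeSite on a free localhost port in the background; return its URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_address[1]


def demo():
    """Run a tiny wordlist with the '' and '.txt' extensions against the fake site."""
    base = start_fake_site()
    words = ["admin", "backup", "passwords", "robots"]  # constructed mini wordlist
    return bruteforce(base, words, extensions=("", ".txt"))


if __name__ == "__main__":
    for path, status in demo():
        print("+ %s (%d)" % (path, status))
```

The 403 on admin is reported on purpose: a forbidden directory still tells you it exists, which is exactly the kind of lead a plain file listing would not show.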
Knock.py is a tool for finding subdomains. Subdomains are worth finding because they may carry login pages, less secure pages or entirely different applications, which can also be hacked. For example, this has already happened at beta.facebook.com
Knock.py is not installed by default on Kali Linux and can be downloaded with Git. In the terminal:
git clone https://github.com/guelfoweb/knock.git
You can now start Knock from the terminal (as long as you are in the folder where you cloned it) with python knockpy.py
Knock has a standard wordlist, but with the -w parameter you can use your own. For more information run:
python knockpy.py -h
which lists all further options, including automatic output to a CSV or JSON file.
A typical Knock command would therefore be:
python knockpy.py Example.com -w Wordlist.txt
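Both Robtex's partial subdomain list and Knock's wordlist mode answer the same question: which name.target resolves? The added example below (not Knock's code) does that with the standard library, and includes the check that matters most in practice: a zone with a wildcard DNS record answers for every name, so a random name is resolved first and any hit that matches the wildcard answer is discarded. The resolver is passed in as a function so the demo runs offline against a constructed zone (example.test, the FAKE_ZONE table and the wordlist are assumptions); pass nothing to use real DNS.

```python
"""Added example: wordlist subdomain enumeration with wildcard detection.
Not Knock's code.  FAKE_ZONE and fake_resolve are a constructed zone for
offline use; dns_resolve is the real lookup."""
import random
import socket
import string


def dns_resolve(name):
    """Real resolver: the set of IPv4 addresses for name, empty if it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def enumerate_subdomains(domain, words, resolve=dns_resolve):
    """Return {fqdn: sorted addresses} for wordlist names that resolve.
    Answers identical to the wildcard answer are dropped: they prove nothing."""
    probe = "".join(random.choices(string.ascii_lowercase, k=12))
    wildcard = resolve("%s.%s" % (probe, domain))  # empty on a zone without wildcard
    found = {}
    for word in words:
        fqdn = "%s.%s" % (word.strip(), domain)
        addrs = resolve(fqdn)
        if addrs and addrs != wildcard:
            found[fqdn] = sorted(addrs)
    return found


# Constructed zone: three real hosts plus a wildcard that catches everything else.
FAKE_ZONE = {
    "www.example.test": {"203.0.113.10"},
    "beta.example.test": {"203.0.113.20"},
    "vpn.example.test": {"198.51.100.5"},
}
WILDCARD_ADDR = {"203.0.113.99"}


def fake_resolve(name):
    """Offline stand-in for dns_resolve that behaves like FAKE_ZONE."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return WILDCARD_ADDR if name.endswith(".example.test") else set()


def demo():
    words = ["www", "mail", "beta", "vpn", "dev"]  # constructed mini wordlist
    return enumerate_subdomains("example.test", words, resolve=fake_resolve)


if __name__ == "__main__":
    for fqdn, addrs in demo().items():
        print(fqdn, ", ".join(addrs))
```

Without the wildcard check, mail and dev would both show up as "found" with the catch-all address; with it, only the three names that really exist are reported. Against a real target, feed the same function a large wordlist and dns_resolve, and expect to wait: every entry is one DNS query.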
There are many more tools that can be used, and of course there are also manual ways to get information. Tell us about the best tools you use 🙂