or any linux machine to know the dns servers of certain domain. For example,
Dig –t NS Wikimedia.org
Use backtack or any linux machine to know the A and MX records of certain domain. For example,
Dig –t A Wikimedia.org
Dig –t MX Wikimedia.org
To see the zone transfer
Dig –t AXFR Wikimedia.org @ ns1.wikimedia.org
We can see all the records in that dns server.
We can use the nslookup command to see the host of certain ip address
Nslookup –type= ptr 31.13.81.17
We can use who.is to know information about server, when created , and when expired and all information about that the dns servers of domain and about the administrator. You can get the same information from backtrack terminal. Write
whois Microsoft.com
We can use tool called smartwhois to get same information.
We can use tool called countrywhois to get information about country of a domain.
We can use tool called lanwhois to get same information from who.is.
There is tool called alchemy eye to make monitoring for certain services in a target server. It can check the status of certain services on a server.
Use robots.txt file to know what is not allowed on the website. Eg www.microsoft.com/robots.txt
To search site in google write eg, site:tedata.com filetype:pdf. You can search the following in google
Intitele: search in the title page
Inurl: search in the url page
Site: search on site
Link: other sites that links to our subject
Inanchor: search on hyperlinks
Filetype: search to see pattern yet
There is google hacking data base. You can find exploits in www.exploit-db.com in ghdb section.
You can use sitedigger to get the dorks of any site.
You can use theHarvester to get the emails of certain domain. From the backtrack write for example,
#./theharvester.py –d Microsoft.com –l 500 –b google
You can search emails using the exploitation tools in back track. Type in the command line msfconsole
# msfconsole.
From the command msf, write
msf> search email
It will bring all modules that have emails. Take one module
Auxiliary /gather/ search_email_collector
Write
Msf> use Auxiliary /gather/ search_email_collector
Then write " info "
Msf> info
Then write " set DOMAIN Microsoft.com"
Msf> set DOMAIN Microsoft.com
Then write "run"
Msf> run
You can use Maltego tool. When you run the program, choose company stalker, write the name of the company ie Microsoft.com. It will brings the email of the domain. Take the domain Microsoft.com, then click run transform.
You can use piple search or facebook.
You can use the website truecaller website to find the person of certain phone number .
You can use metadata collector tools. Two tools used, metagofil, FOCA
Metagofil tool is in backtrack. For example write
#/pentest/enumeration/google/metagoofilo
#./metagoofil.py –d Microsoft.com -t doc,pdf -l 200 –n 50 –o microsoftfiles –f results.com
It will bring many emails and other information.
You need to change downloader.py to be
Use foca to download files from certain servers.
Use traceroute, tracert to traceout the connections in certain server.
There is tool called tcptraceroute can bypass firewalls.
You can use geospider as tracert tool.
You can use trout tool.
You can use visual ip trace.
You can use www.bing.com to see all the web sites on the web server. Write the Ip and you will get all websites in the same server.
To know the type of web server, we use whatweb tool in linux.
#./whatweb www.microsoft.com
We can use httprecon tool for same purpose to know the type of web server.
We can use the site news.netcraft.com to get all information about web server.
We can use the telnet command to know the type of web server
# telnet 192.168.1.1 80
# GET / HTTP / 1.0
We can use netcat in linux to know the type of web server.
# nc –n 192.168.28.139 80
# GET / HTTP / 1.0
We can use the tool httrack and wget for mirroring websites. You can use them to download and save websites.
We can use in backtack THCSSLCheck tool
# wine THCSSLCheck www.yahoo.com 443
Or use the tool sslscan
#sslscan www.cnn.com
To
