Now that you know all about the fundamentals of bug bounty hunting and web pentesting, we're now going to look at the information gathering techniques that you can carry out as reconnaissance on the website you're planning to attack.
Hi, within this lecture, we're going to cover another lookup, another passive information gathering tool. But this time we're going to see what a DNS lookup is. Okay, so I'm going to come over here to Google again and I'm going to search for DNS lookup. Okay, and this time we're going to go after the domain name servers, and actually we're going to gather much more useful information in this case, which might lead to something in our web pentesting. Okay, so I'm going to come over here to DNS lookup. As you can see, there are a couple of million results over here as well. So, I'm going to open this one, mxtoolbox.com. Let's see if it's any good. So, for the domain name, I'm going to give my own website one more time. You can just do it with any website that you are targeting or that you want. Okay, let's see how MXToolbox did. So, as you can see, we don't get too much information over here. It already found the IP address and something like that, and it says that there is a super tool, but maybe you have to pay for it. So, apparently this tool is not very good. Okay. At least for free. So, I'm going to show you a website. I'm going to go to robtex.com. Okay. So, this is one of the sites that I regularly use for DNS lookup, and it gives a comprehensive summary about the DNS lookup. So, I'm going to give my website over here again, and here you go. It's very fast and, as you can see, it already found a lot of information. So, over here we have an analysis section. As you can see, it says that it has two name servers and one IP number. So, over here, we have the domain control name servers. So, we have already seen this in the Whois lookup as well. So, we have the IP number, and the IP number is a little bit different this time. I don't know why. We're going to see why this can happen later on. And as you can see, there are other websites over here which are not even related to our website in any way. Like, I don't know any of these websites. But I'm going to show you why.
This is happening because I'm using a shared server. Okay. So, my server is hosted on GoDaddy and uses a shared server, even though I go to my website and it finds the website and it shows it. As you can see, it's a very simple website where I display my own courses, something like that. So, I don't even need a dedicated server. Right? So, I'm not using a dedicated server. Rather, I'm using a shared server. Which means that GoDaddy gets to actually place some other websites on my server as well. So, I'm sharing a computer with some other guys I don't know about. Right. So, it can get dangerous actually. So, I have to see what kind of other websites are hosted on my web server. So, if I can hack one of them, then maybe it may lead me to hack the other websites as well. It won't be easy, because it won't be kind of giving the root access to us like on a plate. But again, it's worth a shot, and again, it's a risk for security. Okay. So, it should be in your way, it should be in your list, to look for this website and understand if there are any vulnerable websites in that list as well. Of course, maybe you don't have to just do web pentesting on all the websites that you get on that same web server. Maybe you can just take a look and try to identify if there is a very vulnerable one among them. But again, it's worth a shot and you have to do it. So, this is the beauty of the DNS lookup. It shows you the other websites that are installed on that server as well, and we're going to see another way of doing this as well. So, if you come over here to records, let's see if we get anything different over there. It shows us the DNS servers or name servers, and we have already seen them. For this search engine optimization information, we are not getting anything different or anything that we can use to our advantage. So, the Web Of Trust reputation score, we couldn't find any in this case. So, we have the Alexa data.
As you can see, the global rank of my website is increasing over here for some reason, and I'm getting some visitors. And for the last information, we have again the IP numbers, we have the name servers, IP numbers of the servers, and similar sites. And there's a graph apparently, and we need to log in to see that section, but it's not very important, it's just a graphical representation of these things. So, let me just go back and let me talk more about these shared websites or shared hostings. Okay. So, as you can see, we have this IP address over here, but we have seen something else before. So, let me try to see if that's the real IP address of my website. It can give us some kind of different IP address from time to time. So, you need to make sure, okay. You don't have to trust every tool that you use in this case, since they are free and online tools. If you're not certain, you can just ping it and see the IP address. As you can see, if we click on that IP address, we get detailed information about that IP address in this DNS lookup as well. So, what I'm going to show you, I'm going to go to bing.com. As you can see, this is a search engine, and in Bing you can search for IP addresses as well. So, I'm going to say 'IP:' and just give this IP address and see what kind of websites are hosted on that IP address. Okay. So, Bing does that for free, and as you can see, we cannot get any results back. So, there should be something wrong with this IP address, because I'm certain that we have seen some other IP address in the Whois lookup and other lookups. So, this should be the IP address. Right? So, I'm going to search for that one, and this will give us the correct IP address, I believe. And here you go. We have a lot of websites over here. So, maybe Haveston, Shropshire Stainless and Aluminum Limited, something like that. And my website is on that list as well. So, as you can see, it shares with a lot of other websites, and it shares this same IP address.
So, I don't have a dedicated IP address and I don't have a dedicated server in this case. It's an issue, it's a risk issue. I have strengthened my own website with firewalls and other measures as well. But again, it's worth a shot. So, if this is very vulnerable, then maybe someone can hack it and reach the server. Of course, the goal is that the servers are not that vulnerable, so you cannot get root exactly. Okay. Like in an easy way. And by the way, come over here to Kali Linux, or any other operating system as well. I'm gonna ping myself and see if that's the correct IP address. Here you go. We have this IP address. For some reason, we didn't get this on robtex.com. So, make sure you double check it before you go on and attack that IP address in any other way. So, that's it for the DNS lookup. We're going to stop here and continue with the information gathering in the next lecture.
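The lecture's point is that different lookup tools reported different IP addresses for the same domain, so the answer has to be cross-checked. As an added example that is not part of the course material, the following Python builds a raw DNS query, parses the A and NS records out of the reply, and lets you ask several resolvers directly so that disagreeing answers show up; the resolver address passed to `lookup` is your choice, and the example only assumes the RFC 1035 wire format.

```python
import socket
import struct
QTYPES = {1: "A", 2: "NS"}  # the record types the lookup in the lecture reports

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """RFC 1035 query: header with RD=1 and one question, then QNAME/QTYPE/QCLASS=IN."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def read_name(data: bytes, pos: int) -> tuple[str, int]:
    """Decode a name, following compression pointers; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:  # pointer: the rest of the name lives earlier in the packet
            end = end or pos + 2
            pos = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), end or pos
        labels.append(data[pos:pos + length].decode())
        pos += length

def parse_answers(data: bytes) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) per answer record; A as dotted quad, NS as a host name."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = read_name(data, pos)[1] + 4
    answers = []
    for _ in range(an):
        owner, pos = read_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen].hex()  # fallback for record types not rendered below
        if rtype == 1:
            rdata = socket.inet_ntoa(data[pos:pos + 4])
        elif rtype == 2:
            rdata = read_name(data, pos)[0]
        answers.append((owner, QTYPES.get(rtype, str(rtype)), rdata))
        pos += rdlen
    return answers

def lookup(name: str, qtype: int, server: str) -> list[tuple[str, str, str]]:
    """Ask one resolver directly over UDP/53; run it against several to spot disagreeing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(sock.recv(4096))
```

Comparing `lookup("yourdomain.example", 1, server)` across two or three resolvers gives the same sanity check the lecture does with ping, without depending on one website's cached view.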
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.