Information Gathering
Whois Lookup
8m 22s

Now that you know all about the fundamentals of bug bounty hunting and web pen-testing, we're now going to look at the information gathering techniques that you can carry out as reconnaissance on the website you're planning to attack.


Hi. So far within this section, we have been doing passive information gathering, which means that we're just gathering information. It's publicly available information most of the time; we don't send big or intense pings to the server. It doesn't have any reason to ban us or to understand that we are trying to gather information. So, that's passive information gathering. In active information gathering, we actually do very hard pinging with tools like Nmap or Nessus, and it's not in the scope of this lecture, or of this course actually. It's more like a hacking-into-the-system thing. We're not trying to hack into the server. If we can, we can do it, but we do it with the vulnerabilities that we find in the websites. So, if you're doing bug bounties, most of the time you're going to do it against big companies, and they won't have easy things to get into.

I'm going to show you a tool called Netcraft. So, go into Google like I did, and just open netcraft.com. This is a mix between passive information gathering and active information gathering. It finds related information about the website, like what kind of technologies they use or if there's any vulnerability in that related technology. So, it's a very good tool actually. And as you can see, Netcraft is a cybersecurity company. It sells a lot of products as well. So, it's better to go to this website: sitereport.netcraft.com. This is a free tool; you can use it and you can gather much more information about the website that you're targeting when we compare it to Whois Lookup and DNS Lookup. So, you can do this for my website as well.

Again, one more time I'm going to give my website over here and say 'Lookup'. So, this may take a little bit more time than what we have seen before. But it's quick, as you can see, and we're still going to see the things that we have seen before. But we're going to see some additional stuff as well, like Netcraft Risk Rating. As you can see, my risk is very low, because there is no misconfiguration or there is some sort of firewall protection on my website. And as you can see, we see this: Netblock Owner, Domain name, Nameserver, IP addresses. Right now we're getting the true IP address in this case; before we didn't get that. So, we see the Hosting company, Top Level Domain. We have seen many of those before. So, let me scroll down a little bit to see something interesting. As you can see, we have the IP range, we can see the hosting site is GoDaddy, and it's in the US. So, we can see the SSL information. It says that this is not an HTTPS website, which is not correct. I believe we have to come over here and give https:// in order to get the actual information about this website. So, that's a learning as well. Don't forget to add the https over here. Once we do that, we can get much more information. As you can see right now in the SSL/TLS section, we get a lot of information about the SSL certificates. And I don't think we're going to see something interesting in here, in the SSL Encryption or SSL certificate, because mine does not have any problem. But if there was, then we could have seen it over here. But on the websites that you're going to be performing web pen testing or bug bounty hunting against, I don't believe you're going to see some issues with the SSL as well. So, over here we have these certificates again. And let's see SSL Certificate Chain; I got it from GoDaddy. So, we can see the Certificate Authority and stuff. There's nothing interesting in here. Hosting History: I'm using Apache and Linux.

So, this may get interesting. We actually started to see some useful information like Linux and Apache. Over here we have the Sender Policy Framework. This is a security rating about the mail. So as you can see, it describes who can send mail on its behalf, and as you can see, it's passing in this case. So if it's not passing, if it's failing on every qualifier over here, it may be spoofed easily. That mail may be spoofed easily, so it creates a risk about that website as well. So, that can be put in a report if you're preparing a report for your web pen testing against the website. So, let's see if we have anything interesting over there; we have Web Trackers. So, Google is tracking my website. So, let me scroll down. Here you go, these are very useful. As you can see, my website is using PHP, XML, SSL, PHP Enabled. So, if I try to do something like an attack, like a code injection, I will definitely go for PHP. If I was using a Windows server with ASP, for example, PHP code wouldn't work on my website. So, I need to know that kind of information before I go into pen testing. So, maybe it's using Windows and ASP. If I upload a PHP shell, it wouldn't work. Most of the websites that you're going to be pen testing, I believe they're going to be using Linux and other services that you are familiar with. But it may be the other way around. And then you're not going to search for a PHP shell in Google, but you're going to search for an ASP shell for Windows servers in Google in order to find the relevant information.

So, you need to know about this stuff before you go bug bounty hunting. So as you can see, in Client-Side, my website uses JavaScript. Again, this is useful information. We can try to use XSS attacks if we can find any opportunity. We can see it's using WordPress, and again it's very important if it uses any content management system like WordPress: we can try to gather the version of that CMS and try to see if that's vulnerable or not. Let's browse a little bit. Let's see if it uses HTML, HTML5, and it uses CSS. So far so good. As you can see, we get much more information in Netcraft than we ever have before, and we can actually use this information in our web pen testing. So, it's a little bit different than DNS Lookup and Whois Lookup. It may be the first step, one of the first steps that you can do before you go on and start bug bounty hunting. So, these steps are very important. You shouldn't skip one of those before you start that pen testing. So, we're going to stop here and continue in the next lecture about information gathering.
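The Sender Policy Framework check described in the lecture, as an added example that is not part of the original course material: a small Python checker that parses a domain's SPF TXT record, reads the qualifier on the terminal `all` mechanism (the "pass / fail on every qualifier" the lecture refers to), counts DNS-lookup terms against the RFC 7208 limit of 10, and rates how easily mail for the domain could be spoofed. The record strings are constructed samples, not real lookups.

```python
import re

# Meaning of the qualifier on the terminal "all" mechanism (RFC 7208).
ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism name, optional ":domain", "=value" or "/cidr" argument
TERM_RE = re.compile(r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists|redirect)(?:[:=/].*)?$", re.I)

def parse_spf(txt_record):
    """Return the SPF terms of a TXT record, or None if it is not an SPF record."""
    parts = txt_record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]

def assess_spf(txt_record):
    """Rate how well an SPF record constrains who may send mail for the domain."""
    terms = parse_spf(txt_record)
    if terms is None:
        return {"present": False, "all": None, "lookups": 0, "risk": "high",
                "reason": "no SPF record: any host can claim to send mail for the domain"}
    all_qual, lookups = None, 0
    for term in terms:
        m = TERM_RE.match(term)
        if not m:
            continue                      # unknown or unsupported term, ignored
        qual, mech = (m.group(1) or "+"), m.group(2).lower()
        if mech == "all":
            all_qual = qual               # "all" always matches, so evaluation stops here
            break
        if mech in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        risk, reason = "high", "more than 10 DNS lookups: receivers return permerror and ignore SPF"
    elif all_qual is None or all_qual in ("+", "?"):
        risk, reason = "high", "record does not reject unlisted senders (missing, +all or ?all)"
    elif all_qual == "~":
        risk, reason = "medium", "~all only softfails; spoofed mail may still be delivered"
    else:
        risk, reason = "low", "-all hard-fails senders not listed in the record"
    return {"present": True, "all": ALL_QUALIFIERS.get(all_qual), "lookups": lookups,
            "risk": risk, "reason": reason}

# Constructed sample records (not real DNS answers) to exercise the checker.
SAMPLES = {"strict": "v=spf1 include:_spf.example.net mx -all", "soft": "v=spf1 a mx ~all",
           "open": "v=spf1 +all", "no_all": "v=spf1 include:_spf.example.net"}
```

Call `assess_spf` on any of the `SAMPLES` entries, or on a TXT record you have fetched for a domain you are authorised to assess; the returned `reason` is the sentence you would paste into the report.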


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.