Google Hacking | Open Web Information Gathering

ETHICAL HACKING – Information Gathering

  1. How to use dnsenum for dns enumeration – Kali
  2. How to use dig command in Kali Linux
  3. whois Kali Linux commands with example
  4. Enumerating DNS Records through dnsenum tool in Kali Linux
  5. Email Harvesting by theharvester tool in Kali Linux
  6. Google Hacking | Open Web Information Gathering
  7. dnsmap | DNS Domain name system brute force attacks
  8. Zone Transfer using dnswalk tool
  9. Website information Gathering through Nikto tool
  10. Search Senstive Data through Metagoofil Kali Linux 2.0
  11. 8 Steps to run Maltego Kali Linux – beginner guide

Learn the best Google hacking tricks for hackers and penetration testers

Hackers and penetration testers use Google search tricks, called Google hacking tricks, to gather information about a target from the open web. If you want to "hack Google", use the Google Hacking Database. Google hacking is an open web information gathering technique.

Before starting an engagement with an organization, it is important to browse the target's website and gather the information that is publicly available. In this step you will be able to collect contact information, phone and fax numbers, emails, company structure, geographical location, address and so on. Sometimes this simple task gives you a lot of information.

How to hack Google?

The Google search engine is a security auditor's best friend, especially when it comes to information gathering.


Enumerating with Google an Open Web Information Gathering

Google supports many search operators, which let a security auditor point the search at exactly what matters. For example, site is an operator that restricts the results to a given domain and its related domains, which both shows what Google has indexed for the target and cuts the number of results down to those related to it.

In this example, the site operator returns over 59 million results related to the Microsoft site, meaning every result comes from microsoft.com. If we want to find Microsoft's subdomains instead, use the exclusion form of the operator, -site, to drop the results that come from the main site.

It's easy to see how the many other search operators, such as filetype, inurl and intitle, can also be used to find information about a target organization. One example that looks for a known hardware appliance's status page:

intitle:"netbotz appliance" "OK" -filetype:pdf
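The operators discussed above (site, filetype, inurl, intitle, quoted phrases and the leading - that excludes a term) have a small, regular grammar. The parser below is an added example written for this page, not code from the original post or from the Google Hacking Database project; it splits a query into included operators, excluded operators and plain terms, and adds a targets_domain() helper a defender can use to pick out the GHDB queries that are scoped to a domain they own. The query strings used in the comments and the test are the page's own examples plus constructed ones.

```python
"""Parse Google-style search queries into their operator components."""
import re
from dataclasses import dataclass, field

# Operators discussed on the page; any other "word:value" is kept as a plain term.
KNOWN_OPERATORS = {"site", "filetype", "inurl", "intitle", "allinurl", "intext"}

# One token: optional '-' (exclude), optional operator prefix, then either a
# quoted phrase or a bare word.
TOKEN_RE = re.compile(
    r'(?P<neg>-?)(?:(?P<op>[a-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


@dataclass
class ParsedQuery:
    include: dict = field(default_factory=dict)        # operator -> [values]
    exclude: dict = field(default_factory=dict)        # negated operator -> [values]
    terms: list = field(default_factory=list)          # plain required terms/phrases
    excluded_terms: list = field(default_factory=list)  # plain negated terms


def parse_query(query: str) -> ParsedQuery:
    """Split a dork into operators, excluded operators and plain terms."""
    result = ParsedQuery()
    for m in TOKEN_RE.finditer(query):
        negated = m.group("neg") == "-"
        op = m.group("op")
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if op and op.lower() in KNOWN_OPERATORS:
            bucket = result.exclude if negated else result.include
            bucket.setdefault(op.lower(), []).append(value)
        else:
            # An unknown "word:value" (or a URL) is treated as a literal term.
            literal = f"{op}:{value}" if op else value
            (result.excluded_terms if negated else result.terms).append(literal)
    return result


def targets_domain(query: str, domain: str) -> bool:
    """True if a site: operator scopes the query to `domain`, to one of its
    subdomains, or to a parent domain that contains it."""
    parsed = parse_query(query)
    domain = domain.lower().strip(".")
    for site in parsed.include.get("site", []):
        site = site.lower().strip(".")
        if site == domain or site.endswith("." + domain) or domain.endswith("." + site):
            return True
    return False


if __name__ == "__main__":
    # The page's own example query.
    print(parse_query('intitle:"netbotz appliance" "OK" -filetype:pdf'))
    print(targets_domain("site:microsoft.com -site:www.microsoft.com", "microsoft.com"))
```

A practical use is to run a list of GHDB entries through targets_domain() for each domain you are responsible for and review only the matches; the excluded_terms bucket is kept separate so that a "-site:" exclusion is never mistaken for a target.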


Google Hacking Database

The Google Hacking Database (GHDB) is a database of queries used by hackers to identify sensitive data on your website, such as portal logon pages, logs containing network security information, and so on. Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and running the Google Hacking Database queries directly against the crawled content.


https://www.exploit-db.com/google-hacking-database/


dnsmap | DNS Domain name system brute force attacks

Brute force on a domain name for subdomains

dnsmap brute forces DNS names to find subdomains (or domain suggestions), and it checks domain status and DNS records. Before you start learning about dnsmap you should know what a domain name server and a subdomain are. The Domain Name System is a service that resolves a DNS name query into an IP address and, in reverse, an IP address into a domain name. Most DNS setups have two parts, a primary DNS server and a secondary DNS server. A subdomain is a domain that belongs to another domain; for example, www.aa.example.com is a subdomain of www.example.com.

dnsmap Overview

dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).

Source: http://code.google.com/p/dnsmap/

Key features of DNSMAP Tool

  • Obtain all A records (i.e. IP addresses) associated to each successfully brute forced sub domain, rather than just one IP address per sub domain.
  • Abort the brute forcing process in case the target domain uses wildcards.
  • Ability to be able to run the tool without providing a word list by using a built-in list of keywords.
  • Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
  • Saving the results in human-readable and CSV format for easy processing.
  • Improved built-in subdomains wordlist.
  • New bash script (dnsmap-bulk.sh) included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute forcing several domains in a bulk fashion.
  • Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).

What can you find using dnsmap?

  1. Interesting remote access servers.
  2. Badly configured and/or unpatched servers.
  3. New domain names which will allow you to map non-obvious/hard-to-find netblocks.
  4. Sometimes brute forced subdomains resolve to internal IP addresses (RFC 1918). This is valuable because sometimes they are real, up-to-date A records, which means that it *is* possible to enumerate internal servers of a target organization from the Internet using only standard DNS resolution (as opposed to zone transfers, for instance).
  5. Embedded devices configured using Dynamic DNS services.
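Two of the behaviours described above are worth seeing in code: the wildcard check (dnsmap aborts when a pseudo-random name under the zone resolves, because every guess would then "succeed") and the classification of results that resolve to RFC 1918 addresses, which is what a defender wants to know about their own zone. The script below is an added example written for this page, not dnsmap's own code. It takes a pluggable resolve(name) function so the logic runs offline against a constructed zone; in real use resolve would wrap socket.gethostbyname_ex or a DNS library.

```python
"""Wildcard detection and RFC 1918 classification for subdomain brute-force results."""
import ipaddress
import secrets
import string

# RFC 1918 private ranges, matched explicitly rather than via ip.is_private so that
# documentation ranges such as 203.0.113.0/24 (used in the sample) count as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def random_label(length: int = 12) -> str:
    """Pseudo-random hostname label used to probe for a wildcard record."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve, probes: int = 3) -> bool:
    """A zone is treated as wildcarded if never-published random names resolve.
    Several probes are used so that one coincidental hit is not enough."""
    hits = sum(1 for _ in range(probes) if resolve(f"{random_label()}.{domain}"))
    return hits == probes


def brute_force(domain: str, wordlist, resolve) -> dict:
    """Resolve each candidate label and keep every A record, not just the first."""
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        addresses = resolve(name)
        if addresses:
            found[name] = sorted(set(addresses))
    return found


def classify(found: dict) -> dict:
    """Split results into names exposing internal (RFC 1918) addresses and the rest."""
    internal, public = {}, {}
    for name, addrs in found.items():
        (internal if any(is_rfc1918(a) for a in addrs) else public)[name] = addrs
    return {"internal": internal, "public": public}


def audit(domain: str, wordlist, resolve) -> dict:
    """Refuse to brute force a wildcard zone; otherwise classify what resolved."""
    if detect_wildcard(domain, resolve):
        return {"wildcard": True, "internal": {}, "public": {}}
    report = classify(brute_force(domain, wordlist, resolve))
    report["wildcard"] = False
    return report


# Constructed zone for the offline demonstration (fictional names and documentation IPs).
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10", "203.0.113.11"],
    "mail.example.test": ["203.0.113.25"],
    "vpn.example.test": ["10.8.0.1"],            # leaks an internal address
    "intranet.example.test": ["192.168.10.5"],   # leaks an internal address
}


def fake_resolve(name: str) -> list:
    """Stand-in resolver: only names in FAKE_ZONE exist."""
    return list(FAKE_ZONE.get(name, []))


def fake_wildcard_resolve(name: str) -> list:
    """Stand-in resolver for a zone with a wildcard A record: everything resolves."""
    return ["203.0.113.99"]


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "intranet", "dev"]
    print(audit("example.test", words, fake_resolve))
    print(audit("example.test", words, fake_wildcard_resolve))
```

Run against a zone you administer, a non-empty "internal" bucket means names that should not be published (or a split-horizon DNS that is leaking), and a "wildcard" result means any external brute-force tool will report every guess as a hit.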

Dnsmap Usage Example

Run dnsmap without arguments to see its usage and the options it includes:

#dnsmap

To scan a domain name (example.com) for subdomains with the built-in wordlist, run the following command and inspect the result:

#dnsmap example.com

Scan example.com using a wordlist (-w /usr/share/wordlists/dnsmap.txt)

#dnsmap example.com -w /usr/share/wordlists/dnsmap.txt


Zone Transfer using dnswalk tool

Overview of dnswalk

dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.

Source: http://sourceforge.net/projects/dnswalk/

You can get information about the dnswalk tool by executing the following command; dnswalk bundles several checks, which are selected with different switches.

#dnswalk --help

dnswalk Options

-r     Recursively descend sub-domains of the specified domain.
-a     Turn on warning of duplicate A records.
-d     Print debugging and 'status' information to stderr. (Use only if redirecting stdout.)
-m     Perform checks only if the zone has been modified since the previous run.
-F     Perform "fascist" checking. When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches.
-i     Suppress check for invalid characters in a domain name.
-l     Perform "lame delegation" checking. For every NS record, check to see that the listed host is indeed returning authoritative answers for this domain.
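The -a and -F checks above are easy to misread until you see them applied to a zone. The script below is an added example written for this page, not dnswalk's code: it runs the duplicate-A check and the forward/reverse (PTR) comparison over a constructed zone given as (name, type, rdata) tuples plus a constructed reverse table, so it works offline. In a real check the records would come from an AXFR of a zone you administer and the PTR answers from reverse lookups.

```python
"""Zone consistency checks in the spirit of dnswalk's -a and -F options."""
import ipaddress
from collections import defaultdict


def check_duplicate_a(records):
    """dnswalk -a: warn when the same address appears under more than one name."""
    names_by_ip = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "A":
            names_by_ip[rdata].add(name)
    return {ip: sorted(names) for ip, names in names_by_ip.items() if len(names) > 1}


def check_ptr_mismatch(records, ptr_lookup):
    """dnswalk -F: every A record's address should reverse-map to the same name."""
    problems = []
    for name, rtype, rdata in records:
        if rtype != "A":
            continue
        reverse = ptr_lookup(rdata)
        if reverse is None:
            problems.append((name, rdata, "no PTR record"))
        elif reverse.lower().rstrip(".") != name.lower().rstrip("."):
            problems.append((name, rdata, f"PTR says {reverse}"))
    return problems


def reverse_name(addr):
    """The in-addr.arpa name for an IPv4 address, as a PTR query would use."""
    return ipaddress.ip_address(addr).reverse_pointer


# Constructed zone, laid out as an AXFR of example.test would return it (not real data).
ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400"),
    ("example.test.", "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "203.0.113.2"),
    ("www.example.test.", "A", "203.0.113.10"),
    ("old-www.example.test.", "A", "203.0.113.10"),   # same address as www: -a finding
    ("mail.example.test.", "A", "203.0.113.25"),
    ("dev.example.test.", "A", "203.0.113.30"),       # no PTR at all: -F finding
]

# Constructed reverse zone, keyed by in-addr.arpa name.
PTR_TABLE = {
    reverse_name("203.0.113.2"): "ns1.example.test.",
    reverse_name("203.0.113.10"): "www.example.test.",
    reverse_name("203.0.113.25"): "smtp.example.test.",  # forward/reverse mismatch: -F finding
}


def fake_ptr_lookup(addr):
    """Stand-in for a PTR query against the constructed reverse zone."""
    return PTR_TABLE.get(reverse_name(addr))


def run_checks(records=ZONE, ptr_lookup=fake_ptr_lookup):
    return {
        "duplicate_a": check_duplicate_a(records),
        "ptr_mismatch": check_ptr_mismatch(records, ptr_lookup),
    }


if __name__ == "__main__":
    for kind, findings in run_checks().items():
        print(kind, findings)
```

A duplicate A record is often harmless (an alias kept as an A instead of a CNAME), but a PTR that names a different host, or no PTR at all, is what mail receivers and some access-control checks trip over, which is why dnswalk calls the strict mode "fascist".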

dnswalk Usage Example

When you run the dnswalk command you have to put a "." (dot) at the end of the domain name; for example, if the domain name is cyberpedia.in you have to specify cyberpedia.in. (with the trailing dot). Zone transfer is disabled by default on most domains and can be enabled by the administrator. Here is the result for a domain with zone transfer disabled.

If zone transfer is disabled then you can use the -f switch to force a zone transfer.

Website information Gathering through Nikto tool

What is nikto ?

Nikto is one of the most popular web server scanners designed to fingerprint and test web servers for a variety of possible weaknesses including potentially dangerous files and out-of-date versions of applications and libraries. It is written in Perl language.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
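Because Nikto is loud, the same property that makes it obvious in log files makes it easy to detect. The detector below is an added example written for this page, not Nikto's code: it parses combined-format access log lines (constructed samples are embedded; the Nikto User-Agent string is modelled on Nikto's default, which is assumed here) and flags a client either by that User-Agent or by a burst of requests that mostly return 404.

```python
"""Spotting a Nikto scan in web server access logs."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_scanner(lines, min_requests=10, not_found_ratio=0.6):
    """Return {ip: [reasons]} for clients that look like a Nikto scan."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        stats["agents"].add(rec["agent"])

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        if any("nikto" in agent.lower() for agent in stats["agents"]):
            reasons.append("Nikto user-agent")
        if stats["total"] >= min_requests and stats["not_found"] / stats["total"] >= not_found_ratio:
            reasons.append(f"{stats['not_found']}/{stats['total']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: a normal visitor, then a scanner probing for files that do not exist.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 2231 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [10/Oct/2023:14:02:{i:02d} +0000] "GET /{path} HTTP/1.1" {status} 196 "-" '
    '"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"'
    for i, (path, status) in enumerate([
        ("", "200"), ("robots.txt", "404"), ("admin/", "404"), ("cgi-bin/test.cgi", "404"),
        ("phpinfo.php", "404"), ("backup.zip", "404"), (".git/HEAD", "404"), ("config.php", "404"),
        ("server-status", "403"), ("wp-login.php", "404"), ("login.php", "404"), ("test.php", "404"),
    ])
]

if __name__ == "__main__":
    print(detect_scanner(SAMPLE_LOG))
```

The User-Agent match is the cheap signal and disappears as soon as someone sets -useragent; the 404-ratio rule is the one that survives that, which is why the thresholds are parameters you can tune to your own site's normal 404 rate.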

Features of Nikto

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker's IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to "fish" for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports "unusual" headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common "parking" sites

For more detail, see the original documentation page: https://cirt.net/nikto2-docs/

How do I perform website scan through Nikto?

Run Nikto

The most basic Nikto scan needs only a host to target; port 80 is assumed if none is specified. The host can be either an IP address or a hostname, and is given with the -h (-host) option. Running nikto with -h and no value prints the available options:

#nikto -h

This scans the host www.cyberpedia.in on TCP port 80:

#nikto -h www.cyberpedia.in

To check a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.56.102 on TCP port 443:

#nikto -h 192.168.56.102 -p 443

Hosts, ports and protocols may also be specified using full URL syntax, and the URL will be scanned:

#nikto -h https://192.168.56.102:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and, if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test:

#nikto -h 192.168.56.102 -p 443 -ssl

The -output option saves the scan report to a file, in a number of different formats such as xml, txt or csv:

#nikto -h 192.168.56.102 -output /root/Desktop/nikto.txt

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports with the -p (-port) option. Ports can be given as a range (e.g., 80-90) or as a comma-delimited list (e.g., 80,88,90). This will scan the host on ports 80, 88 and 443:

#nikto -h 192.168.56.102 -p 80,88,443

Nikto supports scanning multiple hosts in the same session via a text file of host names or IPs. Instead of a host name or IP, a file name can be given to the -h (-host) option. A hosts file must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and from other ports by a colon or a comma. If no port is specified, port 80 is assumed.
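The port and hosts-file rules just described form a small format of their own, and getting it wrong silently scans the wrong thing. The parser below is an added example written for this page, not Nikto's own parser: it expands -p style port specs (ranges, comma lists, or a mix) and reads a hosts file with one host per line and ports separated by ':' or ',', defaulting to port 80. The sample file is constructed and uses documentation addresses.

```python
"""Parser for Nikto-style port specifications and hosts files."""
import re

DEFAULT_PORT = 80


def parse_ports(spec: str) -> list:
    """Expand '80-90', '80,88,443' or a mix of both into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ports.update(range(lo, hi + 1))
        elif part.isdigit():
            ports.add(int(part))
        else:
            raise ValueError(f"bad port {part!r}")
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return sorted(ports)


def parse_host_line(line: str):
    """Split 'host[:|,]port[,port|range...]' into (host, [ports]).
    Returns None for blank and '#' comment lines. IPv6 literals (which contain
    colons) are not handled by this simple host/port split."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The host ends at the first ':' or ','; everything after it is the port list.
    m = re.match(r"([^:,\s]+)(?:[:,](.*))?$", line)
    if not m:
        raise ValueError(f"unparseable line {line!r}")
    host, port_part = m.group(1), m.group(2)
    ports = parse_ports(port_part) if port_part and port_part.strip() else [DEFAULT_PORT]
    return host, ports


def parse_hosts_file(text: str) -> list:
    """Turn a whole hosts file into a list of (host, ports) targets."""
    targets = []
    for line in text.splitlines():
        parsed = parse_host_line(line)
        if parsed:
            targets.append(parsed)
    return targets


# Constructed hosts file in the format described above.
SAMPLE_HOSTS = """\
# web servers to scan
192.0.2.10
192.0.2.11:443
192.0.2.12:80,443,8080
intranet.example.test,8000-8002
"""

if __name__ == "__main__":
    for host, ports in parse_hosts_file(SAMPLE_HOSTS):
        print(host, ports)
```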

Sources: https://cirt.net/nikto2
Gather information using “dig” command in Kali Linux

Dig Overview

dig (Domain Information Groper) is a tool in Kali Linux used to gather information about host addresses, mail exchange servers and name servers by sending queries to a DNS name server. It runs on Linux and Mac OS. It works with a single domain name at a time; to get results for multiple domains you have to run multiple queries.

Dig Usage Options

To see the options available for the dig command, open a terminal and execute the following command:

#dig -h

Dig Usage Instructions

#dig +authority www.google.com

In the above command, the result indicates that the authoritative search went from ns2->ns1->ns4->ns3; that means name server 2 has more authority over the search, according to the context of the domain name, than name server 1.

Now let's fool around with some other commands:

#dig +nssearch www.facebook.com  **searches for name servers**

#dig +additional www.facebook.com  **controls all additional queries**

#dig +nsid www.facebook.com  **searches for the name server's ID**

Similarly, there are other options that can be used for several other purposes. Here we go, folks: yet another command prominent in information gathering.

What can I find using the dig command?

dig will let you perform any valid DNS query, the most common of which are:

  • A (the IP address),
  • TXT (text annotations),
  • MX (mail exchanges), and
  • NS nameservers.

Use the following command to get the addresses for mt-example.com.

 dig mt-example.com A +noall +answer

Use the following command to get a list of all the mailservers for mt-example.com.

 dig mt-example.com MX +noall +answer

Use the following command to get a list of authoritative DNS servers for mt-example.com.

 dig mt-example.com NS +noall +answer

Use the following command to get a list of all the above in one set of results.

dig mt-example.com ANY +noall +answer 

Use the following command to query using a specific nameserver.

dig @ns1.mediatemple.net mt-example.com 

Use the following to trace the path taken.

 dig mt-example.com +trace
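dig answers one name per run, and with +noall +answer it prints only the answer section as "NAME TTL CLASS TYPE RDATA" lines. The parser below is an added example written for this page (it is not part of dig or of the original post): it reads that output and groups records by type, so the results of the separate A, MX, NS and TXT queries shown above can be collected into one structure, with MX exchanges ordered by priority. The sample output is constructed for a fictional zone.

```python
"""Parser for `dig +noall +answer` output."""
from collections import defaultdict


def parse_answer(text: str) -> dict:
    """Group dig answer lines by record type; MX and TXT get light post-processing."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # dig comment (printed unless +noall) or blank line
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not an answer line
        name, ttl, _cls, rtype, rdata = parts
        entry = {"name": name.rstrip("."), "ttl": int(ttl)}
        if rtype == "MX":
            prio, host = rdata.split(None, 1)
            entry.update(priority=int(prio), exchange=host.rstrip("."))
        elif rtype == "TXT":
            # TXT rdata is one or more quoted strings; join them without the quotes.
            entry["text"] = "".join(s.strip('"') for s in rdata.split('" "'))
        else:
            entry["value"] = rdata.rstrip(".")
        records[rtype].append(entry)
    if "MX" in records:
        records["MX"].sort(key=lambda e: e["priority"])
    return dict(records)


def mail_servers(records: dict) -> list:
    """Exchanges in priority order: the usual reason for running the MX query."""
    return [e["exchange"] for e in records.get("MX", [])]


# Constructed output of several `dig ... +noall +answer` runs against a fictional zone.
SAMPLE_ANSWER = """\
mt-example.test.\t3600\tIN\tA\t192.0.2.10
mt-example.test.\t3600\tIN\tA\t192.0.2.11
mt-example.test.\t300\tIN\tMX\t20 mx2.mt-example.test.
mt-example.test.\t300\tIN\tMX\t10 mx1.mt-example.test.
mt-example.test.\t86400\tIN\tNS\tns1.example-dns.test.
mt-example.test.\t3600\tIN\tTXT\t"v=spf1 include:_spf.example-dns.test -all"
"""

if __name__ == "__main__":
    parsed = parse_answer(SAMPLE_ANSWER)
    for rtype, entries in parsed.items():
        print(rtype, entries)
    print("mail servers:", mail_servers(parsed))
```

Feeding the output of a loop over several domains into parse_answer() is the simplest way around dig's one-name-per-query limit mentioned above; the TTL is kept because a very low TTL on an A record is often the first hint of a fast-flux or load-balanced setup worth a closer look.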

Sources: Media Temple, Cyberpedia.in
Enumerating DNS Records through dnsenum tool in Kali Linux

What is DNS Enumeration?

DNS enumeration is the procedure of finding all the DNS servers and their corresponding records for an organization. An organization may have both internal and external DNS servers that can yield data such as usernames, computer names, and IP addresses of potential target systems. There are a lot of tools that can be used to gather information for DNS enumeration; examples are nslookup, DNSstuff, dnsenum, Fierce, host, dig and whois. To enumerate DNS you must understand DNS and how it functions, and you must know the DNS record types. The list of DNS records gives an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:

  • A (address)—Maps a host name to an IP address
  • SOA (Start of Authority)—Identifies the DNS server responsible for the domain information
  • CNAME (canonical name)—Provides additional names or aliases for the address record
  • MX (mail exchange)—Identifies the mail server for the domain
  • SRV (service)—Identifies services such as directory services
  • PTR (pointer)—Maps IP addresses to host names
  • NS (name server)—Identifies other name servers for the domain.

Definition of a Zone Transfer

A Zone Transfer is the term used to refer to the process by which the contents of a DNS Zone file are copied from a primary DNS server to a secondary DNS server.

A Zone transfer will occur during any of the following scenarios:

  • When starting the DNS Service on the secondary DNS server.
  • When the refresh time expires.
  • When changes are saved to the Primary Zone file and there is a Notify List.

Zone Transfers are always initiated by the secondary DNS server. The primary DNS server simply answers the request for a Zone Transfer. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

More Detail : https://support.microsoft.com/en-us/kb/164017

dnsenum description

dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks. It is included in Kali Linux by default and covers the operations listed below.

Operations by dnsenum

The following operations are performed by dnsenum:

  1. Get the host's address (A record).
  2. Get the nameservers (threaded).
  3. Get the MX records (threaded).
  4. Perform AXFR queries on nameservers and get BIND VERSION (threaded).
  5. Get extra names and subdomains via Google scraping (google query = "allinurl: -www site:domain").
  6. Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded).
  7. Calculate C class domain network ranges and perform whois queries on them (threaded).
  8. Perform reverse lookups on netranges (C class and/or whois netranges) (threaded).
  9. Write the IP blocks to the domain_ips.txt file.

 
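Steps 7 and 9 of that list (working out the class C ranges of the resolved addresses and writing the resulting IP blocks out) are a small, self-contained calculation, shown below as an added example written for this page; it is not dnsenum's own code and the domain_ips.txt-style output format is an assumption. It starts from a constructed set of resolved hosts in documentation address space, derives their /24 networks, and merges adjacent /24s so that the non-contiguous blocks dnsenum is looking for stand out.

```python
"""Class C netblock and non-contiguous IP block calculation from resolved hosts."""
import ipaddress


def class_c_networks(addresses):
    """The distinct /24 (class C) networks that a set of IPv4 addresses falls into."""
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addresses}
    return sorted(nets)


def merge_blocks(networks):
    """Collapse adjacent /24s into larger CIDR blocks; what is left is non-contiguous."""
    return list(ipaddress.collapse_addresses(networks))


def ip_block_lines(networks):
    """One 'first-last' line per block (assumed domain_ips.txt-style summary)."""
    return [f"{n[0]}-{n[-1]}" for n in networks]


# Constructed resolution results for a fictional organisation (documentation ranges).
RESOLVED = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.25",
    "ns1.example.test": "198.51.101.5",
    "vpn.example.test": "203.0.113.7",
    "cdn.example.test": "203.0.113.200",
}


def summarise(resolved=RESOLVED):
    """Class C ranges, merged blocks, and the lines that would go to domain_ips.txt."""
    nets = class_c_networks(resolved.values())
    blocks = merge_blocks(nets)
    return {
        "class_c": [str(n) for n in nets],
        "blocks": [str(b) for b in blocks],
        "lines": ip_block_lines(blocks),
    }


if __name__ == "__main__":
    for line in summarise()["lines"]:
        print(line)
```

Whether a merged block really belongs to the target is what the whois step (operation 7) answers; a /24 inferred from a single resolved address may well be a hosting provider's space shared with unrelated customers, so the blocks here are candidates for that check, not a result in themselves.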

General options within dnsenum

Running dnsenum without arguments prints its general options.

Usage example of dnsenum

Don't do a reverse lookup (--noreverse) and save the output to a file (-o result.xml) for the domain example.com:

dnsenum --noreverse -o result.xml example.com

Source: https://www.exploit-db.com/docs/12389.pdf

http://tools.kali.org/information-gathering/dnsenum

https://github.com/fwaeytens/dnsenum

Information Gathering tool “whois”

Definition of whois

whois is a command line utility, part of the information gathering toolset, available on all Linux-based operating systems. It is used to identify

  • Unknown and distant hosts
  • Networks
  • Even network admins, if you use the command the right way and you are lucky enough

IN TECHNICAL TERMS:

"WHOIS is a database managed by the local internet registrar, making available to us information about the owner, for example his contact details, his organization and domain IP, as well as his geographical location."

The usage of whois

The usage of whois varies widely from system to system, but a common ground is that you give the IP address or domain name after the command.

The whois command behaves differently for an IP address and for a site name:

  • For an IP address the information is much more substantial. Here you get addresses, phone numbers, organization handles and everything.
  • For a site name you get the server name, the registrar and the referral URL, which is of course for the whois command. As you can notice, the information is certainly less substantial, but fun and relevant if you are just starting.

Typing whois --help will give you further information.

Whois Example Demo

The usage of the command in Kali Linux systems is as follows:

whois <ip address/name of the website you want access the information to>

For example:

$whois cybersecuritynotes.com
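whois output is free text whose "Key: Value" lines differ from registry to registry, so pulling the useful fields out by hand gets tedious. The script below is an added example written for this page (not the whois utility's code): it matches the common key spellings case-insensitively, collects repeated keys such as name servers, and turns the expiry date into a days-left figure that a defender can alert on for their own domains. The response it parses is constructed, not a real lookup; the key aliases are the ones commonly seen and are an assumption, not a complete list.

```python
"""Pull the useful fields out of a whois response."""
import re
from datetime import datetime

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$")

# Normalised field name -> key spellings seen in registry output (assumed, not exhaustive).
FIELD_ALIASES = {
    "registrar": {"registrar", "sponsoring registrar"},
    "name_servers": {"name server", "nserver"},
    "created": {"creation date", "created", "registered on"},
    "expires": {"registry expiry date", "expiry date", "expiration date", "expires on"},
    "registrant_org": {"registrant organization", "registrant organisation", "org"},
    "dnssec": {"dnssec"},
}


def parse_whois(text: str) -> dict:
    """Map known keys to normalised names; name servers become a sorted list."""
    info = {"name_servers": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        for name, aliases in FIELD_ALIASES.items():
            if key in aliases:
                if name == "name_servers":
                    info["name_servers"].append(value.lower().rstrip("."))
                else:
                    info.setdefault(name, value)  # first occurrence wins
                break
    info["name_servers"] = sorted(set(info["name_servers"]))
    return info


def _parse_ts(value: str) -> datetime:
    """ISO 8601 timestamp as most registries print it; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_until_expiry(info: dict, now_iso: str) -> int:
    """Whole days from `now_iso` until the registration expires."""
    return (_parse_ts(info["expires"]) - _parse_ts(now_iso)).days


# Constructed response in the common gTLD layout (fictional registration).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NOTES.TEST
Registry Domain ID: 0000000_DOMAIN_TEST-VRSN
Registrar: Fictional Registrar LLC
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2025-03-02T10:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-06-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS)
    print(info)
    print("days until expiry:", days_until_expiry(info, "2024-06-01T00:00:00Z"))
```

The "REDACTED FOR PRIVACY" value shows why the text above calls the domain-name lookup less substantial than the IP lookup: since GDPR most registrars publish only the registrar and name servers, so the expiry date and the DNSSEC flag are often the most actionable fields left.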

Search Senstive Data through Metagoofil Kali Linux 2.0

Description of Metagoofil in Kali Linux 2.0

As per the official website, Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.

Metagoofil will perform a search in Google to identify and download the documents to local disk and then extract the metadata with different libraries such as Hachoir and PdfMiner. With the results it generates a report with usernames, software versions and servers or machine names that will help penetration testers in the information gathering phase.
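The usernames and software versions Metagoofil reports are sitting in plain XML inside the documents themselves. The script below is an added example written for this page, not Metagoofil's code, and it uses only the standard library: a .docx/.xlsx/.pptx file is a zip archive whose docProps/core.xml and docProps/app.xml parts carry the author, the last editor and the application version, and those are read out here. A minimal document with fictional property values is constructed in memory so it runs without any real file; checking your own published documents this way before upload is the defensive counterpart of what the tool does.

```python
"""Extract the author / last-editor / application metadata from an OOXML document."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return creator / last editor / application fields from a docx, xlsx or pptx."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["app_version"] = _text(app, "ep:AppVersion")
            meta["company"] = _text(app, "ep:Company")
    return meta


def leaked_identities(meta: dict) -> set:
    """The account / person names a document reveals if published as-is."""
    return {v for k, v in meta.items() if k in ("creator", "last_modified_by") and v}


def build_sample_docx() -> bytes:
    """Construct a minimal .docx with populated properties (fictional values)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>DOMAIN\\asmith</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>16.0000</AppVersion>"
        "<Company>Example Corp</Company>"
        "</Properties>" % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Only the parts this example reads are populated; a real file has more.
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    print(meta)
    print("identities exposed:", leaked_identities(meta))
```

The lastModifiedBy value in the sample is written in DOMAIN\user form on purpose: documents edited on a domain-joined machine often carry the Windows account name, which is more useful to an attacker (and more worth scrubbing) than a display name.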

Installation of Metagoofil Kali Linux 2.0

Metagoofil came with previous versions of Kali Linux by default, but Kali Linux 2.0 does not include it. So you will have to install it to search for sensitive data of an organization.

#apt-get update

#apt-get install metagoofil


Usages

Usage: metagoofil options

-d: domain to search

-t: filetype to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)

-l: limit of results to search (default 200)

-h: work with documents in directory (use “yes” for local analysis)

-n: limit of files to download

-o: working directory (location to save downloaded files)

-f: output file


Metagoofil usage demo

Example : metagoofil -d www.hitechinstitute.in -t doc,pdf -l 200 -n 50 -o /root/Desktop/metagoofil/ -f results.html


8 Steps to run Maltego Kali Linux – beginner guide

Getting familiar with Maltego in Kali Linux

Welcome! I am glad you are here and continue reading my notes on the Penetration Testing tutorial. This post is part of Information Gathering and covers Maltego in Kali Linux, an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.

What does Maltego do ?

  • Maltego is an information gathering tool included in Kali Linux by default and can be used for determining the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is available for Windows, Mac and Linux. You can download and install it on any platform.
  • Maltego comes with a graphical interface that makes it easy to use and to see these relationships instantly and accurately.
  • Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

Use of Maltego as an information gathering tool:

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to "hidden" information determines your success, Maltego can help you discover it.

Run Maltego in Kali Linux

As you know, Maltego is available in Kali Linux by default, so you can run it by going to Applications > Information Gathering > maltegoce

Or simply run the command in a terminal as a normal or super user:

$maltego &

The welcome screen will appear.

Registration/login on Maltego Server:

When you run Maltego in Kali Linux the welcome screen appears and the setup wizard starts. Click Next to jump to the next step.

Step 2: This screen logs the user in on the Maltego server. If you are new, register on Maltego's website https://www.paterva.com/web6/community/maltego/ and then log in with the right credentials (username and password).

If you enter the right credentials, the login result will appear something like the image.

Step 3: When you have logged in successfully on the Maltego server, select the transform seeds and install them. After the transform installation completes you are ready to run a new Machine for gathering information.

Step 4: Select Run new Machine and click Finish.

Step 5: A new wizard will pop up; you can run a Machine with the current wizard, or cancel it and run one from the Maltego program. If you want to run a Machine with this wizard, select the Machine type and click Next.

Step 6: If you select Company Stalker you will have to specify the target (domain name) in a new window. Provide the domain (target) and click Finish.

After the stalker runs successfully you will get a result like the following.

Step 7: Create a New Graph.

Step 8: Start a new graph by clicking in the left corner. Drag and drop a Domain entity, enter the domain name, then right-click on the domain and run the desired transform.

Give the domain name; I am going to use cyberpedia.in.

My next target is to gather information about email addresses, so I need the transform "Email addresses from Domain". If you want to do the same, right-click on the domain and select Email addresses from Domain.

New transforms will appear; try each and every one and you will get some interesting results.

Result here:

Run other transforms to get details of name servers, mail servers, IP addresses and much more.

Infrastructure Reconnaissance

Maltego helps to gather a lot of information about the infrastructure. In order to start gathering information, select the desired entity from the palette. In this example, we are going to scan a domain. Select the Domain option from the palette and drag it to the workspace. Enter the target domain. Now right-click on the entity and you should get a window that says "Run Transform" with additional relevant options.

Run the required transform and find out information like the MX, NS and IP address. We can then use transforms like ‘IPAddressToNetblock’ to break a large netblock into smaller networks for better understanding.

Also we can find the shared domains. We can determine information like IP addresses for domains and other internal networks, the netblocks which are used by the target, etc.

Personal Reconnaissance

Maltego helps you find information about a person, like their email address, social profiles, mutual friends, various files shared on various URLs, etc. Select the desired option from the palette. Here I am going to select the option ‘Person’ and will enter the name of the person I will be trying to gather information about.

Right-click on the ‘Person’ option and select the desired transforms. First let’s find the email address related to the person and try to gather more information. With Maltego, we can find their SNS information from Facebook, Flickr, etc.

Various entities in Facebook were detected by using the transform “toFacebookaffiliation.” This method generally looks for a Facebook affiliation that matches closely to a person’s name based on the first and last name and weighs each result accordingly. With Maltego we can also find mutual friends of two targeted persons in order to gather more information.

Similarly, we can find if the user has uploaded any files in pastebin or any other public URLs. Having all this information can be useful for performing a social engineering-based attack.
