MODULE 4:- Information Gathering

1. How to use dnsenum for dns enumeration – Kali
2. How to use dig command in Kali Linux
3. whois Kali Linux commands with example
4. Enumerating DNS Records through dnsenum tool in Kali Linux
5. Email Harvesting by theharvester tool in Kali Linux
6. Google Hacking | Open Web Information Gathering
7. dnsmap | DNS Domain name system brute force attacks
8. Zone Transfer using dnswalk tool
9. Website information Gathering through Nikto tool
10. Search Senstive Data through Metagoofil Kali Linux 2.0
11. 8 Steps to run Maltego Kali Linux – beginner guide

Overview of dnswalk

dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.

Source: http://sourceforge.net/projects/dnswalk/

You can get the information about the dnswalk tool by executing following command, there are many tools included in dnswalk and can be run by using deference switches.

#dnswalk –help

dnswalk Options

-r     Recursively descend sub-domains of the specified domain.
-a     Turn on warning of duplicate A records.
-d     Print debugging and ‘status’ information to stderr.  (Use only if redirecting stdout).
-m     Perform checks only if the zone has been modified since the previous run.
-F     Perform  “fascist”  checking.  When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches.
-i     Suppress check for invalid characters in a domain name.
-l     Perform  “lame  delegation”  checking.   For every NS record, check to see that the listed host is  indeed returning authoritative answers for this domain.

dnswalk Usage Example

When you are running dnswalk command then you will have to put “.” (d0t) in the end of the domain name for example if the domain name is cyberpedia.in you have to specify cyberpedia.in. Zone transfer is disabled by default in most of domains and can be enabled by administrator. Here is the result disabled zone transfer domain.

If zone transfer is disabled then you can use -f switch to transfer zone forceful.

MODULE 4:- Information Gathering

1. How to use dnsenum for dns enumeration – Kali
2. How to use dig command in Kali Linux
3. whois Kali Linux commands with example
4. Enumerating DNS Records through dnsenum tool in Kali Linux
5. Email Harvesting by theharvester tool in Kali Linux
6. Google Hacking | Open Web Information Gathering
7. dnsmap | DNS Domain name system brute force attacks
8. Zone Transfer using dnswalk tool
9. Website information Gathering through Nikto tool
10. Search Senstive Data through Metagoofil Kali Linux 2.0
11. 8 Steps to run Maltego Kali Linux – beginner guide

What is nikto ?

Nikto is one of the most popular web server scanners designed to fingerprint and test web servers for a variety of possible weaknesses including potentially dangerous files and out-of-date versions of applications and libraries. It is written in Perl language.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Features of Nikto

• • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
  Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability
  checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root
  directory
  • Enhanced false positive reduction via multiple methods: headers,
  page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  More detail go for original documentation page https://cirt.net/nikto2-docs/

How do I perform website scan through Nikto?

Run Nikto

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:
#nikto -h

#nikto -h www.cyberpedia.in

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:
#nikto -h 192.168.56.102 -p 443
Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:
#nikto -h https://192.168.56.102:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.
#nikto -h 192.168.56.102 -p 443 -ssl
There is one option to save scan report into the file with difference-2 format for example xml txt csv etc
#nikto -h 192.168.56.102 –output /root/Destop/nikto.txt

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.
#nikto -h 192.168.56.102 -p 80,88,443
Nikto support scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and other ports via a colon or a comma. If no port is specified, port 80 is assumed.

Sources: https://cirt.net/nikto2,

MODULE 4:- Information Gathering

1. How to use dnsenum for dns enumeration – Kali
2. How to use dig command in Kali Linux
3. whois Kali Linux commands with example
4. Enumerating DNS Records through dnsenum tool in Kali Linux
5. Email Harvesting by theharvester tool in Kali Linux
6. Google Hacking | Open Web Information Gathering
7. dnsmap | DNS Domain name system brute force attacks
8. Zone Transfer using dnswalk tool
9. Website information Gathering through Nikto tool
10. Search Senstive Data through Metagoofil Kali Linux 2.0
11. 8 Steps to run Maltego Kali Linux – beginner guide

What is DNS Enumeration?

DNS identification is the procedure of finding all the DNS servers and their relating records for an organization. An organization may have both internal and external DNS servers that can yield data, for example, usernames, PC names, and IP addresses of potential target System. There are a lot of tools that can be used to gain information for performing DNS enumeration. The examples of tool that can be used for DNS enumeration are NSlookup, DNSstuff, dnsenum, firecie,host,dig and Whois. To enumerate DNS, you must have understanding about DNS and how it functions. You must have knowledge about DNS records. The list of DNS record provides an overview of types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:

• A (address)—Maps a host name to an IP address
• SOA (Start of Authority)—Identifies the DNS server responsible for the domain information
• CNAME (canonical name)—Provides additional names or aliases for the address record
• MX (mail exchange)—Identifies the mail server for the domain
• SRV (service)—Identifies services such as directory services
• PTR (pointer)—Maps IP addresses to host names
• NS (name server)—Identifies other name servers for the domain.

Definition of a Zone Transfer

A Zone Transfer is the term used to refer to the process by which the contents of a DNS Zone file are copied from a primary DNS server to a secondary DNS server.

A Zone transfer will occur during any of the following scenarios:

• When starting the DNS Service on the secondary DNS server.
• When the refresh time expires.
• When changes are saved to the Primary Zone file and there is a Notify List.

Zone Transfers are always initiated by the secondary DNS server. The primary DNS server simply answers the request for a Zone Transfer. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

More Detail : https://support.microsoft.com/en-us/kb/164017

dnsenum description

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks. This tool is inbuilt in kali Linux by default and following options are covered by this tool.

Operations by dnsenum

Following operation are performed by dnsenum:

1. Get the host’s addresse (A record).
2. Get the namservers (threaded).
3. Get the MX record (threaded).
4. Perform axfr queries on nameservers and get BIND VERSION (threaded).
5. Get extra names and subdomains via google scraping.
   (google query = “allinurl: -www site:domain”).
6. Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
7. Calculate C class domain network ranges and perform whois queries on them (threaded).
8. Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).
9. Write to domain_ips.txt file ip-blocks.

General Options with in dnsenum

Usage example of dnsenum

Don’t do a reverse lookup (–noreverse) and save the output to a file (-o result.xml) for the domain example.com:

Source: https://www.exploit-db.com/docs/12389.pdf

http://tools.kali.org/information-gathering/dnsenum

https://github.com/fwaeytens/dnsenum