1 00:00:00,480 --> 00:00:06,720 Welcome back, since this is our first video in information gathering, we're going to start off with
2 00:00:06,720 --> 00:00:07,890 something easy.
3 00:00:08,810 --> 00:00:13,370 Let us see how we can identify our target and get its IP address.
4 00:00:14,180 --> 00:00:18,740 We are going to check how we can do this both actively and passively.
5 00:00:19,730 --> 00:00:26,240 Let's do it with active information gathering first, so this means we are going to interact with our
6 00:00:26,240 --> 00:00:26,760 target.
7 00:00:27,680 --> 00:00:31,460 So just go on Google and pick a website that you want to use for this.
8 00:00:31,700 --> 00:00:33,650 It can be any website that you want.
9 00:00:33,860 --> 00:00:37,250 And you can also use the ones that I will show in this video.
10 00:00:37,760 --> 00:00:39,170 First, open up your terminal.
11 00:00:40,600 --> 00:00:48,490 And what we're going to do for the first test, I'm going to use this website, this is just some university
12 00:00:48,490 --> 00:00:53,020 page that I picked, and what we can do to get its IP address is to ping it.
13 00:00:54,040 --> 00:01:00,850 Most of you will already be familiar with the ping tool, since it is installed by default on any operating
14 00:01:00,850 --> 00:01:05,020 system. By pinging this website, or any other website,
15 00:01:05,470 --> 00:01:09,190 we are sending something called ICMP packets to that website.
16 00:01:09,400 --> 00:01:14,420 And if we get responses back, that means that website is up and running.
17 00:01:14,920 --> 00:01:19,150 But what we also get besides that response is the IP address.
18 00:01:20,290 --> 00:01:21,340 So let's try it out.
19 00:01:21,760 --> 00:01:30,730 I will paste this link right here and I will just add "ping" and a space at the beginning, and then hit enter.
20 00:01:32,240 --> 00:01:39,140 And it seems that we are not getting any responses back, but what we did get is an IP address.
21 00:01:39,740 --> 00:01:46,420 Here it is, and we are not getting responses back from this site because it is probably blocking ping
22 00:01:46,430 --> 00:01:48,770 probes, which some websites often do.
23 00:01:49,820 --> 00:01:53,830 Let us try another site to see how it looks once we get responses back.
24 00:01:54,380 --> 00:02:00,530 So to stop this, you can simply just press Ctrl+C, and it will tell us 32 packets transmitted
25 00:02:00,530 --> 00:02:02,600 and 100 percent packet loss.
26 00:02:03,350 --> 00:02:10,130 Now, this doesn't mean that this website is offline, since if we visited this link right here or this
27 00:02:10,130 --> 00:02:13,010 IP address, we would open a page to that website.
28 00:02:13,730 --> 00:02:19,490 But just in case, let us see what it looks like once we get a response back from the command.
29 00:02:20,390 --> 00:02:24,320 If we try to ping a big website, for example, like Facebook.
30 00:02:24,590 --> 00:02:28,220 So let's type ping facebook.com.
31 00:02:31,390 --> 00:02:39,190 Here we get an IP address of Facebook, and we can press Ctrl+C, since we can notice that we are getting
32 00:02:39,190 --> 00:02:44,650 packets back, which means Facebook is up and running and also responding to our ICMP packets.
33 00:02:45,550 --> 00:02:51,370 Just to note, this IP address right here is just one of the IP addresses that Facebook uses.
34 00:02:52,060 --> 00:02:55,810 So for you, once you ping it, you will probably get a different result.
35 00:02:56,450 --> 00:03:04,060 OK, what we saw right here is an example of active information gathering to get the IP address, since
36 00:03:04,210 --> 00:03:06,940 we directly sent packets to these websites.
37 00:03:08,360 --> 00:03:13,160 Another tool you can use to get the IP of a website is called nslookup.
38 00:03:14,180 --> 00:03:23,090 So if I go down here and type nslookup and then the name of the website, which in our case, let's
39 00:03:23,090 --> 00:03:25,670 try with the first one, which is this one.
40 00:03:26,540 --> 00:03:29,180 And once again, you can test any website you want with this.
41 00:03:29,790 --> 00:03:32,600 It doesn't matter. If I press enter,
42 00:03:34,220 --> 00:03:40,640 it will give me this response which says server and address right here, but this is not the IP address
43 00:03:40,850 --> 00:03:41,840 of this website.
44 00:03:42,110 --> 00:03:43,730 This is just my router.
45 00:03:44,180 --> 00:03:49,430 And the result, where the IP address of this website is, is down here.
46 00:03:50,470 --> 00:03:57,610 Here it is, and if we compare this one and we go back to the ping command, you will notice the IP address
47 00:03:57,610 --> 00:03:58,180 is the same.
48 00:03:58,990 --> 00:04:01,150 So we got the same result, which is good.
49 00:04:02,140 --> 00:04:03,510 Let's try the same with Facebook.
50 00:04:03,520 --> 00:04:07,270 So just type right here nslookup facebook.com.
51 00:04:10,700 --> 00:04:13,850 And we also get the IP address of Facebook.
52 00:04:15,520 --> 00:04:21,010 Now, if you wanted to do this passively, you would search for this information, such as the IP address,
53 00:04:21,190 --> 00:04:24,470 over some other website. Let us see how we can do that.
54 00:04:24,970 --> 00:04:27,430 First of all, we want to open our Firefox.
55 00:04:27,430 --> 00:04:33,220 And to do that, just click on this Kali icon in the top left corner and type Firefox.
56 00:04:34,640 --> 00:04:42,620 You should see Firefox ESR. Click on it, and what we're going to look for is a website that provides
57 00:04:42,620 --> 00:04:45,800 us with the IP address of a different website.
58 00:04:46,850 --> 00:04:52,280 And since I don't know any website that does that, I will simply just go right here in the search bar
59 00:04:53,030 --> 00:04:53,930 and type.
60 00:04:54,380 --> 00:04:58,580 What is the IP address of this website?
61 00:04:59,540 --> 00:05:06,650 If I press enter, it should probably give me a few results of different websites that will do exactly
62 00:05:06,680 --> 00:05:10,370 what we want, which is get the IP address of another website.
63 00:05:11,250 --> 00:05:19,350 And let's go with this one, IP Tracker, which is ipinfo.info. If I click on it, down here
64 00:05:19,350 --> 00:05:26,730 we see something that says IP domain checker, where we need to specify the IP address, the domain or the
65 00:05:26,730 --> 00:05:27,120 URL.
66 00:05:28,110 --> 00:05:34,950 And if we type the domain name of that first website, so if I type the same domain name.
67 00:05:37,110 --> 00:05:38,730 And click right here on Check.
68 00:05:39,900 --> 00:05:46,530 OK, so some security check, select all the traffic lights, let's select all traffic lights that we see
69 00:05:48,630 --> 00:05:54,450 and here is the result. You will notice that right here we get even more information
70 00:05:54,810 --> 00:05:59,720 than we asked for. For example, here is the IP address of this website.
71 00:06:00,510 --> 00:06:04,890 We also get which country it is from, as it says right here in the brackets.
72 00:06:05,190 --> 00:06:09,780 And we also get its geolocation, which even says the city.
73 00:06:10,200 --> 00:06:13,220 We can also check it out on Google Maps if we wanted to.
74 00:06:14,480 --> 00:06:20,420 Down here, we get even more information, such as reverse DNS. Here we get information about the registration
75 00:06:20,420 --> 00:06:23,180 date, modification date, expiration date.
76 00:06:24,100 --> 00:06:29,480 Down here, we get some of the DNS servers, and here we get its physical address.
77 00:06:29,950 --> 00:06:33,640 So this is the exact location where this server is located.
78 00:06:34,730 --> 00:06:36,710 Now, this is just the same result, I believe.
79 00:06:37,040 --> 00:06:41,660 Down here, we also get some email addresses, as we can notice right here.
80 00:06:42,020 --> 00:06:46,550 All of this could be useful for us, depending on which type of attack we would plan.
81 00:06:47,210 --> 00:06:51,590 Now, of course, we are not going to be attacking this website since we do not have permission, but
82 00:06:51,800 --> 00:06:57,500 we are simply just gathering information to see what we can retrieve from the Internet about this website.
83 00:06:57,740 --> 00:07:02,660 And from now on, we are getting a bunch of information about it.
84 00:07:02,660 --> 00:07:05,560 Now, a similar response to what we got right here
85 00:07:06,230 --> 00:07:13,700 we can get using a tool called whois. Whois not only gives us the IP address of the specified domain,
86 00:07:13,760 --> 00:07:17,330 but also gives us a bunch of other information about that domain.
87 00:07:18,280 --> 00:07:21,850 It is already installed in Kali Linux, so let's test it out.
88 00:07:22,060 --> 00:07:23,230 If I close this page.
89 00:07:24,960 --> 00:07:27,210 And type in my terminal whois,
90 00:07:28,280 --> 00:07:31,550 the same domain name, and press enter.
91 00:07:32,860 --> 00:07:37,570 I will pretty much get the same information that we saw previously on the website.
92 00:07:39,330 --> 00:07:45,930 As we can see right here, we get those DNS servers, the registration date, modification date, expiration
93 00:07:45,930 --> 00:07:52,650 date, we get the physical address and some other things, such as ID number, tax ID, which is not
94 00:07:52,650 --> 00:07:53,940 really of interest to us.
95 00:07:55,130 --> 00:08:02,470 And let us also test this tool on Facebook, since different websites might give different information.
96 00:08:02,960 --> 00:08:09,140 For example, if I do the same on Facebook, since it is a much bigger site, it will probably give
97 00:08:09,140 --> 00:08:11,310 us much more information as well.
98 00:08:11,930 --> 00:08:12,890 So let's type it.
99 00:08:12,890 --> 00:08:15,530 whois facebook.com.
100 00:08:16,530 --> 00:08:23,190 Press enter, let me just enlarge the terminal so we can see everything clearly, and if I scroll all
101 00:08:23,190 --> 00:08:24,030 the way up.
102 00:08:25,290 --> 00:08:31,210 We get some name servers, the street, city, state/province, postal code.
103 00:08:31,230 --> 00:08:33,550 We also get some phone numbers right here.
104 00:08:34,440 --> 00:08:37,590 Here are some of the email addresses, the tech email.
105 00:08:38,470 --> 00:08:42,810 So we get another email address right here and even more phone numbers.
106 00:08:43,930 --> 00:08:50,520 We get the city, the street, and if I go all the way up, we can see that this is a whois response.
107 00:08:50,530 --> 00:08:54,860 So all this information is public to us, and this would be pretty much it.
108 00:08:54,880 --> 00:08:58,630 This is all the information we get for Facebook using the whois tool.
109 00:09:00,000 --> 00:09:06,660 And by the way, in real penetration tests that you will perform, all of the interesting information
110 00:09:06,660 --> 00:09:09,630 is something that you want to write down in your report.
111 00:09:10,350 --> 00:09:16,980 For now, we only saw how we can get basic information, such as IP addresses, country of origin, physical
112 00:09:16,980 --> 00:09:18,000 address and similar.
113 00:09:18,780 --> 00:09:24,660 But later, during information gathering and scanning, we might find something that shouldn't be out
114 00:09:24,660 --> 00:09:28,480 there on the Internet, and that would be called information disclosure.
115 00:09:29,400 --> 00:09:33,840 It is something that the client doesn't want to be seen, but it is still publicly available.
116 00:09:34,590 --> 00:09:38,480 So anything that you might think is interesting, you would write down.
117 00:09:39,360 --> 00:09:40,100 OK, great.
118 00:09:40,620 --> 00:09:46,830 Now we know how we can identify a target by getting its IP address and also getting its physical address
119 00:09:46,830 --> 00:09:48,860 and some other interesting information as well.
120 00:09:49,380 --> 00:09:53,760 And even though this isn't really hard information to get, it is a good beginning.
121 00:09:54,340 --> 00:09:55,650 Let us see in the next video
122 00:09:55,840 --> 00:09:57,350 what else we can find out.