1
00:00:01,410 --> 00:00:08,160
Domain and host related info. So, in a conducted web penetration test, you're generally close to a black

2
00:00:08,160 --> 00:00:15,180
box testing, as we mentioned before, so we have, well, hardly any information about the target,

3
00:00:15,330 --> 00:00:15,860
if any.

4
00:00:16,710 --> 00:00:17,580
Maybe just a URL,

5
00:00:17,580 --> 00:00:22,610
IP address or a domain name is given to us.

6
00:00:23,910 --> 00:00:30,480
So to start testing and gathering information, we'll need to dig around with only an IP or domain name,

7
00:00:30,690 --> 00:00:31,380
no problem.

8
00:00:32,470 --> 00:00:40,000
So in this section, we're going to first extract domain registration information by using the whois

9
00:00:40,000 --> 00:00:40,480
service.

10
00:00:41,610 --> 00:00:48,630
Then we're going to use the extracted information to get subdomains of the target and even the other

11
00:00:48,630 --> 00:00:49,680
hosts in the network.

12
00:00:50,680 --> 00:00:56,170
And then, if it's possible, we're going to discover the applications that are served on the same server

13
00:00:56,200 --> 00:00:57,490
or same service.

14
00:00:58,300 --> 00:00:58,660
All right.

15
00:00:58,660 --> 00:01:01,030
So let's start with the whois service.

16
00:01:02,620 --> 00:01:07,990
When registering a domain, the domain owner needs to provide his personal information to the domain

17
00:01:07,990 --> 00:01:12,010
registrar, such as name, phone number and other contact information.

18
00:01:13,240 --> 00:01:17,260
And all this is public information due to the nature of the whois service.

19
00:01:18,200 --> 00:01:23,660
So that means that you can view the name, address, phone number and email address of the person or

20
00:01:23,660 --> 00:01:25,910
entity who registered the domain.

21
00:01:26,930 --> 00:01:33,380
If you query the registrar's whois service, you can get this information, but sometimes the registrars

22
00:01:33,380 --> 00:01:38,720
can hide this if they have a service to replace the owner information with theirs.

23
00:01:39,990 --> 00:01:47,100
Whois records hold the registration details provided by the domain owner to the domain registrar.

24
00:01:48,100 --> 00:01:58,300
Yes, I say whois. Whois is a protocol that works on port TCP 43, and there are multiple whois servers

25
00:01:58,330 --> 00:02:00,000
on the Internet around the world.

26
00:02:01,370 --> 00:02:08,090
These servers are operated by regional Internet registrars, so they are used to extract information

27
00:02:08,090 --> 00:02:11,570
about the domains and the associated contact information.

28
00:02:12,560 --> 00:02:15,770
OK, so open your terminal in Kali.

29
00:02:16,900 --> 00:02:22,750
And thanks to our developers, Kali has a whois client, and it's very easy to use.

30
00:02:23,640 --> 00:02:29,130
OK, so type whois to see the help file, and we're going to use that.

31
00:02:30,730 --> 00:02:38,080
So let's think of google.com as your target domain, and you've got to wonder about Google's registration

32
00:02:38,080 --> 00:02:38,720
info, right?

33
00:02:39,340 --> 00:02:43,120
So type whois google.com and hit enter.

34
00:02:45,100 --> 00:02:50,020
OK, so this is the output for this domain. It's long, so scroll.

35
00:02:51,500 --> 00:02:57,770
And as you're seeing this with me, the registrar for this domain is MarkMonitor.

36
00:02:58,930 --> 00:03:01,270
The dates of the validity period are also displayed.

37
00:03:02,220 --> 00:03:07,560
The output of a whois query also points out the DNS servers for google.com.

38
00:03:09,640 --> 00:03:13,180
And those will help us to find additional hosts in the domain.

39
00:03:14,560 --> 00:03:16,810
So now I will run another whois query.

40
00:03:18,020 --> 00:03:23,840
But first, let me get the google.com IP address: host google.com.

41
00:03:25,950 --> 00:03:29,970
And the host command performs a reverse IP lookup.

42
00:03:31,280 --> 00:03:35,450
So when you give the domain, it returns the corresponding IP address.

43
00:03:36,860 --> 00:03:43,310
So type whois -h whois.arin.net.

44
00:03:44,910 --> 00:03:46,940
Now, I will copy this IP address.

45
00:03:48,580 --> 00:03:53,680
With the -h parameter, you can point to a specific whois server to query.

46
00:03:54,940 --> 00:03:55,750
So hit enter.

47
00:03:57,150 --> 00:03:59,100
And again, you get a long output.

48
00:04:00,350 --> 00:04:06,560
But it's got a lot of information, such as network range, phone number and address.

49
00:04:07,730 --> 00:04:12,300
So whois queries are very handy to investigate a domain name.

50
00:04:13,580 --> 00:04:17,860
There are also online whois services, and you've probably had a look at them.

51
00:04:17,870 --> 00:04:19,220
You may want to look at them again.

