Report on Information Gatherin

Using Pen testing Tools

BCS211149-MUHAMMAD IMAZ
BCS211150-Waleed Ahmed Ali
BCS211046-Wajahat Imtiaz
[email protected]

Submitted To:
Mam SNOOBER NASEER
Abstract:
This report provides an overview of information gathering techniques using Kali
Linux tools for websites. Information gathering is a crucial phase in any
cybersecurity assessment or penetration testing activity. Kali Linux, a powerful and
popular penetration testing distribution, offers a range of tools and utilities that can
assist in gathering essential information about target websites. This report explores
some of the commonly used tools in Kali Linux and their applications for website
information gathering.

Introduction
In today's interconnected world, where organizations heavily rely on the internet to
conduct their business, cybersecurity has become a paramount concern. With the
increasing prevalence of cyber threats and attacks, it is crucial for organizations to
proactively assess the security posture of their digital assets, including websites.
One essential phase in any cybersecurity assessment or penetration testing activity
is information gathering.
Information gathering involves collecting, analyzing, and understanding critical data
about the target website, its infrastructure, and potential vulnerabilities. This
process provides valuable insights into the website's security vulnerabilities,
potential attack vectors, and overall risk level. By obtaining comprehensive
knowledge about the target, organizations can develop effective strategies to
mitigate risks, strengthen their security posture, and protect their sensitive data.
The scope of this report encompasses an introduction to Kali Linux as a penetration
testing distribution, followed by an in-depth exploration of the various tools
available in Kali Linux for website information gathering. We will examine tools such
as Nmap, TheHarvester, DNSRecon, SUbFinder, highlighting their functionalities,
features, and practical applications.

Nmap:
Nmap, short for "Network Mapper," is a versatile and widely used open-source tool
available in Kali Linux for network exploration and security auditing. Nmap and its
capabilities: Nmap is designed to scan networks, discover hosts, and identify open
ports and services running on target systems. It uses a combination of active and
passive scanning techniques to gather information about network hosts and their
associated services.
Nmap's key capabilities include:
1. Port Scanning:
Nmap allows users to scan target systems for open ports. By probing different
ports, Nmap determines which ports are accepting connections, indicating
potential entry points for attackers. Port scanning provides critical insights
into the network's exposure to potential vulnerabilities.
 2. OS Fingerprinting:
Nmap employs various techniques to identify the operating system (OS) running on
the target system. It analyzes network responses to determine specific
characteristics and behaviors that can be used to deduce the underlying OS.

3. UDP Port Scanning:

UDP scanning involves sending UDP packets to target ports and examining the
responses. The "-sU" command instructs Nmap to perform UDP scanning, probing
the specified ports for open, closed, or filtered states. It helps in identifying potential
services running on UDP ports and assessing their security posture.
DNSRecon:

DNSRecon is a Python script that provides the ability to perform:

 Check all NS Records for Zone Transfers.
 Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA,
SPF and TXT).
 Perform common SRV Record Enumeration.
 Top Level Domain (TLD) Expansion.
 Check for Wildcard Resolution.
 Brute Force subdomain and host A and AAAA records given a domain and a
wordlist.
 Perform a PTR Record lookup for a given IP Range or CIDR.
 Check a DNS Server Cached records for A, AAAA and CNAME
 Records provided a list of host records in a text file to check.
 Enumerate Hosts and Subdomains using Google
SubFinder:
A package that contains a subdomain discovery tool that discovers valid subdomains for
websites by using passive online sources. It has a simple modular architecture and is
optimized for speed. subfinder is built for doing one thing only - passive subdomain
enumeration, and it does that very well.
TheHarvester:
theHarvester is a simple to use, yet powerful tool designed to be used during the
reconnaissance stage of a red
team assessment or penetration test. It performs open source intelligence (OSINT)
gathering to help determine
a domain's external threat landscape. The tool gathers names, emails, IPs,
subdomains, and URLs by using
multiple public resources that include:
1. ASN’s and Employee Names:

 Rest of the Employee names can be shared in soft format

2. Related IP’s of the Website:

3. Employee and their Occupation:

 Rest of the data can be shared in soft format.
4. Website Hosts:
Vulnerabilities and Recommendation:

DNSSEC is a security protocol that adds an additional layer of protection to the DNS
infrastructure by digitally signing DNS records. Its purpose is to prevent various DNS-based
attacks, such as DNS spoofing or cache poisoning.
The absence of DNSSEC configuration for a domain does not necessarily mean that it can
be directly exploited. However, it does pose a potential security risk. Without DNSSEC,
there is a possibility that an attacker could manipulate DNS responses and redirect users to
malicious websites or intercept their communications. Without DNSSEC, an attacker can
potentially manipulate DNS responses through various methods, such as DNS cache
poisoning or DNS spoofing. Here's a high-level overview of how these attacks work:
1. DNS Cache Poisoning: In this attack, the attacker exploits a vulnerability in a DNS
server's caching mechanism. They send malicious DNS responses to the server,
containing false information that gets stored in the server's cache. When legitimate
users send DNS queries to the server, they receive the manipulated DNS responses,
leading them to malicious websites or incorrect destinations.
2. DNS Spoofing: In DNS spoofing, the attacker intercepts DNS queries and responds
with falsified DNS responses before the legitimate DNS server can provide the
correct response. This can be accomplished through various means, such as ARP
(Address Resolution Protocol) spoofing or DNS hijacking. By spoofing DNS
responses, the attacker can redirect users to malicious websites under their control.
By exploiting these vulnerabilities in the DNS infrastructure, an attacker can redirect users
to phishing sites, malware-infected websites, or intercept their communications. This can
enable various forms of attacks, including:
 Phishing attacks: Users may unknowingly enter their login credentials or sensitive
information on fraudulent websites that mimic legitimate ones, leading to account
compromise or data theft.
 Man-in-the-Middle (MitM) attacks: By intercepting DNS queries and responses, an
attacker can position themselves between the user and the intended server, allowing
them to monitor and potentially manipulate the communication.
 Malware distribution: The attacker can redirect users to websites hosting malware or
deliver malicious payloads through compromised DNS responses.
Implementing DNSSEC helps protect against these attacks by adding digital signatures to
DNS records, which can be validated by clients to ensure the integrity and authenticity of
the received DNS responses.