1
00:00:01,410 --> 00:00:08,490
Domain host related info. So the conducted web penetration tests are generally close to a black box

2
00:00:08,490 --> 00:00:10,250
testing, as we mentioned before.

3
00:00:10,770 --> 00:00:15,840
So we don't have, well, hardly any information about the target, if any.

4
00:00:16,680 --> 00:00:17,550
Maybe just a URL,

5
00:00:17,550 --> 00:00:22,620
IP address or a domain name is given to us.

6
00:00:23,890 --> 00:00:30,460
So to start testing and gathering information, we'll need to dig around with only an IP or domain name,

7
00:00:30,670 --> 00:00:31,360
no problem.

8
00:00:32,450 --> 00:00:39,980
So in this section, we're going to first extract domain registration information by using the whois

9
00:00:39,980 --> 00:00:40,460
service.

10
00:00:41,590 --> 00:00:48,610
Then we're going to use the extracted information to get subdomains of the target and even the other

11
00:00:48,610 --> 00:00:49,660
hosts in the network.

12
00:00:50,660 --> 00:00:56,150
And then, if it's possible, we're going to discover the applications that are served on the same server

13
00:00:56,180 --> 00:00:57,450
or same service.

14
00:00:58,280 --> 00:00:58,640
All right.

15
00:00:58,640 --> 00:01:01,010
So let's start with the whois service.

16
00:01:02,600 --> 00:01:07,970
When registering a domain, the domain owner needs to provide his personal information to the domain

17
00:01:07,970 --> 00:01:11,990
registrar, such as name, phone number and other contact information.

18
00:01:13,220 --> 00:01:17,240
And all this is public information due to the nature of the whois service.

19
00:01:18,180 --> 00:01:23,640
So that means that you can view the name, address, phone number and email address of the person or

20
00:01:23,640 --> 00:01:25,890
entity who registered the domain.

21
00:01:26,910 --> 00:01:33,330
If you query the registrar's whois service, you can get this information, but sometimes the registrars

22
00:01:33,330 --> 00:01:38,700
can hide this if they have a service to change the owner information with theirs.

23
00:01:39,970 --> 00:01:47,080
WHOIS records hold the registration details provided by the domain owner to the domain registrar.

24
00:01:48,080 --> 00:01:49,700
Yes, I said whois.

25
00:01:50,850 --> 00:01:59,160
WHOIS is a protocol that works on TCP port 43, and there are multiple whois servers on the Internet

26
00:01:59,160 --> 00:01:59,960
around the world.

27
00:02:01,340 --> 00:02:08,090
These servers are operated by regional Internet registrars, so they are used to extract information

28
00:02:08,090 --> 00:02:11,540
about the domains and the associated contact information.

29
00:02:12,530 --> 00:02:15,740
OK, so open your terminal in Kali.

30
00:02:16,880 --> 00:02:22,730
And thanks to our developers, Kali has a whois client, and it's very easy to use.

31
00:02:23,620 --> 00:02:29,110
OK, so type whois to see the help file, and we're going to use that.

32
00:02:30,710 --> 00:02:38,060
So let's think of google.com as your target domain, and you've got to wonder about Google's registration

33
00:02:38,060 --> 00:02:38,700
info, right?

34
00:02:39,320 --> 00:02:43,100
So type whois google.com and press enter.

35
00:02:44,910 --> 00:02:49,980
OK, so this is the output for this domain. It's long, so scroll.

36
00:02:51,480 --> 00:02:57,750
And as you're seeing this with me, the registrar for this domain is MarkMonitor.

37
00:02:58,900 --> 00:03:01,270
The dates of the validity period are also displayed.

38
00:03:02,200 --> 00:03:07,540
The output of a whois query also points out the DNS servers for google.com.

39
00:03:09,610 --> 00:03:13,150
And those will help us to find additional hosts in the domain.

40
00:03:14,550 --> 00:03:16,770
So now I will run another whois query.

41
00:03:18,000 --> 00:03:23,820
But first, let me get the google.com IP address with host google.com.

42
00:03:25,930 --> 00:03:29,950
And the host command performs a reverse IP lookup.

43
00:03:31,230 --> 00:03:35,430
So when you give the domain, it returns the corresponding IP address.

44
00:03:36,840 --> 00:03:43,290
So type whois -h whois.arin.net.

45
00:03:44,870 --> 00:03:46,920
Now, I will copy this IP address.

46
00:03:48,560 --> 00:03:53,660
With the -h parameter, you can point to a specific whois server to query.

47
00:03:54,920 --> 00:03:55,730
So hit enter.

48
00:03:57,130 --> 00:03:59,080
And again, you get a long output.

49
00:04:00,340 --> 00:04:06,550
But it's got a lot of information, such as network range, phone number and address.

50
00:04:07,710 --> 00:04:12,300
So whois queries are very handy to investigate a domain name.

51
00:04:13,560 --> 00:04:17,820
There are also online whois services, and you've probably had a look at them.

52
00:04:17,830 --> 00:04:19,200
You may want to look at them again.