白帽子之路首章：Footprinting, TARGET ACQUISITION

*Disclaimer: All materials provided on this blog are for educational purposes only. The author and owner of these articles is not subject to any legal liability for third-party malicious use of all the content posted*

　　Step 1: decide scope of activities

Security vulnerabilities are usually identifiable directly from the cource code of the organization's webpage. By identifying the domain, e.g. victim.com, and reading its source code, you may witness some security settings explicitly put on the organization's webpages in comment. [source request] After identifying the domain name, go fetch the subsidiaries, which are usually poorly-guarded and poses potential security threats to the mother site.

　　Step2: network enumeration

Firstly, identify domain name & associated networks relating to particular organization. This could be easily achieved with the help of InterNIC database (https://www.internic.net/whois.html), and ARIN. We can see from the example below, we acquire all the information about the target domain's registry.

-----

　　Example of a InterNIC search:

Domain Name:
Registrar:
Sponsoring Registrar IANA ID:
Whois Server:
Referral URL:
Name Server:
Name Server:
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date:
Creation Date:
Expiration Date:

-----

...to be continue

By performing Whois seach in Kali Linux, open the terminal and type in "whois xxx.com", which initiates 'whois' search. However, many details could be hidden by WhoisGuard protected. Refer to the definition of WhoisGuard from wiki.

WhoisGuard is a privacy protection service that prevents people from seeing your name, address, phone number and email when they do a Whois search on your domain. It puts its address information to the public Whois instead of yours to protect you from potential spam and even identity theft.

The next move would definitely be how to break such privacy protection. Otherwise, we may better circumvence this by targetting the next victim.

• solution 1: visit GxDxdxy to acquire info about real owner of that web
• solution 2: use DomainToos (paid) to review the entire domain registry history. In case a domain has been registered as public previously, all info would be revealed. A free alternative would be Webboar.com or https://www.whois.com/whois/ [failed: domain details still not revealed]

最痛苦的是，他的privacy settings 還不能破。只好轉移到其他target shotting approaches. 在 Google dock 上暫時沒有什麼特別的發現。在轉移到Acunetix之前，先使用linux kali 本身就有的scan web vulnerabilities tools. 試試linux kali 地下的uniscan.

Linux Kali Uniscan

Syntax: # uniscan -u xxx.com(complete website address) -ds

https://en.wikipedia.org/wiki/Penetration_test

Then, follow the following commands to fetch back the report file:

~# cd/usr/share/uniscan/report
ls
xdg-open xxx.com.html