Information gathering is the largest and most important phase of hacking: having the right information makes the attack easier, and information collected once can stay useful for a long time. Finding that information can be difficult if you don't know where to look.
Here are five of the best tools for effectively discovering information about a web target.
This tool is used by most penetration testers to gather information: it reports domain names, IP netblocks, subdomains and so on, and it can also brute-force subdomains during the enumeration stage.
(useful in case of false positives)
Fierce is a semi-lightweight scanner that helps you find non-contiguous IP space and hostnames for specified domains. It does not perform exploitation and does not indiscriminately scan the entire Internet. It is specifically designed to locate likely targets both inside and outside the corporate network. Since it mainly uses DNS, you will often find misconfigured networks that leak their internal address space. This is especially useful for targeted malware.
Usage: fierce -dns examplecompany.com -wordlist dictionary.txt
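The misconfiguration Fierce relies on, a public zone answering with internal addresses, is also something a zone owner can audit for directly. The script below is an added example, not code from the article or from Fierce; it classifies resolved addresses against a fixed list of internal ranges and summarises any leaked networks, using constructed sample records in place of real dig or Fierce output.

```python
import ipaddress
from collections import defaultdict

# Address space that should never appear in a public zone's answers.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed sample records (hostname, answer); not real DNS data.
SAMPLE_RECORDS = [
    ("www.examplecompany.com", "203.0.113.10"),
    ("mail.examplecompany.com", "203.0.113.25"),
    ("vpn.examplecompany.com", "198.51.100.7"),
    ("intranet.examplecompany.com", "10.20.30.40"),   # leaks RFC 1918 space
    ("build01.examplecompany.com", "10.20.30.41"),    # same leaked /24
    ("nas.examplecompany.com", "192.168.5.12"),
    ("ipv6-lab.examplecompany.com", "fd12:3456::1"),  # leaks ULA space
    ("broken.examplecompany.com", "not-an-ip"),       # junk from a bad parse
]

def classify_answer(addr):
    """Return 'internal', 'public' or 'invalid' for one resolved address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # Mixed-version containment checks are simply False, so one list serves both families.
    return "internal" if any(ip in net for net in INTERNAL_RANGES) else "public"

def audit_zone(records):
    """Group (host, addr) records into {'internal': [...], 'public': [...], 'invalid': [...]}."""
    report = {"internal": [], "public": [], "invalid": []}
    for host, addr in records:
        report[classify_answer(addr)].append((host, addr))
    return report

def leaked_networks(records):
    """Summarise leaked internal space as {network: [hosts]}, by /24 (IPv4) or /64 (IPv6)."""
    groups = defaultdict(list)
    for host, addr in audit_zone(records)["internal"]:
        ip = ipaddress.ip_address(addr)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)

if __name__ == "__main__":
    for net, hosts in sorted(leaked_networks(SAMPLE_RECORDS).items()):
        print(f"{net}: {', '.join(hosts)}")
```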
Useful for web intelligence gathering and for mapping the attack surface by discovering virtual hosts during a penetration test. It finds hostnames that share an IP address with your target, which can be given as a hostname or an IP address.
Usage: ./bing-ip2hosts [OPTIONS]
- -n: Turn off the progress bar animation
- -t DIR: Use this directory instead of /tmp. The directory must exist.
- -i: Optional CSV output. Prints the IP and hostname on each line, separated by a comma.
- -p: Optional http:// prefix on each result. Useful for right-clicking in the shell.
This tool collects e-mail addresses, subdomains, hosts, employee names, open ports and banners from various open sources such as search engines, PGP key servers and the Shodan computer database.
Usage: theharvester [options]
- -d: Domain to search or company name
- -b: Data source: google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, jigsaw, twitter, googleplus, all
- -s: Start with result number X (default: 0)
- -v: Check hostname through domain name resolution and look up virtual hosts
- -F: Save results to HTML and XML file (both)
- -n: Perform DNS reverse lookup on all found ranges
- -c: Bruteforce DNS for the domain name
- -t: Do DNS TLD discovery of the extension
- -e: Use this DNS server
- -l: Limit the number of results to work with (bing shows up to 50 results)
This tool checks whether a site uses DNS load balancing or HTTP load balancing. Load balancing spreads excess load across additional servers. The result tells you whether a website is load balanced, and therefore whether a DDoS attack against it is likely to succeed.