This is my second post today, on the same topic: information gathering.
Unlike before, the first thing I do this time is a whois check.
root@bt:~# whois spentera.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: SPENTERA.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: ART.NS.CLOUDFLARE.COM
   Name Server: DINA.NS.CLOUDFLARE.COM
   Status: ok
   Updated Date: 17-may-2012
   Creation Date: 15-feb-2011
   Expiration Date: 15-feb-2013

>>> Last update of whois database: Wed, 19 Dec 2012 20:39:47 UTC <<<

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: spentera.com

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   Fax:
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Administrative Contact:
   WhoisGuard
   WhoisGuard Protected (2289eab88851476688242cf0144287f4.protect@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Technical Contact:
   WhoisGuard
   WhoisGuard Protected (2289eab88851476688242cf0144287f4.protect@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Status: Active

Name Servers:
   art.ns.cloudflare.com
   dina.ns.cloudflare.com

Creation date: 15 Feb 2011 13:04:00
Expiration date: 15 Feb 2013 08:04:00

As we can see, the registrant, admin and technical contacts are all hidden behind WhoisGuard, so the only real facts whois gives us are the registrar (eNom, sold through Namecheap), the creation and expiry dates, and the name servers. The name servers are at Cloudflare, which fronts the site and gives protection against some attacks; see https://www.cloudflare.com/features-security
Then I try dnsenum:
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl --enum spentera.com
dnsenum.pl VERSION:1.2.2
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   spentera.com   -----

Host's addresses:
__________________

spentera.com                             30       IN    A        173.245.61.94
spentera.com                             30       IN    A        199.27.134.28

Name Servers:
______________

dina.ns.cloudflare.com                   55024    IN    A        173.245.58.107
art.ns.cloudflare.com                    47666    IN    A        173.245.59.102

Mail (MX) Servers:
___________________

aspmx.l.google.com                       293      IN    A        74.125.25.26
alt1.aspmx.l.google.com                  293      IN    A        74.125.142.26
alt2.aspmx.l.google.com                  293      IN    A        74.125.137.26
aspmx3.googlemail.com                    293      IN    A        74.125.140.26
aspmx2.googlemail.com                    293      IN    A        74.125.142.26

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for spentera.com on dina.ns.cloudflare.com ...
AXFR record query failed: SERVFAIL
Unable to obtain Server Version for dina.ns.cloudflare.com : SERVFAIL

Trying Zone Transfer for spentera.com on art.ns.cloudflare.com ...
AXFR record query failed: SERVFAIL
Unable to obtain Server Version for art.ns.cloudflare.com : SERVFAIL

Scraping spentera.com subdomains from Google:
______________________________________________

 ---- Google search page: 1 ----

Google Results:
________________

 perhaps Google is blocking our queries.
 Check manually.

brute force file not specified, bay.
root@bt:/pentest/enumeration/dns/dnsenum#

As I mentioned before, the DNS is fronted by Cloudflare, so it does not tell us the real hosting IP address or where it is: both A records for spentera.com (173.245.61.94 and 199.27.134.28) are Cloudflare edge addresses, and the very short 30-second TTL is itself typical of a CDN. Zone transfers fail with SERVFAIL on both name servers and the server version is hidden, so there is no leak that way either. What dnsenum does confirm is the mail setup: the MX records point at Google, so mail is hosted there and will not lead us to the web server. The usual next check, which I have not done here, is to look for subdomains that resolve outside Cloudflare's ranges, since those may be the origin.
But I will try nmap anyway.
root@bt:~# nmap -sS -sV -O spentera.com

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-20 03:57 WIT
Nmap scan report for spentera.com (199.27.134.28)
Host is up (0.066s latency).
Other addresses for spentera.com (not scanned): 173.245.61.94
rDNS record for 199.27.134.28: cf-199-27-134-28.cloudflare.com
Not shown: 997 filtered ports
PORT     STATE  SERVICE   VERSION
80/tcp   open   http      cloudflare-nginx
443/tcp  closed https
8443/tcp closed https-alt
Aggressive OS guesses: HP P2000 G3 NAS device (95%), Linux 2.6.32 - 2.6.39 (93%), Linux 3.1 - 3.4 (91%), Android 3 (Linux 2.6.36) (89%), Linux 2.6.39 (89%), DD-WRT v23 (Linux 2.4.37) (89%), Linux 2.6.31 - 2.6.35 (89%), DD-WRT v24-sp2 (Linux 2.6.34) (89%), Android 2.2 (Linux 2.6.32) (88%), Linux 2.6.38 (88%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.10 seconds
root@bt:~#

If you compare this with the is2c-dojo.com scan, we got less information from the same tool. That is expected: the host we scanned is a Cloudflare edge node (rDNS cf-199-27-134-28.cloudflare.com), so the cloudflare-nginx banner on port 80, the closed 443 and 8443, and the OS guesses all describe Cloudflare's infrastructure, not the origin server, and everything else is filtered.
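To make the point from the dnsenum and nmap output concrete, here is a small helper, added for this post and not one of the tools used above, that takes the enumerated records and flags which addresses belong to Cloudflare's edge, so you know in advance that a port scan of them fingerprints the CDN and not the origin. The range list is a partial snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips and should be refreshed before use; the constructed.example / 203.0.113.10 record and the 192.0.2.1 address are constructed placeholders (TEST-NET addresses), not real spentera.com records.

```python
"""Flag which enumerated hosts are Cloudflare edge nodes rather than the origin."""
import ipaddress

# Partial snapshot of the IPv4 edge ranges Cloudflare publishes (assumption:
# fetch the current list from https://www.cloudflare.com/ips before relying
# on it). 199.27.128.0/21 is included because the nmap output resolved into it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21",
)]

# Records taken from the dnsenum output above, plus one constructed entry:
# constructed.example / 203.0.113.10 (TEST-NET-3) stands in for a host that
# resolves outside the CDN. It is not a real spentera.com record.
RECORDS = [
    ("spentera.com",           "A",  "173.245.61.94"),
    ("spentera.com",           "A",  "199.27.134.28"),
    ("dina.ns.cloudflare.com", "NS", "173.245.58.107"),
    ("art.ns.cloudflare.com",  "NS", "173.245.59.102"),
    ("aspmx.l.google.com",     "MX", "74.125.25.26"),
    ("constructed.example",    "A",  "203.0.113.10"),
]

# Reverse DNS seen in the nmap output; used as a weaker, secondary hint.
RDNS = {"199.27.134.28": "cf-199-27-134-28.cloudflare.com"}


def is_cloudflare(ip, rdns=None):
    """True if ip falls in a known Cloudflare range, or its rDNS says so.

    The rDNS hint catches edges whose range is missing from a stale list;
    it is weaker because anyone can set a PTR, so the range check comes first.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CLOUDFLARE_V4):
        return True
    return bool(rdns) and rdns.lower().endswith(".cloudflare.com")


def classify(records, rdns=RDNS):
    """Map (host, ip) -> label for each enumerated record.

    cloudflare-edge   : scanning this only fingerprints the CDN
    mail-provider     : MX host; mail lives there, it is not the web origin
    origin-candidate  : resolves outside the proxy, worth a direct scan
    """
    labels = {}
    for name, rtype, ip in records:
        if is_cloudflare(ip, rdns.get(ip)):
            labels[(name, ip)] = "cloudflare-edge"
        elif rtype == "MX":
            labels[(name, ip)] = "mail-provider"
        else:
            labels[(name, ip)] = "origin-candidate"
    return labels


def scan_targets(records, rdns=RDNS):
    """Addresses that are actually worth an nmap run: not proxied, not MX."""
    return sorted({ip for name, rtype, ip in records
                   if rtype != "MX" and not is_cloudflare(ip, rdns.get(ip))})


if __name__ == "__main__":
    for (name, ip), label in classify(RECORDS).items():
        print(f"{name:24} {ip:16} {label}")
    print("scan targets:", scan_targets(RECORDS))
```

Run against the records from this post, every spentera.com address comes back as cloudflare-edge and the only scan target is the constructed placeholder, which is exactly why the nmap run above told us so little.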
So I try another tool, theHarvester:
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d spentera.com -l 500 -b google

*************************************
*TheHarvester Ver. 2.2              *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

[-] Searching in Google:
   Searching 0 results...
   Searching 100 results...
   Searching 200 results...
   Searching 300 results...
   Searching 400 results...
   Searching 500 results...

[+] Emails found:
------------------
mada@spentera.com
jonathan@spentera.com
modpr0be@spentera.com
muza...@spentera.com
marketing@spentera.com
contact@spentera.com

[+] Hosts found in search engines:
------------------------------------
199.27.134.28:www.spentera.com
root@bt:/pentest/enumeration/theharvester#

So I got six email addresses (one of them truncated by the search engine) to start the next round of information gathering with, plus one host, www.spentera.com, which again resolves to the Cloudflare address 199.27.134.28.
Thank you for reading all of my junk posts.
Happy trying.. :)