Information Gathering Tools: whois and WhatWeb

We've explored basic information gathering, like finding a website's IP address using ping, nslookup, and custom Python tools. Now, let's dive into more advanced tools for richer insights into a target.

whois

whois queries the domain registry (or registrar) database and returns registration data about a domain, which goes well beyond its IP address. Depending on the registry, this includes:

  • Email addresses (registrant, admin, technical and abuse contacts).

  • Physical addresses.

  • Phone numbers.

  • The registrar, the name servers, and the creation, update and expiry dates.

It does not reveal plugins or other technologies used by a website; that is a job for a web fingerprinting tool such as the one covered later in these notes. Also note that many registries now redact personal contact details (the fields read "REDACTED FOR PRIVACY"), so expect fewer details for recently registered or European domains.

Usage

To use whois, type whois followed by a domain name, such as:

whois dpr.go.id
Information Provided

The output includes:

  • Registry Domain ID. For .id domains the registry is PANDI (Pengelola Nama Domain Internet Indonesia), which operates under the Ministry of Communication and Informatics.

  • Creation date (created on).

  • Last updated date (last updated).

  • Expiration date.

  • Organization name (e.g., Kementerian Komunikasi dan Informatika).

  • Complete physical address, including street, city, province, postal code, and country.

  • Phone number.

  • Email address.

Example: google.com
whois google.com

Reveals:

  • Registry Domain ID, registrar URL, and expiration date.

  • Abuse contact email and phone number.

  • Organization: Google LLC.

  • State/Province: CA (California).

  • Country: US.

  • Admin email.

  • A link to request more information.

Usefulness

whois offers valuable information for various contexts, especially during the reconnaissance phase of a security assessment: contact names and emails define the social-engineering surface, the registrar and name servers point to further infrastructure, and the expiry date flags domains at risk of lapsing. Because the query goes to the registry's whois server rather than to the target, it is passive: the target sees no traffic from you.
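The fields above, pulled out of whois output automatically so that many domains can be compared, as an added example that is not part of the original notes. It assumes the ICANN-style labels the google.com output uses (ccTLD registries such as PANDI label things differently, so the want table must be extended for them); the sample whois text is constructed, not real registry data:

```shell
#!/bin/sh
# Added example (not from the original notes): pull the recon-relevant fields
# out of whois output so dozens of domains can be compared side by side.
# Label names follow the ICANN/Verisign style seen in the google.com output;
# ccTLD registries such as PANDI use different labels, so extend the `want`
# table for those. SAMPLE_WHOIS below is constructed, not real registry data.

parse_whois() {
  # Reads whois text on stdin and prints normalised key=value lines.
  awk '
    BEGIN {
      # whois label (lower-cased)            -> output key
      want["registrar"]                      = "registrar"
      want["creation date"]                  = "created"
      want["registry expiry date"]           = "expires"
      want["registrar abuse contact email"]  = "abuse_email"
      want["registrant organization"]        = "org"
    }
    {
      # Split "Label: value" on the first colon only, so timestamps survive.
      label = $0; sub(/:.*/, "", label); gsub(/^[ \t]+|[ \t]+$/, "", label)
      value = $0; sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t\r]+$/, "", value)
      key = tolower(label)
    }
    (key in want) && !(key in seen) { seen[key] = 1; print want[key] "=" value }
    key == "name server"   { ns = ns (ns ? "," : "") tolower(value) }
    key == "domain status" { split(value, parts, " "); st = st (st ? "," : "") parts[1] }
    # GDPR-era registries blank out contacts; count how much is missing.
    /REDACTED FOR PRIVACY/ { redacted++ }
    END {
      print "name_servers=" ns
      print "status=" st
      print "redacted_fields=" redacted + 0
    }
  '
}

# Constructed sample modelled on the registrar-style output shown above.
SAMPLE_WHOIS=$(cat <<'EOF'
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 0000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Updated Date: 2024-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2025-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@example-registrar.test
   Registrar Abuse Contact Phone: +1.5555550100
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Organization: Example Holdings LLC
   Registrant State/Province: CA
   Registrant Country: US
   Registrant Email: REDACTED FOR PRIVACY
   Admin Email: REDACTED FOR PRIVACY
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   DNSSEC: signedDelegation
>>> Last update of whois database: 2024-09-01T10:00:00Z <<<
EOF
)

# Stand-alone demo on the sample; in practice: whois "$domain" | parse_whois
printf '%s\n' "$SAMPLE_WHOIS" | parse_whois
```

On the sample this prints one line per field (created, expires, registrar, abuse_email, org, name_servers, status) plus redacted_fields=2, the count of contact lines the registry blanked out. Run it in a loop over a target list and the redacted count tells you at a glance which domains still expose real contact data.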

WhatWeb

WhatWeb fingerprints a website from its HTTP headers, HTML, cookies and scripts and reports the technologies it finds, for example:

  • Web server type and version (e.g., Apache, from the Server header).

  • HTML version (e.g., HTML5, from the doctype).

  • JavaScript libraries and frameworks in use.

  • PHP, including its version, when the server advertises it in an X-Powered-By header.

Everything it reports is either declared by the server or inferred from page content, so a hardened server that strips version headers will show less.

Usage and Options

To see the options:

whatweb --help

The basic syntax is:

whatweb [options] <URLs or IP ranges>

Key options include:

  • -i, --input-file=FILE: read targets from a file, one per line.

  • -a, --aggression=LEVEL: aggression level. Level 1 (stealthy, the default) makes one HTTP request per target; levels 3 (aggressive) and 4 (heavy) send additional requests to confirm plugin matches, which is noisier and easier for the target to notice.

  • -v, --verbose: includes plugin descriptions in the output.

Example: Scanning instagram.com
whatweb instagram.com

This scan follows the redirect chain for instagram.com and reports, for each URL visited:

  • Redirect locations (RedirectLocation).

  • IP addresses (IP).

  • Technologies used (e.g., Django, HTML5), along with headers such as HTTPServer.

Each finding appears as Name[value], comma-separated on one long line per URL, which is hard to read at a glance; the --verbose option expands that into a description per plugin.

Verbose Output
whatweb instagram.com --verbose

The verbose option adds a description for each identified plugin. For example, it explains that the HTTPServer plugin reports the Server header, which can also hint at the operating system, and that Django is a high-level Python web framework.
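One way to make the one-line-per-host output usable without --verbose, as an added example that is not part of WhatWeb or of the original notes: parse the brief format into tab-separated rows that grep, sort and cut can work on. The sample output is constructed in WhatWeb's brief format with made-up hosts; the plugin names it uses (HTTPServer, IP, RedirectLocation, UncommonHeaders, Country, Title, PHP) are real WhatWeb plugins, and --log-brief in the usage comment is WhatWeb's own option:

```shell
#!/bin/sh
# Added example (not WhatWeb's own code): turn WhatWeb's one-line-per-host
# "brief" output into tab-separated url/status/plugin/value rows. Values may
# themselves contain commas (e.g. UncommonHeaders), so the plugin list is
# split only on commas that sit outside square brackets.
# SAMPLE_WHATWEB below is constructed in WhatWeb's brief format; hosts and
# values are made up.

parse_whatweb() {
  awk '
    function emit(url, status, tok,    name, vals, b) {
      gsub(/^[ \t]+|[ \t\r]+$/, "", tok)
      if (tok == "") return
      b = index(tok, "[")
      if (b == 0) { print url "\t" status "\t" tok "\t"; return }   # bare plugin, no value
      name = substr(tok, 1, b - 1)
      vals = substr(tok, b)
      gsub(/[]][[]/, "|", vals)           # Country[UNITED STATES][US] -> UNITED STATES|US
      gsub(/^[[]|[]]$/, "", vals)
      print url "\t" status "\t" name "\t" vals
    }
    {
      sp = index($0, " [")                # URL ends where " [STATUS]" begins
      if (sp == 0) next                   # error lines and anything else
      url = substr($0, 1, sp - 1)
      rest = substr($0, sp + 2)
      cb = index(rest, "]")
      status = substr(rest, 1, cb - 1)
      rest = substr(rest, cb + 1); sub(/^[ ,]+/, "", rest)
      depth = 0; tok = ""
      for (i = 1; i <= length(rest); i++) {
        c = substr(rest, i, 1)
        if (c == "[") depth++
        else if (c == "]") depth--
        if (c == "," && depth == 0) { emit(url, status, tok); tok = ""; continue }
        tok = tok c
      }
      emit(url, status, tok)
    }
  '
}

# Print "url value" for one plugin across all parsed rows, e.g. HTTPServer.
plugin_value() {
  awk -F'\t' -v name="$1" '$3 == name { print $1, $4 }'
}

# Constructed sample: a redirect, the landing page, and a bare IP next door.
SAMPLE_WHATWEB=$(cat <<'EOF'
http://target.example [301 Moved Permanently] Country[UNITED STATES][US], HTTPServer[nginx], IP[203.0.113.10], RedirectLocation[https://target.example/], UncommonHeaders[x-content-type-options,x-frame-options]
https://target.example/ [200 OK] Country[UNITED STATES][US], Django, HTML5, HTTPServer[Apache/2.4.41 (Ubuntu)], IP[203.0.113.10], Script, Title[Welcome], X-Frame-Options[SAMEORIGIN]
http://203.0.113.11 [200 OK] HTTPServer[Apache/2.4.41 (Ubuntu)], IP[203.0.113.11], PHP[7.4.3], Title[Index of /]
EOF
)

# Stand-alone demo; in practice: whatweb --log-brief=scan.txt <targets>; parse_whatweb < scan.txt
printf '%s\n' "$SAMPLE_WHATWEB" | parse_whatweb
printf '%s\n' "$SAMPLE_WHATWEB" | parse_whatweb | plugin_value HTTPServer
```

The bracket-depth counter is the part worth keeping: a naive split on ", " would cut UncommonHeaders[x-content-type-options,x-frame-options] in half and silently corrupt the table. With the rows in hand, plugin_value HTTPServer | sort | uniq -c gives a server-version inventory for a whole range in one pipeline.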

IP Range Scanning

WhatWeb can also take a whole IP range as its target, which is useful once you know one address of a target and want to see what else sits next to it. To understand the range syntax, it helps to know some networking basics.

To view your own IP configuration:

ifconfig

(On newer Linux systems ifconfig may be missing; ip addr shows the same information.) It gives you inet (your IP address) and netmask.

On a typical home network the netmask is 255.255.255.0, i.e. a /24: the first three octets are fixed by the network and only the last octet varies, from 0 to 255. Of those 256 addresses, .0 is the network address and .255 the broadcast address, so the hosts are .1 to .254. You can hand exactly that range to WhatWeb, either in CIDR notation or as an explicit first-last range.

Example:

If an IP address from Instagram is 31.13.174.95, you could scan the /24 it sits in:

whatweb 31.13.174.0/24 --verbose

or, equivalently:

whatweb 31.13.174.1-31.13.174.254 --verbose

This scans 31.13.174.1 through 31.13.174.254 and reports the hosts that answer on HTTP. A range scan sends requests to every address in it, so only run it against ranges you are authorised to test; you can interrupt it at any time with Ctrl+C.
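A helper that computes the range to give WhatWeb from the inet and netmask values ifconfig prints, as an added example that is not part of the original notes and that generalises beyond the /24 case to any netmask. It only does arithmetic (no scanning); the addresses in the demo are constructed, apart from the 31.13.174.95 one the notes use:

```shell
#!/bin/sh
# Added example (not from the original notes): derive the scan range that
# WhatWeb accepts from the inet address and netmask ifconfig shows, for any
# prefix length rather than only the 255.255.255.0 case. Pure POSIX sh
# arithmetic, no network access. Demo addresses are constructed except for
# 31.13.174.95, which the notes mention.

ip_to_int() {                       # dotted quad -> 32-bit integer
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_prefix() {                     # 255.255.240.0 -> 20; rejects non-contiguous masks
  m=$(ip_to_int "$1"); n=0
  while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do n=$((n + 1)); done
  # Every bit below the leading run of ones must be zero, or it is not a netmask.
  if [ $(( m & ((1 << (32 - n)) - 1) )) -ne 0 ]; then
    echo "invalid netmask: $1" >&2; return 1
  fi
  echo "$n"
}

scan_range() {                      # IP NETMASK -> "net/prefix first-last"
  ip=$(ip_to_int "$1")
  p=$(mask_prefix "$2") || return 1
  m=$(ip_to_int "$2")
  net=$(( ip & m ))
  bcast=$(( net | (~m & 4294967295) ))
  # The lowest address is the network and the highest the broadcast; neither
  # is a host, so the host range starts one above and ends one below them.
  echo "$(int_to_ip "$net")/$p $(int_to_ip $((net + 1)))-$(int_to_ip $((bcast - 1)))"
}

# Demo: a home /24 as ifconfig would show it, a /20 office LAN, and the
# Instagram address from the notes assuming a /24 around it.
scan_range 192.168.1.42 255.255.255.0
scan_range 10.20.37.9 255.255.240.0
scan_range 31.13.174.95 255.255.255.0
```

Either half of the output is a valid WhatWeb target (whatweb 192.168.1.0/24 or whatweb 192.168.1.1-192.168.1.254). The contiguity check matters because a typo such as 255.0.255.0 would otherwise produce a plausible-looking but wrong range; for /31 and /32 the usable-host arithmetic does not apply, so pass the CIDR form for those.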

Saving Scan Results

To save the results of a scan to a file:

whatweb instagram.com --verbose --log-verbose=iginfo

This writes the verbose output to a file named iginfo in the current directory (note the hyphen in --log-verbose). Change directory first if you want the file somewhere specific, for example on the Desktop:

cd Desktop

then run the scan with the --log-verbose option. For output you intend to process with other tools, --log-json=FILE writes the results as JSON and --log-brief=FILE the one-line-per-host format.

Summary

These notes provide a foundation for using whois and WhatWeb for information gathering. There are more tools to explore!