domains by proxy

No explicit questions like "how do I hack xxx.com" please!

Post by penumbra_wolf »

I'm trying to learn a bit about information gathering. When doing a whois search on a host address, I came across the address and phone numbers it was registered for, just like normal, but I googled the address and realized that a lot of whois searches come up with the same results. After a little research I learned about how you can register your domain using a proxy registrar (I never knew that until now), so basically all the info I got from the whois is useless, right?

I still got the IP address of a site by ping, but that's about all I've been able to come up with so far, and a hosting site that seems to be relevant. I guess what I'm wondering is if I can find out any more information even if they have a domainbyproxy registration?

Post by bad_brain »

when doing a WHOIS lookup you get different entries:
- owner-contact
- admin-contact
- tech-contact
- billing-contact

the first 2 ones are the data of the person who registered the domain and acts as contact person when trouble appears ("trouble" related to site content for example, like copyright violations). THIS is the site owner, and in most countries you HAVE TO display your personal data there, if you don't do it your domain can be even locked and closed....ok, nobody really checks it, but if you would complain at ICANN about such a domain they would close it.
BUT in some countries (Canada and USA for example) you can have "private" domains, in those cases not the data of the domain owner/registrant is displayed, they display the data of the registrar (like godaddy.com for example). in those cases it's not easy to get the data of the real registrant...the registrar has the data, but to get it you would need a lawyer.

the tech- and billing-contact entries are the ones of the registrar or the hosting company (both are identical in most cases because many people rent webspace where 1 domain is included).

next thing is the "network whois record", this is the one who is responsible for the technical infrastructure....that's usually the person/company I contact when some überlamer overdid it with his attack attempts....because they have the power to set his IP to 0-route.


as you can see you can't always get the name of the real domain owner, but to get as much data as possible I always use that site: http://www.centralops.net
I'm sure others have even better links... :wink:
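The contact roles described in the post above, as an added example that is not part of the original thread: a small parser that groups a WHOIS record by role and reports which contacts show proxy data instead of the registrant's own, useful for checking what your own domain's record exposes. The sample record, the field labels, and the marker strings are constructed assumptions; real registries format their output differently.

```python
import re

# Constructed sample record (not real registration data). Labels follow the
# common "<Role> <Field>: value" layout; real registries vary.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Tech Name: Hosting NOC
Tech Organization: Example Hosting Ltd
Billing Name: Hosting Accounts
Billing Organization: Example Hosting Ltd
"""

# Map label prefixes onto the four contact roles named in the post.
ROLES = {"registrant": "owner", "owner": "owner", "admin": "admin",
         "tech": "tech", "billing": "billing"}
# Assumed marker strings for private/proxy registrations; extend as needed.
PROXY_MARKERS = ("domains by proxy", "private", "privacy", "proxy")
LINE = re.compile(r"^\s*(\w+)\s+([\w /-]+?)\s*:\s*(.*)$")


def parse_contacts(text):
    """Group 'Role Field: value' lines into {role: {field: value}}."""
    contacts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        role = ROLES.get(m.group(1).lower()) if m else None
        if role:
            contacts.setdefault(role, {})[m.group(2).lower()] = m.group(3).strip()
    return contacts


def proxied_roles(contacts):
    """Return {role: bool}, True where the contact shows proxy data."""
    return {role: any(mark in " ".join(c.values()).lower() for mark in PROXY_MARKERS)
            for role, c in contacts.items()}


def same_provider(contacts):
    """True when tech and billing contacts name the same organization."""
    tech = contacts.get("tech", {}).get("organization")
    return tech is not None and tech == contacts.get("billing", {}).get("organization")


if __name__ == "__main__":
    found = parse_contacts(SAMPLE_WHOIS)
    print(proxied_roles(found), same_provider(found))
```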

ideas for footprinting

Post by DNR »

make sure you also try searching for "@company.com" and the company name for press releases, and even plain old social engineering, call them.
I don't like using just one search engine, try copernic or a search engine directory like so:
http://c0vertl.tripod.com/search.htm

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Post by penumbra_wolf »

Awesome! :P
Thanks for the centralops link b_b! I had it a while back and didn't save it when I formatted my hard drive last, then I couldn't remember what it was, lol. That site gives you the best info resources I've been able to find.

@DNR: Yeah, there's PLENTY of press on the company I'm researching, theoretically, with the amount of information I could gain from all the sources available, penetration shouldn't be too difficult for someone who knows what they're doing. Since I'm just kinda starting out though, I'm thinking to myself and trying to analyze the most critical information I need to obtain right now. And trying to figure out the best means to get that information.

So far I'm just collaborating as much info as I can possibly gather and saving it on notepad, lol. I'll sort through the mess later and organize it a bit and see what I can gain from what I've found (just IP addresses, names, contact emails, phone numbers, host domains and companies, etc.) It's tough to focus on what exactly I need to be looking for though but I've got time and patience on my side... and most of all determination.

I have excellent people skills so as soon as I find out what information I need to get I'll call the company and use a bit of social engineering as you say. Thanks for the info btw.
