Hello everyone, I am Sanjay Gupta. I welcome you to Sanjay Gupta Tech School. Today is day nine of this cybersecurity boot camp, and I welcome you all to the session, and I welcome Sumit as well. Sumit is sharing all the knowledge related to cybersecurity, which is totally related to web application security. So let's start with the day nine session, and over to you, Sumit, please start the session. I think now you will be able to share this. Hello, welcome again to this cybersecurity boot camp, day nine. My name is Sumit Jain, and today we will talk about how to collect some information. We already discussed some of the web applications, some of the websites we used for collecting target information related to subdomains, URLs and something more. Today is day two of collecting information. So before starting this, let me introduce myself. Guys, my name is Sumit Jain, and I'm an ethical hacker and cybersecurity expert currently working as a Synack Red Team and Pentabug Red Team member, where I'm testing multiple companies' targets and handling their security by reporting some bugs. Apart from that, I'm working as a senior security specialist at Jitron Networks, where I'm currently training students, professionals and freshers to build their career in cybersecurity. I have 10 plus years of experience in this domain and five plus years of experience in web application security. Before this, I was working as a guest instructor at the Central Detective Training School, where my part was training police officials, etc. Now I'm sharing my knowledge on YouTube with this bootcamp. So you can follow me on my YouTube channel; the name is Sabah Security Zone, where you will find videos related to web application security, mobile application security and other streams as well. You can follow Sanjay Gupta Tech School as well, where you will be seeing this bootcamp and you can interact with me in the live session.
Please share your review or feedback about this bootcamp: what do you like, what have you achieved, or what will you learn? If you have some queries and questions, you can ping me on the platforms below. I'm available on LinkedIn and Twitter, or Telegram as well. You can find all the links in the video description. So today we are discussing how to collect some information. The process is called footprinting, and before starting this, let me recap something. Previously we collected some information related to subdomains. I used some different websites to collect the information related to our target. We collected some subdomains. We collected important links as well. We also collected some of the technologies the websites are built on; for that we used a website, the name is BuiltWith. Today we are talking about some more information, and to do that we use these websites we are seeing right now: ssllabs.com, whatismyipaddress.com, iplogger.org, receivesms.co, instantemail.org. So we are using these websites or applications for collecting the information. So let's see what these websites do and how to use these applications to collect the information about your target. So let's move on to our... So first I'm using ssllabs.com. Basically this is a website which will test your SSL server, your certificate. If you are implementing a certificate on your domain: what these certificates are, what your root certificate is, when your certificate will expire, what your TLS server is, if you are using some server or not, what your ciphers are and what your secret keys are, etc. To use this, you will navigate to "Test your server", where you can put in your target name. In this section, some website names are already displayed which were recently scanned by someone. So you can put your target name here, like facebook.com. I'm using a public target. So facebook.com, and click on submit.
As you can see, Facebook is using two servers; one of the servers is running on an IPv4 address and one of the servers is running on an IPv6 address. You can see the hostname as well, the server hostname. And if you click on this (I'm opening this in a new tab), you can see all the related information about the SSL certificate of facebook.com. So you can see the subject name is facebook.com. What is the fingerprint facebook.com is using? What are the common names of facebook.com? Alternative names: this certificate applies to these domains as well, like facebook.com, facebook.net, fbcdn.net, fbsbx.com, m.facebook.com, messenger.com, xy.fbcdn, xz.fbcdn, facebook.com and messenger.com. So basically the certificate you are seeing right now is applicable to all these subdomains or domains as well. There is a mark, a strict mark, also given. You can see a strict mark is also given. So this means all the subdomains are covered by this certificate. The serial number of the certificate is this; valid from: the certificate is valid from 21-5-2023, so this certificate will expire in seven days, eight hours. So Facebook needs to renew it. The encryption key Facebook is using is EC- Sorry to interrupt, can you please zoom in more? Actually it is very... yeah, now it is. So the encryption key which the Facebook server is using is EC 256 bit. Weak key: no. Issuer: what is the issuer name of the server? There is no issuer. What is the issuer name of this certificate? It is DigiCert. So this certificate is delivered by DigiCert; the signature algorithm is SHA-256 with RSA, and you can find the other information. Additional certificate, if they have any: Facebook is also using an additional certificate. So this is the information of the additional certificate. You can find out certificate number two, all the information, the additional certificate, and you can see the configuration: which of the protocols facebook.com is using in SSL.
So TLS 1.3, 1.2, TLS 1.1, TLS 1.2, all these protocols as well. And here you can see if this protocol is applied or not. So Facebook is using TLS 1.3, TLS 1.1, 1.2, and 1.0 as well. There is no SSL implementation, SSL version 3 or SSL version 2; there is no sign of using this. Scrolling down, you can see what the cipher suites in TLS 1.3 are. So these are the cipher suites used in the SSL certificate. In TLS 1.2, these are the cipher suites that are used, and also these cipher suites are weak. So you can clearly see this, that Facebook needs to regenerate the SSL or apply some security to protect these. You can find the handshake information as well. These are the different Android devices or operating systems or web browsers this certificate applies to. So if you are using IE 11 on Windows 10, you are connecting to that domain with this protocol. And if you are using Java 7.0.25, you are connecting with this protocol; OpenSSL, Safari, Apple, Yahoo. And also, if you want the details of your protocol: these are some attacks related to the protocol that you are using on your domain. So SSL Labs will scan your target for these potential vulnerabilities, and you can see if your target is vulnerable or not. So there is no DROWN attack; a DROWN attack is not possible on facebook.com. A BEAST attack is also not possible. POODLE SSLv3: all these are network-based or SSL-based attacks, but Facebook is not vulnerable to these attacks. So you can clearly see all these attacks: POODLE, Zombie POODLE, Golden POODLE, OpenSSL, Sleeping POODLE, RC4, Heartbeat, Heartbleed, Ticketbleed, the ROBOT vulnerability, etc., etc. And the test date is this. Right now we are testing this certificate on this date. So this is the date of testing the certificate, and the HTTP redirection and the server hostname are written here. So this application is used to test our domain.
If I give another domain, like if I use one of the domains which are already scanned... I've used this random domain, I'm using this website; the website name is pappetonline.com, and you see the overall rating is T. The server certificate is not trusted. So you can clearly see the error, because the server's certificate is expired. Two months and 12 days ago, the certificate already expired. And right now the domain is not on SSL; the website is not using any SSL certificate. That's why the rating is downgraded and more attacks are possible on this domain. So you see this: trusted, not trusted. The SSL certificate is not trusted because the certificate is already expired. This website didn't renew the certificate. So basically all the users will be redirected to the HTTP protocol and all the data will be transmitted using the HTTP protocol. So this website immediately needs to renew its SSL certificate. If you are not renewing your certificate properly by the date the certificate expires, you will face more problems like this website. This website also has some weak ciphers, and if you scroll down, you can see some of the attacks are also possible. So basically this website, ssllabs.com, we use to collect some of the information related to our SSL certificate. Also, you can manually collect the certificate info as well. For this, you need to go to the application, then click here and then click on "Connection secure". Click on "More information" and you can see the certificate this website is using: "View certificate". When you click on "View certificate", you will see the certificate name, the subject alternative name, all the information which is displayed here. Also you can test manually as well. So here are the public keys, fingerprints and all the other information you want to find. So this application uses an SSL certificate issued by GoDaddy.
So the root organization name is GoDaddy and the common name is the GoDaddy issuer certificate. Validity: it is valid from this to that. So there are two methods to collect the information about the SSL: one is using SSL Labs and the other is manual. Now, if you want a dummy phone number: if you are testing a target and you need to put in your phone number, but you don't want to give your personal number, we have an application which gives you a dummy number to use for OTP purposes or for registration purposes. We generally need some international numbers as well while testing our target, because we don't want to put in our personal number. So you can use this website. The website name is receivesms.co. There you will find the countries: 677 numbers are available for the USA, Belgium, Canada, Czech Republic, Denmark, Spain, Finland, France. So you can find phone numbers from various countries, and if you want to use a USA-based number, click on this and you see all the numbers displayed here. If you put this number on any application, the OTP or any other information you can check here. If you click here, "Read SMS", you see all the messages that were sent to this number. So while testing a target, if you need a dummy phone number, you can use this website, and you see some of the codes are already here. Some people are using this website for generating some codes or OTPs. Now moving forward, we have another website named whatismyipaddress.com. So this website is used to collect information about an IP or the ISP server information. So right now the IP I'm using is displayed here. I'm using an IPv4 address as well as IPv6. My ISP name is Bharti Airtel and the ISP location is Delhi, India. The region is also Delhi and the country is India.
But if you have some IP and want to know the information about the ISP, copy the IP and go to IP Lookup, paste your IP and click on "Get IP details". Now you have all the information related to your IP. So what is your IP? This is your IP. The ASN number is this. The ISP is Bharti Airtel Limited. The country is India, state Haryana, city Gurgaon, and the latitude and longitude of the ISP server as well. So if you want all the other information related to your IP, you can use this IP Lookup tool, where you can put in your IP and know the details of your IP. Moving forward, if you want an email for dummy purposes, you can use a disposable email address as well. If you want to register on some targets with some dummy or instant email, you can use this website, instantemail.org, where you can receive and send mail as well. So this is your email address, WEL55 at freegmail.club. If you use this email address, all the email that is sent to this address will be displayed here. So generally, why do we need this website? While doing research, you don't want to put in your original email. So we use these dummy emails as well. We have one more website for this purpose. The name is emailondeck.com. This website is also used to generate temporary emails. So you need to check the captcha. After clearing the captcha, you will see an email address. So now you can use this email address, and if anyone sends an email to this address, your email will be displayed here. Don't close the page. Don't close the tab, because once you close the tab, your email address will be lost. So if you are registering on a target, don't close the tab. Wait till your message or your email has arrived. So we have four websites. I used four websites: ssllabs.com for collecting the information related to our SSL certificate.
whatismyipaddress.com for collecting the information related to our IP: what is our IP location, where the IP is located, or the ASN number or the latitude and longitude of the ISP server. receivesms.com for generating some dummy or fake phone numbers. instantemail.org for generating some dummy email addresses. Now we have one more website, iplogger.org. See, if you want to track an IP address, this website can help you. This website will create a link. You can forward this link to anyone. If someone visits or clicks on this link, their IP will be tracked and you can see their location, their information, or their IP address as well. Then whatismyipaddress.com to get the IP address details. So how does this work? How will you track someone's IP address? So you need to go to iplogger.org. Then you need to sign in. You need to create an account. To create an account, you need to sign up. I already created an account, so I will use this with my credentials. This is my credential. This is how the website looks. You need to go to "Location tracker". This is the tool section where you will find the location tracker. In the location tracker, you can use this "Create" section. When you click on "Create", you will find a link. You can copy the link. This is the link. So if I forward this link to anyone and someone visits the link or clicks on the link, their IP will be tracked. So I'm clicking here, and you can see this will ask to allow the map or to allow my location; scroll down, refresh the page. As you can see, here is the information I gathered. So if someone clicks on this link, you will get all the information. You can see what the country is. The country is India. Device: OS X; I'm using Apple and the Firefox browser. And the device identifier is this. And if you click this, it will tell you the accurate location of the person who is using this link or clicked on this link. So this is the information. I'm using the Bharti Airtel ISP.
The IP is this and the city is this, the state is this. And you see the exact information, exact mapping information as well. So if you want to track someone's IP, if you want to track a person, you will need to create an account on this website. Go to the IP location tracker, click "Create a link", create a link. Also you can modify this link. You need to go there and add your domain. So these domains are publicly available. Like right now the link is this, iplogger.com and some path name. So you can use your own path, like "free data". And I'm changing the domain name as well. So I'm using ip.su and then save. So now your new link will be the new domain and the word or the path you put. So you can modify your link as well. So if you forward this link to someone, someone will be trapped and will click on this link, and you have the information, you have their IP. So for tracking purposes, you can also use this. This website already has various tools, but these tools are not effective; but the location tracker will be working fine and absolutely giving you the right information. So we collected the certificate information, we collected the IP information. We also tracked someone's IP. If you want a dummy number, you can use this website. If you want a dummy email address, you can use this website. Now we have some more websites as well for your footprinting process. So the website names are: if you want a reverse domain IP check, like if you want to know what some of the domain names are which are hosted on your same server, you will use this website. The website name is yougetsignal.com. Click on "Reverse IP domain check", put in your target (I'm putting in a target) and then check. So this will tell you that 989 domains are hosted on the same web server as facebook.com.
So on the server facebook.com is hosted on, there are 989 other domains that use the same web server for their applications, and mostly, because Facebook is a big company, their server is owned by Facebook only. So all the domains are related to Facebook. So you can see all the other different domains: attachment.fb.me, facebook.com; these are the domains Facebook hosts on the same server facebook.com is hosted on. Now if you want to check your ports, which port numbers are running on your website, you can use the website's IP. So we need to find out the Facebook IP as well; for finding the IP, you need to go to your terminal, which is your CMD, and ping Facebook, so you will get the IP of Facebook. So this is the Facebook IP; go there and put in your IP. And if you want to check if port 18 is open or not, click on check. So this displayed an internal server error; we want to check with port number 443. This website is also not working, so we use an alternate, DNS Checker, dnschecker.org, where you will put in your website name and click on search. So these are the different IP addresses at different locations Facebook is using. So you can find all the other DNS records as well, like A record, AAAA record. If you want to find the IPv6 of facebook.com, you need to select the AAAA record and then click on search. Here is the information related to the IPv6 address. If you want to find out the mail exchange server, click on MX and then search. So these are the mail servers Facebook is using. If you want to find some TXT records, you click on search and the TXT records are displayed. So these are the TXT records of facebook.com at different locations. We also have a website, digitalocean.com; put the domain in the URL, like facebook.com, press enter and then you have the DNS information as well. Here is the DNS information about facebook.com.
So what is the IP address, TXT record if they have any, MX record (mail server record), AAAA record (IPv6 record), CNAME record. There is no CNAME record available, so this is blank. CAA record is issuer; this is basically the certificate authorities. NS record, name server record: so these are the four name servers facebook.com is currently using. SRV records, DMARC records, SSHFP records, TLSA record. So these are the DNS records of facebook.com. So for the DNS records, we use two websites. One is DNS Checker and the other one is digitalocean.com/community/tools/dns. If you want to find out some of the links, we have one website, Visual Site Mapper. This website I think is not working, so we will use osintframework.com. Basically OSINT Framework is a collection of different websites for doing OSINT work. So if you want to find out the email address of any domain, you need to click on "Email Address", then what kind of work you want to do, like I want an email search; then we have all these websites. So Hunter.io: we previously checked this website for finding the email addresses of any domain. These are the alternatives to Hunter.io. So we have various application records on OSINT Framework. We have various applications, various website names. Like if you want to find the IP address, you need to click here, and these are the tools or tasks we want to do on some other application. So if you want to find an IPv4 address, these are the website names. Like aslookup.com: you need to click on that, and the website is not working. This website is working, I think. So you can find the domain; you need to put in your domain, fill in the captcha and then search. So this website is also not working. Then IP loggers. So I already told you about iplogger.com. We have some alternatives, like grabify.link. So this website can also help you to track the IP address. So we have OSINT Framework for doing different tasks.
Like if you want to search for some people, these are some people search engines, like registries, registry finder, Amazon registry search. If you want to search telephone numbers, these are some of the websites you need to check for checking someone's phone number. This is working, like Truecaller. We are in India; we have Truecaller. So these are the other applications for searching phone records. These are the application websites for searching public records. Like if you want to find some birth records, some death records or US country data, we use this website. So osintframework.com is used for the many purposes you want. You need to click on all the sections and find your desired task, and then you have your websites. Then you can visit the website and find the information you want. Moving on, if you want to find out some broken links: so what are broken links? The website is using some link, but the link is right now not in use in the application source code. So if you want to find some broken links in your application source code, you use this website. The website name is Broken Link Checker. You need to put in your target, like www.facebook.com (I'm giving facebook.com), click on "Find broken links" and fill in the security captcha. "Find broken links now": click on "Find broken links now". So Facebook is restricting our access to this data. So we need to put in another domain. So let's change the domain. So this web application is processed. Two web pages were scanned and eight links were generated. These are all the broken links. These links you can find in the application source code, but on clicking on these links, there is something fishy or something is not working. So you can find the broken links with the help of this website. We also have an alternative for finding broken links. The website name is Dead Link Checker. So using this, you can also scan your websites for broken links.
You can scan the whole website or a single web page. The website name is deadlinkchecker.com. So the results which are displayed using this website: all these links are dead, but somehow not removed from the website source code. So this scan is still running. Let's wait for that. Let's scan a single domain, a single web page, with the help of this website. Click on check, fill in the captcha. This website is also checking the source code of the application. And there are no URLs found with an error. So all 87 URLs were checked and 87 are working. So if some links are not working, you can find them easily with the help of this website. You also have an alternative, ahrefs.com. You need to create an account for using the website, and using this, you can also scan your target for dead links. Let's see if the results are displayed; yes. So these links are not working but are somehow displayed in the website source code. So this is the broken link. And if you want to check, you copy the link and put it in your browser; you see the page is not found and it redirects to some other website, but this link is in the website source code. So here is the source code of att.com where this link is located. Now, if you want to find some SPF records for your target, you need to use this website. The website name is kitterman.com/spf/validate.html. You need to put in your domain name, like facebook.com, and click on "Get SPF record". So what is an SPF record? SPF means Sender Policy Framework. The record is used for generating emails or handling emails. So if a web server is using email or mail servers, this SPF DNS record will be used. So you can check the SPF records for your domain with the help of this tool. The tool name is kitterman.com/spf/validate. And you can clearly see the information of the SPF record. These are all the websites we have.
We also have one website which is suip.biz, and this website has different tools you can use for collecting information. If you want to find out the IP, if you want to find out your user agent, or if you want to find out locations, subnet IP, subnet calculator, CIDR; if you want to search on Google, if you want to use some encoding techniques, if you want to use anti-Cloudflare techniques. This website has some automated scanners as well. So we will be using this in our upcoming sessions for collecting information related to vulnerabilities. Now, if you want to find out some leaked data, you need to use this website. Previously, we collected emails using this website. So let's check the leaked data for some email address. There is no result for Facebook, but we can change our domain. Let's copy this email address and find the leaked data for this email address. So no results found. That means there is no leaked data available on the dark web or any other domains for this particular email address. So you can use this website to find out if your data is leaked in recent data breaches. And we have one more website for checking this. The website name is haveibeenpwned.com. You need to put in an email address, and if your email is breached or your data is breached in some of the recent breaches of any domain, you can see the result here. So you can see: Good news, no pwnage found. That means there is no data publicly available for this email address. Like if I put in my email address for dummy purposes, this is a dummy email address, and you can see this email address is breached in these recent breaches. Like Apollo, artsy.com, Bitcoin forum, Canva, Citizot, Domino's. So the data breaches of these websites also have my email address and my data and my email details as well. So we have two websites to check the details related to your emails, like the leaked data related to your emails. One is intelx.io. You need to sign up on this website.
This website is paid, but you can use the free trial. And this website is free; there is no need for registration. Also, we have one more website. The website name is dehashed.com. This website also helps you to find leaked data. So this is a paid website. You need to purchase a subscription before using this. That's why I will not suggest you use this, but you can use the free version of all these websites for checking if your data is somehow leaked in some recent data breaches or not. So guys, that's it for today. Tomorrow we will learn about how to use the Linux operating system and how to install some Python- or Go-based tools in your Linux operating system. So the operating system we are using is this, Kali Linux (kali.org). You need to download the operating system from here. And this is a Linux-based operating system. This is mainly designed for security purposes, because this operating system has some of the tools we use in penetration testing, security research, computer forensics and reverse engineering. So this operating system is dedicated to cybersecurity. We have one more operating system for this type of work. The operating system name is Parrot, and you can download it from this website, parrotsec.com. This is a dedicated operating system for security purposes and you can use this as well. So from tomorrow we are installing some of the scripts related to security written in Python or Go. So now if you have any questions, you can ask me in the pinned... Yeah, guys, if you have any questions, just ask in the chat so that Sumit can answer. And you can utilize the Telegram group as well, right? So if you have any doubt, you can go through the stream again; it will be available in the form of a recording after the stream has ended. So you can just go through whatever technical information Sumit shared with you. So I think everything is important as far as web application security is concerned.
So go through the recording once again, and I hope you understood whatever he explained. So Sumit, I don't see any questions, so maybe if they watch the recording once again, they will have something. No problem, you can ask me in the Telegram group as well. The links are in the video description. You can put your questions in the Telegram group so I can answer whatever problems you have. Okay, so yeah. Also, these websites are important for collecting our information, because using this information we will move forward to scan our targets. So while we do scanning, we need this information, so you need to practice how these websites work, how you can collect information on different websites. So go once more, visit the websites, test with different domains so you will understand how this works, and that will help you to proceed further. Okay, so I think more than 75 folks joined and right now also we have 12 folks, so it was a good response, and I think once we end the stream more than 500 folks will be watching the session, and a few sessions crossed 1,000 views as well. So I think within a short period of time we are getting a good response in this cybersecurity as well, and as time progresses, whenever people get more insight, we'll be having more response from the people. So thank you, Sumit, for your efforts. I really appreciate it, and let's complete this bootcamp as soon as we can, and then we'll plan some more activities with the folks. Okay, thank you, Sumit, and thank you guys.