OSINT : Les astuces cachées des noms de domaine | Ep. 4

Techno

30 Aug 202410:25

Summary

TLDRThis video delves into the intriguing world of open-source intelligence, focusing on how domain names can be exploited to uncover valuable information. It explains the structure of domain names and their management by entities like registrars, regulated by international organizations such as ICANN. The video demonstrates how to use the 'whois' command to extract information about a domain, including its creation date, registrar details, and contact information. It also covers the use of various online tools for further investigation, such as ViewDNS, MX Toolbox, and the Wayback Machine, which can reveal historical data, associated emails, and technological insights about websites. The presenter, an experienced cybersecurity professional, shares tips and introduces additional tools like crt.sh and osint.sh for comprehensive domain analysis.

Takeaways

🌐 A domain name is a unique address composed of a name and a top-level domain (TLD), such as 'example.com'.
🔎 The 'whois' command is commonly used to reveal information about a domain name, including its creation date, registration details, and registrar.
💾 On Windows, 'whois' can be downloaded and used to query domain information by navigating to the directory containing the extracted files and running the command.
📝 Public domain names are registered and managed by entities called registrars, which are accredited by organizations like ICANN.
🔑 The registrar is the accredited company that sells domains to the public and provides contact information and identifiers as part of the domain's WHOIS record.
🏢 The registrant is the entity that holds the rights to a domain name, responsible for registration fees and contact information updates.
📡 Domain name servers (DNS) resolve domain names into IP addresses, which are essential for web navigation and application queries.
🕵️‍♂️ Some domain owners may choose to hide their information using private registration services, making certain details unavailable to the public.
🔍 Tools like ViewDNS can be used to discover additional information about a domain, such as associated IP addresses and historical data.
📈 The Wayback Machine (web.archive.org) allows users to see historical snapshots of web pages, which can be useful for digital investigations or understanding changes over time.
🔗 Tools like Hunter and crt.sh provide functionalities to find associated emails and SSL/TLS certificates for a domain, respectively, which can be valuable for network intelligence gathering.

Q & A

What is the significance of a domain name in the context of the video?
-A domain name is a unique address typically composed of a name and a top-level domain. It can reveal various information about the entity that owns it, and is managed by entities called registrars under the governance of international organizations like ICANN.
What is the command used to gather information about a domain name?
-The command generally used to gather information about a domain name is 'whois'. It is available by default on Linux machines and can be downloaded for Windows.
How can one extract the content of a ZIP file as mentioned in the video?
-The content of a ZIP file can be extracted using a file extraction tool. On Windows, one can navigate to the directory containing the extracted files and use the 'dir' command to list the contents.
What information can be revealed by executing the 'whois' command on 'yube.com' as per the video?
-Executing the 'whois' command on 'yube.com' can reveal when the domain was created, when it was last updated, and the registrar managing the domain, among other details.
What is a registrar and what is its role in domain management?
-A registrar is an entity accredited by ICANN to sell domain names to the public. They handle the registration and management of domain names.
What does the term 'registrant' refer to in the context of domain names?
-The registrant refers to the person, business, or organization that registers and holds rights to a domain name. They are responsible for the payment of registration and renewal fees, as well as updating contact information associated with the domain.
What are the administrative and technical contacts associated with a domain?
-The administrative and technical contacts are the individuals or entities responsible for handling administrative and technical issues related to a domain name.
Why might some domain owners choose to hide their information?
-Some domain owners may choose to hide their information or use private registration services to protect their privacy and avoid spam or potential security threats.
What is the purpose of the 'viewDNS' tool mentioned in the video?
-The 'viewDNS' tool is used to identify the servers that host a domain and to check if certain ports are open on a server, which can be useful for network diagnostics and security assessments.
How can one use the 'Wayback Machine' to view historical changes of a website?
-The 'Wayback Machine' allows users to view historical snapshots of web pages, providing a timeline of changes made to a website over time.
What is the 'Hunter' tool and how does it assist in finding email addresses associated with a domain?
-The 'Hunter' tool searches for email addresses associated with a domain by scanning public web pages. It can provide contacts of individuals working for or associated with the domain.
What can one learn from the 'crt.sh' tool regarding a domain's SSL/TLS certificates?
-The 'crt.sh' tool allows users to search and view SSL/TLS certificates associated with a domain. It provides information on certificate validity dates and lists domains included in the certificate's subject alternative name field.
What is the 'OSINT.sh' platform and how does it aid in domain analysis?
-The 'OSINT.sh' platform is a collection of various tools that can be used for domain analysis, including identifying technologies used on a website, finding related subdomains, and checking domain history.

Outlines

00:00

🌐 Exploring Domain Names in Open Source Intelligence

This paragraph delves into the concept of domain names and their significance in Open Source Intelligence (OSINT). A domain name is a unique address comprising a second-level domain and a top-level domain, with examples provided. The paragraph introduces the use of the 'whois' command, which is standard on Linux and downloadable for Windows, to extract information about domain registration, management, and associated entities like registrars and their accreditation by international bodies. It also discusses the availability of domain information, including creation and update dates, registrar details, and contact information for registrants, while noting the option for private registration to mask such data.

05:02

🔎 Advanced OSINT Tools for Domain Name Investigation

Paragraph 2 expands on the tools and techniques used for in-depth investigation of domain names. It mentions 'viewDNS' for server and IP history, 'Wayback Machine' for viewing past versions of web pages, and 'Informer' for finding associated email addresses during domain registration. The paragraph also introduces 'Hunter' for discovering email addresses from public web pages and 'crt.sh' for exploring SSL/TLS certificates, including their validity dates and associated domains. The discussion includes the use of 'OSINT.sh', a collection of tools for website analysis, and 'subdomain Finder' for identifying related domains and their IP addresses. The paragraph concludes with 'whois history' for tracking domain ownership changes over time.

10:03

📚 Conclusion and Further OSINT Exploration

The final paragraph summarizes the video's content on using OSINT for domain name research and encourages viewers to explore further with suggested resources. It mentions an upcoming video on OSINT and Google Dorking, suggesting that viewers stay tuned for more insights into digital investigation techniques.

Mindmap

Keywords

💡Open Source Intelligence (OSINT)

Open Source Intelligence (OSINT) refers to the collection and analysis of information that is publicly available and can be legally gathered. In the context of the video, OSINT is used to explore how one can exploit domain names to uncover relevant information. The video dives into the fascinating world of OSINT, showing how domain names can be a treasure trove of data when it comes to cyber investigations or general research.

💡Domain Name

A domain name is a unique address, typically composed of a name and a top-level domain (TLD), used to identify a website or an organization on the internet. The video uses examples of domain names to demonstrate how they can be investigated for information using various tools and techniques, highlighting the significance of domain names in the digital landscape.

💡WHOIS

The WHOIS protocol is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address. In the video, the command 'whois' is mentioned as a tool to extract information about a domain, such as its creation date, update date, and registrar details, which are crucial for understanding the ownership and management of a domain.

💡Registrar

A registrar is an entity accredited by organizations like ICANN to sell domain names to the public. The video explains that public domain names are registered and managed by registrars, which are essential for understanding the administrative structure of domain name management. The example of 'Markmonitor Inc' as a registrar is given to illustrate this concept.

💡Registrant

The registrant refers to the person, corporation, or organization that registers and holds rights to a domain name. They are responsible for the payment of registration and renewal fees and updating contact information associated with the domain. In the video, 'Google LLC' is mentioned as the registrant for a domain, emphasizing the role of registrants in domain management.

💡DNS (Domain Name System)

DNS is the system that translates human-friendly domain names (like 'example.com') into IP addresses that computers use to identify each other on the network. The video mentions DNS servers and how they resolve domain names into IP addresses, which is fundamental to the functioning of the internet.

💡ViewDNS

ViewDNS is a tool mentioned in the video for various DNS-related lookups, such as finding the IP address of a domain or identifying other domains hosted on the same server. This tool is part of the OSINT toolkit for gathering intelligence on domain names and associated infrastructure.

💡Web Archive

A web archive, like the Wayback Machine mentioned in the video, is a service that periodically downloads and stores copies of web pages. It allows users to view how a website looked at a particular point in time. This is valuable for historical research or for investigations where a website's previous content is relevant.

💡Certificate Transparency (crt.sh)

Certificate Transparency is a system that adds accountability to the SSL/TLS certificate ecosystem. The video references 'crt.sh', a service that allows users to search and inspect SSL/TLS certificates. This can reveal associated domains and other details that are part of the certificate, which is useful for security analysis and understanding the scope of a website's encryption practices.

💡OSINT.sh

OSINT.sh is a collection of OSINT tools and resources mentioned in the video. It serves as a one-stop platform for various investigative tools, including those for domain analysis, website technology detection, and subdomain enumeration. The video suggests using OSINT.sh for a comprehensive approach to gathering open-source intelligence.

Highlights

Exploring the fascinating world of Open Source intelligence to uncover information associated with domain names.

A domain name is a unique address typically composed of a name and a top-level domain.

Public domain names are registered and managed by entities called registrars, governed by international organizations like ICANN.

The 'whois' command is commonly used to reveal information about a domain name, available by default on Linux machines and downloadable for Windows.

Extracting the content of a ZIP file is necessary before using 'whois' on Windows.

Using 'whois' on 'yube.com' reveals the domain was created on February 15, 2005, and last updated on January 14, 2024.

The registrar for a domain is an accredited company that sells domains to the public, exemplified by Markmonitor Inc.

ICANN provides a list of registrar IDs and their accreditation status, which can be checked for validity.

The registrant is the entity that registers and holds rights to a domain name, responsible for registration fees and contact information updates.

Administrative and technical contacts, as well as name servers, are crucial for domain management and can be revealed through 'whois'.

Some domain owners may choose to hide their information using private registration services, as seen with 'nostarche.com'.

ViewDNS is introduced as a tool for discovering DNS records and server information associated with a domain.

ViewDNS can also be used to check if certain ports are open on a server, providing basic scanning for security assessments.

Reverse DNS lookup with ViewDNS can identify all IP addresses that a domain has used, along with the last update timestamp.

Wxy is highlighted as a tool for domain registration history, showing past entities that have used a domain and their contact information if public.

The Wayback Machine is introduced for viewing historical snapshots of web pages, useful for digital investigations or understanding site evolution.

Hunter is a tool for finding email addresses associated with a domain, extracted from publicly available web pages.

Crt.sh is a resource for searching and reviewing digital certificates, including their validity dates and associated domains.

Osint.sh is a collection of various OSINT tools, including technology detection for websites and subdomain finding.

Whois history provides a timeline of domain ownership changes, contact information, and other updates.

The video concludes with a teaser for the next video on OSINT and Google Dorks, promising further insights into online investigations.