We covered another Open Source Intelligence (OSINT) case in which we investigated a domain name using different OSINT tools to uncover its history. We also used the Wayback Machine (archive.org) to look at past appearances of the given domain and extract other hints. We found that one of the given domains uses PBNs, or private blog networks, to build a set of backlinks in order to trick search engines into ranking it higher. This was part of the TryHackMe WebOSINT room.

Highlights

What is OSINT?

OSINT is the process of gathering information about the target’s system, network and defenses using passive methods. It includes collecting data from publicly available sources such as DNS registrars, web searches, security-centric search engines like Shodan and Censys, and social media websites such as Facebook, Instagram, Reddit, LinkedIn, etc.

Another type of open source intelligence is information about vulnerabilities and other security flaws, including sources like the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) resources.

OSINT Domain Tools

ViewDNS.info provides a convenient UI for looking up registration information on a target website. Using this information, it may be possible to draw certain conclusions that are not clearly spelled out, such as whether the website is hosted on a shared or dedicated IP address. The answer to this question can imply things about the website’s budget as well as traffic.

OSINT For The Web

Often, clues about a website and its creator/owner are unintentionally left behind in the source code of the website. Pretty much every web browser has a way to view a page’s source, and it is well worth taking the time to become acquainted with how this works in your browser of choice. For Chrome on macOS, go to the top menu bar and choose View > Developer > View Source.

Clues such as a Google Analytics property ID, an AdSense ID, developer comments or even email addresses can be found using this technique.
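As an added example (not part of the original walkthrough or the room), the sketch below pulls those identifiers out of a page's source; it is equally useful for reviewing what your own pages disclose. The regular expressions are assumptions about the usual shapes of these IDs, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Assumed shapes of identifiers that commonly survive in page source.
PATTERNS = {
    "google_analytics": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b"),
    "adsense_publisher": re.compile(r"\b(?:ca-)?pub-\d{10,20}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


class SourceClues(HTMLParser):
    """Collects developer comments (<!-- ... -->) from raw HTML."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        text = data.strip()
        if text:
            self.comments.append(text)


def extract_clues(html):
    """Return de-duplicated identifiers and comments found in the source."""
    parser = SourceClues()
    parser.feed(html)
    clues = {name: sorted(set(m.group(0) for m in rx.finditer(html)))
             for name, rx in PATTERNS.items()}
    clues["comments"] = parser.comments
    return clues


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<!-- TODO: ask webmaster@example.org to renew hosting -->
<script>ga('create', 'UA-1234567-2', 'auto');</script>
<script data-ad-client="ca-pub-1234567890123456" async></script>
</head><body><a href="mailto:editor@example.org">Contact</a></body></html>"""

if __name__ == "__main__":
    for kind, values in extract_clues(SAMPLE).items():
        print(kind, values)
```

A shared analytics or AdSense ID across two domains is a lead to confirm with other evidence, not proof of common ownership on its own.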

Room Answers

What is the name of the company the domain was registered with?

NameCheap, Inc

What phone number is listed for the registration company? (do not include country code or special characters/spaces)

9854014545

What is the first nameserver listed for the site?

NS1.BRAINYDNS.COM

What is listed for the name of the registrant?

redacted for privacy

What country is listed for the registrant?

IGuideClaus2020

Iceland

What is the first name of the blog’s author?

Steve

What city and country was the author writing from?

Gwangju, south korea

[Research] What is the name (in English) of the temple inside the National Park the author frequently visits?

Jeungsimsa Temple

What was RepublicOfKoffee.com’s IP address as of October 2016?

Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?

shared

What is the second nameserver listed for the domain?

NS2.HEAT.NET

What IP address was the domain listed on as of December 2011?

72.52.192.240

Based on domains that share the same IP, what kind of hosting service is the domain owner using?

shared

On what date was the site first captured by the Internet Archive? (MM/DD/YY format)

06/01/97

What is the first sentence of the first body paragraph from the final capture of 2001?

After years of great online gaming, it’s time to say good-bye

Using your search engine skills, what was the name of the company that was responsible for the original version of the site? 

segasoft

What does the first header on the site on the last capture of 2010 say?

Heat.net – Heating and Cooling

How many internal links are in the text of the article?

5

How many external links are in the text of the article?

1

Website in the article’s only external link (that isn’t an ad)

purchase.org

Try to find the Google Analytics code linked to the site

UA-251372-24

Is the Google Analytics code in use on another website? Yay or nay

nay

Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay

nay

Use the tools in Task 4 to confirm the link between the two sites. Try hard to figure it out without the hint.

Liquid Web, L.L.C

OSINT Challenge Key takeaways

Although there are loads of advertisements on our target website, that is probably a tiny percentage of the money this site makes.

It would require further investigation to confirm this but it’s a good bet that the creators of these two sites make most of their money by functioning as what’s called a private blog network (PBN). PBNs exist for one purpose: to convince the search engine algorithms that another site should rank higher in the search engine results.

Modern search engines work by mapping the internet by its links. This gets extremely complicated very quickly, but as a generalization they work on a few assumptions:

  1. How well a site answers users’ questions on a topic can be evaluated by the incoming, outgoing, and internal links it has. The presence of a lot of links to website A from websites B, C, D, and E is taken as a sign that website A is authoritative on the topic. Outgoing links are treated a little differently. Too many outgoing links can hurt a site’s ranking, but search engines also assume that a website with too few outgoing links is probably not answering users’ questions very well either.
  2. How authoritative the websites are that are sending and receiving links. If your site gets plugged in a New York Times article, that will earn far more ‘Google juice’ than a plug on CedarHillsHomeownersAssociation.xyz.
  3. Relevance of the incoming links to a site. A link to a site from top tier websites like the New York Times is always going to be a very good thing. Almost as good, though, would be a link from a reputable website dedicated to the same topic as yours. The relevance of the language used in the hyperlink itself is also an important part of this consideration.

Let’s say we are creating a new website. In order to get some SEO juice flowing to it, we’ll need to get another website to start linking to our site as fast as possible. A common (white hat) method of doing this would be volunteering to write free blog articles on other websites in exchange for links back to your site.

As you can imagine, this takes a lot of time. It is a long term endeavor that could take six months or so to see results, depending on how much competition there is for the keywords you are targeting.

Thinking like a hacker here, what’s a good way to give your new website (called ‘money site’) a faster boost in the search engine rankings? Highlight the below section once you have an idea in your head.

By setting up a separate website that is completely under your control and exists for the sole purpose of telling search engines that your main site should rank higher in searches than it rightfully deserves.

That’s right, heat[.]net, in its current form is probably not designed for human eyes at all. It is designed primarily to trick the search engines into placing purchase[.]org higher in the search results than it would have otherwise.

Purchase[.]org appears to be a drop shipping e-commerce site, which probably earns its owner substantially more money than heat[.]net. It needs that sweet sweet SEO juice to push it up the search engine results pages (AKA SERPs) though.

Is all of this ethical? Good question. Google, for one, would clearly define this practice as black hat and is constantly trying to improve its algorithms to penalize sites that do this kind of thing. As of this writing, though, it is not illegal.

Is the site a scam? It is worth considering how much time and effort goes into setting up a PBN. A PBN ideally has a minimum of 50 pages of unique, natural-sounding and on-topic articles. That’s a lot of time and effort that went into getting a fast, short-term bump in the rankings, rather than into other aspects of the business, or even something as simple and affordable as pay-per-click marketing.

On the other hand, you might be surprised to learn just how common it is for websites to hire SEO agencies. Some of these agencies, whether they admit it or not, have hundreds of PBNs and a staff of writers (usually offshore) pumping out content designed solely for the consumption of the search algorithms.
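The link counts asked for in the room, and the PBN pattern described above (many internal links plus a single outbound link to the money site), can be checked mechanically. The following is an added example, not code from the room or the original post: the affiliate parameter names are an assumption, and the article fragment and domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumption: parameter names that commonly carry affiliate codes.
AFFILIATE_PARAMS = {"ref", "aff", "affid", "affiliate", "tag", "partner"}


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) for every <a href> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_profile(html, page_url, site):
    """Split an article's links into internal/external and flag affiliate codes."""
    collector = LinkCollector()
    collector.feed(html)
    profile = {"internal": [], "external": [], "affiliate": []}
    for href, text in collector.links:
        url = urlsplit(urljoin(page_url, href))  # resolve relative links
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            continue  # mailto:, javascript: and similar are not web links
        internal = host == site or host.endswith("." + site)
        profile["internal" if internal else "external"].append((url.geturl(), text))
        if AFFILIATE_PARAMS & set(parse_qs(url.query)):
            profile["affiliate"].append(url.geturl())
    return profile

# Constructed article fragment; the domains are placeholders, not real sites.
PAGE_URL, SITE = "https://pbn-example.test/articles/cooling", "pbn-example.test"
SAMPLE = """<p>Pick a <a href="/guides/sizing">properly sized unit</a>, compare
<a href="https://www.pbn-example.test/filters?page=2">filter types</a>, then
<a href="https://shop.example.org/ac?ref=blog17">buy an air conditioner</a>.
<a href="mailto:info@pbn-example.test">Email us</a></p>"""

if __name__ == "__main__":
    print(link_profile(SAMPLE, PAGE_URL, SITE))
```

The anchor text is kept alongside each URL because, as noted above, the wording of the hyperlink itself is part of what search engines weigh.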

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
