Skip to content

information-gathering.md

Latest commit

 

History

History
286 lines (235 loc) · 12.1 KB

information-gathering.md

File metadata and controls

286 lines (235 loc) · 12.1 KB

🔍 Information Gathering

Passive Information Gathering & OSINT

  • These techniques refer to gaining information from publicly available sources
  • By doing so, the attacker gains information about the target, without any type of active scanning
  • This ensures that the target will never be aware that we are obtaining information about it, since there is no form of direct interaction

External Resources:

  1. OSINT Cheat Sheet
  2. Compass Security OSINT Cheat Sheet
  3. OSINT Packet

Google Dorks

Google can be a powerful tool for penetration testing and bug-bounty hunting. Google's crawling capabilities can help us find exposed files, scripts and other critical resources in web applications.

Useful resources:

Generic Queries

site:*.target.com intext:uncaught
site:*.target.com intext:error
site:*.target.com intext:parameter
site:*.target.com intext:missing
site:*.target.com intext:"stack trace"
site:*.target.com intext:php
site:*.target.com intext:jsp
site:*.target.com intext:asp
site:*.target.com intext:include_path
site:*.target.com intext:undefined
site:*.target.com intext:sql
site:*.target.com intext:invalid
site:*.target.com intext:exception
site:*.target.com intext:fatal
site:*.target.com intext:CONFIG
site:*.target.com intext:login
site:*.target.com intitle:"index of"
site:*.target.com inurl:prod
site:*.target.com inurl:&
site:*.target.com inurl:dev
site:*.target.com inurl:staging
site:*.target.com inurl:stg
site:*.target.com inurl:debug
site:*.target.com inurl:admin
site:*.target.com inurl:internal

Apache Services

site:*.target.com intitle:"apache tomcat/"
site:*.target.com "Apache Tomcat examples"
site:*.target.com intext:"apache"
site:*.target.com intitle:"Solr Admin"
site:*.target.com intext:"This is the default welcome page used to test the correct operation of the Apache2 server"
site:*.target.com intitle:"index of" "powered by apache "
site:*.target.com intext:"Apache server status for"
site:*.target.com intitle:"Apache2 Ubuntu Default Page: It works"
site:*.target.com intitle:"WAMPSERVER homepage" "Server Configuration" "Apache Version"
site:*.target.com intitle:"Test Page for the Apache HTTP Server"

Files

site:*.target.com ext:txt
site:*.target.com ext:php
site:*.target.com ext:php5
site:*.target.com ext:phtml
site:*.target.com ext:xhtml
site:*.target.com ext:key
site:*.target.com ext:pem
site:*.target.com ext:ovpn
site:*.target.com ext:log
site:*.target.com ext:asp
site:*.target.com ext:aspx
site:*.target.com ext:jsp
site:*.target.com ext:dat
site:*.target.com ext:yml
site:*.target.com ext:bak
site:*.target.com ext:zip
site:*.target.com ext:yaml
site:*.target.com ext:json
site:*.target.com ext:xml
site:*.target.com ext:env
site:*.target.com ext:conf
site:*.target.com ext:ini
site:*.target.com ext:cfg
site:*.target.com ext:cgi
site:*.target.com ext:ccm
site:*.target.com ext:sql
site:*.target.com ext:cdx
site:*.target.com ext:ics

GraphQL queries

site:*.target.com intext:"GRAPHQL_PARSE_FAILED"
site:*.target.com intext:"GRAPHQL_VALIDATION_FAILED"
site:*.target.com intext:"BAD_USER_INPUT"
site:*.target.com intext:"UNAUTHENTICATED"
site:*.target.com intext:"FORBIDDEN"
site:*.target.com intext:"PERSISTED_QUERY_NOT_FOUND"
site:*.target.com intext:"PERSISTED_QUERY_NOT_SUPPORTED"
site:*.target.com intext:"INTERNAL_SERVER_ERROR"

Domain Information using Crt.sh & Shodan

  1. Output and Download JSON:

    curl -s https://crt.sh/\?q\=test.com\&output\=json | jq .

  2. Filter JSON by subdomains:

    curl -s https://crt.sh/\?q\=test.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

  3. Make an ip-address wordlist:

    for i in $(cat subdomainlist);do host $i | grep "has address" | grep test.com | cut -d" " -f4 >> ip-addresses.txt;done

  4. Run shodan on those ip addresses:

    for i in $(cat ip-addresses.txt);do shodan host $i;done

Passive Domain Enumeration

Resource/Command Description
VirusTotal URL and domain analysis
Censys Search engine for internet-connected devices
Crt.sh Certificate search
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.\[]' | sort -u All subdomains for a given domain
curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.\[]' | sort -u All TLDs found for a given domain
curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.\[]' | sort -u All results across all TLDs for a given domain
curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.\[]' | sort -u Reverse DNS lookup on IP address
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.\[]' | sort -u Reverse DNS lookup of a CIDR range
curl -s "https://crt.sh/?q=${TARGET}\&output=json" | jq -r '.\[] | "(.name\_value)\n(.common\_name)"' | sort -u Certificate Transparency
cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done Searching for subdomains across multiple sources
Netcraft SearchDNS Search public information about a hostname

Passive Infrastructure Identification

Resource/Command Description
Netcraft Internet data mining
WayBackMachine Historical website snapshots
WayBackURLs Fetch URLs from WayBackMachine
waybackurls -dates https://$TARGET > waybackurls.txt Crawling URLs from a domain with the date

Active Information Gathering

  • By using active scans against the target, we can gain more (reliable) information about it
  • Whenever we are executing external scans, nmap and many other different tools can help us gain a lay of the land of the target surface

Protocols and Services Footprinting with NMAP

  • Scanning a target with nmap may reveal services, open ports, service versions, operating system and so on
  • After gaining a lay of the land of the protocols and services granted by the target, refer to the Protocols and Services Notes for more information

NMAP Scanning Options

Nmap Option Description
10.10.10.0/24 Target network range
-sn Disables port scanning
-Pn Disables ICMP Echo Requests
-n Disables DNS Resolution
-PE Performs the ping scan by using ICMP Echo Requests against the target
--packet-trace Shows all packets sent and received
--reason Displays the reason for a specific result
--disable-arp-ping Disables ARP Ping Requests
--top-ports=<num> Scans the specified top ports that have been defined as most frequent
-p- Scan all ports
-p22-110 Scan all ports between 22 and 110
-p22,25 Scans only the specified ports 22 and 25
-F Scans top 100 ports
-sS Performs an TCP SYN-Scan
-sA Performs an TCP ACK-Scan (best for firewall and ids/ips evasion)
-sU Performs an UDP Scan
-sV Scans the discovered services for their versions
-sC Perform a Script Scan with scripts that are categorized as "default"
-sL List Scan - simply list targets to scan
--script <script> Performs a Script Scan by using the specified scripts
-O Performs an OS Detection Scan to determine the OS of the target
-A Performs OS Detection, Service Detection, and traceroute scans
-D RND:5 Sets the number of random Decoys for firewall/IDS evasion
-e Specifies the network interface that is used for the scan
-S 10.10.10.200 Specifies the source IP address for the scan
-g Specifies the source port for the scan
--dns-server <ns> DNS resolution is performed by using a specified name server

NMAP Output Options

Nmap Option Description
-oA filename Stores the results in all available formats starting with the name of "filename"
-oN filename Stores the results in normal format with the name "filename"
-oG filename Stores the results in "grepable" format with the name of "filename"
-oX filename Stores the results in XML format with the name of "filename"

NMAP Performance Options

Nmap Option Description
--max-retries <num> Sets the number of retries for scans of specific ports
--stats-every=5s Displays scan's status every 5 seconds
-v/-vv Displays verbose output during the scan
--initial-rtt-timeout 50ms Sets the specified time value as initial RTT timeout
--max-rtt-timeout 100ms Sets the specified time value as maximum RTT timeout
--min-rate 300 Sets the number of packets that will be sent simultaneously
-T <0-5> Specifies the specific timing template [0=paranoid, 5=insane]

Vhosts, Subdomain and Web Content Fuzzing

  • Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion
  • Fuzzing techniques can also be used to discover vhosts, subdomains and web content

Active Infrastructure Identification

Resource/Command Description
curl -I "http://${TARGET}" Display HTTP headers of the target webserver
whatweb -a https://www.facebook.com -v Technology identification
Wappalyzer Browser extension for tech stack detection
wafw00f -v https://$TARGET WAF Fingerprinting
Aquatone Visual inspection tool
cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000 Screenshots of all subdomains

Active Subdomain Enumeration

Resource/Command Description
HackerTarget DNS Zone Transfer
SecLists Security wordlists
nslookup -type=any -query=AXFR $TARGET nameserver.target.domain Zone Transfer using Nslookup
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt" Bruteforcing subdomains
dnsrecon -d example.com -D subdomainwordlist.txt -t brt Subdomain bruteforcing using dnsrecon
dnsenum example.com Automated enumeration using dnsenum

DNS Enumeration

Command Description
nslookup $TARGET Identify the A record for the target domain
nslookup -query=A $TARGET Identify the A record for the target domain
dig $TARGET @<nameserver/IP> Identify the A record for the target domain
dig a $TARGET @<nameserver/IP> Identify the A record for the target domain
nslookup -query=PTR Identify the PTR record for the target IP address
dig -x @<nameserver/IP> Identify the PTR record for the target IP address
nslookup -query=ANY $TARGET Identify ANY records for the target domain
dig any $TARGET @<nameserver/IP> Identify ANY records for the target domain
nslookup -query=TXT $TARGET Identify the TXT records for the target domain
dig txt $TARGET @<nameserver/IP> Identify the TXT records for the target domain
nslookup -query=MX $TARGET Identify the MX records for the target domain
dig mx $TARGET @<nameserver/IP> Identify the MX records for the target domain