Information Gathering

What to gather?


  1. Infrastructure (Web server, CMS, Database ...)

  2. Application Logic

  3. IP / Domains / Subdomains

  4. Virtual hosts

General steps:

  1. Use whois on the domain to learn the registrar, registrant, name servers and other infrastructure hints

  2. Use nslookup to find the IP addresses of the domain

  3. Use whois again to find information about the found IP addresses

  4. Use arin.net / whois.domaintools.com / ripe.net to find the ISP

  5. Use Netcraft to do research on the domain

Gathering techniques

Whois

Example sources:

  • https://whois.domaintools.com

Gather:

  • Registrant and technical contacts

  • Name servers and their IP addresses

  • ISP / netblock owner (from a whois of the IP address)

DNS

We may use nslookup :

nslookup -type=<record_type> <ip_address / domain>

To query all records (many servers now refuse ANY, see RFC 8482, so fall back to querying A, AAAA, MX, NS and TXT individually if this returns nothing useful):

nslookup -type=ANY <domain>

Infrastructure

Find out the web server type and version (e.g. Apache / IIS).

Fingerprint

Find out:

  1. URL rewriting

  2. Load balancing

  3. Script engine (PHP / Python / Perl / ...)

Method 1: HTTP Response

For example, an Apache server may respond with the HTTP header Server: Apache , sometimes including the version. Administrators can change or strip these headers, so treat them as a hint rather than proof.

Method 2: Netcraft

Again, you may use https://www.netcraft.com to check the web server analysis.

Method 3: netcat

nc <target> <port>
HEAD / HTTP/1.0
(empty line: press Enter twice, the empty line terminates the request)

See if the response has the fields Server / X-Powered-By .

The Set-Cookie header can also reveal the technology through the default session cookie names. For example:

  • PHPSESSID > PHP

  • ASPSESSIONID* > classic ASP

  • ASP.NET_SessionId > ASP.NET

  • JSESSIONID > Java (servlet container)

Method 4: WhatWeb

whatweb <target_domain>
whatweb -v <target_domain>

Method 5: Wappalyzer

This is a browser plugin. When browsing a site, this plugin shows the technology behind.

Fingerprint Webserver Modules

Examples are mod_rewrite (driven by rules in .htaccess files) in Apache, and Helicon ISAPI_Rewrite or Ionic's ISAPI Rewrite Filter (IIRF) on IIS. All of these handle URL rewriting.

Enumerate Subdomains

Methods:

  • Netcraft

  • Google

  • Crawling / Brute force

  • Tools

  • Zone transfers

Google Method:

site:xxx.com -inurl:www
site:xxx.com -site:www.xxx.com

TheHarvester

theharvester

-d:    Domain to search
-l:    Limit the number of results to work with
-b:    Data source (e.g. bing / google / linkedin / ...)
-f:    Save the output to an HTML / XML file

Example:

theharvester -d google.com -b google -l 100 -f ./google-harvester.html

Zone Transfer

On Windows (the interactive ls command exists only in the Windows nslookup):

nslookup -type=NS <domain>

nslookup 
server <NameServer>
ls -d <domain>

Or using dig (try every authoritative name server listed in the NS records; secondaries are often the ones left open):

dig @<nameserver> <domain> AXFR
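
The same check automated across all name servers, as an added example that is not part of the original notes: try_axfr asks each NS of the domain for the zone and parse_axfr turns the dig answer section into a de-duplicated host list (example.com, the name servers and the records in the comments are placeholders; nothing here is from a real zone).

```shell
#!/bin/sh
# Added example (not from the original notes): try AXFR against every
# authoritative name server of a domain and turn the answer into a host list.
# example.com and the record data mentioned in comments are placeholders.

# Parse the answer section of `dig ... AXFR +noall +answer` on stdin and print
# "name type data" for A / AAAA / CNAME records, de-duplicated. SOA and NS
# records are skipped; the trailing dot is removed from the owner name.
# Input lines look like:  www.example.com.  3600  IN  A  192.0.2.10
parse_axfr() {
    awk '$4 == "A" || $4 == "AAAA" || $4 == "CNAME" { sub(/\.$/, "", $1); print $1, $4, $5 }' |
        LC_ALL=C sort -u
}

# Ask each NS for the zone; a refused transfer yields no answer records.
# Usage: try_axfr example.com   (needs network; not run here)
try_axfr() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        echo "== AXFR $domain @ $ns"
        records=$(dig "@$ns" "$domain" AXFR +noall +answer 2>/dev/null | parse_axfr)
        if [ -n "$records" ]; then
            printf '%s\n' "$records"
        else
            echo "   transfer refused or empty"
        fi
    done
}
```

The host names parse_axfr prints feed straight into the subdomain list, and the A records give the IP ranges to check with whois in the general steps above.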

Find Virtual hosts

fierce brute-forces DNS names under the domain (and attempts zone transfers on the way):

fierce -dns <domain>

(The Python rewrite of fierce takes --domain <domain> instead of -dns.) Virtual hosts that share an IP address but have no public DNS entry are found by requesting the IP with different Host headers and comparing the responses with the one the server gives for an unknown host.
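
The Host-header approach, as an added example that is not part of the original notes: response_signature is a helper written for this example that reduces a raw response to "status:body_bytes", and find_vhosts reports every name whose signature differs from the one the server returns for a made-up host (192.0.2.10, example.com and the wordlist are placeholders).

```shell
#!/bin/sh
# Added example (not from the original notes): find name-based virtual hosts
# on an IP by varying the Host header. The IP 192.0.2.10, example.com and the
# wordlist are placeholders; response_signature is a helper written for this
# example.

# Reduce a raw HTTP response on stdin to "status:body_bytes" so replies for
# different Host values can be compared against the default vhost.
response_signature() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }               # e.g. 200 from "HTTP/1.1 200 OK"
        in_body { bytes += length($0) + 1 }   # count body bytes incl. newline
        /^$/ && !in_body { in_body = 1 }      # first blank line ends headers
        END { printf "%s:%d\n", status, bytes }'
}

# Request / from IP:PORT with an explicit Host header; print its signature.
# Usage: probe_host 192.0.2.10 80 dev.example.com   (needs network)
probe_host() {
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$3" |
        nc -w 5 "$1" "$2" | response_signature
}

# Try each name in WORDLIST (one per line) as <name>.<domain> and print those
# whose reply differs from the baseline, i.e. from a Host the server does not
# know. Same status and size as the baseline usually means "no such vhost".
# Usage: find_vhosts 192.0.2.10 80 example.com names.txt   (needs network)
find_vhosts() {
    ip=$1; port=$2; domain=$3; wordlist=$4
    baseline=$(probe_host "$ip" "$port" "does-not-exist-$$.$domain")
    echo "baseline (unknown Host) signature: $baseline"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        sig=$(probe_host "$ip" "$port" "$name.$domain")
        if [ "$sig" != "$baseline" ]; then
            echo "candidate vhost: $name.$domain ($sig)"
        fi
    done < "$wordlist"
}
```

Comparing status and size rather than exact bodies avoids false positives from pages that embed timestamps or CSRF tokens; a candidate still needs a manual look, since a 301 to a different site and a genuinely different application both show up as "differs".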

Frameworks and Applications

Common applications:

  • Forums (phpBB, vBulletin)

  • CMS (Joomla, Drupal)

  • Blog platforms (WordPress, Movable Type)

  • Social networking scripts

For the exact application version (important when we want to find an exploit for it), we may:

  • Browse the website and look at the URLs / appearance / logic

  • Page source: HTML comments, meta generator tags, paths of bundled scripts and stylesheets

  • Response headers (Server, X-Powered-By and any application-specific headers)

For example, a Joomla URI looks like this (URL-decoded):

index.php?option=<component>&task=<task>

The option parameter names the component handling the request (com_<name>), so inspecting it reveals the installed add-ons.

Custom Applications

When seeing a customized application, ask yourself:

  1. Purpose?

  2. User Registration?

  3. Admin panel?

  4. Does it take inputs from users? What kind of input?

  5. Any file uploads function?

  6. What technology? JS / AJAX / Flash / ...

We could use Burp Suite's crawler to enumerate the site map. (Note: the crawler / Spider is only in Burp Suite Professional; the Community edition still builds the site map from whatever passes through the proxy while browsing.)

It is always good to draw a logical diagram / flow chart / block diagram to visualise the application flow. After understanding the logic, think about the attack surface. For example:

  • Client-side validation (bypass it with the proxy or the browser's developer tools; Firebug is obsolete)

    • SQLi / XSS

  • Database Interaction

    • SQLi

  • File upload / download

    • RFI / LFI

    • Webshell

  • Display of user supplied data

    • XSS

  • Redirections

    • HTTP response splitting / Header manipulation / Open redirect

  • Access controls / protected pages

    • Authentication bypass

  • Error messages

    • Sensitive information disclosure

  • Charting

    • Draw a table of attack surface for each component

Enumerate Resources

Files / Directory

  1. Spidering in Burp Suite Proxy.

  2. GoBuster / DirBuster

Interesting file extensions / suffixes (backups and includes left next to live files):

  • .bak

  • _bak

  • 01 / 001 (numbered copies)

  • .inc - include file (ASP / PHP), often served as plain text

  • .bac

  • .old

Users

Try to use the error messages to determine whether the user exists.

Tools: Burp Suite / Patator

Relevant Information via Misconfigurations

  • Directory listing

  • Logs / configuration files and their backups (e.g. Joomla's configuration.php)

    • configuration.php

    • configuration.php.bak

    • configuration.php.old

HTTP Verbs / File Upload

If a site allows the PUT method, there is a chance that we can upload something, provided that the directory is writable. To check, first send an OPTIONS request and look at the Allow header in the response:

OPTIONS / HTTP/1.1
Host: <site>

Then try:

PUT /writable_dir/test.html HTTP/1.1
Host: <site>
Content-Length: xxx

[CONTENT OF TEST.HTML]

If the response is 201 Created , we may try to upload a reverse shell! Note that Content-Length must be the exact byte count of the request body, so calculate it rather than guessing; then request the uploaded file with GET to confirm it is actually served.
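
The OPTIONS / PUT sequence scripted, as an added example that is not part of the original notes: build_put_request computes Content-Length from the file's real byte count, upload_succeeded interprets the status line, and check_options / put_upload are the online steps (target.example.com, the port and /writable_dir/ are placeholders).

```shell
#!/bin/sh
# Added example (not from the original notes): build the PUT request with a
# correct Content-Length and check the reply. Host names and paths below are
# placeholders.

# Print a raw PUT request for FILE to PATH on HOST. Content-Length is the exact
# byte count of the body (wc -c), which is easy to get wrong when typing the
# request by hand. Line endings are CRLF as HTTP requires.
build_put_request() {
    host=$1; path=$2; file=$3
    length=$(wc -c < "$file" | tr -d ' ')
    printf 'PUT %s HTTP/1.1\r\n' "$path"
    printf 'Host: %s\r\n' "$host"
    printf 'Content-Type: text/html\r\n'
    printf 'Content-Length: %s\r\n' "$length"
    printf 'Connection: close\r\n\r\n'
    cat "$file"
}

# Return 0 if a status line means the server stored the body (201 Created is
# the usual answer; 200 / 204 are what some servers return when overwriting).
upload_succeeded() {
    case "$1" in
        "HTTP/1."[01]" 20"[014]" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1 of the notes: ask which methods are allowed for PATH (needs network).
# Usage: check_options target.example.com 80 /writable_dir/
check_options() {
    printf 'OPTIONS %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$3" "$1" |
        nc -w 5 "$1" "$2" | tr -d '\r' | grep -i '^Allow:'
}

# Step 2: send the PUT, print the status line, return 0 on success (needs network).
# Usage: put_upload target.example.com 80 /writable_dir/test.html ./test.html
put_upload() {
    status=$(build_put_request "$1" "$3" "$4" | nc -w 5 "$1" "$2" | head -n 1 | tr -d '\r')
    echo "$status"
    upload_succeeded "$status"
}
```

A 201 only proves the server accepted the bytes; whether a .php or .aspx file uploaded the same way is executed rather than served as text still has to be tested with a GET on the new path.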

Google Hacking

Keywords:

  • intitle:

  • site:

  • filetype:"xxx"

  • "Index of"

  • "Directory listing for"

Shodan