Information Gathering

Pentesting begins with identifying and analysing the target to maximise coverage of the attack surface.

What to look for:

  • IP addresses
  • Directories hidden from search engines
  • Names
  • Email addresses
  • Phone Numbers
  • Physical Addresses
  • Web technologies used

robots.txt: specifies the folders or files that should not be indexed by search engines, which is itself a hint at what the site owner wants to keep out of sight.

sitemap.xml: an XML file that gives search engines an organised way to index a website. A sitemap can sometimes reveal links that are not presented on the main web page.

  • builtwith: technology profiler, what web technology is running on the website
  • Wappalyzer: technology profiler
  • Kali's whatweb: command-line technology profiler
  • HTTrack: Mirrors a site locally to analyze source code

Whois lookup - getting information about a domain. Information to look for:

  • Name Server
  • Owner's personal details and registrar (in most cases this information will be redacted)

Use the CLI or https://whois.org

# lookup by domain
whois zonetransfer.me
# lookup by IP address (returns the netblock owner)
whois 172.67.155.53

https://www.netcraft.com/ Used to gather information about the target domain:

  • Background
  • Network
  • SSL/TLS
  • Hosting history
  • Web trackers
  • Site technology

DNS records associated with a domain. Look for:

  • Nameserver
  • A record
  • AAAA record
  • MX record

# quick lookup of A, AAAA and MX records
host google.com

# standard enumeration of the domain's records (SOA, NS, MX, A, AAAA, ...)
dnsrecon -d zonetransfer.me

DNSdumpster

WAF detection with wafw00f:

# list out the WAFs that the tool can detect
wafw00f -l
# test for a single WAF instance
wafw00f hackertube.net
# test for all WAF instances
wafw00f hackertube.net -a

Subdomain enumeration with sublist3r (passive, via search engines):

# restrict to specific search engines (comma-separated, no spaces)
sublist3r -d hackersploit.org -e google,yahoo
# use all supported sources
sublist3r -d hackersploit.org

Note: there may be no results because the search engines apply rate limiting.

Google search operators (dorks):

# restrict results to one domain
site:ine.com
site:ine.com inurl:admin
# include subdomains
site:*.ine.com
site:*.ine.com intitle:admin
# directory listing
intitle:"index of"
# Google's cached copy of the page
cache:ine.com
# exposed credential and configuration files
inurl:auth_user_file.txt
inurl:wp-config.bak

Resources:

https://github.com/laramies/theHarvester

# -d target domain, -b data source (here rapiddns); gathers emails, hosts and subdomains
theHarvester -d hackersploit.org -b rapiddns

https://haveibeenpwned.com/

Public DNS servers

  • Cloudflare (1.1.1.1)
  • Google (8.8.8.8)

DNS record types: A, AAAA, NS, MX, CNAME, TXT, HINFO, SOA, SRV, PTR

DNS interrogation

  • Enumerating DNS records
  • Probing a DNS server for the DNS records of a specific domain

DNS Zone Transfer https://digi.ninja/projects/zonetransferme.php. A DNS zone transfer uses the AXFR request type to copy all DNS records of a zone from one DNS server to another (normally primary to secondary). The security problem is that a server which answers AXFR for anyone leaks the complete record set of the zone.

Note
Zone transfer needs to be enabled on the server for this to work.

# Getting a copy of the zone from the primary server
dig axfr @nsztm1.digi.ninja zonetransfer.me

Records worth examining in the transferred zone:

  • SOA - primary name server, contact details and the serial number for the domain (if the serial is checked regularly, a change can indicate some activity in the company).
  • LOC - location stored as latitude/longitude. Convert from degrees/minutes/seconds using https://www.fcc.gov/media/radio/dms-decimal.
  • SRV - often used for VoIP setups to indicate SIP servers.
  • PTR - maps an IP address back to a domain name.

# enumerates records, attempts zone transfers and brute-forces subdomains
dnsenum zonetransfer.me
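As an added Python example (not from these notes or from any tool they mention), the following parses dig-style AXFR output like the command above produces, decodes a date-style SOA serial and converts a LOC record's degrees/minutes/seconds to decimal, which is the conversion the FCC page linked above performs. The zone lines are constructed sample data and example.test is a placeholder domain.

```python
import re
from datetime import date

# Constructed sample of dig-style AXFR output, not a capture from any real server.
SAMPLE_AXFR = """\
example.test.  7200  IN  SOA  ns1.example.test. hostmaster.example.test. 2024031502 172800 900 1209600 3600
example.test.  7200  IN  LOC  51 30 12.748 N 0 7 39.611 W 0.00m 0.00m 0.00m 0.00m
"""

def parse_records(text):
    """Split presentation-format lines into (name, ttl, type, rdata fields) tuples."""
    recs = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and parts[2] == "IN":
            recs.append((parts[0], int(parts[1]), parts[3], parts[4:]))
    return recs

def soa_serial_date(rdata):
    """Decode a YYYYMMDDnn-style SOA serial into a date, or None if it is not one.
    Date-based serials are only a convention, so anything that is not a real date is rejected."""
    serial = rdata[2]                       # rdata = mname rname serial refresh retry expire minimum
    if not re.fullmatch(r"\d{10}", serial):
        return None
    try:
        return date(int(serial[:4]), int(serial[4:6]), int(serial[6:8]))
    except ValueError:
        return None

def loc_to_decimal(rdata):
    """Convert RFC 1876 LOC rdata 'd [m [s]] N|S d [m [s]] E|W alt ...' to signed (lat, lon)."""
    coords, nums = [], []
    for tok in rdata:
        if tok not in ("N", "S", "E", "W"):
            nums.append(float(tok))
            continue
        if not nums:
            raise ValueError("hemisphere letter without degrees")
        d, m, s = (nums + [0.0, 0.0])[:3]   # minutes and seconds are optional, default 0
        value = d + m / 60 + s / 3600
        coords.append(round(-value if tok in ("S", "W") else value, 6))
        nums = []
        if len(coords) == 2:                # altitude and precision fields follow; not needed here
            return tuple(coords)
    raise ValueError("malformed LOC rdata")
```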

Hosts file

/etc/hosts

fierce
https://github.com/mschwager/fierce
Used to actively enumerate subdomains (brute force, so it generates traffic to the target's DNS).

fierce --domain zonetransfer.me

Host discovery: find devices on the network with a ping scan, no port scan.

# -sn: ping scan only (ICMP echo, plus ARP on the local subnet)
sudo nmap -sn 192.168.0.0/24
# uses ARP requests on the given interface
sudo netdiscover -i en0 -r 192.168.0.0/24

nmap default scan: SYN scan of the 1000 most common ports. Windows hosts will block ICMP pings, so use -Pn to skip host discovery.

# Perform the port scan without pinging first
nmap -Pn 192.168.0.134
# Specify port
nmap -Pn -p 80 192.168.0.134
# All ports
nmap -Pn -p- 192.168.0.134
# Port range
nmap -Pn -p1-1000 192.168.0.134
# Fast scan 100 common ports
nmap -Pn -F 192.168.0.134
# udp port scan
nmap -Pn -sU 192.168.0.134
# verbose
nmap -Pn -sU 192.168.0.134 -v
# service version
nmap -Pn -F -sV 192.168.0.134
# operating system
nmap -Pn -O 192.168.0.134