Information Gathering
Passive Information Gathering & OSINT
These techniques refer to gaining information from publicly available sources.
By doing so, the attacker gains information about the target without any kind of active scanning.
This ensures that the target is never made aware that we are obtaining information about it, since there is no form of direct interaction.
External Resources:
Google Dorks
Google can be a powerful tool for penetration testing and bug-bounty hunting. Google's crawling capabilities can help us find exposed files, scripts and other critical resources in web applications.
This blog post can be useful if you need to learn more about Google dorks.
You can also refer to the following:
Domain Information using Crt.sh & Shodan
Output and Download JSON:
curl -s https://crt.sh/\?q\=test.com\&output\=json | jq .
Filter JSON by subdomains:
curl -s https://crt.sh/\?q\=test.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
Make an ip-address wordlist:
for i in $(cat subdomainlist);do host $i | grep "has address" | grep "test.com" | cut -d" " -f4 >> ip-addresses.txt;done
Run shodan on those ip addresses:
for i in $(cat ip-addresses.txt);do shodan host $i;done
Passive Domain Enumeration
| Resource/Command | Description |
|---|---|
| VirusTotal | https://www.virustotal.com/gui/home/url |
| Censys | https://censys.io/ |
| Crt.sh | https://crt.sh/ |
| `curl -s https://sonar.omnisint.io/subdomains/{domain} \| jq -r '.[]' \| sort -u` | All subdomains for a given domain. |
| `curl -s https://sonar.omnisint.io/tlds/{domain} \| jq -r '.[]' \| sort -u` | All TLDs found for a given domain. |
| `curl -s https://sonar.omnisint.io/all/{domain} \| jq -r '.[]' \| sort -u` | All results across all TLDs for a given domain. |
| `curl -s https://sonar.omnisint.io/reverse/{ip} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup on an IP address. |
| `curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} \| jq -r '.[]' \| sort -u` | Reverse DNS lookup of a CIDR range. |
| `curl -s "https://crt.sh/?q=${TARGET}&output=json" \| jq -r '.[] \| "\(.name_value)\n\(.common_name)"' \| sort -u` | Certificate Transparency (the jq string interpolation needs the `\(...)` escapes). |
| `cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done` | Searches for subdomains and other information on the sources listed in sources.txt. |
| https://searchdns.netcraft.com/ | Search public information about a hostname using Netcraft. |
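The crt.sh commands above (the JSON download, the subdomain filter and the Certificate Transparency row in the table) all do the same job: pull every name out of crt.sh's `name_value` field, which joins several SANs with a literal `\n`, and reduce it to a unique list. The shell pipelines work, but they also keep wildcard entries, mixed-case names and `nottest.com`-style substring matches. The following is an added example, not code from the original notes; it parses a constructed crt.sh-shaped JSON document (the names in it are invented) and, as a defender would use it, diffs the result against an asset inventory to surface certificates issued for hostnames nobody registered.

```python
"""Extract subdomains from crt.sh JSON and compare them with a known-asset list.

Added example (not the original notes' code). SAMPLE_CRTSH_JSON is constructed
to look like crt.sh output; no network access is needed to run this.
"""
import json
import re

# Constructed sample resembling `curl -s "https://crt.sh/?q=test.com&output=json"`.
# crt.sh packs several SANs into one name_value, separated by a literal "\n".
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.test.com", "name_value": "www.test.com\ntest.com"},
    {"common_name": "*.test.com", "name_value": "*.test.com\nmail.test.com"},
    {"common_name": "dev.test.com", "name_value": "DEV.test.com\nstaging.test.com"},
    {"common_name": "nottest.com", "name_value": "nottest.com\nwww.nottest.com"},
    {"common_name": "CN=old.test.com", "name_value": "old.test.com"},
])

# RFC 1123 hostname with at least one dot; rejects junk such as "CN=..." entries.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def ct_subdomains(crtsh_json, domain):
    """Return the sorted, unique hostnames under `domain` found in crt.sh JSON.

    Handles the "\n"-joined SAN lists, case differences, wildcard entries
    ("*.test.com" is recorded as "test.com") and the substring false positive
    ("www.nottest.com" is not under "test.com").
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard certificate: keep the base name
            if not HOSTNAME_RE.match(name):
                continue  # "CN=..." and other non-hostnames are dropped here
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def unknown_hosts(ct_hosts, known_assets):
    """Defender view: CT-logged names that are missing from the asset inventory."""
    known = {h.lower().rstrip(".") for h in known_assets}
    return [h for h in ct_hosts if h not in known]


if __name__ == "__main__":
    hosts = ct_subdomains(SAMPLE_CRTSH_JSON, "test.com")
    print("\n".join(hosts))
    print("not in inventory:", unknown_hosts(hosts, ["www.test.com", "test.com", "mail.test.com"]))
```

To use it against live data, feed the output of the `curl -s "https://crt.sh/?q=${TARGET}&output=json"` command into `ct_subdomains`; running `unknown_hosts` on a schedule against the asset list is a cheap way to notice certificates issued for forgotten or unauthorised hostnames.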
Passive Infrastructure Identification
| Resource/Command | Description |
|---|---|
| Netcraft | https://www.netcraft.com/ |
| WayBackMachine | http://web.archive.org/ |
| WayBackURLs | https://github.com/tomnomnom/waybackurls |
| `waybackurls -dates https://$TARGET > waybackurls.txt` | Crawls archived URLs for a domain, with the date each was obtained. |
Active Information Gathering
By using active scans against the target, we can gain more (and more reliable) information about it.
Whenever we are executing external scans, nmap and many other tools can help us get a lay of the land of the target's attack surface.
Protocols and Services Footprinting with NMAP
Scanning a target with nmap may reveal services, open ports, service versions, the operating system and so on.
After gaining a lay of the land of the protocols and services exposed by the target, refer to the Protocols and Services Notes for more information.
NMAP Scanning Options
| Nmap Option | Description |
|---|---|
| `<network range>` | Target network range (a single host or a CIDR block). |
| `-sn` | Disables port scanning. |
| `-Pn` | Disables ICMP Echo Requests (host discovery); every target is treated as up. |
| `-n` | Disables DNS resolution. |
| `-PE` | Performs the ping scan by using ICMP Echo Requests against the target. |
| `--packet-trace` | Shows all packets sent and received. |
| `--reason` | Displays the reason for a specific result. |
| `--disable-arp-ping` | Disables ARP Ping Requests. |
| `--top-ports=<num>` | Scans the specified number of top ports, i.e. those defined as most frequent. |
| `-p-` | Scans all ports. |
| `-p22-110` | Scans all ports between 22 and 110. |
| `-p22,25` | Scans only the specified ports 22 and 25. |
| `-F` | Scans the top 100 ports. |
| `-sS` | Performs a TCP SYN scan. |
| `-sA` | Performs a TCP ACK scan. Note: useful for firewall and IDS/IPS evasion and for mapping which ports a firewall filters. |
| `-sU` | Performs a UDP scan. |
| `-sV` | Scans the discovered services for their versions. |
| `-sC` | Performs a script scan with the scripts that are categorized as "default". |
| `-sL` | List scan: simply lists the targets that would be scanned, useful to check which targets the scan covers. |
| `--script <script>` | Performs a script scan by using the specified scripts. |
| `-O` | Performs an OS detection scan to determine the OS of the target. |
| `-A` | Performs OS detection, service detection and traceroute scans. |
| `-D RND:5` | Sets the number of random decoys (here 5) that will be used to scan the target. Note: useful for firewall and IDS/IPS evasion. |
| `-e <interface>` | Specifies the network interface that is used for the scan. |
| `-S <ip>` | Specifies the source IP address for the scan. |
| `--source-port <port>` | Specifies the source port for the scan. |
| `--dns-server <nameserver>` | DNS resolution is performed by using the specified name server. |
NMAP Output Options
| Nmap Option | Description |
|---|---|
| `-oA <filename>` | Stores the results in all available formats, starting with the name "filename". |
| `-oN <filename>` | Stores the results in normal format with the name "filename". |
| `-oG <filename>` | Stores the results in "grepable" format with the name "filename". |
| `-oX <filename>` | Stores the results in XML format with the name "filename". |
NMAP Performance Options
| Nmap Option | Description |
|---|---|
| `--max-retries <num>` | Sets the number of retries for scans of specific ports. |
| `--stats-every=5s` | Displays the scan's status every 5 seconds. |
| `-v` | Displays verbose output during the scan. |
| `--initial-rtt-timeout <time>` | Sets the specified time value as the initial RTT timeout. |
| `--max-rtt-timeout <time>` | Sets the specified time value as the maximum RTT timeout. |
| `--min-rate <num>` | Sets the number of packets that will be sent simultaneously (a minimum sending rate per second). |
| `-T <0-5>` | Specifies the timing template [0=paranoid, 5=insane]. |
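The option tables above end with the output formats; of those, `-oX` is the one worth post-processing, because every fact the scan options produce (port state, the `--reason` for it, the `-sV` product and version) lands in a well-defined attribute. The following is an added example, not part of the original notes: it parses an nmap-style XML report into a flat list of rows and summarises open ports and service banners per host. The XML is a constructed sample in the shape nmap writes; the 10.0.0.x addresses, hostnames and versions in it are invented, and it was not produced by scanning anything.

```python
"""Summarise an nmap XML report (-oX) into per-host open ports and banners.

Added example, not part of the original notes. SAMPLE_NMAP_XML is constructed
to mirror nmap's XML layout; addresses and services in it are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per (host, port) in document order."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")  # first <address> is the IP
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "hostname": hostname,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),  # what --reason shows on the console
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return rows


def open_ports(rows, include_ambiguous=False):
    """Map host -> sorted 'port/proto' entries that are open.

    UDP "open|filtered" means no response was seen, so it is ambiguous and is
    only included when the caller asks for it.
    """
    wanted = {"open"} | ({"open|filtered"} if include_ambiguous else set())
    out = {}
    for r in rows:
        if r["state"] in wanted:
            out.setdefault(r["host"], []).append(f'{r["port"]}/{r["proto"]}')
    for host in out:
        out[host].sort(key=lambda s: int(s.split("/")[0]))
    return out


def service_banners(rows):
    """'host:port' -> 'product version' for ports where -sV identified a product."""
    return {
        f'{r["host"]}:{r["port"]}': " ".join(x for x in (r["product"], r["version"]) if x)
        for r in rows if r["product"]
    }


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(open_ports(rows, include_ambiguous=True))
    print(service_banners(rows))
```

Read the real file with `ET.parse("scan.xml").getroot()` in place of `fromstring`; keeping the `reason` column makes it easy to separate a port that answered `syn-ack` from one that merely timed out, which is the distinction the `--reason` option exists for.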
Vhosts, Subdomain and Web Content Fuzzing
Fuzz testing (fuzzing) is a black-box software testing technique that finds implementation bugs by injecting malformed or semi-malformed data in an automated fashion.
Fuzzing techniques can also be used to discover vhosts, subdomains and web content.
Refer to the Fuzzing Notes for more information.
Active Infrastructure Identification
| Resource/Command | Description |
|---|---|
| `curl -I "http://${TARGET}"` | Displays the HTTP headers of the target web server. |
| `whatweb -a 3 https://www.facebook.com -v` | Technology identification (`-a` takes an aggression level, 1 to 4). |
| Wappalyzer | https://www.wappalyzer.com/ |
| `wafw00f -v https://$TARGET` | WAF fingerprinting. |
| Aquatone | https://github.com/michenriksen/aquatone |
| `cat subdomain.list \| aquatone -out ./aquatone -screenshot-timeout 1000` | Takes screenshots of all subdomains in subdomain.list. |
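The `curl -I` and whatweb rows above identify technology mostly from what a server volunteers: the `Server` and `X-Powered-By` headers and the names of the session cookies it sets. The following is an added example, not from the original notes or from whatweb; it parses a constructed raw HTTP response (the header values and cookie names are invented for illustration, and the cookie-to-platform table is a small hypothetical subset of what real fingerprinting tools carry) and pulls out those hints.

```python
"""Extract technology hints from a raw HTTP response as `curl -I` prints it.

Added example, not part of the original notes and not whatweb's logic.
SAMPLE_RESPONSE is constructed; COOKIE_HINTS is a small illustrative table.
"""

# Constructed response; values chosen to exercise each hint source.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Default session-cookie names that give away the application platform.
COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java (Servlet container)",
    "asp.net_sessionid": "ASP.NET",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
}


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]); repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Collect server and platform hints from Server, X-Powered-By and cookie names."""
    status, headers = parse_headers(raw)
    hints = {"status": status, "server": None, "powered_by": None,
             "cookies": [], "platforms": set()}
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            hints["server"] = value
        elif lname == "x-powered-by":
            hints["powered_by"] = value
            hints["platforms"].add(value.split("/")[0])  # "PHP/7.4.3" -> "PHP"
        elif lname == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            hints["cookies"].append(cookie)
            if cookie.lower() in COOKIE_HINTS:
                hints["platforms"].add(COOKIE_HINTS[cookie.lower()])
    hints["platforms"] = sorted(hints["platforms"])
    return hints


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

Pipe `curl -sI "http://${TARGET}"` into it on a live host. From the defending side the same function is a quick audit of how much a server discloses: each populated field is something that can be trimmed (`ServerTokens Prod` in Apache, `expose_php = Off` in PHP, renamed session cookies) without affecting functionality.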
Active Subdomain Enumeration
| Resource/Command | Description |
|---|---|
| HackerTarget | https://hackertarget.com/zone-transfer/ |
| SecLists | https://github.com/danielmiessler/SecLists |
| `nslookup -query=AXFR $TARGET nameserver.target.domain` | Zone transfer using nslookup against the target domain and its nameserver. |
| `gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"` | Brute-forcing subdomains. |
| `dnsrecon -d example.com -D subdomainwordlist.txt -t brt` | Subdomain brute-forcing using dnsrecon. |
| `dnsenum example.com` | Automated enumeration using dnsenum. |
DNS Enumeration
| Command | Description |
|---|---|
| `nslookup $TARGET` | Identify the A record for the target domain. |
| `nslookup -query=A $TARGET` | Identify the A record for the target domain. |
| `dig $TARGET @<nameserver/IP>` | Identify the A record for the target domain. |
| `dig a $TARGET @<nameserver/IP>` | Identify the A record for the target domain. |
| `nslookup -query=PTR <IP>` | Identify the PTR record for the target IP address. |
| `dig -x <IP> @<nameserver/IP>` | Identify the PTR record for the target IP address. |
| `nslookup -query=ANY $TARGET` | Identify ANY records for the target domain. |
| `dig any $TARGET @<nameserver/IP>` | Identify ANY records for the target domain. |
| `nslookup -query=TXT $TARGET` | Identify the TXT records for the target domain. |
| `dig txt $TARGET @<nameserver/IP>` | Identify the TXT records for the target domain. |
| `nslookup -query=MX $TARGET` | Identify the MX records for the target domain. |
| `dig mx $TARGET @<nameserver/IP>` | Identify the MX records for the target domain. |
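The dig commands in the table print their results in presentation format, and the `any` query returns several record types at once. The following is an added example, not part of the original notes; it parses the ANSWER SECTION of a constructed `dig any` output (the domain, addresses and TXT values are invented) into records grouped by type, then orders the MX hosts by preference and picks out the SPF record, the two facts a mail-security review of a domain needs first.

```python
"""Parse the ANSWER SECTION of dig output into records grouped by type.

Added example, not part of the original notes. SAMPLE_DIG_ANY is constructed in
dig's presentation format; the names and addresses in it are invented.
"""
import re

SAMPLE_DIG_ANY = """
; <<>> DiG 9.18.1 <<>> any example.test @198.51.100.53
;; ANSWER SECTION:
example.test.\t\t300\tIN\tA\t203.0.113.10
example.test.\t\t300\tIN\tA\t203.0.113.11
example.test.\t\t3600\tIN\tMX\t20 mx2.example.test.
example.test.\t\t3600\tIN\tMX\t10 mx1.example.test.
example.test.\t\t3600\tIN\tNS\tns1.example.test.
example.test.\t\t300\tIN\tTXT\t"v=spf1 include:_spf.example.test ~all"
example.test.\t\t300\tIN\tTXT\t"google-site-verification=abc" "def"

;; Query time: 12 msec
"""

# owner  TTL  IN  TYPE  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
# One quoted string of a TXT record, allowing escaped quotes inside it.
TXT_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_answers(text):
    """Return {rtype: [rdata, ...]} built from the ANSWER SECTION only."""
    records = {}
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False  # blank line or next section ends the answers
        if not in_answer:
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        _owner, _ttl, rtype, rdata = m.groups()
        if rtype == "TXT":
            # dig prints long TXT records as several quoted strings; join them.
            rdata = "".join(TXT_STRING_RE.findall(rdata))
        records.setdefault(rtype, []).append(rdata)
    return records


def mail_servers(records):
    """MX targets ordered by preference (lowest number is tried first)."""
    mx = []
    for rdata in records.get("MX", []):
        pref, host = rdata.split(None, 1)
        mx.append((int(pref), host.rstrip(".")))
    return [host for _pref, host in sorted(mx)]


def spf_record(records):
    """The published SPF policy, or None if the domain has none."""
    for txt in records.get("TXT", []):
        if txt.startswith("v=spf1"):
            return txt
    return None


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG_ANY)
    for rtype, values in recs.items():
        print(rtype, values)
    print("MX order:", mail_servers(recs))
    print("SPF:", spf_record(recs))
```

Feed it `dig any $TARGET @<nameserver/IP>` output on a live domain; a missing SPF record, or one ending in `+all`, is the kind of finding this enumeration step exists to surface, whichever side of the assessment you are on.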