πŸ”Information Gathering

Passive Information Gathering & OSINT

  • These techniques refer to gaining information from publicly available sources

  • By doing so, the attacker gains information about the target, without any type of active scanning

  • Because there is no direct interaction with the target's systems, the target is not alerted that information is being collected about it

External Resources:


Google Dorks

Google can be a powerful tool for penetration testing and bug-bounty hunting. Google's crawling capabilities can help us find exposed files, scripts and other critical resources in web applications.

This blogpost can be useful if you need to learn more about Google dorks.

You can also refer to the following:

Generic Queries

site:*.target.com intext:uncaught

site:*.target.com intext:error

site:*.target.com intext:parameter

site:*.target.com intext:missing

site:*.target.com intext:"stack trace"

site:*.target.com intext:php

site:*.target.com intext:jsp

site:*.target.com intext:asp

site:*.target.com intext:include_path

site:*.target.com intext:undefined

site:*.target.com intext:sql

site:*.target.com intext:invalid

site:*.target.com intext:exception

site:*.target.com intext:fatal

site:*.target.com intext:CONFIG

site:*.target.com intext:login

site:*.target.com intitle:"index of"

site:*.target.com inurl:prod

site:*.target.com inurl:&

site:*.target.com inurl:dev

site:*.target.com inurl:staging

site:*.target.com inurl:stg

site:*.target.com inurl:debug

site:*.target.com inurl:admin

site:*.target.com inurl:internal

Apache Services

site:*.target.com intitle:"apache tomcat/"

site:*.target.com "Apache Tomcat examples"

site:*.target.com intext:"apache"

site:*.target.com intitle:"Solr Admin"

site:*.target.com intext:"This is the default welcome page used to test the correct operation of the Apache2 server"

site:*.target.com intitle:"index of" "powered by apache "

site:*.target.com intext:"Apache server status for"

site:*.target.com intitle:"Apache2 Ubuntu Default Page: It works"

site:*.target.com intitle:"WAMPSERVER homepage" "Server Configuration" "Apache Version"

site:*.target.com intitle:"Test Page for the Apache HTTP Server"

Files

site:*.target.com ext:txt

site:*.target.com ext:php

site:*.target.com ext:php5

site:*.target.com ext:phtml

site:*.target.com ext:xhtml

site:*.target.com ext:key

site:*.target.com ext:pem

site:*.target.com ext:ovpn

site:*.target.com ext:log

site:*.target.com ext:asp

site:*.target.com ext:aspx

site:*.target.com ext:jsp

site:*.target.com ext:dat

site:*.target.com ext:yml

site:*.target.com ext:bak

site:*.target.com ext:zip

site:*.target.com ext:yaml

site:*.target.com ext:json

site:*.target.com ext:xml

site:*.target.com ext:env

site:*.target.com ext:conf

site:*.target.com ext:ini

site:*.target.com ext:cfg

site:*.target.com ext:cgi

site:*.target.com ext:ccm

site:*.target.com ext:sql

site:*.target.com ext:cdx

site:*.target.com ext:ics

GraphQL queries

site:*.target.com intext:"GRAPHQL_PARSE_FAILED"

site:*.target.com intext:"GRAPHQL_VALIDATION_FAILED"

site:*.target.com intext:"BAD_USER_INPUT"

site:*.target.com intext:"UNAUTHENTICATED"

site:*.target.com intext:"FORBIDDEN"

site:*.target.com intext:"PERSISTED_QUERY_NOT_FOUND"

site:*.target.com intext:"PERSISTED_QUERY_NOT_SUPPORTED"

site:*.target.com intext:"INTERNAL_SERVER_ERROR"


Domain Information using Crt.sh & Shodan

  1. Output and download the certificate transparency records as JSON: curl -s https://crt.sh/\?q\=test.com\&output\=json | jq .

  2. Filter the JSON down to a list of unique subdomains and save it (name_value can hold several names separated by a literal "\n", which the awk call expands): curl -s https://crt.sh/\?q\=test.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist

  3. Make an IP-address wordlist from those subdomains: for i in $(cat subdomainlist); do host $i | grep "has address" | grep "test.com" | cut -d" " -f4 >> ip-addresses.txt; done

  4. Run Shodan against those IP addresses: for i in $(cat ip-addresses.txt); do shodan host $i; done
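The grep/cut pipeline above is fragile: it keeps wildcard names verbatim (so `host` later fails on them), is case-sensitive, and accepts any name that merely contains the string "test.com". The following Python parser for crt.sh's JSON shape is an added example (not code from the original notes or from crt.sh) that handles those cases and adds a baseline diff, which is how a defender would monitor certificate transparency for unexpected hosts under their own domain; the JSON sample is constructed, not a real crt.sh capture.

```python
import json
from typing import Iterable

# Constructed sample mimicking the shape of crt.sh's ?output=json response
# (not a real capture). name_value can hold several names separated by "\n".
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.test.com",
     "name_value": "www.test.com\ntest.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.test.com",
     "name_value": "*.dev.test.com\napi.dev.test.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA",
     "common_name": "Mail.Test.COM",
     "name_value": "Mail.Test.COM"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA",
     "common_name": "test.com.evil.example",
     "name_value": "test.com.evil.example"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `domain` from a crt.sh JSON reply."""
    domain = domain.lower().strip(".")
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        # name_value may list several SANs separated by literal newlines;
        # common_name is a single name. Consider both.
        raw_names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in raw_names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert still reveals its parent label
            if not name:
                continue
            # Strict suffix match: "test.com.evil.example" must not match "test.com".
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def new_hosts(current: Iterable[str], baseline: Iterable[str]) -> list[str]:
    """Names present now but absent from an earlier run: what a defender alerts on."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "test.com")
    print("\n".join(hosts))
    print("new since baseline:", new_hosts(hosts, ["www.test.com", "test.com"]))
```

Replacing SAMPLE_CRTSH_JSON with the body returned by step 1 gives the same list the shell pipeline produces, minus the wildcard and case-folding mistakes.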


Passive Domain Enumeration


Passive Infrastructure Identification


Active Information Gathering

  • By using active scans against the target, we can gain more (reliable) information about it

  • Whenever we are executing external scans, nmap and many other tools can help us get a lay of the land of the target's attack surface


Protocols and Services Footprinting with NMAP

  • Scanning a target with nmap may reveal services, open ports, service versions, operating system and so on

  • After gaining a lay of the land of the protocols and services exposed by the target, refer to the Protocols and Services Notes for more information


NMAP Scanning Options


NMAP Output Options


NMAP Performance Options


Vhosts, Subdomain and Web Content Fuzzing

  • Fuzz testing, or fuzzing, is a black-box software testing technique that finds implementation bugs by injecting malformed or semi-malformed data into the target in an automated fashion.

  • Fuzzing techniques can also be used to discover vhosts, subdomains and web content

  • Refer to the Fuzzing Notes for more information


Active Infrastructure Identification


Active Subdomain Enumeration

DNS Enumeration
