Information Gathering
Introduction
Passive Information Gathering
Website Recon & Footprinting
What are we looking for:
- IP Addresses
- Directories hidden from search engines
- Names
- Email addresses
- Phone Numbers
- Physical addresses
- Web technologies being used
# The whatis command is used to get brief information about Linux commands or functions.
whatis host
host hackersploit.org
https://hackersploit.org/robots.txt
sitemaps.org
https://hackersploit.org/sitemap.xml
https://hackersploit.org/sitemaps.xml
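The robots.txt fetched above is where the "directories hidden from search engines" item on the checklist usually comes from. Added example (not part of the original notes): a small parser that lists what each crawler group is told to avoid, so you can review what your own robots.txt advertises; the file body is constructed, not hackersploit.org's real one.

```python
# Added example: parse a robots.txt body and report the paths each User-agent group
# is asked to skip. Disallow entries are exactly the "hidden" directories a recon
# step collects, so a defender should know what their own file reveals.
# SAMPLE_ROBOTS is a constructed input, not a real site's file.

SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /staging/

User-agent: Googlebot
Disallow: /private-reports/

Sitemap: https://example.invalid/sitemap.xml
"""


def parse_robots(text):
    """Return ({agent: {"disallow": [...], "allow": [...]}}, [sitemap urls])."""
    groups, sitemaps = {}, []
    current, seen_rule = [], False      # agents of the group being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:               # a User-agent after rules opens a new group
                current, seen_rule = [], False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            seen_rule = True
            if value:                   # an empty Disallow means "nothing hidden"
                for agent in current:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def hidden_paths(text):
    """Every path some crawler is told to avoid, deduplicated and sorted."""
    groups, _ = parse_robots(text)
    return sorted({p for g in groups.values() for p in g["disallow"]})
```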
Whois Enumeration
Website Footprinting With Netcraft
DNS Recon
TO-DO
Create a list of DNS record types. Ex: AAAA, TXT, NS, MX...
dnsrecon (cli tool)
DNSRecon
DNSRecon is a Python script that provides the ability to perform:
- Check all NS Records for Zone Transfers.
- Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
- Perform common SRV Record Enumeration.
- Top Level Domain (TLD) Expansion.
- Check for Wildcard Resolution.
- Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
- Perform a PTR Record lookup for a given IP Range or CIDR.
- Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check.
- Enumerate Hosts and Subdomains using Google.
DNSRecon Homepage
dnsrecon | Kali Linux Tools
dnsdumpster.com (web tool)
DNSdumpster
DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.
WAF With wafw00f
WAFW00F
This package identifies and fingerprints Web Application Firewall (WAF) products using the following logic:
- Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
- If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
- If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to the attacks.
WAFW00F Homepage
wafw00f | Kali Linux Tools
wafw00f hackersploit.org
# Option -a (--findall): test for all possible WAF instances instead of stopping at the first match
wafw00f hackersploit.org -a
Subdomain Enumeration With Sublist3r
Sublist3r
This package contains a Python security tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting over the network. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
Sublist3r Homepage
sublist3r | Kali Linux Tools
sudo apt install sublist3r
sublist3r -d hackersploit.org
sublist3r -d hackersploit.org -e google,yahoo
Google Dorks
TO-DO
Google Dorks Ex:
Google Homepage
Google Hacking Database
site:ine.com
site:ine.com inurl:admin
site:*.ine.com
site:*.ine.com inurl:admin
site:*.ine.com intitle:admin
site:*.ine.com filetype:pdf
site:ine.com instructors
intitle:index of
cache:ine.com
waybackmachine -> https://archive.org/web/
inurl:auth_user_file.txt
inurl:passwd.txt
Email Harvesting With theHarvester
theHarvester
The package contains a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers).
theHarvester Homepage
theHarvester | Kali Linux Tools
Leaked Password Databases
Active Information Gathering
DNS Zone Transfers
DNS
- Domain Name System (DNS) is a protocol that is used to resolve domain names/hostnames to IP addresses.
- During the early days of the internet, users had to remember the IP addresses of the sites they wanted to visit; DNS resolves this by mapping domain names (easier to recall) to their respective IP addresses.
- A DNS server (nameserver) is like a telephone directory that contains domain names and their corresponding IP addresses.
- A plethora of public DNS servers have been set up by companies like Cloudflare (1.1.1.1) and Google (8.8.8.8). These DNS servers contain the records of almost all domains on the internet.
DNS Records
- A - Resolves a hostname or domain to an IPv4 address.
- AAAA - Resolves a hostname or domain to an IPv6 address.
- NS - Reference to the domain's nameserver.
- MX - Resolves a domain to a mail server.
- CNAME - Used for domain aliases.
- TXT - Text record.
- HINFO - Host information.
- SOA - Domain authority.
- SRV - Service records.
- PTR - Resolves an IP address to a hostname.
DNS Interrogation
- DNS interrogation is the process of enumerating DNS records for a specific domain.
- The objective of DNS interrogation is to probe a DNS server to provide us with DNS records for a specific domain.
- This process can provide us with important information like the IP address of a domain, subdomains, mail server addresses, etc.
DNS Zone Transfer
- In certain cases, DNS server admins may want to copy or transfer zone files from one DNS server to another; this process is known as a zone transfer.
- If misconfigured and left unsecured, this functionality can be abused by attackers to copy the zone file from the primary DNS server to another DNS server.
- A DNS Zone transfer can provide penetration testers with a holistic view of an organization's network layout.
- Furthermore, in certain cases, internal network addresses may be found on an organization's DNS servers.
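Added example (not part of the original notes): a script that audits what a zone transfer attempt against your own nameserver returns. It parses the text dig prints for `dig @<ns> <domain> AXFR`, tells whether the transfer was refused, tallies the record types the zone exposes, and flags A records in RFC 1918 ranges, the internal-address leak described above. Both dig outputs are constructed; no real zone data is shown.

```python
# Added example: audit the result of a zone transfer attempt against your own
# nameserver. Refused transfers show up as "; Transfer failed." in dig's output;
# allowed ones dump the zone, and any A record inside an RFC 1918 range is the
# internal-address exposure the notes warn about. Both outputs are constructed.
import ipaddress
from collections import Counter

REFUSED_OUTPUT = """\
;; global options: +cmd
; Transfer failed.
"""
LEAKY_OUTPUT = """\
;; global options: +cmd
example.invalid. 3600 IN SOA ns1.example.invalid. admin.example.invalid. 2024010101 7200 900 1209600 3600
example.invalid. 3600 IN NS ns1.example.invalid.
example.invalid. 3600 IN MX 10 mail.example.invalid.
www.example.invalid. 300 IN A 203.0.113.10
mail.example.invalid. 300 IN A 203.0.113.25
intranet.example.invalid. 300 IN A 10.0.5.20
vpn.example.invalid. 300 IN A 192.168.1.1
example.invalid. 3600 IN SOA ns1.example.invalid. admin.example.invalid. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if the address lies in one of the private RFC 1918 ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_axfr(dig_output):
    """(name, ttl, type, rdata) per record; [] when dig printed 'Transfer failed.'."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split(None, 4)
        if line.startswith(";") or len(parts) < 5:
            continue                      # comment/status lines and blank lines
        name, ttl, _cls, rtype, rdata = parts
        records.append((name, int(ttl), rtype, rdata))
    return records


def audit_zone(dig_output):
    """Summarise a transfer: allowed?, records per type, hosts whose A record is internal."""
    records = parse_axfr(dig_output)
    leaked = [(n, r) for n, _t, rt, r in records if rt == "A" and is_internal(r)]
    return {"transfer_allowed": bool(records),
            "by_type": dict(Counter(rt for _n, _t, rt, _r in records)),
            "private_hosts": leaked}
```

A server that still allows AXFR from arbitrary clients should be restricted (allow-transfer to secondaries only, or TSIG-signed transfers) before the leaked names are worried about.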
Info
sudo vim /etc/hosts
Host Discovery With Nmap
nmap
Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command-line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.
Nmap Homepage
Nmap | Kali Linux Tools
Port Scanning With Nmap
# default nmap scan
nmap 10.4.19.218
# skip the ping host-discovery step when ping is not permitted (treat the host as up)
nmap -Pn 10.4.19.218
# tcp ports
# all
nmap -Pn -p- 10.4.19.218
# some ports
nmap -Pn -p 80,445,3389 10.4.19.218
# range
nmap -Pn -p1-100 10.4.19.218
# fast scan
nmap -Pn -F 10.4.19.218
# udp port
nmap -Pn -sU 10.4.19.218
# fast and verbosity
nmap -Pn -F 10.4.19.218 -v
# service version scan
nmap -Pn -F -sV 10.4.19.218
# OS detection
nmap -Pn -F -sV -O 10.4.19.218 -v
# run the default NSE scripts (-sC)
nmap -Pn -F -sV -O -sC 10.4.19.218 -v
# nmap aggressive scan (-A: version detection, OS detection, default scripts, traceroute)
nmap -Pn -F -A 10.4.19.218 -v
# fastest timing template (-T5), noisier and less accurate
nmap -Pn -F -T5 -sV -O -sC 10.4.19.218 -v
# output to file
nmap -Pn -F 10.4.19.218 -oN test.txt
nmap -Pn -F 10.4.19.218 -oX test.xml