Information Gathering

Assessment Methodologies
- Passive Info Gathering - publicly available data (OSINT)
- Active Info Gathering
PASSIVE INFORMATION GATHERING:
Website Recon & Footprinting
- Passive recon also requires permission, even though all the data is publicly available.

ALL APPROACHES ARE PRACTICAL!
Wappalyzer Technology Profiler
whatweb: built-in Kali Linux tool
HTTrack is a website copier:
sudo apt-get install webhttrack
Whois Enumeration:
whois <website name / domain>
Website Footprinting with Netcraft
DNS Recon
dnsrecon -d <domain name>
WAF detection with wafw00f
wafw00f -l (lists the WAFs it can detect)
Subdomain Enumeration with Sublist3r
sudo apt-get install sublist3r
python sublist3r.py -d <example.com>
Free VPN to bypass the request threshold

Google Dorking:
intitle:index of
cache:example.com
inurl:auth_user_file.txt - exposed passwords
inurl:passwd.txt
Wayback Machine - contains older archived versions of example.com
Email Harvesting with theHarvester
theHarvester GitHub Repository
Try spyse: an API key is required, but it is extremely useful for pentests.
The tool gathers emails, names, subdomains, IPs and URLs using multiple public data sources.
theHarvester: run from the Kali terminal
Leaked Password Databases
ACTIVE INFORMATION GATHERING:
DNS Zone Transfers:

SOA - Start of Authority (domain authority)
NS - Name Server

Practical Approach:
Digi Ninja - DNS ZONE TRANSFER (zonetransfer.me)
dnsrecon -d zonetransfer.me
On Kali the hosts file is stored in /etc/hosts:
sudo vim /etc/hosts
We can use this file to map an IP address to a particular domain name.
Example - my IP is 192.145.1.9.
So after running dnsrecon -d zonetransfer.me, add a line to /etc/hosts in the form:
192.145.1.9 <domain.name that you want>
Another tool is:
dnsenum zonetransfer.me
Another tool is dig (check it with: whatis dig):
dig axfr @<name server> zonetransfer.me
Another tool:
fierce

SCANNING: Host Discovery With Nmap
ip a s
I found its output more readable than that of ifconfig.

Perform a port scan on each host found during discovery to identify the services running on it.
netdiscover
sudo apt-get install netdiscover -y
Port Scanning using Nmap:
Default Nmap scan:
nmap <target ip>
When run as root it is actually a SYN scan of the 1000 most frequently used ports.
Windows hosts block ICMP pings by default, so Nmap's host discovery reports the host as down and skips it. When scanning a Windows IP, use -Pn to skip the ping probe:
nmap -Pn -p1-1000 <IP>
nmap -Pn -sU <IP> : UDP scan, finds open UDP ports on the host
nmap -Pn -F <IP> -v
nmap -Pn -F -sV -O <IP> -v
Hyper Aggressive scan: nmap -Pn -F -sV -O -sC <IP> -v
-sV -O -sC [service version detection, OS detection, default Nmap script scan] can be replaced by the single flag -A.
To speed up Nmap, use timing templates (-T).
Nmap results into a file (normal output): nmap -Pn -F <IP> -oN <file.txt>
Nmap results into a file (XML output): nmap -Pn -F <IP> -oX <file.xml>
