The Pentesting Guide

4.1 Information Gathering

Information Gathering

4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

site:<DOMAIN>
cache:<URL>
site:<DOMAIN> (filetype:pdf OR filetype:doc OR filetype:docx OR filetype:xlsx)
theHarvester -b all -d <DOMAIN>

Evidence:


4.1.2 Fingerprint Web Server

httpx -u <URL> -silent -title -follow-redirects -status-code -server -ip -content-length -tech-detect -asn -cdn -threads 100

Evidence:


4.1.3 Review Webserver Metafiles for Information Leakage

echo -ne 'robots.txt\nsitemap.xml\nsecurity.txt\n.well-known/security.txt\nhumans.txt\n.well-known\n.git' | xargs -I {} bash -c 'echo -n "{}: "; curl -k -s -D - "https://<DOMAIN>/{}" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | head -n 1'
  • WordPress metadata files

# Contain information such as the installed WordPress version.
/license.txt
/readme.html

# Used for the e-mail activation process when setting up a new WordPress site.
/wp-activate.php
# Lets a user register an account.
/wp-signup.php

/wp-admin/maint/repair.php
/wp-admin/maint/install.php
/wp-admin/upgrade.php
/wp-links-opml.php

# Main directory where plugins and themes are stored.
/wp-content

# Directory where files uploaded to the platform are stored.
/wp-content/uploads/

# Directory holding the core files: certificates, fonts, JavaScript files and widgets.
/wp-includes/
/wp-includes/wlwmanifest.xml

# Endpoint used for the XML-RPC functionality; a common target of brute-force attacks.
/xmlrpc.php
# Endpoint used to schedule cron jobs; a common target of Distributed Denial of Service (DDoS) attacks.
/wp-cron.php
# Search for <meta> tags in Burp Suite

# Or use the following command
curl -s <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i '<meta'
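The server-header check from 4.1.2 and the `<meta>` review above, as an added Python example that is not part of the original guide: it parses a constructed raw HTTP response (hypothetical values, not a real host) and reports every header or `<meta name="generator">` tag that discloses the server or framework, flagging those that include a version number. Run it against a response captured from your own server to confirm nothing is leaking before an assessment does.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (hypothetical values, not captured from a real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
    b'<html><head><meta name="generator" content="WordPress 6.4.2">'
    b'<meta name="author" content="webmaster"></head><body>ok</body></html>'
)
# Response headers that commonly reveal the server or framework (WSTG 4.1.2 / 4.1.10).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# A dotted version such as 2.4.41 turns a banner into something that can be looked up.
VERSION_RE = re.compile(r"\d+(\.\d+)+")

class MetaCollector(HTMLParser):
    """Collect (name, content) pairs from every <meta name=...> tag in the body."""
    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            if a.get("name"):
                self.meta.append((a["name"].lower(), a.get("content") or ""))

def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # [1:] skips the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", "replace")

def find_leaks(raw: bytes):
    """Return (source, value, has_version) for each header or generator tag that leaks the stack."""
    headers, body = split_response(raw)
    findings = [(h, headers[h], bool(VERSION_RE.search(headers[h])))
                for h in DISCLOSING_HEADERS if h in headers]
    collector = MetaCollector()
    collector.feed(body)
    findings += [("meta:generator", c, bool(VERSION_RE.search(c)))
                 for n, c in collector.meta if n == "generator"]
    return findings
```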

Evidence:


4.1.4 Enumerate Applications on Webserver

sudo nmap -sT -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt
ffuf -ac -w <WORDLIST> -of md -o base_URLs.txt -t 60 [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <https://WEBSITE.COM/FUZZ>
ffuf -ac -w /usr/share/wordlists/TopDomais/subdomains-10000.txt -of md -o virtual_hosts.md [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <URL> -H "Host: FUZZ.<DOMAIN>"

Evidence:


4.1.5 Review Webpage Content for Information Leakage

# Obtain links from Burp Suite: Site map
cat /tmp/burplinks.txt | sort -u | uro | mantra | tee mantra.txt
exiftool * | grep -Ei 'Title|Subject|Author|Comments|Software|Company|Manager|Hyperlinks|User|device|creator|Application' | sort -u

Evidence:


4.1.6 Identify Application Entry Points

Evidence:


4.1.7 Map Execution Paths Through Application

Map the target application and understand the principal workflows:

Evidence:


4.1.8 Fingerprint Web Application Framework

Fingerprint the components used by the web application, mostly on the client side.

Evidence:


4.1.10 Map Application Architecture

Determine whether the application uses Nginx, Apache, PHP, Tomcat, MySQL or Oracle by enumerating and interacting with it.

Evidence:

