4.1 Information Gathering

Information Gathering

4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

site:<DOMAIN>
cache:<URL>
site: <DOMAIN> (filetype:pdf OR filetype:doc OR filetype:docx OR filetype:xlsx)
theHarvester -b all -d <DOMAIN>

Evidence:

4.1.2 Fingerprint Web Server

Wappalyzer: Server results
Look for Server headers in the response
sudo nmap -sS -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt
whatweb <URL>
HTTPX

httpx -u <URL> -silent -title -follow-redirects -status-code -server -ip -content-length -tech-detect -asn -cdn -threads 100

Check if the server is running on Azure, Google or AWS infrastructure: dig <DOOMAIN>

Evidence:

4.1.3 Review Webserver Metafiles for Information Leakage

Metadata files (robots.txt,sitemaps.xml,security.txt,humans.txt,.well-known)

echo -ne 'robots.txt\nsitemaps.xml\nsecurity.txt\nhumans.txt\n.well-known\n.git' | xargs -I {} bash -c 'echo -n "{}: ";curl -k -sq -D - "https://<DOMAIN>/{}" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | head -n 1'

Wordpress Meta Data files

# Contiene información como la versión de Wordpress instalada.
/license.txt
/readme.html

#  Se utiliza para el proceso de activación por correo electrónico al configurar un nuevo sitio de WordPress.
/wp-activate.php
# Permite a un usuario crearse una cuenta.
/wp-signup.php 

/wp-admin/maint/repair.php
/wp-admin/maint/install.php
/wp-admin/upgrade.php
/wp-links-opml.php
/wp-content

# El directorio principal donde se almacenan los plugins y los temas.
/wp-content/uploads/

# El directorio donde se almacenan los archivos subidos a la plataforma.
/wp-includes/

# Es el directorio donde se almacenan los archivos principales, como certificados, fuentes, archivos JavaScript y widgets.
/wp-includes/wlwmanifest.xml

# Este endpoint se utiliza para la funcionalidad XML-RPC y puede ser objetivo de ataques de fuerza bruta.
/xml-rpc.php 
# Este endpoint se utiliza para programar cron jobs y puede ser objetivo de ataques de Denegación de Servicio Distribuido (DDoS).
/wp-cron.php

Meta tags

# Search for tags on burpsuite

# Use the following command
curl -sq <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i '<meta'

Evidence:

4.1.4 Enumerate Applications on Webserver

Non-Standard Ports

sudo nmap -sT -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt

Different Base URLs

ffuf -ac -w <WORDLIST> -of md -o base_URLs.txt -t 60 [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <https://WEBSITE.COM/FUZZ>

Virtual hosts

ffuf -ac -w /usr/share/wordlists/TopDomais/subdomains-10000.txt  -of md -o virtual_hosts.md [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"]  -u <URL> -H "Host: FUZZ.<DOMAIN>"

Evidence:

4.1.5 Review Webpage Content for Information Leakage

metadata files or meta tags -> Section 4.1.3.
comments: On BurpSuite Taget/SiteMap/<TARGET>/Engament Tools/Find Comments
JS Files: On BurpSuite Taget/SiteMap/<TARGET>/Engament Tools/Find Scripts or output from "JS Miner"
Mantra

# Obtain links from burpsuite: Sitmap
cat /tmp/burplinks.txt | sort -u | uro | mantra | tee mantra.txt

Check meta data information in files stored on the web application

exiftool * | grep -Ei 'Title|Subject|Author|Comments|Software|Company|Manager|Hyperlinks|User|device|creator|Application' | sort -u

Evidence:

4.1.6 Identify Application Entry Points

Evidence:

4.1.7 Map Execution Paths Through Application

Map the target application and understand the principal workflows:

Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch.
Data Flow (or Taint Analysis) - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application.
Race - tests multiple concurrent instances of the application manipulating the same data.
Sitemap and HTTP History screenshots

Evidence:

4.1.8 Fingerprint Web Application Framework

Fingerprint the components being used by the web applications, more related to client side.

Wappalyzer output

Evidence:

4.1.10 Map Application Architecture

Discover if the application uses Nginx, apache, PHP, Tomcat, MySQL, Oracle. To do so, enumerate and interact with the application.

Evidence:

Last updated 1 year ago