4.1 Information Gathering
site:<DOMAIN>
cache:<URL>
site:<DOMAIN> (filetype:pdf OR filetype:doc OR filetype:docx OR filetype:xlsx)
theHarvester -b all -d <DOMAIN>
Evidence:
4.1.2 Fingerprint Web Server
httpx -u <URL> -silent -title -follow-redirects -status-code -server -ip -content-length -tech-detect -asn -cdn -threads 100
Evidence:
echo -ne 'robots.txt\nsitemaps.xml\nsecurity.txt\nhumans.txt\n.well-known\n.git' | xargs -I {} bash -c 'echo -n "{}: ";curl -k -sq -D - "https://<DOMAIN>/{}" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | head -n 1'
WordPress metadata files
# Contains information such as the installed WordPress version.
/license.txt
/readme.html
# Used for the e-mail activation process when setting up a new WordPress site.
/wp-activate.php
# Lets a user register an account.
/wp-signup.php
/wp-admin/maint/repair.php
/wp-admin/install.php
/wp-admin/upgrade.php
/wp-links-opml.php
/wp-content
# The main directory where plugins and themes are stored.
/wp-content/uploads/
# The directory where files uploaded to the platform are stored.
/wp-includes/
# The directory where core files such as certificates, fonts, JavaScript files and widgets are stored.
/wp-includes/wlwmanifest.xml
# This endpoint is used for XML-RPC functionality and can be targeted by brute-force attacks.
/xmlrpc.php
# This endpoint is used to schedule cron jobs and can be targeted by Distributed Denial of Service (DDoS) attacks.
/wp-cron.php
# Search for <meta> tags in Burp Suite, or use the following command
curl -sq <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i '<meta'
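The grep above only lists the raw tags; the version and author values still have to be read out by hand. The following is an added example (not part of the original checklist) that parses already-fetched HTML for the same `<meta>` tags and, for WordPress, reads the version from the generator tag or from the `readme.html` listed above. The sample pages are constructed, not captured from any real site, and `<DOMAIN>` is the checklist's own placeholder.

```python
"""Offline fingerprint helpers for HTML already saved from curl/httpx/Burp."""
import re
from html.parser import HTMLParser


class MetaTagParser(HTMLParser):
    """Collect (name, content) pairs from <meta> tags, i.e. what `grep -i '<meta'` shows."""

    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        name = a.get("name") or a.get("property") or a.get("http-equiv")
        if name and a.get("content") is not None:
            self.meta.append((name.lower(), a["content"]))


def extract_meta(html):
    """Return every named <meta> tag with a content attribute."""
    parser = MetaTagParser()
    parser.feed(html)
    return parser.meta


# "WordPress 6.4.2" in <meta name="generator">, "Version 6.4.2" in readme.html
GENERATOR_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)", re.I)
README_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)", re.I)


def wordpress_version(page_html, readme_html=None):
    """Version from the generator meta tag, falling back to readme.html; None if absent."""
    for name, content in extract_meta(page_html):
        if name == "generator":
            m = GENERATOR_RE.search(content)
            if m:
                return m.group(1)
    if readme_html:
        m = README_RE.search(readme_html)
        if m:
            return m.group(1)
    return None


# Tag names worth noting during fingerprinting (assumed list, extend as needed)
NOTABLE = ("generator", "author", "application-name", "csrf-token", "x-csrf-token")


def interesting_meta(html, keys=NOTABLE):
    """Filter extract_meta() down to tags that reveal software, people or tokens."""
    return [(n, c) for n, c in extract_meta(html) if n in keys]


# Constructed samples standing in for https://<DOMAIN>/ and https://<DOMAIN>/readme.html
SAMPLE_PAGE = """<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 6.4.2">
<meta name="author" content="example-author">
<meta name="viewport" content="width=device-width">
</head><body></body></html>"""

SAMPLE_README = """<html><body><h1 id="logo">
<img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.4.2
</h1></body></html>"""

if __name__ == "__main__":
    print("version:", wordpress_version(SAMPLE_PAGE, SAMPLE_README))
    for name, content in interesting_meta(SAMPLE_PAGE):
        print(f"{name}: {content}")
```

Pipe the saved body of the page into `wordpress_version()` and keep the result in the Evidence section; a site that has removed the generator tag but still serves `readme.html` is caught by the fallback.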
Evidence:
sudo nmap -sT -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt
ffuf -ac -w <WORDLIST> -of md -o base_URLs.txt -t 60 [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <https://WEBSITE.COM/FUZZ>
ffuf -ac -w /usr/share/wordlists/TopDomais/subdomains-10000.txt -of md -o virtual_hosts.md [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <URL> -H "Host: FUZZ.<DOMAIN>"
Evidence:
# Obtain links from Burp Suite: Sitemap
cat /tmp/burplinks.txt | sort -u | uro | mantra | tee mantra.txt
exiftool * | grep -Ei 'Title|Subject|Author|Comments|Software|Company|Manager|Hyperlinks|User|device|creator|Application' | sort -u
Evidence:
Responses
Identify where new cookies are set (Set-Cookie header), modified, or added to. Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
Also note where any interesting headers are used.
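Doing this review by eye across a large HTTP history is error-prone, so here is an added example (not from the original checklist) that triages raw responses for exactly the items listed: Set-Cookie headers (and whether each cookie is missing Secure, HttpOnly or SameSite), 3xx redirects, 403/4xx/5xx statuses, and a small set of headers that tend to reveal the stack. The responses below are constructed samples, the header list is an assumption, and `<DOMAIN>` is the checklist's placeholder.

```python
"""Triage saved HTTP responses for cookies, redirects, error codes and notable headers."""

# Headers that commonly reveal server software or debug state (assumed list)
INTERESTING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "via", "x-backend-server",
    "x-debug-token", "www-authenticate", "x-generator",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_findings(set_cookie):
    """Return (cookie name, [missing protective attributes]) for one Set-Cookie value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
    return name, missing


def triage(url, raw):
    """Produce the notes a tester would record for one unmodified request/response."""
    status, headers, _ = parse_response(raw)
    notes = []
    if 300 <= status < 400:
        loc = next((v for n, v in headers if n == "location"), "?")
        notes.append(f"redirect {status} -> {loc}")
    elif status == 403:
        notes.append("403 Forbidden on unmodified request")
    elif 400 <= status < 500:
        notes.append(f"client error {status}")
    elif status >= 500:
        notes.append(f"server error {status}")
    for n, v in headers:
        if n == "set-cookie":
            cname, missing = cookie_findings(v)
            suffix = f" (missing {', '.join(missing)})" if missing else ""
            notes.append(f"sets cookie {cname}{suffix}")
        elif n in INTERESTING_HEADERS:
            notes.append(f"header {n}: {v}")
    return {"url": url, "status": status, "notes": notes}


def triage_all(samples):
    """Run triage over a {url: raw_response} mapping, e.g. exported from Burp's HTTP history."""
    return [triage(url, raw) for url, raw in samples.items()]


# Constructed sample responses; values are placeholders, not real captures
SAMPLES = {
    "https://<DOMAIN>/login": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
        "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
        "Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "https://<DOMAIN>/admin": (
        "HTTP/1.1 302 Found\r\nLocation: /login\r\nX-Powered-By: PHP/8.1\r\n\r\n"
    ),
    "https://<DOMAIN>/wp-admin/": "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n",
    "https://<DOMAIN>/api/v1/export": (
        "HTTP/1.1 500 Internal Server Error\r\nX-Debug-Token: placeholder\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        print(result["status"], result["url"])
        for note in result["notes"]:
            print("   -", note)
```

The cookie attribute check is the defender-side detail worth carrying into the report: a session cookie set without Secure or SameSite on an otherwise clean 200 is easy to miss when only status codes are being scanned.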
Show Sitemap links obtained from the previous sections.
Evidence:
Map the target application and understand the principal workflows:
Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch.
Data Flow (or Taint Analysis) - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application.
Race - tests multiple concurrent instances of the application manipulating the same data.
Sitemap and HTTP History screenshots
Evidence:
Fingerprint the components used by the web application, focusing on the client side.
Wappalyzer output
Evidence:
4.1.10 Map Application Architecture
Discover whether the application uses Nginx, Apache, PHP, Tomcat, MySQL, Oracle. To do so, enumerate and interact with the application.
Evidence: