TwitterBlog

4.1 Information Gathering

Information Gathering

4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

site:<DOMAIN>
cache:<URL>
site: <DOMAIN> (filetype:pdf OR filetype:doc OR filetype:docx OR filetype:xlsx)
theHarvester -b all -d <DOMAIN>

Evidence:

4.1.2 Fingerprint Web Server

httpx -u <URL> -silent -title -follow-redirects -status-code -server -ip -content-length -tech-detect -asn -cdn -threads 100

Evidence:

4.1.3 Review Webserver Metafiles for Information Leakage

echo -ne 'robots.txt\nsitemaps.xml\nsecurity.txt\nhumans.txt\n.well-known\n.git' | xargs -I {} bash -c 'echo -n "{}: ";curl -k -sq -D - "https://<DOMAIN>/{}" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | head -n 1'

  • Wordpress Meta Data files

# Contiene información como la versión de Wordpress instalada.
/license.txt
/readme.html

#  Se utiliza para el proceso de activación por correo electrónico al configurar un nuevo sitio de WordPress.
/wp-activate.php
# Permite a un usuario crearse una cuenta.
/wp-signup.php 

/wp-admin/maint/repair.php
/wp-admin/maint/install.php
/wp-admin/upgrade.php
/wp-links-opml.php
/wp-content

# El directorio principal donde se almacenan los plugins y los temas.
/wp-content/uploads/

# El directorio donde se almacenan los archivos subidos a la plataforma.
/wp-includes/

# Es el directorio donde se almacenan los archivos principales, como certificados, fuentes, archivos JavaScript y widgets.
/wp-includes/wlwmanifest.xml

# Este endpoint se utiliza para la funcionalidad XML-RPC y puede ser objetivo de ataques de fuerza bruta.
/xml-rpc.php 
# Este endpoint se utiliza para programar cron jobs y puede ser objetivo de ataques de Denegación de Servicio Distribuido (DDoS).
/wp-cron.php
# Search for tags on burpsuite

# Use the following command
curl -sq <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i '<meta'

Evidence:

4.1.4 Enumerate Applications on Webserver

sudo nmap -sT -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt
ffuf -ac -w <WORDLIST> -of md -o base_URLs.txt -t 60 [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <https://WEBSITE.COM/FUZZ> 
ffuf -ac -w /usr/share/wordlists/TopDomais/subdomains-10000.txt  -of md -o virtual_hosts.md [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"]  -u <URL> -H "Host: FUZZ.<DOMAIN>"

Evidence:

4.1.5 Review Webpage Content for Information Leakage

# Obtain links from burpsuite: Sitmap
cat /tmp/burplinks.txt | sort -u | uro | mantra | tee mantra.txt
exiftool * | grep -Ei 'Title|Subject|Author|Comments|Software|Company|Manager|Hyperlinks|User|device|creator|Application' | sort -u

Evidence:

4.1.6 Identify Application Entry Points

Evidence:

4.1.7 Map Execution Paths Through Application

Map the target application and understand the principal workflows:

Evidence:

4.1.8 Fingerprint Web Application Framework

Fingerprint the components being used by the web applications, more related to client side.

Evidence:

4.1.10 Map Application Architecture

Discover if the application uses Nginx, apache, PHP, Tomcat, MySQL, Oracle. To do so, enumerate and interact with the application.

Evidence:

Last updated