INFORMATION GATHERING

  • IP address.
  • Domain name Info.
  • Technologies used.
  • Other websites on the same server.
  • DNS records.
  • Unlisted files, sub-domains, directories.

1. Whois Lookup - Find info about the owner of the target.

-> http://whois.domaintools.com/ or https://www.whois.net/, etc.

2. Netcraft Site Report - Shows technologies used on the target.

-> http://toolbar.netcraft.com/site_report

Such as: https://sitereport.netcraft.com/?url=https%3A%2F%2Fwww.hackthissite.org%2F

3. Robtex DNS lookup - Shows comprehensive info about the target website.

-> https://www.robtex.com/

4. Discovering Websites On the Same Server

  • One server can serve a number of websites.
  • Gaining access to one can help in gaining access to the others.

To find websites on the same server:

(1) Use Robtex DNS lookup under "names pointing to same IP".

(2) Use bing.com and search for ip:[target ip]

5. Discovering subdomains

Knock can be used to find subdomains of the target.

(1) Download > git clone https://github.com/guelfoweb/knock.git

(2) Navigate to the directory containing knock.py > cd knock

(3) Run it > python knock.py [target]

6. Discovering Sensitive Files

Find files & directories in the target website.

Tool: dirb

dirb [target] [wordlist] [options]

For more info run > man dirb

Analysing Discovered Files

---- Scanning URL: http://10.0.0.24/mutillidae/ ----
==> DIRECTORY: http://10.0.0.24/mutillidae/classes/
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
==> DIRECTORY: http://10.0.0.24/mutillidae/documentation/
+ http://10.0.0.24/mutillidae/favicon.ico (CODE:200|SIZE:1150)
+ http://10.0.0.24/mutillidae/footer (CODE:200|SIZE:450)
+ http://10.0.0.24/mutillidae/header (CODE:200|SIZE:19879)
+ http://10.0.0.24/mutillidae/home (CODE:200|SIZE:2930)
==> DIRECTORY: http://10.0.0.24/mutillidae/images/
+ http://10.0.0.24/mutillidae/inc (CODE:200|SIZE:386260)
==> DIRECTORY: http://10.0.0.24/mutillidae/includes/
+ http://10.0.0.24/mutillidae/index (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/index.php (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/installation (CODE:200|SIZE:8138)
==> DIRECTORY: http://10.0.0.24/mutillidae/javascript/
+ http://10.0.0.24/mutillidae/login (CODE:200|SIZE:4102)
+ http://10.0.0.24/mutillidae/notes (CODE:200|SIZE:1721)
+ http://10.0.0.24/mutillidae/page-not-found (CODE:200|SIZE:705)
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/phpinfo (CODE:200|SIZE:48828)
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/register (CODE:200|SIZE:1823)
+ http://10.0.0.24/mutillidae/robots (CODE:200|SIZE:160)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
==> DIRECTORY: http://10.0.0.24/mutillidae/styles/
---- Entering directory: http://10.0.0.24/mutillidae/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/documentation/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/javascript/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/styles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Feb 7 16:46:55 2020
DOWNLOADED: 4612 - FOUND: 18

The URLs shown in red are the useful discoveries.

For example:

Gathering information is important, but it is harder to get useful information than it used to be.
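Reading a dirb listing by eye does not scale, and the point of "analysing discovered files" is to separate noise (favicon.ico, styles/) from findings a site owner must act on. As an added example that is not part of the original notes, the Python script below parses dirb output like the listing above into structured findings and flags the ones to fix first: directories that dirb reports as LISTABLE, and paths whose names suggest information disclosure (phpinfo, phpMyAdmin, passwords). It also tolerates the fused lines seen in the copy above, where an "---- Entering directory" marker was run onto the end of the previous line. The sample input is a constructed, trimmed copy of that listing; the Finding class, the keyword list and the function names are assumptions of this example, not part of dirb.

```python
import re
from dataclasses import dataclass, field, replace

# Constructed sample input: a trimmed copy of the dirb listing shown above.
SAMPLE_DIRB_OUTPUT = """\
---- Scanning URL: http://10.0.0.24/mutillidae/ ----
==> DIRECTORY: http://10.0.0.24/mutillidae/classes/
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
+ http://10.0.0.24/mutillidae/index.php (CODE:200|SIZE:24237)
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
---- Entering directory: http://10.0.0.24/mutillidae/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Feb 7 16:46:55 2020
DOWNLOADED: 4612 - FOUND: 18
"""

# Line shapes produced by dirb (matched against the listing above).
FILE_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)$")
DIR_RE = re.compile(r"^==> DIRECTORY: (\S+)$")
ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----$")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")

# Assumed keyword list: path fragments that usually mean an information
# disclosure or a management interface that should not be reachable.
SENSITIVE_KEYWORDS = ("phpinfo", "phpmyadmin", "password", "passwd",
                      "backup", ".git", "config")


@dataclass
class Finding:
    url: str
    code: int = 0
    size: int = 0
    is_dir: bool = False
    listable: bool = False
    reasons: list = field(default_factory=list)


def parse_dirb(text):
    """Turn raw dirb output into a dict of url -> Finding."""
    # Repair copies where an "Entering directory" marker was fused onto the
    # previous line, as happened in the listing reproduced in these notes.
    text = text.replace(" ---- Entering directory:", "\n---- Entering directory:")
    findings = {}
    current_dir = None
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            url, code, size = m.groups()
            findings[url] = Finding(url, int(code), int(size))
        elif m := DIR_RE.match(line):
            findings[m.group(1)] = Finding(m.group(1), is_dir=True)
        elif m := ENTER_RE.match(line):
            # The LISTABLE warning that follows refers to this directory.
            current_dir = m.group(1)
            findings.setdefault(current_dir, Finding(current_dir, is_dir=True))
        elif LISTABLE_RE.match(line) and current_dir:
            findings[current_dir].listable = True
    return findings


def triage(findings):
    """Return the findings that merit a fix, each with the reasons it was flagged."""
    flagged = []
    for f in findings.values():
        reasons = []
        if f.listable:
            reasons.append("directory listing enabled")
        lower = f.url.lower()
        reasons += [f"sensitive path keyword '{kw}'"
                    for kw in SENSITIVE_KEYWORDS if kw in lower]
        if reasons:
            flagged.append(replace(f, reasons=reasons))
    return sorted(flagged, key=lambda f: f.url)


def report(flagged):
    """One line per flagged finding, for a quick remediation list."""
    lines = []
    for f in flagged:
        kind = "DIR " if f.is_dir else "FILE"
        lines.append(f"{kind} {f.url}  ->  {'; '.join(f.reasons)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_dirb(SAMPLE_DIRB_OUTPUT))))
```

Run against the sample, the script flags classes/ and passwords/ for directory listing, phpMyAdmin and phpinfo.php for their names, and leaves credits, index.php and robots.txt alone. The same flags map directly to fixes: disable autoindex on the web server, remove phpinfo.php from production, and restrict or remove the phpMyAdmin path.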
