Ethical Hacking - Web Penetration Testing(2)
INFORMATION GATHERING
- IP address.
- Domain name Info.
- Technologies used.
- Other websites on the same server.
- DNS records.
- Unlisted files, sub-domains, directories.
1. Whois Lookup - Find info about the owner of the target.
-> http://whois.domaintools.com/, https://www.whois.net/, etc.
2. Netcraft Site Report - Shows technologies used on the target.
-> http://toolbar.netcraft.com/site_report
Example: https://sitereport.netcraft.com/?url=https%3A%2F%2Fwww.hackthissite.org%2F
3. Robtex DNS lookup - Shows comprehensive info about the target website.
4. Discovering Websites On the Same Server
- One server can serve a number of websites.
- Gaining access to one can help gaining access to others.
To find websites on the same server:
(1) Use Robtex DNS lookup under "names pointing to same IP".
(2) On bing.com, search for ip:[target ip]
5. Discovering subdomains
- Subdomain.target.com
- Ex: https://www.hackthissite.org/
Knock can be used to find subdomains of the target.
(1) Download > git clone https://github.com/guelfoweb/knock.git
(2) Navigate to the directory containing knock.py > cd knock
(3) Run it > python knock.py [target]
6. Discovering Sensitive Files
Find files & directories in the target website.
Tool: dirb
dirb [target] [wordlist] [options]
For more info run > man dirb
Analysing Discovered Files
---- Scanning URL: http://10.0.0.24/mutillidae/ ----
==> DIRECTORY: http://10.0.0.24/mutillidae/classes/
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
==> DIRECTORY: http://10.0.0.24/mutillidae/documentation/
+ http://10.0.0.24/mutillidae/favicon.ico (CODE:200|SIZE:1150)
+ http://10.0.0.24/mutillidae/footer (CODE:200|SIZE:450)
+ http://10.0.0.24/mutillidae/header (CODE:200|SIZE:19879)
+ http://10.0.0.24/mutillidae/home (CODE:200|SIZE:2930)
==> DIRECTORY: http://10.0.0.24/mutillidae/images/
+ http://10.0.0.24/mutillidae/inc (CODE:200|SIZE:386260)
==> DIRECTORY: http://10.0.0.24/mutillidae/includes/
+ http://10.0.0.24/mutillidae/index (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/index.php (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/installation (CODE:200|SIZE:8138)
==> DIRECTORY: http://10.0.0.24/mutillidae/javascript/
+ http://10.0.0.24/mutillidae/login (CODE:200|SIZE:4102)
+ http://10.0.0.24/mutillidae/notes (CODE:200|SIZE:1721)
+ http://10.0.0.24/mutillidae/page-not-found (CODE:200|SIZE:705)
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/phpinfo (CODE:200|SIZE:48828)
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/register (CODE:200|SIZE:1823)
+ http://10.0.0.24/mutillidae/robots (CODE:200|SIZE:160)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
==> DIRECTORY: http://10.0.0.24/mutillidae/styles/
---- Entering directory: http://10.0.0.24/mutillidae/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/documentation/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/javascript/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.0.24/mutillidae/styles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Feb 7 16:46:55 2020
DOWNLOADED: 4612 - FOUND: 18
The URLs highlighted in red are the ones worth investigating (listable directories, phpinfo, phpMyAdmin, the passwords directory, robots.txt).
For example:
Gathering information is important, though it is harder to get useful information than it used to be.
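To turn a dirb report like the one above into a remediation list, the parser below (an added example, not part of the original notes or of dirb itself) reads the "+ url (CODE|SIZE)", "==> DIRECTORY" and "Directory IS LISTABLE" lines and groups the hits by the exposure they suggest. The sample report, the SENSITIVE_HINTS table and the function names are constructed for this example.

```python
import re
# Constructed sample modelled on the dirb report shown above (not a real scan).
SAMPLE_DIRB_OUTPUT = """\
---- Scanning URL: http://10.0.0.24/mutillidae/ ----
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
"""
FILE_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)$")
DIR_RE = re.compile(r"^==> DIRECTORY: (\S+)$")
ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----$")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")

# Path fragments that usually mean information disclosure or an exposed admin panel.
SENSITIVE_HINTS = {
    "phpinfo": "server configuration disclosure",
    "phpmyadmin": "database admin interface reachable",
    "passwords": "credential material under the web root",
    "robots.txt": "lists paths the owner wanted hidden",
}

def parse_dirb(output):
    """Return (files, dirs, listable_dirs) from dirb's plain-text report."""
    files, dirs, listable, current = [], [], set(), None
    for line in output.splitlines():
        if m := FILE_RE.match(line):
            files.append((m[1], int(m[2]), int(m[3])))   # (url, status, size)
        elif m := DIR_RE.match(line):
            dirs.append(m[1])
        elif m := ENTER_RE.match(line):
            current = m[1]   # the LISTABLE warning refers to the directory just entered
        elif LISTABLE_RE.match(line) and current:
            listable.add(current)
    return files, dirs, listable

def triage(output):
    # Group discovered URLs by the exposure they suggest, for the remediation report.
    files, dirs, listable = parse_dirb(output)
    findings = {}
    for url in [f[0] for f in files] + dirs:
        for hint, reason in SENSITIVE_HINTS.items():
            if hint in url.lower():
                findings.setdefault(reason, []).append(url)
    for d in sorted(listable):
        findings.setdefault("directory listing enabled", []).append(d)
    return findings
```

Each key of the returned dict is one finding to fix (disable directory listing, remove phpinfo and installer files, restrict the admin interface), and the URL list under it is the evidence.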