Ethical Hacking - Web Penetration Testing(2)
INFORMATION GATHERING
- IP address.
- Domain name Info.
- Technologies used.
- Other websites on the same server.
- DNS records.
- Unlisted files, sub-domains, directories.
1. Whois Lookup - Find info about the owner of the target. ()
-> http://whois.domaintools.com/ https://www.whois.net/ etc.
2. Netcraft Site Report - Shows technologies used on the target.
-> http://toolbar.netcraft.com/site_report
Such as :https://sitereport.netcraft.com/?url=https%3A%2F%2Fwww.hackthissite.org%2F
3. Robtex DNS lookup - Shows comprehensive info about the target website.
4. Discovering Websites On the Same Server
- One server can serve a number of websites.
- Gaining access to one can help gaining access to others.
To find websites on the same server:
(1) Use Robtex DNS lookup under"names pointing to same IP".
(2) Using bing.com, search for ip:[target ip]
5. Discovering subdomains
- Subdomain.target.com
- Ex:https://www.hackthissite.org/
Knock can be used to find subdomainings of target.
(1)Download > git clone https://github.com/guelfoweb/knock.git
(2)Navigate to knock.py >cd knock/knock.py
(3)Run it > python knock.py [target]
6. Discovering Sensitive Files
Find files&directories in target website
Tool: drib
dirb [target] [worlist] [options]
For more info run > man dirb
Analysing Discovered Files
---- Scanning URL: http://10.0.0.24/mutillidae/ ---- ==> DIRECTORY: http://10.0.0.24/mutillidae/classes/ + http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509) ==> DIRECTORY: http://10.0.0.24/mutillidae/documentation/ + http://10.0.0.24/mutillidae/favicon.ico (CODE:200|SIZE:1150) + http://10.0.0.24/mutillidae/footer (CODE:200|SIZE:450) + http://10.0.0.24/mutillidae/header (CODE:200|SIZE:19879) + http://10.0.0.24/mutillidae/home (CODE:200|SIZE:2930) ==> DIRECTORY: http://10.0.0.24/mutillidae/images/ + http://10.0.0.24/mutillidae/inc (CODE:200|SIZE:386260) ==> DIRECTORY: http://10.0.0.24/mutillidae/includes/ + http://10.0.0.24/mutillidae/index (CODE:200|SIZE:24237) + http://10.0.0.24/mutillidae/index.php (CODE:200|SIZE:24237) + http://10.0.0.24/mutillidae/installation (CODE:200|SIZE:8138) ==> DIRECTORY: http://10.0.0.24/mutillidae/javascript/ + http://10.0.0.24/mutillidae/login (CODE:200|SIZE:4102) + http://10.0.0.24/mutillidae/notes (CODE:200|SIZE:1721) + http://10.0.0.24/mutillidae/page-not-found (CODE:200|SIZE:705) ==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/ + http://10.0.0.24/mutillidae/phpinfo (CODE:200|SIZE:48828) + http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840) + http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174) + http://10.0.0.24/mutillidae/register (CODE:200|SIZE:1823) + http://10.0.0.24/mutillidae/robots (CODE:200|SIZE:160) + http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160) ==> DIRECTORY: http://10.0.0.24/mutillidae/styles/ ---- Entering directory: http://10.0.0.24/mutillidae/classes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/documentation/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/images/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/javascript/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.0.0.24/mutillidae/styles/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Fri Feb 7 16:46:55 2020 DOWNLOADED: 4612 - FOUND: 18
The URL in Red is useful to discove.
For example:
Gethering information is important, while it is harder to get useful information than before.
