INFORMATION GATHERING

  • IP address.
  • Domain name info.
  • Technologies used.
  • Other websites on the same server.
  • DNS records.
  • Unlisted files, sub-domains, directories.

1. Whois Lookup - Find info about the owner of the target.

-> http://whois.domaintools.com/   https://www.whois.net/  etc.

2. Netcraft Site Report - Shows technologies used on the target.

-> http://toolbar.netcraft.com/site_report

For example: https://sitereport.netcraft.com/?url=https%3A%2F%2Fwww.hackthissite.org%2F

3. Robtex DNS lookup - Shows comprehensive info about the target website.

-> https://www.robtex.com/

4. Discovering Websites On the Same Server

  • One server can serve a number of websites.
  • Gaining access to one can help in gaining access to the others.

To find websites on the same server:

(1) Use Robtex DNS lookup under "names pointing to same IP".

(2) Using bing.com, search for ip:[target ip]

5. Discovering subdomains

Knock can be used to find subdomains of the target.

(1) Download > git clone https://github.com/guelfoweb/knock.git

(2) Navigate to the directory containing knock.py > cd knock

(3) Run it > python knock.py [target]

6. Discovering Sensitive Files

Finds files and directories on the target website.

Tool: dirb

dirb [target] [wordlist] [options]

For more info run > man dirb

Analysing Discovered Files

---- Scanning URL: http://10.0.0.24/mutillidae/ ----
==> DIRECTORY: http://10.0.0.24/mutillidae/classes/
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
==> DIRECTORY: http://10.0.0.24/mutillidae/documentation/
+ http://10.0.0.24/mutillidae/favicon.ico (CODE:200|SIZE:1150)
+ http://10.0.0.24/mutillidae/footer (CODE:200|SIZE:450)
+ http://10.0.0.24/mutillidae/header (CODE:200|SIZE:19879)
+ http://10.0.0.24/mutillidae/home (CODE:200|SIZE:2930)
==> DIRECTORY: http://10.0.0.24/mutillidae/images/
+ http://10.0.0.24/mutillidae/inc (CODE:200|SIZE:386260)
==> DIRECTORY: http://10.0.0.24/mutillidae/includes/
+ http://10.0.0.24/mutillidae/index (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/index.php (CODE:200|SIZE:24237)
+ http://10.0.0.24/mutillidae/installation (CODE:200|SIZE:8138)
==> DIRECTORY: http://10.0.0.24/mutillidae/javascript/
+ http://10.0.0.24/mutillidae/login (CODE:200|SIZE:4102)
+ http://10.0.0.24/mutillidae/notes (CODE:200|SIZE:1721)
+ http://10.0.0.24/mutillidae/page-not-found (CODE:200|SIZE:705)
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/phpinfo (CODE:200|SIZE:48828)
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/register (CODE:200|SIZE:1823)
+ http://10.0.0.24/mutillidae/robots (CODE:200|SIZE:160)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
==> DIRECTORY: http://10.0.0.24/mutillidae/styles/

---- Entering directory: http://10.0.0.24/mutillidae/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/documentation/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/javascript/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.24/mutillidae/styles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Feb 7 16:46:55 2020
DOWNLOADED: 4612 - FOUND: 18

The URLs highlighted in red in the output are the useful ones to discover.

For example:

Gathering information is important, though it is harder to get useful information now than it used to be.
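To turn a dirb run like the one above into a short review list, the following added script (not part of the original notes or of dirb) parses dirb's "+ URL (CODE|SIZE)", "==> DIRECTORY" and "Entering directory ... IS LISTABLE" lines and flags listable directories and paths matching an assumed keyword list (passwords, phpinfo, phpMyAdmin, robots, installation). The sample input is an abridged copy of the scan output shown above.

```python
import re

# Abridged copy of the dirb output shown above, embedded so the script runs offline.
SAMPLE_DIRB_OUTPUT = """\
---- Scanning URL: http://10.0.0.24/mutillidae/ ----
+ http://10.0.0.24/mutillidae/credits (CODE:200|SIZE:509)
==> DIRECTORY: http://10.0.0.24/mutillidae/passwords/
+ http://10.0.0.24/mutillidae/phpinfo.php (CODE:200|SIZE:48840)
+ http://10.0.0.24/mutillidae/phpMyAdmin (CODE:200|SIZE:174)
+ http://10.0.0.24/mutillidae/robots.txt (CODE:200|SIZE:160)
---- Entering directory: http://10.0.0.24/mutillidae/passwords/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
"""

FOUND_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIR_RE = re.compile(r"^==> DIRECTORY: (\S+)")
ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----")

# Path fragments that usually deserve a closer look (assumed list; extend it).
SENSITIVE_HINTS = ("password", "phpinfo", "phpmyadmin", "robots", "installation")

def parse_dirb(text):
    # Collect found files as (url, code, size), directories, and listable directories.
    result = {"files": [], "directories": [], "listable": []}
    current_dir = None
    for line in text.splitlines():
        line = line.strip()
        if m := FOUND_RE.match(line):
            result["files"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif m := DIR_RE.match(line):
            result["directories"].append(m.group(1))
        elif m := ENTER_RE.match(line):
            current_dir = m.group(1)  # the WARNING that follows refers to this directory
        elif "Directory IS LISTABLE" in line and current_dir:
            result["listable"].append(current_dir)
            current_dir = None
    return result

def triage(parsed, hints=SENSITIVE_HINTS):
    # Return (url, reason) pairs: listable directories first, then 200 hits on the hint list.
    flagged = [(url, "directory listing enabled") for url in parsed["listable"]]
    for url, code, _size in parsed["files"]:
        hint = next((h for h in hints if h in url.lower()), None) if code == 200 else None
        if hint:
            flagged.append((url, f"path matches '{hint}'"))
    return flagged

if __name__ == "__main__":
    for url, reason in triage(parse_dirb(SAMPLE_DIRB_OUTPUT)):
        print(f"{url}: {reason}")
```

Feed it a saved dirb log (dirb's -o option writes one) instead of the embedded sample to review a scan of your own site.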
