1.0 Information Gathering
1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
Google Dorking (GHDB)
Footholds
Files containing usernames
Sensitive Directories
Web Server Detection
Vulnerable Files
Vulnerable Servers
Error Messages
Files containing juicy info
Files containing passwords
Sensitive Online Shopping Info
Shodan Dorking
Dork to find something Juicy
Database
Target Query MongoDB
"MongoDB Server Information" port:27017 -authentication
Mongo Express Web GUI - phpmyadmin like -
"Set-Cookie: mongo-express=" "200 OK"
MySql
mysql port:"3306"
elastic indices
port:"9200" all:"elastic indices"
PostgreSQL
port:5432 PostgreSQL
Exposed ports
Target Query FTP
proftpd port:21
FTP with anonymous logins
"220" "230 Login successful." port:21
OpenSSH
openssh port:22
Telnet
port:"23"
EXIM-powered mail servers
port:"25" product:"exim"
Memcached - has been a major source of UDP amplification attacks leading to huge DDoS -
port:"11211" product:"Memcached"
Jenkins
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
DNS servers
Target Query DNS servers
"port: 53" Recursion: Enabled
Network infrastructure
Target Query devices running a specific version of a RouterOS
port:8291 os:"MikroTik RouterOS 6.45.9"
Web servers
Target Query Apache web servers
product:"Apache httpd" port:"80"
Microsoft IIS-powered websites and web servers
product:"Microsoft IIS httpd"
Nginx-powered websites and web servers
product:"nginx"
above product query can be combined like
"port: 8080" product:"nginx"
Operating systems
Target Query Windows 7
os:"windows 7"
specific build versions of Windows 10
os:"Windows 10 Home 19041"
Linux-based devices
os:"Linux"
Filtering by country, city or location
Target Query filter by country
country:"UK"
filter by city
"city: London"
GPS coordinates of a region or city
geo:"51.5074, 0.1278"
combined with other filters
os:"windows 7" country:"UK"
SSL certificates
Target Query self-signed certificates
ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
expired SSL certificates
ssl.cert.expired:true
Webcams
Target Query self-signed certificates
Server: SQ-WEBCAM
filter out specific software vendors who provide software for webcams, such as Yawcam
"Server: yawcam" "Mime-Type: text/html"
Industrial control systems
Target Query XZERES Wind Turbines
title:"xzeres wind"
Mitsubishi Electric, the MELSEC-Q protocol is commonly used by control system machines/networks
port:5006,5007 product:mitsubishi
electric vehicle chargers
"Server: gSOAP/2.8" "Content-Length: 583"
Remote Desktop
Target Query Windows Remote Desktop
remote desktop "port:3389"
Linux VNC
"authentication disabled" "RFB 003.008"
electric vehicle chargers
"Server: gSOAP/2.8" "Content-Length: 583"
NAS accesses
Target Query Samba protocol on port 445 with authentication disabled
"Authentication: disabled" port:445
Plex is a popular media management device used to manage photos, movies and music
"X-Plex-Protocol" "200 OK" port:32400
FTP-based services
"220" "230 Login successful." port:21
Printers and copiers
Target Query HP-powered printers
"Serial Number:" "Built:" "Server: HP HTTP"
EPSON-powered printers
"SERVER: EPSON_Linux UPnP" "200 OK"
Xerox printers
ssl:"Xerox Generic Root"
Useful Filter Searches for BB
GitLab
org:"Target" http.title:"GitLab"
Default creds : Username: root & pass: 5iveL!fe Username: admin & Pass: 5iveL!fe
Github Dorking
Specify a target, and always use double quotes as best practice. Eg “target.com”
Specify a Keyword that you want to Dork for. Eg: “password” or “secret”
Specify a language. This means, the programming language.Eg: language:"bash"`
Specify the keywords that you don’t want to see in the response:org:targetCompany language:"bash" "password" "secret" NOT test
Dork to find something Juicy
Keywords
Viewing Cached Content (cache:target.com)
Web Archive
1.2 Fingerprint Web Server
tool: whatweb
ext: wappalyzer
manual: response and error messages
1.3 Review Webserver Metafiles for Information Leakage
robots.txt
META Tags
sitemap.xml
security.txt or .well-known/security.txt
humans.txt
.well-known/ (brute-force or google well known for specific target)
1.4 Enumerate Applications on Webserver
Non-standard URLs
web server is mis-configured and allows directory browsing (Vuln Scanner)
use google dorking may figure theme out (site:target.com)
non published apps "intelligent guessing" (Vuln Scanner) https:// www.example.com/webmail → https://webmail.example.com/ or https://mail.example.com/
Non-standard Ports
port scanners like nmap easily identify that (nmap –Pn –sT –sV –p0-65535 192.168.1.100)
Virtual Hosts
DNS Zone Transfers (tool: dnsrecon)
DNS Inverse Queries
Web-based DNS Searches (site:https://searchdns.netcraft.com/?host)
Reverse-IP Services Domain Tools Reverse IP (requires free membership) DNSstuff (multiple services available) Net Square (multiple queries on domains and IP addresses, requires installation)
Googling
Digital Certificates Common Name (CN) and Subject Alternate Name (SAN) on the certificate may contain one or more hostnames
1.5 Review Webpage Content for Information Leakage
Review Webpage Comments and Metadata
Identifying JavaScript Code and Gathering JavaScript Files → API keys, internal IP addresses, sensitive routes, or credentials
Identifying Source Map Files /static/js/main.chunk.js → /static/js/main.chunk.js.map output be like
Identify Redirect Responses which Leak Information the redirect response itself may still contain content which isn’t shown in the browser but is indeed transmitted to the client use proxy to check this
1.6 Identify Application Entry Points
interesting parameters in the URL, custom headers, or body of the requests/responses
Requests
Identify where GETs are used and where POSTs are used.
Identify all parameters used in a POST request (these are in the body of the request).
Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren’t seen unless a proxy or view the HTML source code is used. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s).
Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
Identify all the parameters of the query string. These usually are in a pair format, such as
foo=bar
. Also note that many parameters can be in one query string such as separated by a&
,\\~
,:
, or any other special character or encoding.A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute the attacks. The tester needs to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure each one of them is identified.
Also pay attention to any additional or custom type headers not typically seen (such as
debug: false
).
Responses
Identify where new cookies are set (
Set-Cookie
header), modified, or added to.Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
Also note where any interesting headers are used. For example,
Server: BIG-IP
indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.
OWASP Attack Surface Detector (CLI or Burp Ext)
1.7 Map Execution Paths Through Application
Spidering
1.8 Fingerprint Web Application Framework
Black-Box Testing
HTTP headers
Cookies
HTML source code
Specific files and folders
File extensions
Error messages
HTTP Headers (
X-Powered-By
,X-Generator
)Cookies
HTML Source Code (
<meta>
)Specific Files and Folders (dirbusting, CHANGELOG file) *Tip:
before starting with dirbusting, check the robots.txt file first.
dirbusting with* good file lists FuzzDB wordlists of predictable files/folders.
File Extensions
Error Messages
Common Identifiers
Cookies
Framework Cookie name Zope
zope3
CakePHP
cakephp
VIVVO
VivvoSessionId
Wix
LEPTON
lep[some_numeric_value]+sessionid
Dynamicweb
Dynamicweb
TYPO3
fe_typo_user
MODx
SN4[12symb]
Kentico CMS
CMSPreferredCulture
InstantCMS
InstantCMS[logdate]
Indico
MAKACSESSION
ImpressCMS
ICMSession
Hotaru CMS
hotaru_mobile
Graffiti CMS
graffitibot
EPiServer
EPiTrace, EPiServer
e107
e107_tz
DotNetNuke
DotNetNukeAnonymous
Django CMS
django
AMPcms
AMP
1C-Bitrix
BITRIX_
WordPress
wp-settings
phpBB
phpbb3_
Laravel
laravel_session
Kohana
kohanasession
HTML Source Code
Application Keyword WordPress
<meta name="generator" content="WordPress 3.9.2" />
phpBB
<body id="phpbb"
DotNetNuke
DNN Platform -http://www.dnnsoftware.com
Drupal
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
Joomla
<meta name="generator" content="Joomla! - Open Source Content Management" />
Mediawiki
<meta name="generator" content="MediaWiki 1.21.9" />
General Markers
%framework_name%
powered by
built upon
running
Specific Markers
Framework Keyword Adobe ColdFusion
<!-- START headerTags.cfm
Microsoft ASP.NET
__VIEWSTATE
Indexhibit
ndxz-studio
Business Catalyst
<!-- BC_OBNW -->
ZK
<!-- ZK
1.9 Fingerprint Web Application
merged into 1.9
1.10 Map Application Architecture
Application Components
Web Server
Platform-as-a-Service (PaaS)
Serverless
Microservices
Static Storage
Database (port scan, error messages, google fu for errors, guess)
Authentication
Web server configuration (including
.htaccess
files) or hard-coding passwords in scripts.Usually shows up as HTTP Basic authentication, indicated by a pop-up in the browser and a
WWW-Authenticate: Basic
HTTP header.
Local user accounts in a database.
Usually integrated into a form or API endpoint on the application.
An existing central authentication source such as Active Directory or an LDAP server.
May use NTLM authentication, indicated by a
WWW-Authenticate: NTLM
HTTP header.May be integrated into the web application in a form.
May require the username to be entered in the “DOMAIN\username” format, or may give a dropdown of available domains.
Single Sign-On (SSO) with either an internal or external provider.
Typically uses OAuth, OpenID Connect, or SAML.
Third Party Services and APIs
Network Components
Reverse Proxy
A mismatch between the front end server and the back end application (such as a
Server: nginx
header with an ASP.NET application).This can sometimes lead to request smuggling vulnerabilities.
Duplicate headers (especially the
Server
header).Multiple applications hosted on the same IP address or domain (especially if they use different languages).
Load Balancer
Inconsistent system times.
Different internal IP addresses or hostnames in detailed error messages.
Different addresses returned from Server-Side Request Forgery (SSRF).
They may also be indicated by the presence of specific cookies (for example, F5 BIG-IP load balancers will create a cookie called BIGipServer.
Content Delivery Network (CDN)
Facing IP belong to CDN try this ti identify Web Application IP
Emails sent by the application may come direct from the back end server, which could reveal it’s IP address.
DNS grinding, zone transfers or certificate transparency lists for domain may reveal it on a subdomain.
Scanning the IP ranges known to be used by the company may find the back end server.
Exploiting Server-Side Request Forgery (SSRF) may reveal the IP address.
Detailed error messages from the application may expose IP addresses or hostnames.
Security Components
Network Firewall -Tier 1-
To detect this, perform a port scan of the server and examine the results. closed → server, WAF → filtered
If the majority of the ports are shown as “closed” (i.e, they return a
RST
packet in response to the initialSYN
packet) then this suggests that the server may not be protected by a firewall. If the ports are shown as “filtered” (i.e, no response is received when sending aSYN
packet to an unused port) then a firewall is most likely to be in place.Additionally, if inappropriate services are exposed to the world (such as SMTP, IMAP, MySQL, etc), this suggests that either there is not firewall in place, or that the firewall is badly configured.
Network Intrusion Detection (IDS) and Prevention (IPS) System -Tier 2-
A network Intrusion Detection System (IDS) detects suspicious or malicious network-level activity (such as port or vulnerability scanning) and raises alerts. An Intrusion Prevention System (IPS) is similar, but also takes action to prevent the activity - usually by blocking the source IP address.
Web Application Firewall (WAF)
A WAF can be deployed in multiple locations, including:
On the web server itself.
On a separate virtual machine or hardware appliance.
In the cloud in front of the back end server.
Because a WAF blocks malicious requests, it can be detected by adding common attack strings to parameters and observing whether or not they are blocked. For example, try adding a parameter called
foo
with a value such as' UNION SELECT 1
or><script>alert(1)</script>
. If these requests are blocked then it suggests that there may be a WAF in place. Additionally, the contents of the block pages may provide information about the specific technology that is in use. Finally, some WAFs may add cookies or HTTP headers to responses that can reveal their presence.If a cloud-based WAF is in use, then it may be possible to bypass it by directly accessing the back end server, using the same methods discussed in the Content Delivery Network section.
Last updated