1.0 Information Gathering

1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

  • Google Dorking (GHDB)

    • Footholds

    • Files containing usernames

    • Sensitive Directories

    • Web Server Detection

    • Vulnerable Files

    • Vulnerable Servers

    • Error Messages

    • Files containing juicy info

    • Files containing passwords

    • Sensitive Online Shopping Info

  • Shodan Dorking

    Dork to find something Juicy

    ssl.cert.subject.CN:"*.target.com" http.html:"Log in, username, password" http.title:"Admin" 200 http.html:"Test, news, support"

    Database

    Target                                    Query
    MongoDB without authentication            "MongoDB Server Information" port:27017 -authentication
    Mongo Express web GUI (phpMyAdmin-like)   "Set-Cookie: mongo-express=" "200 OK"
    MySQL                                     mysql port:"3306"
    Elasticsearch indices                     port:"9200" all:"elastic indices"
    PostgreSQL                                port:5432 PostgreSQL

    Exposed ports

    Target                                    Query
    FTP (ProFTPD)                             proftpd port:21
    FTP allowing anonymous login              "220" "230 Login successful." port:21
    OpenSSH                                   openssh port:22
    Telnet                                    port:"23"
    Exim mail servers                         port:"25" product:"exim"
    Memcached (abused for UDP amplification DDoS)   port:"11211" product:"Memcached"
    Jenkins                                   "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

    DNS servers

    Target                                    Query
    Open recursive DNS resolvers              port:53 "Recursion: Enabled"

    Network infrastructure

    Target                                    Query
    Devices running a specific RouterOS version   port:8291 os:"MikroTik RouterOS 6.45.9"

    Web servers

    Target                                    Query
    Apache web servers                        product:"Apache httpd" port:"80"
    Microsoft IIS web servers                 product:"Microsoft IIS httpd"
    Nginx web servers                         product:"nginx"
    product: combines with any other filter   port:8080 product:"nginx"

    Operating systems

    Target                                    Query
    Windows 7                                 os:"windows 7"
    Specific Windows 10 build                 os:"Windows 10 Home 19041"
    Linux-based devices                       os:"Linux"

    Filtering by country, city or location

    Shodan takes ISO 3166-1 two-letter country codes, so the United Kingdom is GB, not UK. Filters are written filter:value with no space; a quoted "city: London" searches banner text instead.

    Target                                    Query
    Filter by country                         country:"GB"
    Filter by city                            city:"London"
    GPS coordinates of a region or city       geo:"51.5074,-0.1278"   (lat,lon; central London lies at 0.1278 W, hence the negative longitude)
    Combined with other filters               os:"windows 7" country:"GB"

    SSL certificates

    Target                                    Query
    Self-signed certificates (issuer CN equals subject CN)   ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
    Expired SSL certificates                  ssl.cert.expired:true

    Webcams

    Target                                    Query
    Generic webcam servers (SQ-WEBCAM banner) Server: SQ-WEBCAM
    Specific webcam software, such as Yawcam  "Server: yawcam" "Mime-Type: text/html"

    Industrial control systems

    Target                                    Query
    XZERES wind turbines                      title:"xzeres wind"
    Mitsubishi Electric MELSEC-Q protocol (common on control system networks)   port:5006,5007 product:mitsubishi
    Electric vehicle chargers                 "Server: gSOAP/2.8" "Content-Length: 583"

    Remote Desktop

    Target                                    Query
    Windows Remote Desktop                    "remote desktop" port:3389
    VNC (RFB 3.8) with authentication disabled   "authentication disabled" "RFB 003.008"

    NAS accesses

    Target                                    Query
    SMB on port 445 with authentication disabled   "Authentication: disabled" port:445
    Plex media servers (photos, movies, music)   "X-Plex-Protocol" "200 OK" port:32400
    FTP allowing anonymous login              "220" "230 Login successful." port:21

    Printers and copiers

    Target                                    Query
    HP printers                               "Serial Number:" "Built:" "Server: HP HTTP"
    Epson printers                            "SERVER: EPSON_Linux UPnP" "200 OK"
    Xerox printers                            ssl:"Xerox Generic Root"

    Useful Filter Searches for bug bounty (BB)

    cidr, target, name, number, domain.com, QUERY and <ip> below are placeholders for the engagement's values.

    kibana content-length:217 net:"cidr"
    org:"Amazon" ssl:"target"
    ssl:"target"
    html:"Dashboard Jenkins" http.component:"jenkins"
    http.title:"302 Found"
    http.component:"java"
    https://www.shodan.io/host/<ip>#9200   (host page, jumps to the port 9200 banner)
    https://www.shodan.io/host/<ip>
    X-Redirect-By: WordPress ssl:"name"
    html:"eBay Inc. All Right Reserved"
    X-Amz-Bucket-Region
    x-jenkins 200
    X-Generator: Drupal 7
    ssl:Google
    org:"Name" port:"80"
    all:"mongodb server information" all:"metrics"
    port:27017 -all:"partially" all:"fs.files"
    port:"9200" all:"elastic indices"
    product:elastic port:9200
    product:CouchDB
    title:"system dashboard" html:jira
    product:"apache tomcat"
    ssl:"development" org:"Amazon.com" port:"number"
    http.component:ruby port:3000
    html:"secret_key_base"
    html:"rack.version"
    http.html:QUERY ssl:"domain.com"
    http.favicon.hash:81586312 200
    html:"/dana-na/"   (Pulse Secure VPN login path)

    GitLab

    org:"Target" http.title:"GitLab"

    Historical default credentials of older GitLab releases (worth a single try): username root, password 5iveL!fe; username admin, password 5iveL!fe

  • Github Dorking

    1. Specify a target, and as best practice wrap it in double quotes, e.g. "target.com"

    2. Specify a keyword to dork for, e.g. "password" or "secret"

    3. Specify a language (the programming language), e.g. language:"bash"

    4. Specify the keywords you do not want in the results with NOT, e.g. org:targetCompany language:"bash" "password" "secret" NOT test

    GitHub dorking methodology

    1. Find the target's GitHub organisation page.
    2. Roughly half the time the organisation's own repositories leak nothing. Scroll down the organisation page to the People tab: it lists the employees publicly affiliated with the target.
    3. Every employee in the People tab is in scope for GitHub dorking, which adds attack surface. Remember that these employees have projects outside work, so a leak in an employee's repository may belong to a personal project. Before reporting, verify that the leaked data belongs to the target and not to a private or external project of the employee.
    4. If the People tab turns up nothing, there is still more surface. An employee who has leaked company-related secrets in a public GitHub repository is a reportable finding. To find employees who are not listed in the People tab (not every employee links their account to the organisation), use a Google dork:

       site:linkedin.com intext:"software engineer at TargetORG"

       Then locate each employee's GitHub page with:

       site:github.com intext:the_employee_here

       or simply search "github the_employee_here". Most software engineers have a GitHub account, so this usually gives many more repositories to dork, and a better chance of finding leaks.

    Dork to find something Juicy

    "target.com" language:python "secret" "password" "key" NOT support NOT docs NOT sandbox NOT docker NOT container NOT test NOT fake

    Keywords

    Jenkins
    Jira
    OTP
    oauth
    authorization
    password
    pwd
    ftp
    ssh
    dotfiles
    JDBC
    token
    user
    pass
    secret
    SecretAccessKey
    AWS_SECRET_ACCESS_KEY
    credentials
    config
    security_credentials
  • Viewing Cached Content (cache:target.com; Google retired the cache: operator in 2024, so fall back to the Web Archive)

  • Web Archive

1.2 Fingerprint Web Server

1.3 Review Webserver Metafiles for Information Leakage

    • robots.txt

    • META Tags

    • sitemap.xml

    • security.txt or .well-known/security.txt

    • humans.txt

    • .well-known/ (brute-force or google well known for specific target)

1.4 Enumerate Applications on Webserver

    • Non-standard URLs

    • Non-standard Ports

      • port scanners such as nmap identify these easily (nmap -Pn -sT -sV -p0-65535 192.168.1.100)

    • Virtual Hosts

      • DNS Zone Transfers (tool: dnsrecon)

      • DNS Inverse Queries

      • Web-based DNS Searches (for example https://searchdns.netcraft.com/?host=target.com)

      • Reverse-IP Services

        • Domain Tools Reverse IP (requires free membership)

        • DNSstuff (multiple services available)

        • Net Square (multiple queries on domains and IP addresses, requires installation)

      • Googling

      • Digital Certificates Common Name (CN) and Subject Alternate Name (SAN) on the certificate may contain one or more hostnames

      Pass the hostname as SNI as well (-servername); otherwise a server hosting several names may answer with its default certificate:

      openssl s_client -servername www.example.org -connect 93.184.216.34:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'DNS:|Subject:'

      Subject: C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
      DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
1.5 Review Webpage Content for Information Leakage

    • Review Webpage Comments and Metadata

    • Identifying JavaScript Code and Gathering JavaScript Files → API keys, internal IP addresses, sensitive routes, or credentials

    • Identifying Source Map Files: for /static/js/main.chunk.js request /static/js/main.chunk.js.map; the output looks like

      {
        "version": 3,
        "file": "static/js/main.chunk.js",
        "sources": [
          "/home/sysadmin/cashsystem/src/actions/index.js",
          "/home/sysadmin/cashsystem/src/actions/reportAction.js",
          "/home/sysadmin/cashsystem/src/actions/cashoutAction.js",
          "/home/sysadmin/cashsystem/src/actions/userAction.js",
          "..."
        ],
        "..."
      } 
    • Identify Redirect Responses which Leak Information: a redirect response may still carry a body that the browser never renders but the server does transmit to the client, so inspect it in a proxy rather than in the browser
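The source map review described above, as a runnable Python example added here (not code from the page): it parses a map, reports sources given as absolute build paths, and greps any embedded sourcesContent for internal addresses and credential-looking assignments. The map, the patterns and the hypothetical values in it are constructed.

```python
"""Inspect a JavaScript source map for leaked paths and embedded secrets.

Added example, not code from the page. The map below is constructed; real
maps are fetched from the URL named in the bundle's trailing
'//# sourceMappingURL=' comment or by appending '.map' to the bundle URL.
"""
import json
import re

# Constructed source map, in the shape of the one shown above, with an
# optional sourcesContent array (present when the build embeds the sources).
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "static/js/main.chunk.js",
    "sources": [
        "/home/sysadmin/cashsystem/src/actions/index.js",
        "/home/sysadmin/cashsystem/src/config/api.js",
        "webpack:///./node_modules/react/index.js",
    ],
    "sourcesContent": [
        "export const noop = () => {};",
        "export const API = 'http://10.0.3.15:8081/internal';\n"
        "export const AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';",
        None,
    ],
    "mappings": "AAAA",
})

# Patterns worth a manual look; a hypothetical starting set, extend as needed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(r"AWS_SECRET_ACCESS_KEY\s*[=:]\s*['\"]([^'\"]+)"),
    "private_ip": re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "generic_secret": re.compile(r"(?i)(secret|token|password|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})"),
}


def parse_source_map(raw):
    """Return [(source path, embedded content or None), ...] for a v3 map."""
    m = json.loads(raw)
    if m.get("version") != 3:
        raise ValueError("unsupported source map version")
    sources = m.get("sources", [])
    contents = m.get("sourcesContent") or [None] * len(sources)
    return list(zip(sources, contents))


def absolute_build_paths(entries):
    """Sources given as absolute filesystem paths leak the build machine's layout."""
    return [src for src, _ in entries if src.startswith("/") or re.match(r"^[A-Za-z]:\\", src)]


def find_secrets(entries):
    """Run each pattern over embedded sources; return (source, label, matched text)."""
    hits = []
    for src, content in entries:
        if not content:
            continue
        for label, pat in SECRET_PATTERNS.items():
            for match in pat.finditer(content):
                hits.append((src, label, match.group(0)))
    return hits


def report(raw):
    """Summarise what a source map gives away."""
    entries = parse_source_map(raw)
    return {
        "source_count": len(entries),
        "embedded_count": sum(1 for _, c in entries if c),
        "absolute_paths": absolute_build_paths(entries),
        "secrets": find_secrets(entries),
    }
```

When sourcesContent is present the original, unminified source is recoverable in full; when it is absent, the sources list alone still names internal modules and the build user's home directory.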

1.6 Identify Application Entry Points

    • interesting parameters in the URL, custom headers, or body of the requests/responses

      • Requests

        • Identify where GETs are used and where POSTs are used.

        • Identify all parameters used in a POST request (these are in the body of the request).

        • Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren’t seen unless a proxy or view the HTML source code is used. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s).

        • Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).

        • Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string, separated by &, ~, :, or any other special character or encoding.

        • A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute the attacks. The tester needs to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure each one of them is identified.

        • Also pay attention to any additional or custom type headers not typically seen (such as debug: false).

      • Responses

        • Identify where new cookies are set (Set-Cookie header), modified, or added to.

        • Identify where there are any redirects (3xx HTTP status codes), 4xx status codes (in particular 403 Forbidden), and 500 Internal Server Error responses during normal use (i.e., unmodified requests).

        • Also note where any interesting headers are used. For example, Server: BIG-IP indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.

    • OWASP Attack Surface Detector (CLI or Burp Ext)
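The request and response checklist above, as a runnable Python example added here (not code from the page or from the Attack Surface Detector): it takes a captured request/response pair, pulls out query and body parameters, flags non-standard headers, and in the response records Set-Cookie, redirect or error status, the Server header, and hidden form fields. The traffic, hostnames and values are constructed.

```python
"""Enumerate application entry points from a captured request/response pair.

Added example, not code from the WSTG page or any tool it names. The traffic
below is constructed to look like what an intercepting proxy shows; nothing
is sent over the network.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

SAMPLE_REQUEST = (  # constructed
    "POST /account/update?id=42&debug=false HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Debug-Mode: false\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "username=alice&role=user&csrf=deadbeef"
)

SAMPLE_RESPONSE = (  # constructed
    "HTTP/1.1 302 Found\r\n"
    "Server: BIG-IP\r\n"
    "Set-Cookie: session=def456; HttpOnly\r\n"
    "Location: /account\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form action="/admin/save" method="post">'
    '<input type="hidden" name="isAdmin" value="0">'
    '<input type="text" name="note"></form></body></html>'
)

# Headers common enough not to be worth a second look on their own.
COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "connection", "referer",
    "cache-control", "date", "location", "set-cookie", "vary", "pragma",
}


def split_message(raw):
    """Split a raw HTTP message into (start line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


class FormFinder(HTMLParser):
    """Collect form targets and hidden inputs: the fields a browser never shows."""

    def __init__(self):
        super().__init__()
        self.forms = []   # (METHOD, action)
        self.hidden = []  # (name, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").upper(), a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value") or ""))


def analyze_request(raw):
    """Method, path, query and body parameters, and any non-standard headers."""
    start, headers, body = split_message(raw)
    method, target, _ = start.split(" ", 2)
    parts = urlsplit(target)
    ctype = headers.get("content-type", [""])[0]
    return {
        "method": method,
        "path": parts.path,
        "query_params": parse_qsl(parts.query, keep_blank_values=True),
        "body_params": parse_qsl(body, keep_blank_values=True)
        if "application/x-www-form-urlencoded" in ctype else [],
        "custom_headers": {n: v for n, v in headers.items() if n not in COMMON_HEADERS},
    }


def analyze_response(raw):
    """Status class, cookies being set, Server header, forms and hidden fields."""
    start, headers, body = split_message(raw)
    status = int(start.split(" ")[1])
    finder = FormFinder()
    finder.feed(body)
    flags = []
    if 300 <= status < 400:
        flags.append("redirect")  # the body may still carry content
    if status in (401, 403) or status >= 500:
        flags.append("access-or-server-error")
    return {
        "status": status,
        "flags": flags,
        "set_cookie": headers.get("set-cookie", []),
        "server": headers.get("server", [None])[0],
        "forms": finder.forms,
        "hidden_fields": finder.hidden,
    }
```

Feed it the raw messages saved from a proxy; every parameter it lists, hidden fields and custom headers included, is an input to test in the later sections.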

1.7 Map Execution Paths Through Application

    • Spidering

1.8 Fingerprint Web Application Framework

    • Black-Box Testing

    • HTTP Headers (X-Powered-By, X-Generator)

    • Cookies

    • HTML Source Code (<meta> tags)

    • Specific Files and Folders (dirbusting, CHANGELOG file). Tips: check robots.txt before starting to dirbust, and dirbust with good file lists such as the FuzzDB wordlists of predictable files/folders.

    • File Extensions

    • Error Messages

    • Common Identifiers

      Cookies

      Framework          Cookie name
      Zope               zope3
      CakePHP            cakephp
      VIVVO              VivvoSessionId
      Wix                (not listed)
      LEPTON             lep[some_numeric_value]+sessionid
      Dynamicweb         Dynamicweb
      TYPO3              fe_typo_user
      MODx               SN4[12symb]
      Kentico CMS        CMSPreferredCulture
      InstantCMS         InstantCMS[logdate]
      Indico             MAKACSESSION
      ImpressCMS         ICMSession
      Hotaru CMS         hotaru_mobile
      Graffiti CMS       graffitibot
      EPiServer          EPiTrace, EPiServer
      e107               e107_tz
      DotNetNuke         DotNetNukeAnonymous
      Django CMS         django
      AMPcms             AMP
      1C-Bitrix          BITRIX_
      WordPress          wp-settings
      phpBB              phpbb3_
      Laravel            laravel_session
      Kohana             kohanasession

      HTML Source Code

      Application        Keyword
      WordPress          <meta name="generator" content="WordPress 3.9.2" />
      phpBB              <body id="phpbb"
      DotNetNuke         (not listed)
      Drupal             <meta name="Generator" content="Drupal 7 (http://drupal.org)" />
      Joomla             <meta name="generator" content="Joomla! - Open Source Content Management" />
      Mediawiki          <meta name="generator" content="MediaWiki 1.21.9" />

      General Markers

      • %framework_name%

      • powered by

      • built upon

      • running

      Specific Markers

      Framework          Keyword
      Adobe ColdFusion   <!-- START headerTags.cfm
      Microsoft ASP.NET  __VIEWSTATE
      Indexhibit         ndxz-studio
      Business Catalyst  <!-- BC_OBNW -->
      ZK                 <!-- ZK
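The identifier tables above, turned into a small fingerprinter in Python. This is an added example, not code from the page or from any scanner: it matches cookie names from the Cookies table, the meta generator and specific HTML markers from the two source-code tables, and reports the telling headers. The response it runs on is constructed.

```python
"""Fingerprint a web framework from response headers, cookie names and HTML.

Added example built around the identifier tables above; it is not code from
the page. The response below is constructed, so nothing is requested.
"""
import re

# Cookie-name prefixes from the Cookies table (prefix -> framework).
COOKIE_PREFIXES = {
    "zope3": "Zope", "cakephp": "CakePHP", "VivvoSessionId": "VIVVO",
    "Dynamicweb": "Dynamicweb", "fe_typo_user": "TYPO3",
    "CMSPreferredCulture": "Kentico CMS", "MAKACSESSION": "Indico",
    "ICMSession": "ImpressCMS", "hotaru_mobile": "Hotaru CMS",
    "graffitibot": "Graffiti CMS", "EPiTrace": "EPiServer",
    "EPiServer": "EPiServer", "e107_tz": "e107",
    "DotNetNukeAnonymous": "DotNetNuke", "django": "Django CMS",
    "AMP": "AMPcms", "BITRIX_": "1C-Bitrix", "wp-settings": "WordPress",
    "phpbb3_": "phpBB", "laravel_session": "Laravel",
    "kohanasession": "Kohana",
}
# The table's less regular names, as patterns.
COOKIE_PATTERNS = [
    (re.compile(r"^lep\d+sessionid$"), "LEPTON"),
    (re.compile(r"^SN4.{12}$"), "MODx"),
    (re.compile(r"^InstantCMS\[.*\]$"), "InstantCMS"),
]
# HTML markers from the HTML Source Code and Specific Markers tables.
HTML_MARKERS = [
    (re.compile(r'<meta name="generator" content="WordPress', re.I), "WordPress"),
    (re.compile(r'<body id="phpbb"', re.I), "phpBB"),
    (re.compile(r'<meta name="generator" content="Drupal', re.I), "Drupal"),
    (re.compile(r'<meta name="generator" content="Joomla!', re.I), "Joomla"),
    (re.compile(r'<meta name="generator" content="MediaWiki', re.I), "MediaWiki"),
    (re.compile(r"<!-- START headerTags\.cfm"), "Adobe ColdFusion"),
    (re.compile(r"__VIEWSTATE"), "Microsoft ASP.NET"),
    (re.compile(r"ndxz-studio"), "Indexhibit"),
    (re.compile(r"<!-- BC_OBNW -->"), "Business Catalyst"),
    (re.compile(r"<!-- ZK"), "ZK"),
]
GENERATOR_RE = re.compile(r'<meta name="generator" content="([^"]+)"', re.I)

SAMPLE_HEADERS = {  # constructed
    "Server": "nginx",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": ["wp-settings-1=editor%3Dtinymce; path=/", "PHPSESSID=abc; path=/"],
}
SAMPLE_BODY = (  # constructed
    '<html><head><meta name="generator" content="WordPress 3.9.2" /></head>'
    "<body></body></html>"
)


def cookie_names(headers):
    """Names of cookies set by the response (Set-Cookie may repeat)."""
    raw = headers.get("Set-Cookie", [])
    if isinstance(raw, str):
        raw = [raw]
    return [c.split("=", 1)[0].strip() for c in raw]


def fingerprint(headers, body):
    """Return {framework: [evidence, ...]}, the telling headers and the generator tag."""
    frameworks = {}

    def add(fw, why):
        frameworks.setdefault(fw, []).append(why)

    for name in cookie_names(headers):
        for prefix, fw in COOKIE_PREFIXES.items():
            if name.startswith(prefix):
                add(fw, "cookie " + name)
        for rx, fw in COOKIE_PATTERNS:
            if rx.match(name):
                add(fw, "cookie " + name)
    for rx, fw in HTML_MARKERS:
        if rx.search(body):
            add(fw, "html " + rx.pattern)
    m = GENERATOR_RE.search(body)
    return {
        "frameworks": frameworks,
        "headers": {h: headers[h] for h in ("Server", "X-Powered-By", "X-Generator") if h in headers},
        "generator": m.group(1) if m else None,
    }
```

Two independent pieces of evidence for the same framework (a cookie and a marker) are worth more than one; a Server header that disagrees with the framework (nginx in front of ASP.NET, say) is the reverse-proxy clue discussed under Map Application Architecture.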

1.9 Fingerprint Web Application

    merged into 1.8 (Fingerprint Web Application Framework)

1.10 Map Application Architecture

    • Application Components

      • Web Server

      • Platform-as-a-Service (PaaS)

      • Serverless

      • Microservices

      • Static Storage

      • Database (port scan, error messages, google fu for errors, guess)

      • Authentication

        • Web server configuration (including .htaccess files) or hard-coding passwords in scripts.

          • Usually shows up as HTTP Basic authentication, indicated by a pop-up in the browser and a WWW-Authenticate: Basic HTTP header.

        • Local user accounts in a database.

          • Usually integrated into a form or API endpoint on the application.

        • An existing central authentication source such as Active Directory or an LDAP server.

          • May use NTLM authentication, indicated by a WWW-Authenticate: NTLM HTTP header.

          • May be integrated into the web application in a form.

          • May require the username to be entered in the “DOMAIN\username” format, or may give a dropdown of available domains.

        • Single Sign-On (SSO) with either an internal or external provider.

          • Typically uses OAuth, OpenID Connect, or SAML.

      • Third Party Services and APIs

    • Network Components

      • Reverse Proxy

        • A mismatch between the front end server and the back end application (such as a Server: nginx header with an ASP.NET application).

        • Duplicate headers (especially the Server header).

        • Multiple applications hosted on the same IP address or domain (especially if they use different languages).

      • Load Balancer

        • Inconsistent system times.

        • Different internal IP addresses or hostnames in detailed error messages.

        • Different addresses returned from Server-Side Request Forgery (SSRF).

        • They may also be indicated by the presence of specific cookies (for example, F5 BIG-IP load balancers create a cookie named BIGipServer followed by the pool name).
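The BIGipServer cookie just mentioned does more than identify an F5: in its default, unencrypted form the value encodes the internal IP and port of the pool member the request was sent to. The decoder below is an added example, not code from the page; it follows the cookie layouts F5 documents (IPv4 as a little-endian 32-bit integer plus little-endian 16-bit port, the rd<N>o... route-domain form, and the vi<hex> IPv6 form). The cookies it is tested against are constructed.

```python
"""Decode an F5 BIG-IP persistence cookie into the pool member it selects.

Added example, not code from the page. It implements the default
(unencrypted) cookie layouts F5 documents: IPv4 as a little-endian 32-bit
integer plus little-endian 16-bit port, the 'rd<N>o...' route-domain form,
and the 'vi<hex>' IPv6 form. The cookies used with it are constructed.
"""
import ipaddress
import re
import struct

COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;\s]+)")
V4_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")                       # ip_int.port_int.0000
RD_RE = re.compile(r"^rd(\d+)o0{20}ffff([0-9a-fA-F]{8})o(\d+)$")   # route domain, IPv4
V6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")                 # IPv6, hex ip.port_int


def _swap_port(n):
    """The port is stored little-endian; swap the two bytes."""
    return struct.unpack("<H", struct.pack(">H", n))[0]


def decode_value(value):
    """Decode the cookie value; returns None for unknown (e.g. encrypted) layouts."""
    m = V4_RE.match(value)
    if m:
        ip = ipaddress.IPv4Address(struct.pack("<I", int(m.group(1))))
        return {"ip": str(ip), "port": _swap_port(int(m.group(2))), "route_domain": 0}
    m = RD_RE.match(value)
    if m:
        ip = ipaddress.IPv4Address(int(m.group(2), 16))
        return {"ip": str(ip), "port": int(m.group(3)), "route_domain": int(m.group(1))}
    m = V6_RE.match(value)
    if m:
        ip = ipaddress.IPv6Address(int(m.group(1), 16))
        return {"ip": str(ip), "port": _swap_port(int(m.group(2))), "route_domain": 0}
    return None


def decode_bigip_cookie(header_value):
    """Find a BIGipServer cookie in a Set-Cookie or Cookie header and decode it."""
    m = COOKIE_RE.search(header_value)
    if not m:
        return None
    decoded = decode_value(m.group("value"))
    if decoded is None:
        return None
    return {"pool": m.group("pool"), **decoded}
```

BIG-IP can be configured to encrypt the persistence cookie, in which case the value does not match any layout and the function returns None; the cookie's presence still confirms the load balancer, and the decoded address, where available, is an internal IP to fold into the Content Delivery Network and SSRF checks that follow.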

      • Content Delivery Network (CDN)

        If the public-facing IP belongs to a CDN, try the following to identify the origin web server's IP:

        • Emails sent by the application may come directly from the back end server, which can reveal its IP address.

        • DNS grinding, zone transfers or certificate transparency lists for domain may reveal it on a subdomain.

        • Scanning the IP ranges known to be used by the company may find the back end server.

        • Exploiting Server-Side Request Forgery (SSRF) may reveal the IP address.

        • Detailed error messages from the application may expose IP addresses or hostnames.

    • Security Components

      • Network Firewall -Tier 1-

        To detect this, port scan the server and examine the results: mostly "closed" ports suggest no firewall in front of the server, mostly "filtered" ports suggest a firewall (a WAF works at the HTTP layer and is detected differently, see below).

        • If the majority of the ports are shown as “closed” (i.e., they return a RST packet in response to the initial SYN packet), the server is probably not protected by a firewall. If the ports are shown as “filtered” (i.e., no response is received when sending a SYN packet to an unused port), a firewall is most likely in place.

        • Additionally, if inappropriate services are exposed to the world (such as SMTP, IMAP, MySQL, etc.), this suggests that either there is no firewall in place or that the firewall is badly configured.

      • Network Intrusion Detection (IDS) and Prevention (IPS) System -Tier 2-

        A network Intrusion Detection System (IDS) detects suspicious or malicious network-level activity (such as port or vulnerability scanning) and raises alerts. An Intrusion Prevention System (IPS) is similar, but also takes action to prevent the activity - usually by blocking the source IP address.

      • Web Application Firewall (WAF)

        A WAF can be deployed in multiple locations, including:

        • On the web server itself.

        • On a separate virtual machine or hardware appliance.

        • In the cloud in front of the back end server.

        Because a WAF blocks malicious requests, it can be detected by adding common attack strings to parameters and observing whether or not they are blocked. For example, try adding a parameter called foo with a value such as ' UNION SELECT 1 or ><script>alert(1)</script>. If these requests are blocked then it suggests that there may be a WAF in place. Additionally, the contents of the block pages may provide information about the specific technology that is in use. Finally, some WAFs may add cookies or HTTP headers to responses that can reveal their presence.

        If a cloud-based WAF is in use, then it may be possible to bypass it by directly accessing the back end server, using the same methods discussed in the Content Delivery Network section.
