1.0 Information Gathering

1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

• Google Dorking (GHDB)

  • Footholds

  • Files containing usernames

  • Sensitive Directories

  • Web Server Detection

  • Vulnerable Files

  • Vulnerable Servers

  • Error Messages

  • Files containing juicy info

  • Files containing passwords

  • Sensitive Online Shopping Info

• Shodan Dorking

  Dork to find something Juicy

  ssl.cert.subject.CN:"*.target.com" http.html:"Log in, username, password" http.title:"Admin" 200 http.html:"Test, news, support"

  Database

  Target	Query
  MongoDB	"MongoDB Server Information" port:27017 -authentication
  Mongo Express Web GUI - phpmyadmin like -	"Set-Cookie: mongo-express=" "200 OK"
  MySql	mysql port:"3306"
  elastic indices	port:"9200" all:"elastic indices"
  PostgreSQL	port:5432 PostgreSQL

  Exposed ports

  Target	Query
  FTP	proftpd port:21
  FTP with anonymous logins	"220" "230 Login successful." port:21
  OpenSSH	openssh port:22
  Telnet	port:"23"
  EXIM-powered mail servers	port:"25" product:"exim"
  Memcached - has been a major source of UDP amplification attacks leading to huge DDoS -	port:"11211" product:"Memcached"
  Jenkins	"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

  DNS servers

  Target	Query
  DNS servers	"port: 53" Recursion: Enabled

  Network infrastructure

  Target	Query
  devices running a specific version of a RouterOS	port:8291 os:"MikroTik RouterOS 6.45.9"

  Web servers

  Target	Query
  Apache web servers	product:"Apache httpd" port:"80"
  Microsoft IIS-powered websites and web servers	product:"Microsoft IIS httpd"
  Nginx-powered websites and web servers	product:"nginx"
  above product query can be combined like	"port: 8080" product:"nginx"

  Operating systems

  Target	Query
  Windows 7	os:"windows 7"
  specific build versions of Windows 10	os:"Windows 10 Home 19041"
  Linux-based devices	os:"Linux"

  Filtering by country, city or location

  Target	Query
  filter by country	country:"UK"
  filter by city	"city: London"
  GPS coordinates of a region or city	geo:"51.5074, 0.1278"
  combined with other filters	os:"windows 7" country:"UK"

  SSL certificates

  Target	Query
  self-signed certificates	ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
  expired SSL certificates	ssl.cert.expired:true

  Webcams

  Target	Query
  self-signed certificates	Server: SQ-WEBCAM
  filter out specific software vendors who provide software for webcams, such as Yawcam	"Server: yawcam" "Mime-Type: text/html"

  Industrial control systems

  Target	Query
  XZERES Wind Turbines	title:"xzeres wind"
  Mitsubishi Electric, the MELSEC-Q protocol is commonly used by control system machines/networks	port:5006,5007 product:mitsubishi
  electric vehicle chargers	"Server: gSOAP/2.8" "Content-Length: 583"

  Remote Desktop

  Target	Query
  Windows Remote Desktop	remote desktop "port:3389"
  Linux VNC	"authentication disabled" "RFB 003.008"
  electric vehicle chargers	"Server: gSOAP/2.8" "Content-Length: 583"

  NAS accesses

  Target	Query
  Samba protocol on port 445 with authentication disabled	"Authentication: disabled" port:445
  Plex is a popular media management device used to manage photos, movies and music	"X-Plex-Protocol" "200 OK" port:32400
  FTP-based services	"220" "230 Login successful." port:21

  Printers and copiers

  Target	Query
  HP-powered printers	"Serial Number:" "Built:" "Server: HP HTTP"
  EPSON-powered printers	"SERVER: EPSON_Linux UPnP" "200 OK"
  Xerox printers	ssl:"Xerox Generic Root"

  Useful Filter Searches for BB

  kibana content-length:217 net:”cidr”
  org:”Amazon” ssl:”target”
  ssl:”target”
  html:”Dashboard Jenkins” http.component:”jenkins”
  http.title:”302 Found”
  http.component%3A”java”
  <https://www.shodan.io/host/ip#9200>
  <https://www.shodan.io/host/ip>
  X-Redirect-By: WordPress ssl:”name”
  query: html:”eBay Inc. All Right Reserved”
  X-Amz-Bucket-Region
  x-jenkins 200
  X-Generator: Drupal 7
  ssl:Google
  org:’Name’ port:’80’
  all:”mongodb server information” all:”metrics”
  port:27017 -all:”partially” all:”fs.files”
  port:”9200" all:”elastic indices”
  product:elastic port:9200
  product: CouchDB
  title:”system dashboard” html:jira
  product: “apache tomcat”
  ssl%3A”development”+org%3A”Amazon.com”+port%3A”number”
  http.component:ruby port:3000
  html:”secret_key_base”
  html:”rack.version”
  http.html:QUERY ssl:”domain.com”
  http.favicon.hash:81586312 200
  html:/dana-na/ Pulse Secure VPN exploit

  GitLab

  org:"Target" http.title:"GitLab"

  Default creds : Username: root & pass: 5iveL!fe Username: admin & Pass: 5iveL!fe

• Github Dorking

  1. Specify a target, and always use double quotes as best practice. Eg “target.com”

  1. Specify a Keyword that you want to Dork for. Eg: “password” or “secret”

  2. Specify a language. This means, the programming language.Eg: language:"bash"`

  3. Specify the keywords that you don’t want to see in the response:org:targetCompany language:"bash" "password" "secret" NOT test

  SECRET GITHUB DORKING METHODOLOGY UNRAVELLED!
  1. When you go to do Github Dorking, what is the first thing you do?
  ==> You find your target's Github Page.
  2. Then 50% of the time, you won't find leaks on their main github page, are there any other in-scope pages for github dorking?
  ==> Yes! When you go to the target's github page, if you scroll down you will see a tab called People.
  It has the employees that are officially working with your target.
  3. Now from the People tab go to any employee's github page. 
  ==> All of the Employees mentioned in the People tab are in-scope for Github dorking! How cool is that?! You just got more attack surface!
  Now remember that these employees have a life other than working for your target. 
  Means they can push sensitive  leaks but they might be of the employee's private project.(maybe his personal projects)
  So don't get too hyped when you see a leak by an employee, try to verify that it is information for your target, and not an external/private project of the employee.
  4. The best tip:
  Sometimes you wont be able to find leaks by the employees in the People tab, don't worry there is still a little something to get you more attack surface :)
  ==>
  Fact- If any of the employees have leaked sensitive information in their Github Repo which is related to the company, that's a bug!
  Now we are gonna find the external yet still in-scope employees :)
  Use this google dork-
  site:linkedin.com intext:software engineer at TargetORG
  This will find you employees that work for your target company, but still are not listed in People tab. Why? 
  ==>
   Maybe because they are meant to kept secret and they post sensitive stuff... You never know. Now that you found some more employees, you will find their Github Pages. Usually all Software engineers have a github page.
  To find their Github page use this google dork:
  site:github.com intext:the_employee_here
  or simply search "github the_employee_here"
  Now you got a lot of stuff to github dork to! Now you might actually find leaks!!

  Dork to find something Juicy

  "target.com" language:python "secret" "password" "key" NOT support NOT docs NOT sandbox NOT docker NOT container NOT test NOT fake

  Keywords

  Jenkins
  Jira
  OTP
  oauth
  authoriztion
  password
  pwd
  ftp
  ssh
  dotfiles
  JDBC
  token
  user
  pass
  secret
  SecretAccessKey
  AWS_SECRET_ACCESS_KEY
  credentials
  config
  security_credentials

• searchcode.com

• Viewing Cached Content (cache:target.com)

• Web Archive

• 1.2 Fingerprint Web Server

  • tool: whatweb

  • ext: wappalyzer

  • site:https://w3techs.com/sites

  • site:https://builtwith.com/

  • manual: response and error messages

• 1.3 Review Webserver Metafiles for Information Leakage

  • robots.txt

  • META Tags

  • sitemap.xml

  • security.txt or .well-known/security.txt

  • humans.txt

  • .well-known/ (brute-force or google well known for specific target)

• 1.4 Enumerate Applications on Webserver

  • Non-standard URLs

    • web server is mis-configured and allows directory browsing (Vuln Scanner)

    • use google dorking may figure theme out (site:target.com)

    • non published apps "intelligent guessing" (Vuln Scanner) https:// www.example.com/webmail → https://webmail.example.com/ or https://mail.example.com/

  • Non-standard Ports

    • port scanners like nmap easily identify that (nmap –Pn –sT –sV –p0-65535 192.168.1.100)

  • Virtual Hosts

    • DNS Zone Transfers (tool: dnsrecon)

    • DNS Inverse Queries

    • Web-based DNS Searches (site:https://searchdns.netcraft.com/?host)

    • Reverse-IP Services Domain Tools Reverse IP (requires free membership) DNSstuff (multiple services available) Net Square (multiple queries on domains and IP addresses, requires installation)

    • Googling

    • Digital Certificates Common Name (CN) and Subject Alternate Name (SAN) on the certificate may contain one or more hostnames

    openssl s_client -connect 93.184.216.34:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'DNS:|Subject:'
    
    Subject: C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
    DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net

• 1.5 Review Webpage Content for Information Leakage

  • Review Webpage Comments and Metadata

  • Identifying JavaScript Code and Gathering JavaScript Files → API keys, internal IP addresses, sensitive routes, or credentials

  • Identifying Source Map Files /static/js/main.chunk.js → /static/js/main.chunk.js.map output be like

    {
      "version": 3,
      "file": "static/js/main.chunk.js",
      "sources": [
        "/home/sysadmin/cashsystem/src/actions/index.js",
        "/home/sysadmin/cashsystem/src/actions/reportAction.js",
        "/home/sysadmin/cashsystem/src/actions/cashoutAction.js",
        "/home/sysadmin/cashsystem/src/actions/userAction.js",
        "..."
      ],
      "..."
    } 

  • Identify Redirect Responses which Leak Information the redirect response itself may still contain content which isn’t shown in the browser but is indeed transmitted to the client use proxy to check this

• 1.6 Identify Application Entry Points

  • interesting parameters in the URL, custom headers, or body of the requests/responses

    • Requests

      • Identify where GETs are used and where POSTs are used.

      • Identify all parameters used in a POST request (these are in the body of the request).

      • Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren’t seen unless a proxy or view the HTML source code is used. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s).

      • Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).

      • Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string such as separated by a &, \\~, :, or any other special character or encoding.

      • A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute the attacks. The tester needs to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure each one of them is identified.

      • Also pay attention to any additional or custom type headers not typically seen (such as debug: false).

    • Responses

      • Identify where new cookies are set (Set-Cookie header), modified, or added to.

      • Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).

      • Also note where any interesting headers are used. For example, Server: BIG-IP indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.

  • OWASP Attack Surface Detector (CLI or Burp Ext)

• 1.7 Map Execution Paths Through Application

  • Spidering

• 1.8 Fingerprint Web Application Framework

  • Black-Box Testing

  • HTTP headers

  • Cookies

  • HTML source code

  • Specific files and folders

  • File extensions

  • Error messages

  • HTTP Headers (X-Powered-By , X-Generator)

  • Cookies

  • HTML Source Code (<meta>)

  • Specific Files and Folders (dirbusting, CHANGELOG file) *Tip:

  • before starting with dirbusting, check the robots.txt file first.

  • dirbusting with* good file lists FuzzDB wordlists of predictable files/folders.

  • File Extensions

  • Error Messages

  • Common Identifiers

    Cookies

    Framework	Cookie name
    Zope	zope3
    CakePHP	cakephp
    VIVVO	VivvoSessionId
    Wix	Domain=.wix.com
    LEPTON	lep[some_numeric_value]+sessionid
    Dynamicweb	Dynamicweb
    TYPO3	fe_typo_user
    MODx	SN4[12symb]
    Kentico CMS	CMSPreferredCulture
    InstantCMS	InstantCMS[logdate]
    Indico	MAKACSESSION
    ImpressCMS	ICMSession
    Hotaru CMS	hotaru_mobile
    Graffiti CMS	graffitibot
    EPiServer	EPiTrace, EPiServer
    e107	e107_tz
    DotNetNuke	DotNetNukeAnonymous
    Django CMS	django
    AMPcms	AMP
    1C-Bitrix	BITRIX_
    WordPress	wp-settings
    phpBB	phpbb3_
    Laravel	laravel_session
    Kohana	kohanasession

    HTML Source Code

    Application	Keyword
    WordPress	<meta name="generator" content="WordPress 3.9.2" />
    phpBB	<body id="phpbb"
    DotNetNuke	DNN Platform -http://www.dnnsoftware.com
    Drupal	<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
    Joomla	<meta name="generator" content="Joomla! - Open Source Content Management" />
    Mediawiki	<meta name="generator" content="MediaWiki 1.21.9" />

    General Markers

    • %framework_name%

    • powered by

    • built upon

    • running

    Specific Markers

    Framework	Keyword
    Adobe ColdFusion	<!-- START headerTags.cfm
    Microsoft ASP.NET	__VIEWSTATE
    Indexhibit	ndxz-studio
    Business Catalyst	<!-- BC_OBNW -->
    ZK	<!-- ZK

• 1.9 Fingerprint Web Application

  merged into 1.9

• 1.10 Map Application Architecture

  • Application Components

    • Web Server

    • Platform-as-a-Service (PaaS)

    • Serverless

    • Microservices

    • Static Storage

    • Database (port scan, error messages, google fu for errors, guess)

    • Authentication

      • Web server configuration (including .htaccess files) or hard-coding passwords in scripts.

        • Usually shows up as HTTP Basic authentication, indicated by a pop-up in the browser and a WWW-Authenticate: Basic HTTP header.

      • Local user accounts in a database.

        • Usually integrated into a form or API endpoint on the application.

      • An existing central authentication source such as Active Directory or an LDAP server.

        • May use NTLM authentication, indicated by a WWW-Authenticate: NTLM HTTP header.

        • May be integrated into the web application in a form.

        • May require the username to be entered in the “DOMAIN\username” format, or may give a dropdown of available domains.

      • Single Sign-On (SSO) with either an internal or external provider.

        • Typically uses OAuth, OpenID Connect, or SAML.

    • Third Party Services and APIs

  • Network Components

    • Reverse Proxy

      • A mismatch between the front end server and the back end application (such as a Server: nginx header with an ASP.NET application).

        • This can sometimes lead to request smuggling vulnerabilities.

      • Duplicate headers (especially the Server header).

      • Multiple applications hosted on the same IP address or domain (especially if they use different languages).

    • Load Balancer

      • Inconsistent system times.

      • Different internal IP addresses or hostnames in detailed error messages.

      • Different addresses returned from Server-Side Request Forgery (SSRF).

      • They may also be indicated by the presence of specific cookies (for example, F5 BIG-IP load balancers will create a cookie called BIGipServer.

    • Content Delivery Network (CDN)

      Facing IP belong to CDN try this ti identify Web Application IP

      • Emails sent by the application may come direct from the back end server, which could reveal it’s IP address.

      • DNS grinding, zone transfers or certificate transparency lists for domain may reveal it on a subdomain.

      • Scanning the IP ranges known to be used by the company may find the back end server.

      • Exploiting Server-Side Request Forgery (SSRF) may reveal the IP address.

      • Detailed error messages from the application may expose IP addresses or hostnames.

  • Security Components

    • Network Firewall -Tier 1-

      To detect this, perform a port scan of the server and examine the results. closed → server, WAF → filtered

      • If the majority of the ports are shown as “closed” (i.e, they return a RST packet in response to the initial SYN packet) then this suggests that the server may not be protected by a firewall. If the ports are shown as “filtered” (i.e, no response is received when sending a SYN packet to an unused port) then a firewall is most likely to be in place.

      • Additionally, if inappropriate services are exposed to the world (such as SMTP, IMAP, MySQL, etc), this suggests that either there is not firewall in place, or that the firewall is badly configured.

    • Network Intrusion Detection (IDS) and Prevention (IPS) System -Tier 2-

      A network Intrusion Detection System (IDS) detects suspicious or malicious network-level activity (such as port or vulnerability scanning) and raises alerts. An Intrusion Prevention System (IPS) is similar, but also takes action to prevent the activity - usually by blocking the source IP address.

    • Web Application Firewall (WAF)

      A WAF can be deployed in multiple locations, including:

      • On the web server itself.

      • On a separate virtual machine or hardware appliance.

      • In the cloud in front of the back end server.

      Because a WAF blocks malicious requests, it can be detected by adding common attack strings to parameters and observing whether or not they are blocked. For example, try adding a parameter called foo with a value such as ' UNION SELECT 1 or ><script>alert(1)</script>. If these requests are blocked then it suggests that there may be a WAF in place. Additionally, the contents of the block pages may provide information about the specific technology that is in use. Finally, some WAFs may add cookies or HTTP headers to responses that can reveal their presence.

      If a cloud-based WAF is in use, then it may be possible to bypass it by directly accessing the back end server, using the same methods discussed in the Content Delivery Network section.