eWPT: Notes on Information gathering module

amandaguglieri · Feb 2, 2024 · 9bf7637 · 9bf7637
1 parent 775b446
commit 9bf7637
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 9 deletions.
diff --git a/docs/53-dns.md b/docs/53-dns.md
@@ -68,7 +68,7 @@ DNS is mainly unencrypted. Devices on the local WLAN and Internet providers can
 1.1.1.1 is **a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet**. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available.
 
 
-[See DNS enumeration](web-enumeration.md)
+[See DNS enumeration](information-gathering.md)
 
 
 ## DNS transfer zones

diff --git a/docs/cpts-index.md b/docs/cpts-index.md
@@ -14,8 +14,8 @@ tags:
 | -- | --- |  --  | -- |
 | 01 | Penetration Testing Process | [Penetration Testing Process](penetration-testing-process.md) | 6 hours |
 | 02 | Network Enumeration with Nmap | [(Almost) all about nmap](nmap.md)  | 7 hours |
-| 03 | Footprinting | [Introduction to footprinting](footprinting.md) <br>[Infrastructure and web enumeration](web-enumeration.md)  <br>Some services:  [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-r-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days |
-| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](web-enumeration.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) | 7 hours |
+| 03 | Footprinting | [Introduction to footprinting](footprinting.md) <br>[Infrastructure and web enumeration](information-gathering.md)  <br>Some services:  [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-r-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days |
+| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](information-gathering.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) | 7 hours |
 | 05 | Vulnerability Assessment | [Vulnerability Assessment](vulnerability-assessment.md): <br> [Nessus](nessus.md), [Openvas](openvas.md)  | 2 hours | 
 | 06 | File Transfer techniques | File Transfer Techniques:  <br>[Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](../webexploitation/file-upload), [File encryption](file-encryption.md), [Evading techniques when transferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) |  3 hours |  
 | 07 | Shells & Payloads | [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)) | 2 days | 

diff --git a/docs/ewpt-preparation.md b/docs/ewpt-preparation.md
@@ -24,3 +24,8 @@ tags:
 	- [OWASP](OWASP/index.md)
 	- [http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines](http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
 - [Phases of a web application security testing](penetration-testing-process.md)
+
+
+## Web Enumeration & Information Gathering
+
+- [Information gathering](information-gathering.md)
diff --git a/docs/web-enumeration.md → docs/information-gathering.md b/docs/web-enumeration.md → docs/information-gathering.md
@@ -1,15 +1,38 @@
 ---
-title: Web enumeration
+title: Information gathering
 author: amandaguglieri
 draft: false
 TableOfContents: true
 tags:
   - pentesting
-  - web pentesting
-  - enumeration
+  - web
+  - pentesting
+  - enumeraInformation
+  - Gathering
+  - "-"
+  - Web
+  - Editiontion
 ---
 
-# Web enumeration
+# Information gathering
+
+Information gathering is typically broken down into two types: 
+
+- **Passive information gathering** - Involves gathering as much information as possible without actively engaging with the target. 
+- **Active information gathering/Enumeration** - Involves gathering as much information as possible by actively engaging with the target system. (You will require authorization in order to perform active information gathering).
+
+**What Information Are We Looking For?** Website & domain ownership. IP addresses, domains and subdomains. Hidden files & directories. Hosting infrastructure (web server, CMS,  database etc). Presence of defensive solutions like a web application firewall (WAF).
+
+| Passive Information Gathering | Active Information Gathering/Enumeration |
+|---|---|
+|Identifying domain names and domain ownership information.|Identify website content structure.|
+|Discovering hidden/disallowed files and directories.|Downloading & analyzing website/web app source code.|
+|Identifying web server IP addresses & DNS records.|Port scanning & service discovery.|
+|Identifying web technologies being used on target sites.|Web server fingerprinting.|
+|WAF detection.|Web application scanning.|
+|Identifying subdomains.|DNS Zone Transfers.|
+|Identify website content structure.|Subdomain enumeration via Brute-Force.|
+
 
 Along with all these tools and techniques it is always recommendable to review:
 
@@ -18,6 +41,8 @@ Along with all these tools and techniques it is always recommendable to review:
 
 
 ## Infrastructure checks
+
+
 ### Hostname discovery
 
 ```shell-session
@@ -130,6 +155,19 @@ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-11000
 
 ### Passive web server enumeration
 
+#### host command
+
+DNS lookup utility. 
+
+```
+host domain.com
+```
+
+#### whois command
+
+WHOIS is a query and response protocol that is used to query databases that store the registered users or organizations of an internet resource like a domain name or an IP address block.
+
+WHOIS lookups can be performed through the command line interface via the whois client or through some third party web-based tools to lookup the domain ownership details from different databases.
 
 ```shell-session
  whois $TARGET

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -453,8 +453,8 @@ nav:
           - 12.API Testing:
             - 12.1. Testing GraphQL: OWASP/WSTG-APIT-01.md
         - Penetration testing process: penetration-testing-process.md
-        - Information Gathering: footprinting.md
-        - Enumeration phase: web-enumeration.md
+        - Information Gathering: information-gathering.md
+        - Enumeration phase: footprinting.md
         - Vulnerability assessment: vulnerability-assessment.md
         - Web Exploitation:
           - webexploitation/index.md