From 9bf7637cb64d0f65cc8c8e85a59af587322e9d2f Mon Sep 17 00:00:00 2001 From: amandaguglieri Date: Fri, 2 Feb 2024 20:42:23 +0100 Subject: [PATCH] eWPT: Notes on Information gathering module --- docs/53-dns.md | 2 +- docs/cpts-index.md | 4 +- docs/ewpt-preparation.md | 5 ++ ...numeration.md => information-gathering.md} | 46 +++++++++++++++++-- mkdocs.yml | 4 +- 5 files changed, 52 insertions(+), 9 deletions(-) rename docs/{web-enumeration.md => information-gathering.md} (87%) diff --git a/docs/53-dns.md b/docs/53-dns.md index cbfb9ea5e5..0403654920 100644 --- a/docs/53-dns.md +++ b/docs/53-dns.md @@ -68,7 +68,7 @@ DNS is mainly unencrypted. Devices on the local WLAN and Internet providers can 1.1.1.1 is **a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet**. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available. -[See DNS enumeration](web-enumeration.md) +[See DNS enumeration](information-gathering.md) ## DNS transfer zones diff --git a/docs/cpts-index.md b/docs/cpts-index.md index 0a6a336a4b..0929f04a45 100644 --- a/docs/cpts-index.md +++ b/docs/cpts-index.md @@ -14,8 +14,8 @@ tags: | -- | --- | -- | -- | | 01 | Penetration Testing Process | [Penetration Testing Process](penetration-testing-process.md) | 6 hours | | 02 | Network Enumeration with Nmap | [(Almost) all about nmap](nmap.md) | 7 hours | -| 03 | Footprinting | [Introduction to footprinting](footprinting.md)
[Infrastructure and web enumeration](web-enumeration.md)
Some services: [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-r-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days | -| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](web-enumeration.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) | 7 hours | +| 03 | Footprinting | [Introduction to footprinting](footprinting.md)
[Infrastructure and web enumeration](information-gathering.md)
Some services: [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-r-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days | +| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](information-gathering.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md) | 7 hours | | 05 | Vulnerability Assessment | [Vulnerability Assessment](vulnerability-assessment.md):
[Nessus](nessus.md), [Openvas](openvas.md) | 2 hours | | 06 | File Transfer techniques | File Transfer Techniques:
[Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](../webexploitation/file-upload), [File encryption](file-encryption.md), [Evading techniques when transferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) | 3 hours | | 07 | Shells & Payloads | [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)) | 2 days | diff --git a/docs/ewpt-preparation.md b/docs/ewpt-preparation.md index 74aff9ca42..22eaf0f588 100644 --- a/docs/ewpt-preparation.md +++ b/docs/ewpt-preparation.md @@ -24,3 +24,8 @@ tags: - [OWASP](OWASP/index.md) - [http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines](http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines - [Phases of a web application security testing](penetration-testing-process.md) + + +## Web Enumeration & Information Gathering + +- [Information gathering](information-gathering.md) \ No newline at end of file diff --git a/docs/web-enumeration.md b/docs/information-gathering.md similarity index 87% rename from docs/web-enumeration.md rename to docs/information-gathering.md index b8a721cf26..86e0f68db9 100644 --- a/docs/web-enumeration.md +++ b/docs/information-gathering.md 
@@ -1,15 +1,38 @@ --- -title: Web enumeration +title: Information gathering author: amandaguglieri draft: false TableOfContents: true tags: - pentesting - - web pentesting - - enumeration + - web + - pentesting + - enumeraInformation + - Gathering + - "-" + - Web + - Editiontion --- -# Web enumeration +# Information gathering + +Information gathering is typically broken down into two types: + +- **Passive information gathering** - Involves gathering as much information as possible without actively engaging with the target. +- **Active information gathering/Enumeration** - Involves gathering as much information as possible by actively engaging with the target system. (You will require authorization in order to perform active information gathering). + +**What Information Are We Looking For?** Website & domain ownership. IP addresses, domains and subdomains. Hidden files & directories. Hosting infrastructure (web server, CMS, database etc). Presence of defensive solutions like a web application firewall (WAF). + +| Passive Information Gathering | Active Information Gathering/Enumeration | +|---|---| +|Identifying domain names and domain ownership information.|Identify website content structure.| +|Discovering hidden/disallowed files and directories.|Downloading & analyzing website/web app source code.| +|Identifying web server IP addresses & DNS records.|Port scanning & service discovery.| +|Identifying web technologies being used on target sites.|Web server fingerprinting.| +|WAF detection.|Web application scanning.| +|Identifying subdomains.|DNS Zone Transfers.| +|Identify website content structure.|Subdomain enumeration via Brute-Force.| + Along with all these tools and techniques it is always recommendable to review: @@ -18,6 +41,8 @@ Along with all these tools and techniques it is always recommendable to review: ## Infrastructure checks + + ### Hostname discovery ```shell-session 
@@ -130,6 +155,19 @@ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-11000 ### Passive web server enumeration +#### host command + +DNS lookup utility. + +``` +host domain.com +``` + +#### whois command + +WHOIS is a query and response protocol that is used to query databases that store the registered users or organizations of an internet resource like a domain name or an IP address block. + +WHOIS lookups can be performed through the command line interface via the whois client or through some third party web-based tools to lookup the domain ownership details from different databases. ```shell-session whois $TARGET diff --git a/mkdocs.yml b/mkdocs.yml index 16199252bf..dd2ad61653 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -453,8 +453,8 @@ nav: - 12.API Testing: - 12.1. Testing GraphQL: OWASP/WSTG-APIT-01.md - Penetration testing process: penetration-testing-process.md - - Information Gathering: footprinting.md - - Enumeration phase: web-enumeration.md + - Information Gathering: information-gathering.md + - Enumeration phase: footprinting.md - Vulnerability assessment: vulnerability-assessment.md - Web Exploitation: - webexploitation/index.md
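Review bot: In the docs/ewpt-preparation.md hunk the file is left without a trailing newline ("\ No newline at end of file") and the new heading is preceded by two blank lines where the rest of the file uses one; add the final newline and drop one blank. While touching this file, the context line `- [http://www.pentest-standard.org/...](http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines` is missing its closing `)`, so the link does not render; this is pre-existing but cheap to fix in the same change.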
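Review bot: In the front-matter hunk of docs/information-gathering.md the tags list is corrupted: the entries `enumeraInformation`, `Gathering`, `"-"`, `Web` and `Editiontion` are the phrase "Information Gathering - Web Edition" pasted into the middle of the word "enumeration". Replace them with something like `- enumeration` and `- information gathering` so the site's tag index does not pick up the fragments. In the passive/active table further down, "Identify website content structure." appears in both columns (last passive row and first active row); keep it in one column only, or say what distinguishes the passive variant (e.g. cached copies versus crawling the live site) so the two rows are not identical.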
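Review bot: The `@@ -18,6 +41,8 @@` hunk in docs/information-gathering.md only inserts two empty lines after `## Infrastructure checks`; this looks like stray whitespace rather than an intended change and should be dropped so the diff stays limited to content.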
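Review bot: In the `@@ -130,6 +155,19 @@` hunk the `host domain.com` block uses a bare ``` fence while the adjacent `whois $TARGET` block (and the rest of the file) uses ```shell-session; tag it the same way, and use `$TARGET` instead of the literal `domain.com` so the two examples read consistently. "DNS lookup utility." is also a thin description under a heading called "Passive web server enumeration": a `host` query still reaches the domain's authoritative nameservers via the resolver, so a sentence clarifying that only the web server itself is not contacted would keep the passive/active distinction defined at the top of the page honest.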