▒█████ █████▒ █████▒ ██████ ▓█████ ▄████▄ ██▒ █▓ ▄▄▄ █ ██ ██▓ ▄▄▄█████▓
▒██▒ ██▒▓██ ▒▓██ ▒▒██ ▒ ▓█ ▀ ▒██▀ ▀█▓██░ █▒▒████▄ ██ ▓██▒▓██▒ ▓ ██▒ ▓▒
▒██░ ██▒▒████ ░▒████ ░░ ▓██▄ ▒███ ▒▓█ ▄▓██ █▒░▒██ ▀█▄ ▓██ ▒██░▒██░ ▒ ▓██░ ▒░
▒██ ██░░▓█▒ ░░▓█▒ ░ ▒ ██▒▒▓█ ▄ ▒▓▓▄ ▄██▒▒██ █░░░██▄▄▄▄██ ▓▓█ ░██░▒██░ ░ ▓██▓ ░
░ ████▓▒░░▒█░ ░▒█░ ▒██████▒▒░▒████▒▒ ▓███▀ ░ ▒▀█░ ▓█ ▓██▒▒▒█████▓ ░██████▒▒██▒ ░
░ ▒░▒░▒░ ▒ ░ ▒ ░ ▒ ▒▓▒ ▒ ░░░ ▒░ ░░ ░▒ ▒ ░ ░ ▐░ ▒▒ ▓▒█░░▒▓▒ ▒ ▒ ░ ▒░▓ ░▒ ░░
░ ▒ ▒░ ░ ░ ░ ░▒ ░ ░ ░ ░ ░ ░ ▒ ░ ░░ ▒ ▒▒ ░░░▒░ ░ ░ ░ ░ ▒ ░ ░
░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ▒ ░░░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░
░ ░
03.information gathering
- first thing: collect information about the organization
WHOIS.com
DNS:
SOA = start of authority
NS = name server
A = address
PTR = pointer | maps an IP address back to a hostname; PTR records live in the reverse zones (in-addr.arpa / ip6.arpa)
CNAME = canonical name | maps an alias hostname to the canonical hostname, which in turn resolves via an A/AAAA record
MX = mail exchange | names the host(s) that accept email for a domain, each with a preference value (lower = preferred)
perform a reverse lookup = nslookup -type=PTR [ip_address]
perform a request for all records = nslookup -querytype=ANY [hostname]
caveat: many servers answer ANY with a minimal or refusing reply (RFC 8482), so if ANY returns little, query each type (A, NS, MX, TXT, ...) explicitly.
finding target IPs:
-using nslookup you can get the IP address associated with each subdomain; the first step is to
find all possible IPs associated with a domain or its subdomains.
>>... NSLOOKUP usage (interactive mode; once inside, the prompt is ">")
$ nslookup
> set querytype=ANY
> google.com
> set type=NS
> google.com
netcraft.com
... infrastructure::
IIS is the Windows web server and its version tracks the Windows Server release, so the Server header is a quick OS guess: IIS 6.0 = Server 2003, IIS 7.0 = Server 2008, IIS 7.5 = Server 2008 R2, IIS 8.0 = Server 2012, IIS 8.5 = Server 2012 R2, IIS 10.0 = Server 2016 and later.
list:
- nameserver NS record
- IPs
- hostnames
- OS version
- domains/subdomains
- uptimes
- ISP / hosting provider
TOOLS USAGE
---> netcat (manual banner grab)
$ nc [ip_addr] [port]
HEAD / HTTP/1.0
(press Enter twice after the HEAD line: the empty line terminates the request, otherwise the server keeps waiting)
the Server header reveals the web server; the X-Powered-By header reveals the technology behind the web application.
session cookie name by technology: PHPSESSID = PHP | ASP.NET_SessionId = ASP.NET | ASPSESSIONID[random suffix] = classic ASP | JSESSIONID = Java
URL rewriting: on Apache it is done with the mod_rewrite module (rules in httpd.conf or .htaccess).
On IIS it is handled by Ionic's ISAPI Rewrite Filter, Helicon ISAPI_Rewrite, or Microsoft's own URL Rewrite module (IIS 7+).
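The banner grab above, done from code instead of by hand: the same raw HEAD request netcat would send (with the terminating blank line), the reply parsed, and the Server / X-Powered-By headers and session cookie names mapped to a technology. This is an added example, not part of the original notes; the cookie-to-technology table is the one from the notes and the sample response is constructed, not captured from any real host.

```python
# Added example (not from the original notes): build a raw HEAD request and
# fingerprint the response headers and session cookies.
import socket

CRLF = "\r\n"

# Session-cookie name -> technology. Prefix match, because classic ASP appends a
# random suffix (ASPSESSIONIDxxxxxxxx). Assumed mapping, taken from the notes.
COOKIE_FINGERPRINTS = [
    ("PHPSESSID", "PHP"),
    ("ASP.NET_SessionId", "ASP.NET"),
    ("ASPSESSIONID", "classic ASP"),
    ("JSESSIONID", "Java (servlet container)"),
]


def build_head_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.0 HEAD request. The empty line at the end is what tells the
    server the request is complete (with netcat: hit Enter twice)."""
    return f"HEAD {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}".encode()


def parse_response(raw: bytes) -> tuple:
    """Return (status_code, [(header_name, value), ...]) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return status, headers


def fingerprint(raw: bytes) -> dict:
    """Extract Server, X-Powered-By and cookie names; infer technology from cookies."""
    status, headers = parse_response(raw)
    info = {"status": status, "server": None, "powered_by": None,
            "cookies": [], "tech": set()}
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            info["server"] = value
        elif lname == "x-powered-by":
            info["powered_by"] = value
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            info["cookies"].append(cookie_name)
            for prefix, tech in COOKIE_FINGERPRINTS:
                if cookie_name.startswith(prefix):
                    info["tech"].add(tech)
                    break
    return info


def grab_headers(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live version: connect, send the HEAD request, fingerprint the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return fingerprint(b"".join(chunks))


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    b"Set-Cookie: ASPSESSIONIDQSQRSQRS=DEADBEEF; path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

On the sample reply the Server header alone (IIS/7.5) already suggests Windows Server 2008 R2, and the two cookies show both ASP.NET and classic ASP in use on the same host, which is worth noting because it usually means legacy code is still deployed.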
...SUBDOMAIN ENUMERATION
SEARCH DNS on netcraft.com
another source is Google search operators (google hacking, see below)
more tools for domain/sub-domain enumeration:
DNSRecon
SubBrute
Fierce
theHarvester
enumerate via zone transfer: first find the authoritative name servers, then ask each of them for the whole zone
$ nslookup -type=NS [domain]
on linux, request the transfer with dig:
$ dig @nameserver axfr [domain]
a properly configured server answers "Transfer failed." (REFUSED); try every NS separately, since each one is configured independently.
---> fingerprint third-party add-ons
JOOMLA URL main parts
$ index.php?option=%component_name%&task=%task_value%
-=> index.php is the only script you will see; it is in charge of loading the component named
by the option parameter (core and third-party components alike are named com_*).
DOCMAN URL main parts
$ index.php?option=com_docman&task=doc_view&gid=100
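Pulling the component and task names out of a crawled URL list is the quickest way to see which add-ons a Joomla site runs. The added example below (not part of the original notes) does that with the standard library: it keeps only `index.php?option=com_*` URLs, records the tasks seen per component, separates third-party components from a short, assumed list of Joomla core components, and collects the numeric `gid` values DOCMAN uses. The URL list is constructed for the example.

```python
# Added example (not from the original notes): extract Joomla components,
# tasks and document ids from crawled URLs.
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Partial list of components that ship with Joomla itself. Assumption for this
# example: anything not listed here is treated as a third-party add-on.
JOOMLA_CORE = {"com_content", "com_users", "com_contact", "com_search",
               "com_banners", "com_newsfeeds", "com_wrapper", "com_mailto"}


def joomla_components(urls) -> dict:
    """Map each com_* component seen in index.php URLs to the set of its tasks."""
    found = defaultdict(set)
    for url in urls:
        parsed = urlparse(url)
        if not parsed.path.endswith("index.php"):
            continue
        qs = parse_qs(parsed.query)
        option = qs.get("option", [None])[0]
        if not option or not option.startswith("com_"):
            continue
        found[option].update(qs.get("task", []))   # component with no task -> empty set
    return dict(found)


def third_party(components: dict, core=JOOMLA_CORE) -> set:
    """Components not in the core list: these are the add-ons to fingerprint."""
    return {c for c in components if c not in core}


def numeric_ids(urls, component: str, param: str = "gid") -> set:
    """Values of an id-style parameter seen for one component (DOCMAN's gid)."""
    ids = set()
    for url in urls:
        qs = parse_qs(urlparse(url).query)
        if qs.get("option", [None])[0] == component:
            ids.update(int(v) for v in qs.get(param, []) if v.isdigit())
    return ids


# Constructed crawl output for a hypothetical target (not a real site).
SAMPLE_URLS = [
    "http://target.example/index.php?option=com_content&view=article&id=4",
    "http://target.example/index.php?option=com_docman&task=doc_view&gid=100",
    "http://target.example/index.php?option=com_docman&task=doc_download&gid=101",
    "http://target.example/index.php?option=com_users&task=user.login",
    "http://target.example/about.html",
    "http://target.example/images/logo.png",
]

if __name__ == "__main__":
    comps = joomla_components(SAMPLE_URLS)
    print("components:", comps)
    print("third-party:", third_party(comps))
    print("docman gids:", numeric_ids(SAMPLE_URLS, "com_docman"))
```

The third-party set is what you search for by name (vendor site, changelogs, public advisories); the gid range shows which document ids the site already exposes.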
STEPS <<
1. crawling the site: this enumerates the resources linked from the site.
>>>... tools like Burp Suite (spider/crawler) will enumerate the linked content, but they will not find
unlinked resources (backups, admin panels, old copies); for that, forced browsing with "dirbuster" and a wordlist is needed.
********
logs and configuration files are really important: they often contain sensitive information
such as usernames/passwords, database connection strings or other administrative data. every site has its conf file
somewhere; only the folder differs by platform.
HTTP PUT only succeeds in folders the web server process can write to: even if the method is allowed, the upload only works in writable folders.
when a PUT request is successful you will receive: 201 Created !
IMPORTANT: add the "Content-Length" header to the request, otherwise the server keeps waiting for the body or rejects it with 411 Length Required.
HTTP OPTIONS: the Allow header in the reply lists the accepted methods; if the method is not allowed you will get some 4XX (typically 405 Method Not Allowed) or 5XX error code.
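The OPTIONS and PUT checks described above, as an added example that is not part of the original notes: it builds the two raw requests (the PUT with a Content-Length that matches the body exactly), reads the Allow header out of an OPTIONS reply, and classifies the PUT reply by status code (201 when a new resource was created, 200/204 when an existing one was overwritten, per RFC 7231). The request bytes can be written to a file and piped into netcat (`nc host 80 < request.bin`); the replies used here are constructed, not captured.

```python
# Added example (not from the original notes): build OPTIONS/PUT requests and
# interpret the replies.
CRLF = "\r\n"


def build_options_request(host: str, path: str = "/") -> bytes:
    """Raw OPTIONS request; the trailing empty line terminates it."""
    return f"OPTIONS {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}".encode()


def build_put_request(host: str, path: str, body: bytes,
                      content_type: str = "text/plain") -> bytes:
    """Raw PUT request. Content-Length must equal len(body) exactly: too small
    and the server truncates the upload, missing and it waits or answers 411."""
    head = (f"PUT {path} HTTP/1.0{CRLF}"
            f"Host: {host}{CRLF}"
            f"Content-Type: {content_type}{CRLF}"
            f"Content-Length: {len(body)}{CRLF}{CRLF}")
    return head.encode() + body


def status_code(raw: bytes) -> int:
    """Status code from the first line of a raw HTTP reply."""
    return int(raw.split(b"\r\n", 1)[0].split()[1])


def allowed_methods(raw: bytes) -> set:
    """Methods listed in the Allow header of an OPTIONS reply (empty if absent,
    e.g. when the server answered 405 instead of describing itself)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def put_outcome(raw: bytes) -> str:
    """Classify a PUT reply: 'created', 'overwritten', or 'rejected (<code>)'."""
    code = status_code(raw)
    if code == 201:
        return "created"
    if code in (200, 204):
        return "overwritten"
    return f"rejected ({code})"


# Constructed replies (not captured from any real server).
SAMPLE_OPTIONS_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, PUT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_PUT_OK = b"HTTP/1.1 201 Created\r\nLocation: /uploads/test.txt\r\n\r\n"
SAMPLE_PUT_DENIED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"

if __name__ == "__main__":
    print(build_put_request("target.example", "/uploads/test.txt", b"hello").decode())
    print("allowed:", allowed_methods(SAMPLE_OPTIONS_REPLY))
    print("upload:", put_outcome(SAMPLE_PUT_OK), "/", put_outcome(SAMPLE_PUT_DENIED))
```

PUT appearing in the Allow list is only a hint: the upload still has to be tried per directory, because the reply depends on the target folder being writable by the server process, not on the method being enabled globally.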
|| GOOGLE HACKING ||
useful operators: intitle: | site: | inurl: | filetype: | and the phrases "index of" / "directory listing for"
-check for open directories: intitle:"index of" [extension] or "directory listing for" [extension], combined with site:[domain]
-check for files by extension type with filetype:[extension] site:[domain] (e.g. sql, bak, log, conf)
GOOGLE HACKING DATABASE: ready-made dorks collected in the GHDB (exploit-db.com/google-hacking-database)
| SHODAN | search engine for Internet-exposed services, searchable by banner, port, product and organization
//////////////
*** directory enumeration: with Burp Suite Intruder or DirBuster using a common wordlist