Advanced Information Gathering Methodology

Before Starting Web Pentesting

🔰Find Subdomains:

    https://subdomainfinder.c99.nl/

🔰Use httprobe: to find which subdomains respond over HTTP and HTTPS

    https://github.com/tomnomnom/httprobe.git

🔰Use Aquatone: visit all subdomains and take a screenshot of each

    https://github.com/michenriksen/aquatone.git

🔰Use Subzy: check for subdomain takeover

    https://github.com/LukaSikic/subzy.git

Step 1: Select the Target and Find Subdomains

Find the subdomains and pick the low-traffic ones; they get less attention, so they are more likely to still have vulnerabilities. This website can help:

WolframAlpha



Find a Subdomain Using Kali Linux

  • Amass
  • Knockpy
  • Sublist3r
  • subfinder
  • Gau

🔰KnockPy: We use this tool to start enumerating subdomains; it can be configured with different API keys.

🔰Install in Kali Linux:

⇒ apt-get install knockpy

⇒ knockpy example.com

🔰Sublist3r: This is another tool we use to enumerate subdomains; it collects them from OSINT sources such as search engines.
🔰Install in Kali Linux
⇒ apt-get install sublist3r

⇒ sublist3r -d example.com


🔰🔰 Amass: Subdomain finder tool

  ⇒ amass enum -d example.com -passive -o /path/to/output/demo.txt


🔰Gau: collects known URLs for a domain from archived sources (Wayback Machine, Common Crawl, AlienVault OTX)

https://github.com/lc/gau.git


🔰🔰Use these 4 tools, then combine all the subdomains they found and use the grep command to filter for your specific target 🔰🔰
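The combine-and-grep step as a shell function (an added example, not from the original post): it reads the concatenated output of the tools on stdin, normalises each entry, and keeps only names inside the scope domain, so lookalikes such as notexample.com or example.com.evil.net never reach the next stage. The sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): merge the subdomain lists
# produced by the tools above into one clean, in-scope list.
# The entries below are constructed samples, not real tool output.
SAMPLE_LISTS='www.example.com
WWW.example.com
https://api.example.com/v1/users
*.dev.example.com
mail.example.com.
example.com
notexample.com
example.com.evil.net
cdn.example.net'

# merge_subdomains <scope-domain>   (reads concatenated lists on stdin)
# Lower-cases every entry, strips a URL scheme and path, a leading
# wildcard ("*.") and a trailing dot, then keeps only the scope domain
# itself or hosts ending in ".<scope-domain>", de-duplicated.
merge_subdomains() {
    # escape the dots in the scope domain so grep treats them literally
    scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' |
        sed -e 's#^[a-z]*://##' -e 's#/.*$##' -e 's/^\*\.//' -e 's/\.$//' |
        grep -E "(^|\.)${scope_re}\$" |
        sort -u
}

# Stand-alone demo on the constructed sample: prints five hosts, all under example.com.
# Real use: cat amass.txt knockpy.txt sublist3r.txt gau.txt | merge_subdomains example.com
printf '%s\n' "$SAMPLE_LISTS" | merge_subdomains example.com
```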


Find active subdomains using MassDNS

⇒ git clone https://github.com/blechschmidt/massdns.git
⇒ cd massdns
⇒ make
⇒ cd bin

Copy the binary into your PATH so it can be run from anywhere:

⇒ cp massdns /usr/local/bin

How to use MassDNS

 ⇒ massdns -r /root/Tools/massdns/lists/resolvers.txt -t A -o S /root/Desktop/demo.txt -w /root/Downloads/subdomain.txt

Remove the A / CNAME record data and other unwanted characters from the output

sed 's/A.*//' livehosts.txt | sed 's/CN.*//' | sed 's/\..$//' > live_subdomains.txt


sed 's/A.*//' livehosts.txt     removes everything from the "A" record marker onwards
sed 's/CN.*//'                  removes everything from the "CN" (CNAME) marker onwards
sed 's/\..$//'                  removes the trailing dot at the end of each domain
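An added example (not from the original post) that parses massdns simple-format output with awk instead of the sed chain above, which also truncates any hostname containing an uppercase "A"; the second function performs the internal-IP check from the TIPS section (RFC 1918 and link-local ranges) so such records can be found and reported to the owner. The massdns output below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): parse massdns "-o S" (simple)
# output. Sample output is constructed, not captured from a real target.
MASSDNS_SAMPLE='www.example.com. A 93.184.216.34
api.example.com. CNAME edge.example.net.
edge.example.net. A 93.184.216.34
intranet.example.com. A 10.0.5.12
vpn.example.com. A 172.16.20.3
Admin.example.com. A 192.168.1.10
noise.example.com. AAAA 2606:2800:220:1:248:1893:25c8:1946'

# massdns_live_hosts: reads simple-format lines on stdin and prints each
# resolved hostname once (any record type), lower-cased, trailing dot removed.
massdns_live_hosts() {
    awk '{ h = tolower($1); sub(/\.$/, "", h); print h }' | sort -u
}

# massdns_private_targets: prints "host ip" for A records whose address is
# in a private (10/8, 172.16/12, 192.168/16) or link-local (169.254/16) range,
# i.e. names that leak internal addressing through public DNS.
massdns_private_targets() {
    awk '$2 == "A" {
        h = $1; sub(/\.$/, "", h);
        split($3, o, ".");
        if (o[1] == 10 ||
            (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
            (o[1] == 192 && o[2] == 168) ||
            (o[1] == 169 && o[2] == 254))
            print tolower(h), $3
    }'
}

# Stand-alone demo; in real use pipe the massdns output file instead:
#   massdns_live_hosts < /root/Desktop/demo.txt
printf '%s\n' "$MASSDNS_SAMPLE" | massdns_live_hosts
printf '%s\n' "$MASSDNS_SAMPLE" | massdns_private_targets
```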



Step 2: Get More Details About the Subdomain using Online Tools


Central Ops

🔰Domain Whois Record 🔰DNS Records 🔰Traceroute 🔰Network Whois record 🔰Service Scan


https://centralops.net/co/



✅DnsDumpster

This is a free online domain research tool that can discover hosts related to a domain. It helps to find out
🔰Subdomains,
🔰HTTP headers,
🔰banner grabbing,
🔰MX Records,
🔰DNS Servers,
🔰TXT Records, etc.

It helps a lot in gathering information about the target.


https://dnsdumpster.com/


Netcraft

This is a website that monitors the uptime of websites and also gives you more information about them, such as

🔰NetBlocks, 🔰OS name, 🔰site reports, which include the site title, site rank, site description and many more things.

Netcraft is also a good online tool for recon.

Netcraft



Crt.sh

This is a website that searches certificate transparency logs. It lists the certificates issued for a domain (including the subdomains named in them) and details such as the certificate issuer name.

https://crt.sh/


Yougetsignal

This website offers a reverse IP domain lookup: it lists the other domains hosted on the same IP address as your target.

https://www.yougetsignal.com/





IP Range Finder

This helps you get a clear picture of which IP ranges (and which network owner) a particular domain's addresses fall into. We can do this with the help of the following:

https://bgp.he.net/




Step 3: Get More Details about the Target using Search Engines

Recon Using Advanced Search Engines

         🔰Shodan.io
         🔰Censys.io



Shodan.io

It's a public search engine that you can use to find IPs or subdomains that are exposed on the internet and may have critical vulnerabilities.

https://www.shodan.io/







Step 4: Let's find external links, JavaScript files, parameters, endpoints and hidden parameters for your target


✅Online Tools

VirusTotal:

We can use this website to find external links to our target.

https://www.virustotal.com/




Dig to check CNAME

You can use this to look up a subdomain's CNAME record and verify whether it is a takeover candidate.

https://toolbox.googleapps.com/apps/dig/


✅Using Kali Linux

✅Domain Profiler

Shows the 🔰email hosting, 🔰DNS hosting, and 🔰domain registrar of the target website.

git clone https://github.com/jpf/domain-profiler.git
cd domain-profiler
./profile example.com


✅Photon

This is a crawler that can help gather a lot of critical info, such as

🔰key files, 🔰secret API keys, 🔰URLs found in robots.txt, and more

apt-get install photon


✅LinkFinder

Discovers endpoints and their parameters in JavaScript files.

apt-get install python3-pip

git clone https://github.com/GerbenJavado/LinkFinder.git

cd LinkFinder

pip3 install -r requirements.txt

python3 linkfinder.py -i https://example.com/app.js -o cli


Arjun

This is used to find hidden parameters for your target.

https://github.com/s0md3v/Arjun.git



✅Retire.js

This is a Burp Suite extension that automatically scans the JavaScript files you found with LinkFinder for known vulnerable library versions.




Step#: Some More Useful Tools

🔰 BASIC RECON WITH WHOIS LOOKUP
https://whois.domaintools.com/

🔰 GATHERING DNS INFORMATION
https://www.robtex.com/


🔰 FINDING DIFFERENT DOMAINS ON THE SAME SERVER (REVERSE DNS)
https://www.robtex.com/
Bing search: ip:192.xxx.xx.xxx (or use Google instead).

🔰 DISCOVERING SENSITIVE FILES
We will use a tool called dirb in Kali Linux.



TIPS

🔰Always check the IP address a subdomain points to. If it points to an internal IP address (e.g. 10.x.x.x, 172.x.x.x, 192.168.x.x or 169.254.x.x), then find an SSRF and hit that subdomain through the SSRF (easy bounty).

🔰Especially for forgot-password flows: check whether the forgot-password link sent to the previous email address is still active after the account's email has been changed. If it is, this leads to account takeover. Many sites are still vulnerable to this today.

🔰For Shodan, search the dork ssl:target.com, then click the "More" button on the left side; there you can find many filters such as http.title and http.component, so you can get more juicy results.

🔰Start with passive reconnaissance by gathering information about the target organization and its assets. This can be done with Google dorks, by checking social media profiles, and by analyzing the company's website and subdomains.

🔰Install the TruffleHog Chrome extension to automatically hunt for sensitive info in JS files while you browse the web app.





