Website Recon & Footprinting
To get an IP address of a domain name (perfoms a dns lookup)
host hackersploit.org
The reason why there’s 2 ipv4 addresses is because the website is behind a firewall/proxy
You can always start from the /robots.txt file.
We can tell that the webpage is running wordpress
Another important file is the /sitemap.xml file
This is used to provide search engines with an organized way of indexing the website
With this extension, you’ll know the technology a webpage is built with. This actually does the same work as “Wappalyzer”
Performing a stealthy scan using whatweb
whatweb hackersploit.org
This website allows you to download a website from the internet to a local directory
WHOIS Enumeration
To check for information about an organization
whois hackersploit.org
Website Footprintng with Netcraft
Netcraft enumerates passively from a website gets info like whois information, ssl or tls certificate, what web technologies are being used, the name servers
DNS RECON
First tool to be looked at is dns recon
dnsrecon -d hackersploit.org
dnsrecon -d zonetransfer.me
You can tell what email server is being used by this particular company or organization
You can also use a site called dnsdumpster
WAF with wafw00f
Helps to identify if a web application is being protected by a web application firewall. It also tells you the exact web application firewall protecting the site. This tool comes preinstalled with kali
wafw00f -h
To check the list of firewall wafw00f detects
wafw00f -l
┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ wafw00f -l
______
/ \
( W00f! )
\ ____/
,, __ 404 Hack Not Found
|`-.__ / / __ __
/" _/ /_/ \ \ / /
*===* / \ \_/ / 405 Not Allowed
/ )__// \ /
/| / /---` 403 Forbidden
\\/` \ | / _ \
`\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error
`_____``-` /_/ \_\
~ WAFW00F : v2.2.0 ~
The Web Application Firewall Fingerprinting Toolkit
[+] Can test for these WAFs:
WAF Name Manufacturer
-------- ------------
ACE XML Gateway Cisco
aeSecure aeSecure
AireeCDN Airee
Airlock Phion/Ergon
Alert Logic Alert Logic
AliYunDun Alibaba Cloud Computing
Anquanbao Anquanbao
AnYu AnYu Technologies
Approach Approach
AppWall Radware
Armor Defense Armor
ArvanCloud ArvanCloud
ASP.NET Generic Microsoft
ASPA Firewall ASPA Engineering Co.
Astra Czar Securities
AWS Elastic Load Balancer Amazon
AzionCDN AzionCDN
Azure Front Door Microsoft
Barikode Ethic Ninja
Barracuda Barracuda Networks
Bekchy Faydata Technologies Inc.
Beluga CDN Beluga
BIG-IP Local Traffic Manager F5 Networks
BinarySec BinarySec
BitNinja BitNinja
BlockDoS BlockDoS
Bluedon Bluedon IST
BulletProof Security Pro AITpro Security
CacheWall Varnish
CacheFly CDN CacheFly
Comodo cWatch Comodo CyberSecurity
CdnNS Application Gateway CdnNs/WdidcNet
ChinaCache Load Balancer ChinaCache
Chuang Yu Shield Yunaq
Cloudbric Penta Security
Cloudflare Cloudflare Inc.
Cloudfloor Cloudfloor DNS
Cloudfront Amazon
CrawlProtect Jean-Denis Brun
DataPower IBM
Cloud Protector Rohde & Schwarz CyberSecurity
DenyALL Rohde & Schwarz CyberSecurity
Distil Distil Networks
DOSarrest DOSarrest Internet Security
DDoS-GUARD DDOS-GUARD CORP.
DotDefender Applicure Technologies
DynamicWeb Injection Check DynamicWeb
Edgecast Verizon Digital Media
Eisoo Cloud Firewall Eisoo
Expression Engine EllisLab
BIG-IP AppSec Manager F5 Networks
BIG-IP AP Manager F5 Networks
Fastly Fastly CDN
FirePass F5 Networks
FortiWeb Fortinet
GoDaddy Website Protection GoDaddy
Greywizard Grey Wizard
Huawei Cloud Firewall Huawei
HyperGuard Art of Defense
Imunify360 CloudLinux
Incapsula Imperva Inc.
IndusGuard Indusface
Instart DX Instart Logic
ISA Server Microsoft
Janusec Application Gateway Janusec
Jiasule Jiasule
Kona SiteDefender Akamai
KS-WAF KnownSec
KeyCDN KeyCDN
LimeLight CDN LimeLight
LiteSpeed LiteSpeed Technologies
Open-Resty Lua Nginx FLOSS
Oracle Cloud Oracle
Malcare Inactiv
MaxCDN MaxCDN
Mission Control Shield Mission Control
ModSecurity SpiderLabs
NAXSI NBS Systems
Nemesida PentestIt
NevisProxy AdNovum
NetContinuum Barracuda Networks
NetScaler AppFirewall Citrix Systems
Newdefend NewDefend
NexusGuard Firewall NexusGuard
NinjaFirewall NinTechNet
NullDDoS Protection NullDDoS
NSFocus NSFocus Global Inc.
OnMessage Shield BlackBaud
Palo Alto Next Gen Firewall Palo Alto Networks
PerimeterX PerimeterX
PentaWAF Global Network Services
pkSecurity IDS pkSec
PT Application Firewall Positive Technologies
PowerCDN PowerCDN
Profense ArmorLogic
Puhui Puhui
Qcloud Tencent Cloud
Qiniu Qiniu CDN
Qrator Qrator
Reblaze Reblaze
RSFirewall RSJoomla!
RequestValidationMode Microsoft
Sabre Firewall Sabre
Safe3 Web Firewall Safe3
Safedog SafeDog
Safeline Chaitin Tech.
SecKing SecKing
eEye SecureIIS BeyondTrust
SecuPress WP Security SecuPress
SecureSphere Imperva Inc.
Secure Entry United Security Providers
SEnginx Neusoft
ServerDefender VP Port80 Software
Shield Security One Dollar Plugin
Shadow Daemon Zecure
SiteGround SiteGround
SiteGuard Sakura Inc.
Sitelock TrueShield
SonicWall Dell
UTM Web Protection Sophos
Squarespace Squarespace
SquidProxy IDS SquidProxy
StackPath StackPath
Sucuri CloudProxy Sucuri Inc.
Tencent Cloud Firewall Tencent Technologies
Teros Citrix Systems
Trafficshield F5 Networks
TransIP Web Firewall TransIP
URLMaster SecurityCheck iFinity/DotNetNuke
URLScan Microsoft
UEWaf UCloud
Varnish OWASP
Viettel Cloudrity
VirusDie VirusDie LLC
Wallarm Wallarm Inc.
WatchGuard WatchGuard Technologies
WebARX WebARX Security Solutions
WebKnight AQTRONIX
WebLand WebLand
wpmudev WAF Incsub
RayWAF WebRay Solutions
WebSEAL IBM
WebTotem WebTotem
West263 CDN West263CDN
Wordfence Defiant
WP Cerber Security Cerber Tech
WTS-WAF WTS
360WangZhanBao 360 Technologies
XLabs Security WAF XLabs
Xuanwudun Xuanwudun
Yundun Yundun
Yunsuo Yunsuo
Yunjiasu Baidu Cloud Computing
YXLink YxLink Technologies
Zenedge Zenedge
ZScaler Accenture
Shieldon Firewall Shieldon.io
wafw00f hackersploit.org
To test for all possible WAF instances
wafw00f hackersploit.org -a
Subdomain Enumeration With Sublist3r
sublist3r -h
We weren’t able to find any subdomain
Google Dorks
site:ine.com
To look for admin panels
site:ine.com inurl:admin
To look for forums
site:ine.com inurl:forun
To enumerate subdomains via google
site:*.ine.com (this will show subdomains for ine.com)
Looking for subdomains with an admin panel
site:*ine.com intitle:admin
To find files in subdomains
site:*ine.com filetype:pdf
Information requiring employees
site:ine.com employees
Searching for sites with directory listing available
intitle:index of
To check how a website looked like before upgrading, you can also use the wayback machine for this
cache:ine.com
To look for sites with passwords
inurl:auth_user_file.txt
You can also use Google Hacking Database
Email Harvesting With theHarvester
theHarvester -h
theHarvester -d hackersploit.org -b crtsh,dnsdumpster,duckduckgo,rapiddns
“-b” is the switch for source
theHarvester also does subdomain enumeration
Leaked Password Databases
This is to check if the owner of a email address have has his password leaked before
The website that will be used is Have I been Pwned
All you do is put the email of the employee you found when you were harvesting here to check if you’ll find leaked passwords