EJPT

The document outlines assessment methodologies for information gathering in penetration testing, emphasizing both passive and active techniques. It details various tools and methods for gathering data about a target, including web information gathering, DNS reconnaissance, and subdomain enumeration. Additionally, it covers the use of Google dorking and email harvesting for collecting sensitive information, concluding with techniques for DNS zone transfers and port scanning using Nmap.

EJPT: Assessment Methodologies: Information Gathering


INFO GATHERING:
First and most important phase of a pentest.
Passive gathering: get information about the target without engaging with it:
online sources (Google, Facebook, Snapchat), domain names, subdomain enumeration,
target employees' data, personal emails, and any leaked creds/emails etc.
Active gathering: get information about the target by engaging with it:
searching for vulnerabilities in the target system, discovering web technologies,
extensions and plugins, discovering the internal network, scanning hosts to look for
common vulns and more information about the target before starting to exploit it:
port scanning, web bruteforcing, exploiting the vulnerabilities present.

WEB Info Gathering:

Doing a directory bruteforce on the target web app.
Searching for the robots.txt file, which may have some sensitive directories exposed.
Search for the web technologies and plugins used by the site with the Firefox add-ons
BuiltWith and Wappalyzer (I use this by default while bug hunting, really helpful).

Using WHATWEB:
whatweb target.com
We can also use HTTrack to download whole websites (didn't know this, useful maybe).
WHOIS enum (passive info gathering):
whois target.com
Get details like the domain server URL, registrar name, contact details, URL
registration date, expiry date etc.

WEB footprinting with Netcraft


DNS RECON:
Using the dnsrecon tool (a Python script).
Usage: dnsrecon -d domain.com
We can get the mail server addresses:
MX _dc-mx.2c2a3526b376.hackersploit.org 198.54.120.212
MX _dc-mx.2c2a3526b376.hackersploit.org 64:ff9b::c636:78d4
We can use dnsdumpster to get more neatly arranged info for research.
WEB application firewall detection:
There are various ways to do so: we can check using Wappalyzer or simply try
<script>alert(00)</script>
to trigger the web app's firewall.

Tools that can be used to do so:

WAFW00F:
Usage: wafw00f target.com
[*] Checking https://target.com
[+] The site https://target.com is behind Sucuri CloudProxy (Sucuri Inc.) WAF.

[~] Number of requests: 2


The result looks like this: it will tell whether the website is behind a firewall or
not and identify the firewall being used.
SUBDOMAIN ENUMERATION USING sublist3r: (nice tool, also useful during bug hunting)
Usage: there are lots of commands for it, e.g. using it to directly generate a
subdomain list and filter out all inactive domains with httpx; many one-liners for
it can be found on Twitter.
We can specify what search engines to use during subdomain enumeration; just add
your API keys in its config file (recommended to use github, shodan, censys and
virustotal).
sublist3r -d target.com -e google.com,shodan,virustotal.com
or use sublist3r -d target.com (to use all search engines).
I use AMASS mostly, a great subdomain enum tool.
There are lots of tools for subdomain enumeration.

GOOGLE DORKING:
A very useful website with lots of useful Google dorks:
(https://taksec.github.io/google-dorks-bug-bounty/)
Basic dorks:
site:ine.com (only results for ine.com)
site:ine.com inurl:admin (searching for admin panels or anything specific on a site:
login forms etc.)
site:*.ine.com (shows all domains that end with ine.com; subdomain enumeration
with Google dorking)
site:*.ine.com intitle:admin (subdomains with admin in their URL)
site:*.ine.com filetype:pdf (to search for PDF files on ine.com; can use xml, csv,
ppt etc., anything)
intitle:index of google.com (or any site you want to search)
The WAYBACK MACHINE is also a very useful tool to look for subdomains; cached data of
a site can sometimes lead to sensitive data, or can even show what a website looked
like in the past if you specify the time.
Searching for files like passwords, keys etc.:
inurl:auth_key target.com
inurl:apikeys target.com
We can also do GitHub dorking for a target; it can sometimes leak passwords, API
keys and sensitive info the devs forgot to remove.
Look for useful dorks in the GHDB (Google Hacking Database).

Email harvesting with theHarvester (finding leaked emails):

Usage:
theHarvester -d target.com -b google,baidu,linkedin (specify the search engines you
want to use for searching emails).
FINDING leaked email passwords:
Use the Have I Been Pwned site to check if your email/password has been pwned or
leaked anywhere through a data breach.
END OF PASSIVE INFO GATHERING :)

ACTIVE INFORMATION GATHERING (interacting with the host, deeper dive into the host):
DNS ZONE TRANSFERS:
What is DNS? (Domain Name System)
DNS is like a telephone book holding all domain names and their IP addresses: like
when we tap a contact on the phone and it knows what number to dial for that
contact name, same with a DNS server.
Contents of a DNS server:
A: domain name to IPv4 address
AAAA: domain name to IPv6 addresses
MX: mail server
TXT: text records
CNAME: domain aliases
HINFO: host info
SOA: domain authority

DNS interrogation:
Finding the mail server, subdomains and DNS records for a specific IP address or domain.

DNS zone transfer:

Through it an organization's internal network IPs can be found, which can provide a
holistic view of a company's or system's network.
We will use the zonetransfer.me site for testing.
Performing a zone transfer on zonetransfer.me:
dnsenum target.com
It will do a zone transfer if the target is vulnerable.
We can use dig for the same thing:
dig axfr @nameserver domain.com
(more research on it)
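Added example (not from the original notes): a small Python review of the output a `dig axfr` run produces, from the zone owner's side: it confirms whether the transfer actually completed (a full AXFR is bracketed by the SOA record) and flags records that hand out internal addresses or descriptive text, which is exactly what the notes say an open zone transfer leaks. The zone below is constructed for the example and is not real zonetransfer.me data.

```python
import ipaddress

# RFC 1918 IPv4 ranges plus IPv6 unique local addresses: anything here
# in a public zone points at an internal host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample in the format `dig axfr` prints; not a real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
example.test.           7200 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 172800 900 1209600 3600
example.test.           7200 IN NS   ns1.example.test.
example.test.           300  IN MX   10 mail.example.test.
www.example.test.       300  IN A    203.0.113.10
mail.example.test.      300  IN A    203.0.113.25
intranet.example.test.  300  IN A    10.0.5.12
vpn.example.test.       300  IN A    192.168.1.1
dc1.example.test.       300  IN AAAA fd12:3456:789a::1
office.example.test.    300  IN TXT  "Reception desk, 2nd floor"
ns1.example.test.       7200 IN AAAA 2001:db8::53
example.test.           7200 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 172800 900 1209600 3600
;; Query time: 12 msec
"""

def parse_axfr(text):
    """Return (name, type, rdata) tuples from dig-style zone output, skipping ';' comments."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)  # name ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN" and not parts[0].startswith(";"):
            name, _ttl, _cls, rtype, rdata = parts
            records.append((name.rstrip("."), rtype, rdata))
    return records

def transfer_succeeded(text):
    """A complete AXFR starts and ends with the zone's SOA (RFC 5936); a refused one has none."""
    return sum(1 for _, rtype, _ in parse_axfr(text) if rtype == "SOA") >= 2

def review_zone(text):
    """Flag records a zone owner would not want an anonymous AXFR to hand out."""
    findings = []
    for name, rtype, rdata in parse_axfr(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((name, rtype, rdata, "internal address exposed"))
        elif rtype in ("TXT", "HINFO"):
            findings.append((name, rtype, rdata, "descriptive record exposed"))
    return findings
```

The fix on the server side is to restrict transfers to the secondary name servers (for example BIND's `allow-transfer`), after which `dig axfr` prints `; Transfer failed.` and `transfer_succeeded` returns False.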

HOST DISCOVERY AND PORT SCANNING WITH NMAP:

(We can't scan Windows systems directly with a simple `nmap ip` command; the host
blocks nmap's host discovery probes.)
So we skip host discovery and just do a port scan: since we aren't checking whether
the host is live or dead, the scan won't get blocked.
nmap -Pn ip (this is a TCP port scan)
To scan specific ports only:
nmap -Pn -p 80,22,8080 ip
nmap -Pn -sU ip (this performs a UDP scan)
To discover services and detect versions on the target:
nmap -Pn -F -sV ip (here -F is used to scan the 100 most common ports; this scan is
fast, I recommend going with the default scan during hunting or pentesting; -sV is
for service detection)
nmap -Pn -F -sV -O ip -v (operating system detection scan)
nmap -sV -vv --script vuln ip (run an nmap script scan to identify vulnerabilities in
the services on the target's open ports)
nmap -Pn -F -sV ip -oN output.txt (saving the output to a text file).
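Added example (not from the original notes): a Python parser for the normal-format file that `-oN output.txt` writes, which answers the lab's question (all open ports and their services) and then compares the result against an allow-list of ports that are supposed to be exposed, which is how a defender turns the same scan into a finding. The scan output below is constructed for the example and does not come from a real host.

```python
import re

# Constructed sample of `nmap -Pn -F -sV -oN output.txt` normal output; not a real host.
SAMPLE_ON = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -F -sV -oN output.txt 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.0021s latency).
Not shown: 96 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
80/tcp   open     http          Microsoft IIS httpd 10.0
135/tcp  open     msrpc         Microsoft Windows RPC
445/tcp  open     microsoft-ds?
3389/tcp open     ms-wbt-server Microsoft Terminal Services
8080/tcp filtered http-proxy
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# Nmap done at Mon Jan  1 10:00:30 2024 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto  state  service  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_normal_output(text):
    """Map each scanned host to its port lines: {host: [(port, proto, state, service, version)]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return hosts

def open_ports(hosts):
    """Per host, the open ports with their service names (what the lab asks for)."""
    return {h: [(p, s) for p, _, st, s, _ in ports if st == "open"]
            for h, ports in hosts.items()}

def unexpected_ports(hosts, allowed):
    """Open ports missing from the per-host allow-list: the defender's check after a scan."""
    return {h: sorted(p for p, _ in ports if p not in allowed.get(h, set()))
            for h, ports in open_ports(hosts).items()}
```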

LAB:
Windows Recon:
It was nothing much; I was just asked to do an nmap scan, identify all open ports and
their services, and run the script scan which was taught in the video.
END :)