
Web app info gathering

whois.domaintools.com – WHOIS lookup (registrant, registrar, name servers, creation/expiry dates);

use FreeMind (mind-mapping tool) to store this info as you go;

testing DNS
– nslookup > set querytype=mx > [domain name] [lists the mail servers];
– nslookup > set querytype=any > [domain name] [asks for all DNS records; many resolvers now answer ANY with a minimal reply, so query each type separately if this returns little];

Netcraft
– "What's that site running?" (the Netcraft site report);
– finds the OS, web server and hosting history passively, without sending anything to the target;

Web app fingerprinting

Netcat
– nc microsoft.com 80 → type HEAD / HTTP/1.0 and hit return twice; the response headers (Server, X-Powered-By, etc.) reveal the server software;
– if HEAD is blocked, GET / HTTP/1.0 returns the same headers;
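The netcat step above, done in code: this is an added example written for these notes, not a tool from the course. Python is used because the request/response handling is clearer than in a shell one-liner and the parser can run offline. The sample response is constructed (not captured from any real host), and the list of headers treated as stack-revealing is my choice.

```python
import socket

# Headers that leak stack information; this list is an assumption, extend as needed
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def build_head_request(host: str) -> bytes:
    """Same request typed into netcat: HEAD / HTTP/1.0 followed by an empty line.

    HTTP/1.0 does not require Host, but sending it avoids landing on the
    default virtual host of a shared server.
    """
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_fingerprint(raw: bytes) -> dict:
    """Pull the status line and the stack-revealing headers out of a raw response."""
    # Tolerate servers that send bare \n line endings
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    result = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name in FINGERPRINT_HEADERS:
            result[name] = value.strip()
    return result


def fingerprint(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live version of `nc host 80` + HEAD / HTTP/1.0, then parse the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_fingerprint(b"".join(chunks))


# Constructed sample response for offline use (not captured from a real server)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fingerprint(sys.argv[1]))      # live: python3 fp.py target.example
    else:
        print(parse_fingerprint(SAMPLE_RESPONSE))
```

Only the headers named in FINGERPRINT_HEADERS are kept; everything else in the response is dropped so the output stays readable when you run it against many hosts.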

WhatWeb – command-line fingerprinting tool;
– ./whatweb microsoft.com -v
– retrieves a lot of info: specific versions of ASP.NET, Windows, etc.;
– the default aggression level sends a single request; -a 3 sends more requests and gives a fuller fingerprint, at the cost of being noisier;

Wappalyzer – browser extension for Firefox
– automatically fingerprints each site as you browse it;
– often gets even more info than WhatWeb, since it also sees client-side frameworks and libraries;

DirBuster
– Java GUI application (OWASP) designed to brute-force directory and file names on web applications;
– custom lists to find hidden files and directories;
– two modes: pure brute force tries every possible combination of a character set you select (the search space explodes with length); list brute force only tries entries from a wordlist you have to specify;
– file extensions to search for, e.g. bak, old;
– with the results, a file like "user.bak" can be right-clicked → View Response to see what is in it;
– another interesting result, "include/config.old", when viewed the same way shows the database connection details;
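Both DirBuster modes as code, plus the check a practitioner needs before trusting the results: this is an added example written for these notes, not DirBuster's own code. The site it scans is constructed in-process (a dictionary standing in for HTTP responses) so it runs offline; `http_fetch` is the live equivalent. The extension list and the 200-for-everything ("soft 404") behaviour of the fake site are my assumptions.

```python
import itertools
import random
import string
import urllib.error
import urllib.request

# Extensions worth appending, as the notes suggest; the list itself is my choice
DEFAULT_EXTENSIONS = ("bak", "old", "orig", "txt")


def list_candidates(words, extensions=DEFAULT_EXTENSIONS):
    """List brute force: every wordlist entry, bare and with each extension."""
    for word in words:
        yield word
        for ext in extensions:
            yield f"{word}.{ext}"


def pure_candidates(charset, max_len):
    """Pure brute force: every string over charset, length 1..max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def pure_space(charset, max_len):
    """Number of requests pure brute force needs (why it is rarely practical)."""
    n = len(charset)
    return sum(n ** length for length in range(1, max_len + 1))


def http_fetch(url, timeout=5.0):
    """Live fetch: (status code, body length) for one URL."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read() or b"")


def not_found_baseline(fetch, base):
    """Learn what 'missing' looks like by requesting a random name.

    A server that answers 200 for every path (soft 404) would otherwise turn
    every candidate into a hit; DirBuster's failure-case probing does the same.
    """
    probe = "".join(random.choices(string.ascii_lowercase, k=16))
    return fetch(f"{base}/{probe}")


def scan(fetch, base, candidates):
    """Request each candidate; report those whose (status, size) differs from baseline."""
    baseline = not_found_baseline(fetch, base)
    hits = []
    for name in candidates:
        resp = fetch(f"{base}/{name}")
        if resp != baseline:
            hits.append((name, resp[0]))
    return hits


# Constructed site for offline use: a soft-404 server with a few real files
CONSTRUCTED_SITE = {
    "/user.bak": (200, 412),
    "/include/config.old": (200, 1300),
    "/index": (200, 5000),
    "/admin": (403, 250),
}


def fake_fetch(url, _base="http://target.example"):
    """Stand-in for http_fetch: unknown paths get 200 with a generic 1500-byte page."""
    return CONSTRUCTED_SITE.get(url[len(_base):], (200, 1500))


if __name__ == "__main__":
    words = ["user", "include/config", "index", "admin", "nothing"]
    print(scan(fake_fetch, "http://target.example", list_candidates(words)))
    print("pure brute force, a-z up to 6 chars:", pure_space(string.ascii_lowercase, 6))
```

Comparing against a baseline rather than just the status code is what separates real hits from a catch-all page; when the baseline itself varies (dynamic error pages), compare on status plus a size tolerance instead of an exact tuple.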

Subdomain enumeration

– Google: site:.cbs.com -site:www.cbs.com [the -site: part excludes www.cbs.com];
– as subdomains turn up, add more -site: terms to exclude them and surface others:
– site:.cbs.com -site:www.cbs.com -site:radio.cbs.com [etc.]
– searchdns.netcraft.com → search for *.cbs.com;

dnsenum
– enumerates by scraping Google:
– -p 20 limits the scrape to 20 Google result pages;
– -s 100 limits it to 100 subdomain results;
– also tries a zone transfer (AXFR) against each name server;

subbrute
– dictionary attack to discover subdomains [note dnsenum can also do this];
– uses a built-in wordlist, but custom ones can be given too;

– can store this stuff in files too – grepable and normal, I believe;
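The Google dork construction above and a subbrute-style dictionary attack, as one added example written for these notes (not subbrute's or dnsenum's own code). It adds the check those tools also need: a wildcard DNS record makes every label resolve, so a random label is resolved first and candidates returning the same addresses are discarded. The zone below is constructed so the example runs offline; `system_resolve` is the live resolver, and the domain/addresses are placeholders.

```python
import random
import socket
import string


def google_dork(domain, exclude=()):
    """The site: query from the notes, with -site: exclusions for names already found."""
    parts = [f"site:.{domain}"] + [f"-site:{name}" for name in exclude]
    return " ".join(parts)


def system_resolve(name):
    """Live resolver: sorted IPv4 addresses for name, or [] if it does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def wildcard_addresses(domain, resolve):
    """Detect wildcard DNS: if a random label resolves, every label will."""
    nonce = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
    return resolve(f"{nonce}.{domain}")


def brute_subdomains(domain, wordlist, resolve=system_resolve):
    """Dictionary attack over wordlist labels, filtering answers that only come from a wildcard."""
    wildcard = wildcard_addresses(domain, resolve)
    found = {}
    for label in wordlist:
        name = f"{label}.{domain}"
        addrs = resolve(name)
        if not addrs:
            continue
        if wildcard and addrs == wildcard:
            continue  # same answer as a random label: no evidence the host exists
        found[name] = addrs
    return found


# Constructed zone for offline use (example.com and 203.0.113.0/24 are reserved for documentation)
CONSTRUCTED_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "radio.example.com": ["203.0.113.20"],
    "dev.example.com": ["203.0.113.10"],
}
WILDCARD_ANSWER = ["203.0.113.99"]  # *.example.com in the constructed zone


def fake_resolve(name):
    """Stand-in for system_resolve against the constructed zone."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    if name.endswith(".example.com"):
        return WILDCARD_ANSWER
    return []


if __name__ == "__main__":
    words = ["www", "radio", "dev", "mail", "ftp"]
    found = brute_subdomains("example.com", words, resolve=fake_resolve)
    print(found)
    print(google_dork("example.com", exclude=sorted(found)))
```

The wildcard filter has one blind spot: a real host that happens to share the wildcard's address is dropped with the noise. When that matters, compare the full record set (or an HTTP fingerprint of the host) rather than just the A records.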

Crawling & Spidering

with Burp Suite
– Target → Scope → paste the URL (adds the target to scope);
– filter → display only in-scope items;
– Spider → the status reads "spider is paused"; clicking it starts the spider;
– keep the scope tight: the spider follows every link it finds and submits forms, including logout and delete actions;
