1.INFORMATION-GATHERING.md
# Information Gathering

## Description

If you want to rob a bank, are you going to rush in head first, without any information and without preparation? What would your chances of pulling off the heist be?

It is the same for information gathering: this step is the most important one in a penetration test, because it determines your ability to find security weaknesses in the later phases.

To put it simply, the more relevant information you find during this phase, the greater your chances of finding security weaknesses, so do not hesitate to take your time over this task.

## Methods

### Step 1. Find subdomains and IP addresses

```bash
subfinder -d www.example.com -all -active -v -o output.txt # web-based DNS search (-active keeps only resolving subdomains)
host -t ns www.example.com # list the name servers (needed before a zone transfer check)
dig www.example.com # resolve the IP address
```

With subfinder, to improve the results you can enable additional sources by adding your API keys to the configuration file:

https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration

### Step 2. Enumerate applications on the web server

```bash
nmap -Pn -sT -sV -p0-65535 <IP> # services on non-standard ports
ffuf -w /path/to/dico -u https://www.example.com/FUZZ # directory listings (FUZZ is replaced by each wordlist entry)
```

### Step 3. Identify web crawler files

Use curl to review the metafiles:

```bash
curl https://www.example.com/robots.txt
curl https://www.example.com/sitemap.xml
curl https://www.example.com/.well-known/security.txt
curl https://www.example.com/humans.txt
```

### Step 4. Version control history

Web applications sometimes expose the `.git` directory, which stores the version control system's data (usually git):

```bash
curl https://www.example.com/.git
```

### Step 5. Determine framework versions and the type of web server

Use curl:

```bash
curl -I https://www.example.com
```

Send a malformed request with Burp Suite Repeater to review the error messages:

```
GET / SANTA CLAUS/1.1
```

Also use the Wappalyzer browser extension to identify framework versions.
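The `curl -I` output of Step 5 and the `.git` check of Step 4 are easier to act on when the review is written down as a repeatable check. The following is an added example, not part of the original checklist: it flags response headers that disclose a software version (the disclosure you would then suppress in the server configuration) and recognises whether the content served for the `HEAD` file inside `.git` is a real git ref rather than an error page. The function names and the sample responses are constructed for illustration.

```python
import re

# Headers that commonly leak server software or framework details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (as printed by `curl -I`) into a
    dict with lowercase header names; the status line is under 'status'."""
    lines = raw.strip().splitlines()
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def version_disclosures(raw: str) -> list:
    """Return (header, value) pairs whose value carries a version number,
    e.g. 'Apache/2.4.41'. A bare product name is not reported."""
    hdrs = parse_headers(raw)
    found = []
    for name in DISCLOSING_HEADERS:
        value = hdrs.get(name)
        if value and re.search(r"\d+\.\d+", value):
            found.append((name, value))
    return found

def git_exposed(head_body: str) -> bool:
    """True if the body fetched from /.git/HEAD looks like a real git HEAD
    file (a symbolic ref or a bare commit hash) rather than an error page."""
    body = head_body.strip()
    return bool(re.fullmatch(r"ref: refs/\S+", body)
                or re.fullmatch(r"[0-9a-f]{40}", body))

# Constructed sample responses (not captured from any real host).
SAMPLE_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
"""
HARDENED_HEAD = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""
SAMPLE_GIT_HEAD = "ref: refs/heads/main\n"

if __name__ == "__main__":
    print("disclosures:", version_disclosures(SAMPLE_HEAD))   # two findings
    print("hardened:", version_disclosures(HARDENED_HEAD))    # []
    print(".git exposed:", git_exposed(SAMPLE_GIT_HEAD))      # True
```

Feed the script the saved output of `curl -I` and of `curl https://www.example.com/.git/HEAD` to turn the manual review into a pass/fail check for your own hosts.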

### Step 6. Analyze the source code

Check whether sensitive information is exposed in the following:

- Comments: `<!-- ... -->`
- META tags: `<META ...>`
- JavaScript code: `<script>...</script>`

## Inspired by

## Tools