In the early stages of a penetration test it is best practice to gather as much detailed information about the target as possible, including from public data and search engines.
theHarvester

Developed by Christian Martorella, this tool gathers emails, subdomains, hosts, employee names, open ports and banners from different public sources such as search engines, PGP key servers and the SHODAN computer database:

Passive discovery:
Active discovery:
[embed]https://github.com/laramies/theHarvester[/embed]

Snitch

This tool automates the information gathering process for a specified domain.

    devil@hell:~/snitch$ python snitch.py
    [snitch ASCII-art banner]  ~0.3

    Usage: snitch.py [options]

    Options:
      -h, --help                          show this help message and exit
      -U [url], --url=[url]               domain(s) or domain extension(s) separated by comma*
      -D [type], --dork=[type]            dork type(s) separated by comma*
      -C [dork], --custom=[dork]          custom dork*
      -O [file], --output=[file]          output file
      -S [ip:port], --socks=[ip:port]     socks5 proxy
      -I [seconds], --interval=[seconds]  interval between requests, 2s by default
      -P [pages], --pages=[pages]         pages to retrieve, 10 by default
      -v                                  turn on verbosity

    Dork types:
      info   Information leak & Potential web bugs
      ext    Sensitive extensions
      docs   Documents & Messages
      files  Files & Directories
      soft   Web software
      all    All

[embed]https://github.com/Smaash/snitch[/embed]

DMitry

DMitry has the ability to gather possible subdomains, email addresses, uptime information, a TCP port scan, whois lookups (and more) about a host. The information is gathered with the following methods:
Example

The following command:

    $ dmitry -iwns -o example.out google.com

creates a report named example.out. The flags select the whois lookup on the host's IP address (-i), the whois lookup on the domain name (-w), the Netcraft query (-n) and the subdomain search (-s), which is why the report below has exactly those four sections:

    HostIP:209.85.227.99
    HostName:google.com

    Gathered Inet-whois information for 209.85.227.99
    ---------------------------------
    OrgName:    Google Inc.
    OrgID:      GOGL
    Address:    1600 Amphitheatre Parkway
    City:       Mountain View
    StateProv:  CA
    PostalCode: 94043
    Country:    US

    NetRange:   209.85.128.0 - 209.85.255.255
    CIDR:       209.85.128.0/17
    NetName:    GOOGLE
    NetHandle:  NET-209-85-128-0-1
    Parent:     NET-209-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NS1.GOOGLE.COM
    NameServer: NS2.GOOGLE.COM
    NameServer: NS3.GOOGLE.COM
    NameServer: NS4.GOOGLE.COM
    Comment:
    RegDate:    2006-01-13
    Updated:    2006-06-01

    OrgTechHandle: ZG39-ARIN
    OrgTechName:   Google Inc.
    OrgTechPhone:  +1-650-318-0200
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2010-02-06 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at https://www.arin.net/whois_tou.html

    Gathered Inic-whois information for google.com
    ---------------------------------
    Domain Name: GOOGLE.COM
    Registrar: MARKMONITOR INC.
    Whois Server: whois.markmonitor.com
    Referral URL: http://www.markmonitor.com
    Name Server: NS1.GOOGLE.COM
    Name Server: NS2.GOOGLE.COM
    Name Server: NS3.GOOGLE.COM
    Name Server: NS4.GOOGLE.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Status: serverDeleteProhibited
    Status: serverTransferProhibited
    Status: serverUpdateProhibited
    Updated Date: 18-nov-2008
    Creation Date: 15-sep-1997
    Expiration Date: 14-sep-2011

    >>> Last update of whois database: Sun, 07 Feb 2010 08:06:53 UTC <<<

    NOTICE: The expiration date displayed in this record is the date the
    registrar's sponsorship of the domain name registration in the registry is
    currently set to expire. This date does not necessarily reflect the
    expiration date of the domain name registrant's agreement with the
    sponsoring registrar. Users may consult the sponsoring registrar's Whois
    database to view the registrar's reported date of expiration for this
    registration.

    TERMS OF USE: You are not authorized to access or query our Whois database
    through the use of electronic processes that are high-volume and automated
    except as reasonably necessary to register domain names or modify existing
    registrations; the Data in VeriSign Global Registry Services' ("VeriSign")
    Whois database is provided by VeriSign for information purposes only, and to
    assist persons in obtaining information about or related to a domain name
    registration record. VeriSign does not guarantee its accuracy. By submitting
    a Whois query, you agree to abide by the following terms of use: You agree
    that you may use this Data only for lawful purposes and that under no
    circumstances will you use this Data to: (1) allow, enable, or otherwise
    support the transmission of mass unsolicited, commercial advertising or
    solicitations via e-mail, telephone, or facsimile; or (2) enable high
    volume, automated, electronic processes that apply to VeriSign (or its
    computer systems). The compilation, repackaging, dissemination or other use
    of this Data is expressly prohibited without the prior written consent of
    VeriSign. You agree not to use electronic processes that are automated and
    high-volume to access or query the Whois database except as reasonably
    necessary to register domain names or modify existing registrations.
    VeriSign reserves the right to restrict your access to the Whois database in
    its sole discretion to ensure operational stability. VeriSign may restrict
    or terminate your access to the Whois database for failure to abide by these
    terms of use. VeriSign reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and

    Gathered Netcraft information for google.com
    ---------------------------------
    Retrieving Netcraft.com information for google.com
    Netcraft.com Information gathered

    Gathered Subdomain information for google.com
    ---------------------------------
    Searching Google.com:80...
    HostName:www.google.com
    HostIP:209.85.227.99
    Searching Altavista.com:80...
    Found 1 possible subdomain(s) for host google.com, Searched 0 pages containing 0 results

Note that the registry whois terms above explicitly forbid high-volume automated queries; running DMitry (or any whois-driven tool) across many targets in a loop is exactly what that clause covers.

[embed]https://www.aldeid.com/wiki/Dmitry[/embed]

wig — WebApp Information Gatherer

wig can identify numerous Content Management Systems and other administrative applications. The application fingerprinting is based on checksums and string matching of known files for the different versions of each CMS. wig also tries to guess the operating system on the server from the 'server' and 'x-powered-by' headers.

Example

    $ python3 wig.py example.com

    wig - WebApp Information Gatherer

    Redirected to http://www.example.com
    Continue? [Y|n]:

    Scanning http://www.example.com...
    _____________________________________________________ SITE INFO _____________________________________________________
    IP                  Title
    256.256.256.256     PAGE_TITLE

    ______________________________________________________ VERSION ______________________________________________________
    Name                               Versions      Type
    Drupal                             7.38          CMS
    nginx                                            Platform
    amazons3                                         Platform
    Varnish                                          Platform
    IIS                                7.5           Platform
    ASP.NET                            4.0.30319     Platform
    jQuery                             1.4.4         JavaScript
    Microsoft Windows Server           2008 R2       OS

    _____________________________________________________ SUBDOMAINS ____________________________________________________
    Name                          Page Title             IP
    http://m.example.com:80       Mobile Page            256.256.256.257
    https://m.example.com:443     Secure Mobil Page      256.256.256.258

    ____________________________________________________ INTERESTING ____________________________________________________
    URL         Note              Type
    /test/      Test directory    Interesting
    /login/     Login Page        Interesting

    _______________________________________________ PLATFORM OBSERVATIONS _______________________________________________
    Platform               URL                                           Type
    ASP.NET 2.0.50727      /old.aspx                                     Observation
    ASP.NET 4.0.30319      /login/                                       Observation
    IIS 6.0                http://www.example.com/templates/file.css     Observation
    IIS 7.0                https://www.example.com/login/                Observation
    IIS 7.5                http://www.example.com                        Observation

    _______________________________________________________ TOOLS _______________________________________________________
    Name           Link                                       Software
    droopescan     https://github.com/droope/droopescan       Drupal
    CMSmap         https://github.com/Dionach/CMSmap          Drupal

    __________________________________________________ VULNERABILITIES __________________________________________________
    Affected        #Vulns     Link
    Drupal 7.38     5          http://cvedetails.com/version/185744

    _____________________________________________________________________________________________________________________
    Time: 11.3 sec   Urls: 310   Fingerprints: 37580

The PLATFORM OBSERVATIONS section is worth reading carefully: three different IIS versions and two ASP.NET runtimes reported for one hostname are not a fingerprinting error but a sign that several backends (or a proxy in front of an older host) are answering for the same site.

[embed]https://github.com/jekyc/wig[/embed]

AngryFuzz3r

AngryFuzz3r is a collection of tools for pentesting to gather information and discover vulnerabilities of the targets, based on the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb):

The tool is developed by Iheb B.Salem.

Features

Usage

    $ python angryFuzzer.py -h
    Usage: angryFuzzer.py [options]

    Options:
      -h, --help            show this help message and exit
      -q, --quiet           Silent mode, only reports
      -u URL, --url=URL     URL of the Target
      -c CMS, --cms=CMS     scan CMS ==> wp ,dp
      -w WORDLIST, --wordlist=WORDLIST
                            Custom wordlist

[embed]https://github.com/ihebski/angryFuzzer[/embed]
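The three mechanisms the wig section above describes (checksums of known files, string matching for a version, and Server / X-Powered-By headers for platform and OS) fit in a few functions. The following Python is an added example written for this page; it is not wig's code, and its fingerprint table, file contents, IIS-to-Windows mapping and the HTTP responses it scans are all constructed here for illustration. It also keeps the point made about the PLATFORM OBSERVATIONS table: versions that disagree between URLs are reported as conflicts rather than merged.

```python
"""wig-style web application fingerprinting over constructed HTTP responses."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed checksum database (wig's real one is generated from release
# archives): path -> {md5 of the file as shipped in a version: (name, version)}.
CHECKSUM_DB = {
    "/misc/drupal.js": {
        _md5(b"// Drupal 7.38 misc/drupal.js (constructed)\n"): ("Drupal", "7.38"),
        _md5(b"// Drupal 7.39 misc/drupal.js (constructed)\n"): ("Drupal", "7.39"),
    },
}

# String-match fallback: path -> [(regex with the version in group 1, name)].
STRING_DB = {
    "/CHANGELOG.txt": [(re.compile(r"^Drupal (\d+\.\d+)", re.M), "Drupal")],
}

# IIS version -> Windows release it ships with; used for the OS guess (assumed table).
IIS_TO_OS = {
    "6.0": "Microsoft Windows Server 2003",
    "7.0": "Microsoft Windows Server 2008",
    "7.5": "Microsoft Windows Server 2008 R2",
}


def match_file(path, body):
    """Identify (name, version) from a fetched file: checksum first, then string match."""
    hit = CHECKSUM_DB.get(path, {}).get(_md5(body))
    if hit:
        return hit
    text = body.decode("utf-8", "replace")
    for regex, name in STRING_DB.get(path, []):
        m = regex.search(text)
        if m:
            return (name, m.group(1))
    return None


def platform_from_headers(headers):
    """Platform observations from Server / X-Powered-By / X-AspNet-Version headers."""
    h = {k.lower(): v for k, v in headers.items()}
    obs = []
    server = h.get("server", "")
    m = re.search(r"Microsoft-IIS/(\d+\.\d+)", server)
    if m:
        obs.append(("IIS", m.group(1)))
    if "nginx" in server.lower():
        obs.append(("nginx", ""))
    if "asp.net" in h.get("x-powered-by", "").lower():
        obs.append(("ASP.NET", h.get("x-aspnet-version", "")))
    return obs


def fingerprint(responses):
    """responses: {url: (headers, body)} -> report with CMS, platform, OS and conflicts.

    Platform versions that disagree between URLs are kept as conflicts instead of
    being collapsed to one value: they usually mean several backends behind one
    hostname (or a proxy in front of an older host), not a bad fingerprint.
    """
    cms = defaultdict(list)        # (name, version) -> evidence URLs
    platform = defaultdict(set)    # (name, version) -> URLs it was observed on
    for url, (headers, body) in responses.items():
        hit = match_file(urlsplit(url).path or "/", body)
        if hit:
            cms[hit].append(url)
        for name, version in platform_from_headers(headers):
            platform[(name, version)].add(url)
    os_guess = sorted({IIS_TO_OS[v] for n, v in platform if n == "IIS" and v in IIS_TO_OS})
    seen = defaultdict(set)
    for name, version in platform:
        if version:
            seen[name].add(version)
    conflicts = {n: sorted(v) for n, v in seen.items() if len(v) > 1}
    return {"cms": dict(cms), "platform": dict(platform), "os": os_guess, "conflicts": conflicts}


# Constructed responses standing in for what a scanner would fetch from the target.
SAMPLE_RESPONSES = {
    "http://www.example.com/": (
        {"Server": "Microsoft-IIS/7.5", "X-Powered-By": "ASP.NET", "X-AspNet-Version": "4.0.30319"},
        b"<html><title>PAGE_TITLE</title></html>"),
    "http://www.example.com/misc/drupal.js": (
        {"Server": "nginx"}, b"// Drupal 7.38 misc/drupal.js (constructed)\n"),
    "http://www.example.com/CHANGELOG.txt": (
        {"Server": "nginx"}, b"Drupal 7.38, 2015-06-17\n-----------------------\n"),
    "http://www.example.com/old.aspx": (
        {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET", "X-AspNet-Version": "2.0.50727"},
        b"<html>legacy</html>"),
}

if __name__ == "__main__":
    report = fingerprint(SAMPLE_RESPONSES)
    for key in ("cms", "platform", "os", "conflicts"):
        print(key, report[key])
```

Run on the constructed responses it identifies Drupal 7.38 from two independent pieces of evidence (the exact checksum of misc/drupal.js and the version string in CHANGELOG.txt), and reports IIS 6.0 alongside 7.5 and ASP.NET 2.0 alongside 4.0 as conflicts rather than picking one, which is the same picture the wig output above paints for its example site. A locally edited copy of a fingerprinted file falls through the checksum table and, with no string rule for that path, yields nothing, which is the main limitation of checksum-based identification.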