Information Gathering

Collecting information about your target, either passively (without directly interacting with the host/services) or actively. This is how you scope out your attack surface.
E.g.: domain, subdomains, IP ranges, SSL/TLS certificates, public web pages, API endpoints, past breaches, public GitHub repositories.

Tools

Subdomains - Subfinder, OWASP Amass, Sublist3r, nmmapper.com (website)
SSL/TLS certs - Qualys SSL Labs, crt.sh (website)
Past data breaches involving API endpoints - https://escape.tech/resources/api-threat-landscape
Web pages - robots.txt, sitemap.xml, Google dorking, Gobuster, Wayback Machine

Google Dorking Commands

Basics

site:example.com
Shows results for the domain example.com only
site:*.example.com
All subdomains of example.com (e.g. mysite.example.com)

For Login Pages

πŸ” site:example.com inurl:admin

πŸ” site:*.example.com inurl:admin/login
β†’ (β€œadmin login”) use quotes for multiword phrases

πŸ” site:*.example.com intitle:login/admin
β†’ (β€œlogin” / β€œadmin” / β€œlogin page”) use quotes for exact words

Directory Listing

πŸ” site:*.example.com intitle:"Index of /"
β†’ very useful and powerful

πŸ” site:*.example.com intitle:"index of" "parent directory"
β†’ finds pages with <title>Index of</title> containing β€œparent directory”

πŸ” site:*.example.com inurl:ftp
β†’ old but sometimes used for files/backups

πŸ” site:*.example.com inurl:wp-content
β†’ for WordPress sites

Finding Files

πŸ” site:example.com ext:xls OR ext:csv OR ext:doc

πŸ” site:example.com (ext:pdf OR filetype:pdf)
β†’ ext:pdf is more precise than filetype:pdf (other: txt, robots.txt, sitemap, docx, xlsx, log, xml)

πŸ” site:example.com filetype:env
β†’ try env, ini, sql, bak for sensitive info

Subdomain Enumeration

Websites

  • 🌐 crt.sh
  • 🌐 pentest-tools.com/information-gathering/find-subdomains-of-domain

Tools

  • πŸ› οΈ sublist3r - CLI tool for getting all the subdomains of a domain.
    step 1 β†’ git clone https://github.com/aboul3la/Sublist3r.git
    step 2 β†’ cd ~/Sublist3r
    step 3 β†’ python3 -m venv venv
    step 4 β†’ source venv/bin/activate
    step 5 β†’ pip install -r requirements.txt
    step 6 β†’ python sublist3r.py -d example.com
    step 7 β†’ python sublist3r.py -d example.com > subdomains.txt
    step 8 β†’ deactivate

for step 6 - run inside the Sublist3r directory, where the sublist3r.py file is located.
for step 7 - run if you want to save the result to a file.
for step 8 - after use, type this to exit the venv (virtual environment).

  • Shodan / SpiderFoot - tools for advanced searching
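As an added example (not part of these notes or of the crt.sh project): a small Python script that turns the JSON crt.sh returns for a domain into a deduplicated subdomain inventory, which is the defender-side use of the same data source (finding the hosts you forgot you had). The sample records are constructed to match the shape of that output (the common_name, name_value and not_after fields), example.com is a placeholder, and hosts whose newest certificate has already expired are flagged as possibly forgotten infrastructure.

```python
"""Subdomain inventory from crt.sh JSON (certificate transparency) for a domain you own.
Constructed sample (not real log data) shaped like https://crt.sh/?q=%25.example.com&output=json
output: name_value holds newline-separated certificate names, not_after the expiry."""
import json

SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2024-01-01T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2026-06-01T00:00:00"},
    {"common_name": "dev.example.com", "name_value": "DEV.example.com\nstaging.example.com",
     "not_after": "2025-03-01T00:00:00"},
    {"common_name": "www.example.com", "name_value": "www.example.com",
     "not_after": "2027-01-01T00:00:00"},
    {"common_name": "www.example.com.lookalike.test", "name_value": "www.example.com.lookalike.test",
     "not_after": "2026-01-01T00:00:00"},
])

def parse_crtsh(raw_json, domain):
    """Return ({host: newest not_after}, {wildcard names}) for names under `domain`.

    Names are lowercased and deduplicated; names not ending in the target domain
    are dropped so look-alike hosts are not counted as ours. Wildcards are kept
    apart because they are not concrete hosts."""
    domain = domain.lower()
    hosts, wildcards = {}, set()
    for record in json.loads(raw_json):
        for name in record["name_value"].split("\n") + [record["common_name"]]:
            name = name.strip().lower()
            if name != domain and not name.endswith("." + domain):
                continue  # outside our domain (also rejects look-alike suffixes)
            if name.startswith("*."):
                wildcards.add(name)
            elif record["not_after"] > hosts.get(name, ""):
                hosts[name] = record["not_after"]  # ISO timestamps compare as strings
    return hosts, wildcards

def expired_hosts(hosts, today):
    """Hosts whose newest certificate has already expired: candidates for
    decommissioned or forgotten infrastructure that should be reviewed."""
    return sorted(h for h, exp in hosts.items() if exp < today)

if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(hosts):
        print(f"{host:22} newest cert expires {hosts[host]}")
    print("wildcards:", sorted(wildcards))
    print("expired:  ", expired_hosts(hosts, "2025-06-01T00:00:00"))
```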

Directory and File Enumeration - (Gobuster)

  • Gobuster supports both HTTP and HTTPS, and you can specify the target URL with either http:// or https://. When using HTTPS you may hit certificate validation errors, especially with self-signed certificates; these can be skipped with the -k or --no-tls-validation flag, which disables TLS certificate verification.