Website (external)

• DNS Reconnaissance

  • Command/tool: dig example.com

  • Online resource: https://dnsdumpster.com/

  • Online resource: https://searchdns.netcraft.com/

• Check Wayback machine to view old files like robots.txt and URLs - maybe some of the old functionality still exists in the new site. Tools: waybackurls.py (https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050)

• Subdomain discovery

  • Tool: knockpy (https://github.com/guelfoweb/knock)

  • Tool: sublist3r (https://github.com/aboul3la/Sublist3r) Example command: python sublis3r.py -d example.com -p 80 443

  • Tool: SubBrute (https://github.com/TheRook/subbrute) Example command: ./subbrute.py example.com

  Vulnerability Scanning

  • Run a web vulnerability scanner against the asset. Tool: nikto --host www.example.com

Miscellaneous

• Check page source for comments and information

• Check robots.txt file

• Run through transactions and collect the user flow to check for vulnerabilities Tool: BurpSuite

Map the application

• Spidering Tool: BurpSuite

• Brute force / dictionary attack tool Tool: dirsearch Tool: feroxbuster Tool: gobuster

• Application-specific wordlists

Information to collect

• Software used, and version (check "about", look for copyright years, "help" links that lead to documentation)

• Login pages

• Directories

• External user input (search bars, contact us forms)

• php info pages

Exploits

• Check for software used

  • "Powered by" banners at the bottom of the site

  • Identifiers or comments in page source code

  • Versions can be found in copyright year, "help" links, "about" links

• Search for default usernames and passwords

• Search for exploits (CVEs)