Website (external)

• DNS Reconnaissance

  • Command/tool: dig example.com

  • Online resource:

  • Online resource:

• Check Wayback machine to view old files like robots.txt and URLs - maybe some of the old functionality still exists in the new site. Tools: waybackurls.py ()

• Subdomain discovery

  • Tool: knockpy ()

  • Tool: sublist3r () Example command: python sublis3r.py -d example.com -p 80 443

  • Tool: SubBrute () Example command: ./subbrute.py example.com

  Vulnerability Scanning

  • Run a web vulnerability scanner against the asset. Tool: nikto --host www.example.com

Miscellaneous

• Check page source for comments and information

• Check robots.txt file

• Run through transactions and collect the user flow to check for vulnerabilities Tool: BurpSuite

Map the application

• Spidering Tool: BurpSuite

• Brute force / dictionary attack tool Tool: dirsearch Tool: feroxbuster Tool: gobuster

• Application-specific wordlists

Information to collect

• Software used, and version (check "about", look for copyright years, "help" links that lead to documentation)

• Login pages

• Directories

• External user input (search bars, contact us forms)

• php info pages

Exploits

• Check for software used

  • "Powered by" banners at the bottom of the site

  • Identifiers or comments in page source code

  • Versions can be found in copyright year, "help" links, "about" links

• Search for default usernames and passwords

• Search for exploits (CVEs)