
One article on information gathering - super detailed!

Popularity:852 ℃/2024-10-21 23:50:52

Web information management

0x01 Information architecture

Programming language: search engines, file suffixes, and typical web-stack combinations.

Middleware: port scanning, inspecting the returned packets (response headers).

Domain name assets: collection, analysis

Operating system: URL case sensitivity, TTL value, fingerprint recognition

WINDOWS NT/2000   TTL:128
WINDOWS 95/98     TTL:32
UNIX              TTL:255
LINUX             TTL:64
WIN7              TTL:64
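The table above can be turned into a small classifier. This is an added example, not code from the original article: each OS starts from its default TTL and every router hop subtracts one, so the TTL seen in a ping reply is usually a little below one of the defaults. The sample ping lines and the 30-hop cutoff are constructed for this page, and the Windows 7 value is kept exactly as the article lists it.

```python
# Added example, not part of the original article: guess the OS family behind a
# ping reply from its TTL, using the default-TTL table above.
import re
from typing import Optional, Tuple

# Default initial TTLs exactly as the article lists them (Windows 7 given as 64).
DEFAULT_TTLS = {
    "WINDOWS NT/2000": 128,
    "WINDOWS 95/98": 32,
    "UNIX": 255,
    "LINUX / WIN7": 64,
}

TTL_RE = re.compile(r"\bttl[=:]\s*(\d{1,3})\b", re.IGNORECASE)


def parse_ttl_from_ping_line(line: str) -> Optional[int]:
    """Pull the TTL out of one ping reply line (Linux 'ttl=117' or Windows 'TTL=117')."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(observed_ttl: int, max_hops: int = 30) -> Optional[Tuple[str, int]]:
    """Return (os_family, estimated_hops) for an observed TTL, or None.

    The smallest default TTL that is >= the observed value is chosen; the gap
    is the estimated hop count.  A gap above max_hops (a constructed cutoff)
    is rejected: a host with a customised TTL is then more likely than a path
    that long.
    """
    if not 0 < observed_ttl <= 255:
        return None
    candidates = [(default, name) for name, default in DEFAULT_TTLS.items()
                  if default >= observed_ttl]
    if not candidates:
        return None
    default, name = min(candidates)
    hops = default - observed_ttl
    if hops > max_hops:
        return None
    return name, hops


if __name__ == "__main__":
    # Constructed sample replies, one Linux-style and one Windows-style.
    for sample in ("64 bytes from 192.0.2.10: icmp_seq=1 ttl=117 time=12.3 ms",
                   "Reply from 192.0.2.20: bytes=32 time=9ms TTL=52"):
        ttl = parse_ttl_from_ping_line(sample)
        print(ttl, guess_os_from_ttl(ttl))
```

The hop estimate is only a heuristic: the default TTL can be changed per host (net.ipv4.ip_default_ttl on Linux), so treat it as one signal alongside banner and fingerprint data rather than as proof.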

Social engineering: phishing emails, social engineering attacks

Asset monitoring: git asset monitoring

Web applications: plug-ins, applications, environments

0x02 Domain Name

2.1 Real IP acquisition

2.1.1 Introduction to the real IP

On websites deployed behind CDN acceleration, the IP you get from a direct ping or visit is the CDN node's IP, not the origin server's real IP.

2.1.2 CDN

2.1.2.1 What is a CDN?
  • Content Delivery Network (CDN): a traffic distribution platform made up of node servers in different regions, providing users with distributed content storage and caching.
  • Websites with a CDN are common in penetration testing. A CDN mainly solves the slow-access problem caused by transmission distance and by the peering between different carriers. Put simply, it is a group of high-speed cache servers placed at the interconnection points between carriers: frequently accessed static resources are cached on the node servers, repeat requests are served directly from the node nearest the user, and only real data interaction goes back to the remote web server. This greatly improves site response speed and user experience.
2.1.2.2 CDN identification
  • Super ping

    Seeing several different IPs for the same domain from different locations indicates a CDN.

    ITDOG:/ping//ping/
    nodecook:/zh/ping
    Webmaster Tools:/
    LoveWar.com:/
    ITDOG:/ping/
    
  • nslookup domain name resolution

    nslookup <domain>
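Both checks above (super ping from several locations, and nslookup answers) can be applied to captured text. This is an added example, not code from the original article or from any of the online tools it lists; the nslookup output, the vantage-point results and the CDN hostname are constructed, using documentation IP ranges.

```python
# Added example, not part of the original article: apply the two CDN checks
# above (super ping from several locations, nslookup answers) to captured text.
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CNAME_RE = re.compile(r"canonical name\s*=\s*(\S+)", re.IGNORECASE)


def parse_nslookup(output: str) -> Tuple[Optional[str], List[str]]:
    """Return (cname, answer_ips) from nslookup text output.

    Only the answer section is read, so the resolver address printed at the top
    ('Server:' / 'Address:') is not mistaken for a site IP.  Linux and Windows
    nslookup both print the 'Non-authoritative answer:' marker.
    """
    cname = None
    ips: List[str] = []
    in_answer = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.lower().endswith("answer:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        m = CNAME_RE.search(stripped)
        if m:
            cname = m.group(1).rstrip(".")
            continue
        for ip in IPV4_RE.findall(stripped):
            try:
                ipaddress.IPv4Address(ip)  # drops things like 999.1.1.1
            except ValueError:
                continue
            if ip not in ips:
                ips.append(ip)
    return cname, ips


def cdn_likely(vantage_results: Dict[str, Iterable[str]]) -> bool:
    """Super-ping rule: the same name resolving to different IPs from different
    vantage points points to a CDN.  One IP, or the same set everywhere (plain
    DNS round-robin), is not flagged; this is stricter than 'any two IPs differ'."""
    answer_sets = {frozenset(ips) for ips in vantage_results.values()}
    return len(answer_sets) > 1


# Constructed nslookup output (documentation IP ranges, made-up CDN hostname).
SAMPLE_NSLOOKUP = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
www.example.com\tcanonical name = www.example.com.cdn-provider.example.net.
Name:\twww.example.com.cdn-provider.example.net
Address: 198.51.100.10
Name:\twww.example.com.cdn-provider.example.net
Address: 198.51.100.11
"""

# Constructed super-ping results: three vantage points, two different answers.
SAMPLE_SUPER_PING = {
    "Beijing": ["198.51.100.10"],
    "Frankfurt": ["203.0.113.7"],
    "Tokyo": ["198.51.100.10"],
}

if __name__ == "__main__":
    print(parse_nslookup(SAMPLE_NSLOOKUP))
    print("CDN likely:", cdn_likely(SAMPLE_SUPER_PING))
```

A CNAME pointing at a provider's domain is often the clearest single hint, which is why parse_nslookup returns it alongside the addresses; the per-vantage comparison deliberately treats identical round-robin answers as "not a CDN", a stricter reading than the article's rule, so adjust it if you want any multi-IP answer flagged.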
    

2.2 Subdomains

2.2.1 Enumeration

  • Page recognition

    Accurate collection of subdomains from the links contained in web pages

  • Cyberspace mapping tools

    Collected through cyberspace mapping (search) tools

    ThreatBook (Microstep):/3
    360 Quake:https://quake.
    fofa:/
    ZoomEye:/
    Hunter (Eagle Figure):/
    
  • Domain mining tools

    OneForAll
    Subfinder
    Layer
    DNSRecon
    ......
    
  • Reverse IP lookup

    ip138:https://site./
    ......
    
  • Domain name resolution

    ip138:https://site./
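The "page recognition" method above, collecting subdomains from the links a page contains, as an added example that is not code from the original article. The sample page is constructed and uses the documentation domain example.com; the function resolves relative and protocol-relative links against the page URL and only accepts hosts on a dot boundary under the root domain.

```python
# Added example, not part of the original article: harvest in-scope subdomains
# from the links inside a fetched page, the 'page recognition' method above.
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute value (href, src, action, data-src)."""
    URL_ATTRS = {"href", "src", "action", "data-src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def subdomains_from_page(html: str, page_url: str, root_domain: str) -> Set[str]:
    """Return the hostnames referenced by the page that sit under root_domain.

    Relative and protocol-relative links are resolved against page_url first,
    and the match requires a '.' boundary so 'notexample.com' never counts as
    a subdomain of 'example.com'.
    """
    collector = _LinkCollector()
    collector.feed(html)
    root = root_domain.lower().strip(".")
    found: Set[str] = set()
    for raw in collector.urls:
        host = urlsplit(urljoin(page_url, raw)).hostname
        if not host:          # mailto:, javascript:, fragments, etc.
            continue
        host = host.lower().rstrip(".")
        if host == root or host.endswith("." + root):
            found.add(host)
    return found


# Constructed sample page; all in-scope hosts are under the documentation domain example.com.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//static.example.com/site.css">
<script src="https://cdn.other-provider.example.net/lib.js"></script>
</head><body>
<a href="/about">About</a>
<a href="https://api.example.com/v1/docs">API</a>
<a href="https://notexample.com/">Unrelated</a>
<a href="mailto:security@example.com">Contact</a>
<form action="https://mail.example.com/login"></form>
</body></html>
"""

if __name__ == "__main__":
    for host in sorted(subdomains_from_page(SAMPLE_HTML, "https://www.example.com/", "example.com")):
        print(host)
```

Feed it the HTML of each page you have already fetched and merge the sets; hosts outside the root domain (the third-party CDN script above) are dropped so the output stays within the assessed scope.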
    

2.2.2 Comprehensive Sub-Domain Search Tool

/subdomain/
/subdomain/
/
/
/
/v5/mapping

2.3 Other information collection on the website

2.3.1 whois queries

Online tools

Webmaster's Home domain name: /
Love Station domain name: /
Tencent Cloud domain name: /
MOCL domain name: /
LoveName.com domain name: https:///domain/
YiName.com domain name: /
China WANN domain name: /
Western Digital domain names: /
XINNET domain name WHOIS: /domain/whois/
NANET domain name W: /
China Resource domain name: /domain/
Sanwu domain name: https://cp./chinese/
Xinwang Internet domain name: /show/domain/whois/
Foreign WHOIS information query: /

Domain name reverse lookup:
/
/

ICP filing query:
/
/
/

2.3.2 Site information

2.3.2.1 Site-building stacks
  • MERN stack (MongoDB, Express.js, React, Node.js)

    The MERN stack is a full-stack JavaScript solution for building modern web applications.

    MongoDB: NoSQL database, suitable for storing unstructured data.
    Express.js: a lightweight web application framework built on Node.js.
    React: JavaScript library developed by Facebook for building user interfaces.
    Node.js: a server-side environment for running JavaScript.
    
  • MEAN stack (MongoDB, Express.js, Angular, Node.js)

    The MEAN stack is similar to MERN, but uses Angular instead of React.
    Angular: a framework developed by Google for building dynamic web applications.
    
  • LEMP stack (Linux, Nginx, MySQL, PHP)

    The LEMP stack is similar to LAMP, except that it uses Nginx as the web server.
    Nginx: a high-performance HTTP and reverse proxy server suited to handling highly concurrent requests.
    
  • MEVN stack (MongoDB, Express.js, Vue.js, Node.js)

    The MEVN stack is also a full-stack JavaScript solution, using Vue.js instead of React or Angular.
    Vue.js: a progressive framework for building user interfaces.
    
  • .NET stack (Windows, IIS, SQL Server, ASP.NET)

    The .NET stack is primarily oriented towards the Windows platform.

    Windows: operating system.
    IIS: Internet Information Services, the web server component on Windows.
    SQL Server: Microsoft's relational database management system.
    ASP.NET: Microsoft's web application framework, which supports multiple programming languages.
    
  • Ruby on Rails with PostgreSQL

    Ruby on Rails: an MVC framework for rapid development of web applications.
    PostgreSQL: a powerful open source object-relational database system.
    
  • Django with PostgreSQL or MySQL

    Django: a high-level Python web framework that encourages rapid development and clean, pragmatic design.
    PostgreSQL/MySQL: database management systems.
    
  • Java EE stack (Apache Tomcat, MySQL, Java)

    Apache Tomcat: Java Servlet container.
    MySQL: relational database management system.
    Java: programming language; the Java EE specification provides the standard for enterprise application development.
    
  • Flask or Django with SQLite or PostgreSQL (Python)

    Use Python's lightweight framework Flask, or Django, with SQLite or PostgreSQL databases.

    Flask: lightweight web application framework.
    SQLite: lightweight embedded database engine.
    
  • ASP.NET Core (cross-platform)

    ASP.NET Core: Microsoft's cross-platform web framework for Windows, Linux and macOS.
    SQL Server/MySQL/PostgreSQL: database options.
    
    
2.3.2.2 Sites built with site-building software

Sites built with site-building software such as phpStudy and Baota (BT Panel), for example, each have their own characteristics.

  • How to tell if a site was built with such software
    Capture the packets and look at the Server header; a particularly detailed value usually means site-building software was used. The following is a comparison of the
  • Judging which site-building software
    The best approach is to build a site by hand with the latest version of each package: the same version of the software usually ships the same middleware, and each has its own characteristics.
    For example, if a website is built with Baota, port 8888 is generally its management panel, so you can try accessing port 8888.
  • Another example is a website built with phpStudy: there is usually a phpmyadmin directory. Try visiting such a directory; if it redirects normally to the obvious page, it is basically phpStudy.

Server operating systems

  • Identified by the TTL field in ping replies
  • Fingerprint recognition tools
2.3.2.3 Search-engine syntax

Common Google search syntax

Basic search syntax
intitle: finds pages with specific keywords in the page title.
Example: intitle:"index of"

inurl: finds pages with a specific keyword in the URL.
Example: inurl:"admin"

filetype: finds a specific type of file.
Example: filetype:pdf "security report"

site: limits search results to a specific site.
Example: site.

related: finds other sites related to the specified site.
Example: related.

cache: views Google's cached version of a page.
Example: cache.

define: finds the definition of a word.
Example: define:information

Advanced search syntax
intext: finds pages that contain specific text in the body of the page.
Example: intext:"confidential"

link: finds pages that link to a specific URL.
Example: link.

info: displays some basic information about the URL.
Example: info.

allintitle: the page title contains all the given phrases.
Example: allintitle:"index of"

allinurl: the URL contains all the given phrases.
Example: allinurl:"login"

allintext: the body text contains all the given phrases.
Example: allintext:"secret document"

Combinations
You can combine the above operators to further refine your search results. Example:

intitle:"index of" filetype:pdf site.
This query looks for documents that contain "index of" in the title and are in PDF format.

Common Baidu search syntax

Generic search syntax
intitle: searches for a specific keyword in the title of a web page.
For example: intitle:backoffice management finds pages with "backoffice management" in the title.

inurl: searches for a specific keyword in the URL.
For example: inurl:/wp-admin/ finds pages with "/wp-admin/" in the URL.

filetype: searches for a specific type of file.
For example: filetype:pdf Security Report finds security report files in PDF format.

site: limits the search to a specific site.
Example: site: searches within one site only.

Double quotes ("..."): searches for exact matching phrases.
For example: "default password" only returns pages that contain the full phrase "default password".

Minus sign (-): excludes pages with specific keywords.
Example: login page -test excludes login pages containing "test".

Common applications
Finding the login page:
inurl:/login
intitle:"login page"

Finding configuration files or sensitive documents:
filetype:txt config
filetype:xml password

Finding subdomains:
site:.
Combined with a subdomain enumeration tool, this finds undisclosed subdomains more efficiently.

Finding development or test environments:
intitle:"Development Environment"
intitle:"test server"

2.4 Information on ports and their corresponding services

2.4.1 Using port scanning tools

Nmap is a powerful network exploration and port scanning tool that can be used to discover hosts and services. Examples:

TCP SYN scan: nmap -sS -p- <target>, scans all TCP ports.
TCP connect scan: nmap -sT -p 80,443 <target>, scans the specified ports (here HTTP and HTTPS).
UDP scan: nmap -sU -p 161 <target>, scans UDP ports (here SNMP).
Service version detection: nmap -sV -p 80,443 <target>, detects the service version.
Operating system detection: nmap -O <target>, detects the operating system type.
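Nmap can write its results as XML (the -oX option), which is the form worth keeping for later comparison. The following is an added example, not code from the original article or from the Nmap project: it reads a report in Nmap's XML layout, keeps only the open ports with their -sV product and version, and compares them with an allowlist of what should be reachable. The report, the address (a documentation range) and the allowlist are constructed.

```python
# Added example, not part of the original article: read an Nmap XML report
# (nmap ... -oX scan.xml) and compare the open ports with an expected allowlist.
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List


def parse_nmap_xml(xml_text: str) -> Dict[str, List[dict]]:
    """Map each host address to its open ports with service/product/version.

    Closed and filtered ports are dropped so the result is a plain exposure
    summary; -sV fills the product/version fields, otherwise they stay None.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, List[dict]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # explicit None check: an Element with no children is falsy
            addr_el = host.find("address")
        if addr_el is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": None if svc is None else svc.get("name"),
                "product": None if svc is None else svc.get("product"),
                "version": None if svc is None else svc.get("version"),
            })
        result[addr_el.get("addr")] = ports
    return result


def unexpected_ports(scan: Dict[str, List[dict]],
                     allowlist: Dict[str, Iterable[int]]) -> Dict[str, List[int]]:
    """Defender's check: open ports that are not on the host's allowlist.
    Hosts absent from the allowlist have every open port reported."""
    out: Dict[str, List[int]] = {}
    for addr, ports in scan.items():
        allowed = set(allowlist.get(addr, ()))
        extra = sorted(p["port"] for p in ports if p["port"] not in allowed)
        if extra:
            out[addr] = extra
    return out


# Constructed report in Nmap's XML layout (documentation address, made-up versions).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 22,80,443,3306 -oX - 192.0.2.10">
<host>
<status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
</ports>
</host>
</nmaprun>
"""

# Constructed allowlist: what this host is supposed to expose.
EXPECTED_EXPOSURE = {"192.0.2.10": [22, 80, 443]}

if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in scan.items():
        for p in ports:
            print(addr, p["port"], p["service"], p["product"], p["version"])
    print("unexpected:", unexpected_ports(scan, EXPECTED_EXPOSURE))
```

The database port showing up as unexpected is the kind of finding this comparison exists for; run the same scan on a schedule and diff the parsed result against the previous one to catch services that appear between assessments.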

2.4.2 Querying with Whois

A Whois query can be used to obtain the registration information of the target domain name, including IP address, etc., so that further port scanning can be performed. For example:

whois <domain>

2.4.3 DNS enumeration

Use tools such as DNSRecon or Layer subdomain miner to discover other domains or subdomains related to the target domain.

DNSRecon: dnsrecon -d <domain> -r <resolver>
Layer Sub-Domain Digger: layer_subdomain_brute <options>

2.4.4 Using online port scanning tools

There are many online port scanning services that can be used directly in a browser, for example:

: /port/
Postjson: /

2.4.5 Manual use of command line tools

Netcat: can be used to test whether a single port is open.

nc -zv <target> <port>

Telnet: can also be used to test ports.

telnet <target> <port>

2.4.6 Use of automated tools

Metasploit: contains a number of modules for port scanning and service probing

msfconsole
use auxiliary/scanner/portscan/tcp
set RHOSTS <target>
run

2.5 Directory scanning

2.5.1 Common sensitive directories

Website backup files/data: online compressor (files) / Empire Backup King (data)
Backend login directory: /admin /.manage
Installation package (source code): non-open-source, commercial / zip file / install
File upload directory: /upload /
File upload directory - webshell
MySQL management interface: web management page / phpMyAdmin
Program installation path: /install
PHP probe: phpinfo / Yahei PHP probe
Text editor
Linux: users - cat /etc/passwd; password hashes - cat /etc/shadow; sudo rules - cat /etc/sudoers
macOS: .DS_Store stores a folder's custom attributes as a hidden file (must be deleted before deployment)
Editor temporary files: .swp
Directory traversal: Tomcat WEB-INF
Other unconventional files: /

2.5.2 Tool scanning

Imperial Sword
dirb
Burp Suite
DirBrute
Dirsearch
Dirmap
wfuzz
Cast Sword

2.6 Packet capture analysis

2.6.1 Purpose

  • Understanding Communication Behavior: By analyzing the packets, you can understand the details of the interaction between the web application and the external system.
  • Detecting security vulnerabilities: Identify leakage of sensitive information in data packets, weak authentication mechanisms, etc.
  • Simulated Attacks: Simulate attacks based on captured packets to verify the security of the system.
  • Problem Diagnosis: Helps network administrators and developers diagnose network problems or application failures.

2.6.2 Common tools:

  • Wireshark
  • Fiddler
  • Burp Suite
  • tcpdump
  • cURL

2.6.3 Analyzing packets

  • Using Display Filters: Use display filters in captured packets to find specific packets of interest.
  • Check protocol fields: Look carefully at the protocol fields in the packet, such as HTTP request headers, response headers, cookies, etc.
  • Analyze sensitive information: Check for the presence of sensitive information such as plaintext passwords and API keys.
  • Look for unusual behavior: watch for unusual response codes or unusual request patterns
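The "analyze sensitive information" step above, as an added example that is not code from the original article: it scans one captured HTTP message for credentials and keys travelling in the clear, and checks Set-Cookie headers for the Secure and HttpOnly flags. The request, response, credentials and key are all constructed; the patterns are a starting set to tune for the application under test.

```python
# Added example, not part of the original article: scan a captured HTTP
# message for secrets in the clear and for session cookies missing flags,
# the 'analyze sensitive information' step above.
import re
from typing import List, Tuple

# Constructed patterns for the example; tune them to the application under test.
PATTERNS = [
    ("basic-auth header", re.compile(r"^Authorization:\s*Basic\s+[A-Za-z0-9+/=]+", re.I | re.M)),
    ("bearer token", re.compile(r"^Authorization:\s*Bearer\s+\S+", re.I | re.M)),
    ("password field", re.compile(r"(?:^|[&?\s\"'{,])(?:password|passwd|pwd)\s*[=:]\s*\"?[^&\s\"']+", re.I)),
    ("api key", re.compile(r"(?:api[_-]?key|x-api-key)\s*[=:]\s*\"?[A-Za-z0-9_\-]{8,}", re.I)),
]


def find_sensitive(http_text: str) -> List[Tuple[str, str]]:
    """Return (label, excerpt) for every plaintext secret found in one HTTP
    message (headers plus body).  Excerpts are truncated so a report does not
    itself become a copy of the secret."""
    findings = []
    for label, pattern in PATTERNS:
        for m in pattern.finditer(http_text):
            findings.append((label, m.group(0).strip()[:40]))
    return findings


def weak_cookie_flags(http_text: str) -> List[Tuple[str, List[str]]]:
    """Return (cookie_name, missing_flags) for Set-Cookie headers that lack
    Secure or HttpOnly, the attributes that keep a session cookie off plain
    HTTP and away from page scripts."""
    out = []
    for m in re.finditer(r"^Set-Cookie:\s*([^=;\s]+)=[^\r\n]*", http_text, re.I | re.M):
        line = m.group(0)
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if not re.search(r";\s*" + flag + r"\b", line, re.I)]
        if missing:
            out.append((m.group(1), missing))
    return out


# Constructed request/response pair; credentials and key are made-up values.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2&api_key=k3y_EXAMPLE_0123456789"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=c0nstructed; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=c0nstructed2; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, excerpt in find_sensitive(SAMPLE_REQUEST):
        print(f"{label}: {excerpt}")
    for name, missing in weak_cookie_flags(SAMPLE_RESPONSE):
        print(f"cookie {name} missing {', '.join(missing)}")
```

Run it over each request/response pair exported from the proxy; a hit on a request sent over plain HTTP is a confirmed leak, while a hit over HTTPS is still worth recording because it shows where the secret lives.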

0x03 Source Code

Category: open source CMS, closed source

3.1 CMS Identification

3.1.1 Identification methods

3.1.1.1 Manual identification
  • Recognized by page features and footer information

    The name of the CMS is often left in the footer declaration section

  • Checking the website source code

    CMSs usually leave specific markup in the page source, such as the generator attribute of an HTML <meta> tag. Also check for specific file names or paths, for example /wp-admin/ (WordPress) or /admin/ (Joomla).

  • File and directory characteristics

    Different CMSs have their own unique file and directory structures. For example, WordPress has a wp-content directory, whereas Joomla has an administrator directory; looking for these specific files or directories identifies the CMS type.

  • JavaScript and CSS files

    CMSs usually load specific JavaScript and CSS files on the page. Analysing the names and content of these files also helps to identify the CMS.

  • HTTP response header information

    Some CMSs include specific information in the HTTP response headers, such as the X-Powered-By field, which can be used to identify the CMS type.
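The manual checks above (meta generator, known paths, Server and X-Powered-By headers, including the Server-header check from section 2.3.2.2) gathered into one function, as an added example that is not code from the original article or from any fingerprinting tool it lists. The page, headers and path signatures are constructed from the article's own examples; the second function flags the version strings a defender should suppress on their own servers.

```python
# Added example, not part of the original article: collect the fingerprint
# evidence described above (meta generator, known paths, Server and
# X-Powered-By headers) from one fetched page and its response headers.
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional


class _HintCollector(HTMLParser):
    """Pick up <meta name="generator"> and every src/href path on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None
        self.paths: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href"):
            if a.get(key):
                self.paths.append(a[key])


# Path markers taken from the article's examples; extend with your own CMS list.
PATH_SIGNATURES = {
    "WordPress": ("/wp-content/", "/wp-includes/", "/wp-admin/"),
    "Joomla": ("/administrator/",),
}


def fingerprint(html: str, headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {technology: [evidence, ...]} for the page and response headers."""
    collector = _HintCollector()
    collector.feed(html)
    evidence: Dict[str, List[str]] = {}

    def add(tech: str, why: str) -> None:
        evidence.setdefault(tech, []).append(why)

    if collector.generator:
        add(collector.generator.split()[0], f"meta generator: {collector.generator}")
    for path in collector.paths:
        for tech, markers in PATH_SIGNATURES.items():
            if any(marker in path for marker in markers):
                add(tech, f"path hint: {path}")
    for name in ("Server", "X-Powered-By"):
        value = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
        if value:
            add(value.split("/")[0], f"{name} header: {value}")
    return evidence


def version_disclosures(headers: Dict[str, str]) -> Dict[str, str]:
    """Headers that reveal a version number (e.g. 'nginx/1.18.0').  On your own
    servers these are the values to suppress (nginx server_tokens off, PHP
    expose_php=Off) because they hand version-specific CVE lookups to anyone."""
    out: Dict[str, str] = {}
    for name, value in headers.items():
        m = re.search(r"/(\d+(?:\.\d+)+)", value)
        if m:
            out[name] = m.group(1)
    return out


# Constructed page and headers.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.5">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
                  "Content-Type": "text/html"}

if __name__ == "__main__":
    for tech, why in fingerprint(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(tech, "<-", "; ".join(why))
    print("version leaks:", version_disclosures(SAMPLE_HEADERS))
```

Each technology comes back with the evidence that produced it rather than a bare verdict, so a single misleading header (easy to spoof) does not outweigh three consistent path hints.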

3.1.1.2 Tool identification
  • Cloud knows fingerprint recognition
  • Tidal Fingerprinting
  • Tool identification tidefinger
  • Online Fingerprint Recognition
  • wappalyzer browser plugin
  • whatweb (local)

3.2 When the CMS can be identified

3.2.1 Open source CMS

If the target website is built on an open source CMS (Content Management System), you can download the latest version of the source code from the official website. For example, WordPress, Drupal, etc. have official releases.

3.2.2 Using search engines

With specific queries in search engines it is sometimes possible to find unprotected source code files. For example, using the Google Hacking approach, a query such as filetype:zip intext:source code can turn up the zip file in which the source code is stored.

3.2.3 Using public code repositories

Developers sometimes inadvertently upload project source code to public code repositories such as GitHub, Gitee and other platforms, which may contain sensitive information. The project repository can be found by searching for relevant keywords or the developer's username.

3.3 When the CMS cannot be identified

  • (PHP feature)

  • Git source code leak:

  • SVN source code leak:

  • Hg (Mercurial) source code leak:

  • Website backup zip file leak:

  • WEB-INF/ leak:

  • .DS_Store file leak:

  • SWP file leak:

  • CVS leak:

  • Bzr leak:

  • GitHub source code leak:
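The leak types listed here and the sensitive directories in section 2.5.1 are easiest to catch on the server side, before anyone scans for them. The following is an added example, not code from the original article: it walks a document root and reports VCS metadata, editor and OS droppings, backups, installer and WEB-INF leftovers. The risky-name lists are drawn from the article's items and extended with a few common backup suffixes; the demo document root it builds in a temporary directory is constructed.

```python
# Added example, not part of the original article: audit a document root on
# the server side for the artifacts the two lists above describe (VCS
# metadata, editor and OS droppings, backups, installer and WEB-INF leftovers).
import os
import shutil
import tempfile
from typing import List, Tuple

# Constructed lists drawn from the article's items; extend for your own stack.
RISKY_DIRS = {".git", ".svn", ".hg", ".bzr", "CVS", "WEB-INF", "install", "phpmyadmin"}
RISKY_FILES = {".DS_Store", "phpinfo.php", ".env"}
RISKY_SUFFIXES = (".swp", ".bak", ".old", ".zip", ".rar", ".tar.gz", ".sql", "~")


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative_path, reason) for risky artifacts."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((os.path.normpath(os.path.join(rel_dir, d)),
                                 f"directory '{d}' exposed"))
                dirnames.remove(d)  # the directory itself is the finding; no need to descend
        for f in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, f))
            if f in RISKY_FILES:
                findings.append((rel, "sensitive file"))
            elif f.lower().endswith(RISKY_SUFFIXES):
                findings.append((rel, "backup/temporary file"))
    return sorted(findings)


def build_demo_webroot() -> str:
    """Create a throwaway document root seeded with constructed leaks."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for d in (os.path.join(".git", "objects"), "assets", "WEB-INF"):
        os.makedirs(os.path.join(root, d))
    for rel in ("index.php", os.path.join("assets", "app.js"),
                os.path.join("assets", ".DS_Store"), "config.php.swp", "backup.zip"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed sample\n")
    return root


def remove_demo_webroot(root: str) -> None:
    """Delete the throwaway document root."""
    shutil.rmtree(root, ignore_errors=True)


def demo_findings() -> List[Tuple[str, str]]:
    """Build the demo root, audit it, clean up, return paths with '/' separators."""
    root = build_demo_webroot()
    try:
        return [(p.replace(os.sep, "/"), why) for p, why in audit_webroot(root)]
    finally:
        remove_demo_webroot(root)


if __name__ == "__main__":
    for path, why in demo_findings():
        print(f"{path}: {why}")
```

Point audit_webroot at the real document root as part of a deployment check; anything it reports should either be deleted or denied in the web server configuration (and a deploy that copies a working tree with its .git directory is the usual root cause).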

3.4 Black source code:

  • interdependent

0x04 Collection of business information

4.1 Basic information of concern

  • Basic enterprise information: including company name, registered address, legal representative, registered capital, business scope and so on.
  • Shareholder information: Understand the company's ownership structure and identify major shareholders and their shareholdings.
  • Financial information: Although financial information is usually more sensitive, some financial reports are available through public channels.
  • Legal Status: Includes the company's record of legal proceedings, record of administrative penalties, etc.
  • Technical information: software, hardware and service providers used, etc. This information helps to identify possible technical vulnerabilities.
  • Domain name information: including the main domain name, subdomain name, side site and other information.
  • Network information: including IP addresses, open ports, network devices, etc.
  • System information: operating system version, middleware information, server configuration, etc.
  • Contact phone number/email: Contact information can be used for social engineering attacks or phishing tests.

4.2 Methods of information collection

4.2.1 Passive information collection

Passive information collection is the acquisition of relevant information about a target system through open channels, without directly interacting with the target system. Commonly used methods include:

  • Search engines: use Google, Bing and other search engines to find information related to the target company.
  • Cyberspace search engines: use tools such as FOFA, Shodan, ZoomEye, etc. to search for devices and services on the Internet.
  • Whois query: get domain name registration information through a Whois query.
  • Record information query: get the ICP record information of the target website through an ICP filing query site.
  • Social media and professional networks: search for employees of the target company on platforms such as LinkedIn, Weibo, etc.
  • Qichacha, Tianyancha, Qixinbao: these platforms provide comprehensive enterprise information search services.
  • National Enterprise Credit Information Publicity System: query related information.
  • Local industry and commerce bureau websites: some regional bureau websites provide more detailed business information.
  • Stock exchange websites: listed companies publish annual reports, announcements and other information on the exchange website.
  • Internal personnel: names, positions, contact information, addresses, e-mail addresses, partner enterprises (including social engineering).

4.3 Organization of collected information

4.3.1 Organization of basic information

  • Basic business information: name, address, contact information, etc.
  • Network infrastructure: IP addresses, subnet masks, domain names, open ports, services, etc.
  • Technical information: software used, hardware, frameworks, version numbers, etc.
  • Employee information: names, positions, contact information, etc. of key personnel.
  • Social engineering information: employee habits, social accounts, possible social engineering entry points, etc.
  • Financial and legal information: financial status, legal disputes, etc.
  • Public documents: reports, manuals, white papers, etc.

4.3.2 Detailed labeling

  • Tags: tag each message.
  • Annotation: Label the source of the information, when it was collected, and its credibility.

0x05 Collecting web information from software

5.1 App information collection

5.1.2 Decompilation

Decompile first to see the source code or other information.

5.1.3 AppInfoScanner usage

  1. Run
  • Scan an Android application's APK file, a DEX file, the download address of an APK to be downloaded, or a directory of files to be scanned
    python android -i <file address (including network address)>
  • Scan an iOS app's IPA file, a Mach-O file, the download address of an IPA to be downloaded, or a directory of files to be scanned
    python ios -i <file address (including network address)>
  • Scan web sites: files, directories, or site URLs that need to be cached
    python web -i <file address (including network address)>

Parameter description:

python android -i :
  scan a local APK
  scan the APK file contained in a URL
  scan a local URL site, including local web and URL-containing sites
-r  add temporary rules (keywords)
-s  disable network sniffing
-n  ignore all resource files
-t  set the number of concurrent threads
-o  specify the result set or file output directory
-p  scan only the contents of files under the specified package name (Android)

5.2 exe collection of web information

5.2.1 Collection of basic application information

  • Software official website: Visit the official website of the software to get the version information, update log, user manual, etc. of the software.
  • Developer Information: Find information about the developer or publisher and find out if they have other software products or web services.
  • License and registration information: If the software requires a license key, try to get the relevant information.

5.2.2 Reverse engineering and code analysis

  • Decompile: Use tools such as IDA Pro, Ghidra or OllyDbg to decompile .exe files and analyze their internal logic.
  • String Extraction: Use or a similar tool to extract strings from .exe files, looking for URLs or IP addresses that may point to Web services.
  • Dependent Libraries: Examine the library files, such as DLLs, on which the .exe file depends and analyze their functionality.

5.2.3 Network communication analysis

  • Packet-catching tools: Use tools such as Wireshark, Fiddler, Burp Suite, or Charles Proxy to intercept and analyze communications between applications and Web services.
  • HTTPS traffic: Verify that the application uses the HTTPS protocol, as well as the SSL/TLS version and encryption suite.
  • API endpoints: Identify API endpoints invoked by the application, analyze request methods, parameters, response formats, etc.

0x06 Tool Information Collection

6.1 finger

python -arguments

FINGER keeps the command-line parameters to a minimum; only the following are used.

  • -u      fingerprint a single URL
  • -f      batch fingerprint the URLs in the specified file
  • -i      run a FOFA data query on an IP to collect its web assets
  • -if     batch call FOFA to collect web assets for the IPs in the specified file
  • -fofa   call the FOFA API for asset collection
  • -quake  call 360 Quake for asset collection
  • -o      specify the output format; xlsx by default if not set, json and xls are also supported

6.2 Shuize

Syntax and functions
python3 -d <domain>                              collect assets for a single root domain
python3 --domainFile <file>                      batch run a list of root domains
python3 -c 192.168.1.0,192.168.2.0,192.168.3.0   collect C-segment assets
python3 -f <file>                                detect vulnerabilities in the listed URLs
python3 --fofaTitle "XXX University"             collect assets whose FOFA title is XXX University, then run vulnerability detection
python3 -d <domain> --justInfoGather 1           information collection only, no vulnerability detection
python3 -d <domain> --ksubdomain 0               brute-force subdomains without calling ksubdomain

6.3 kunyu

Commands

-info                                   query user information
-searchhost <IP address>                search host assets
-searchweb <url>                        search web assets
-searchicon <local file/remote file address>
-Seebug Thinkphp                        view the vulnerability history of ThinkPHP

6.4 ARL (Asset Reconnaissance Lighthouse)

  • Domain Name Asset Discovery and Organization
  • IP/IP segment asset organization
  • Port scanning and service identification
  • WEB site fingerprinting
  • Asset grouping management and search
  • Task Policy Configuration
  • Scheduled and periodic tasks
  • Github Keyword Monitoring
  • Domain/IP Asset Monitoring
  • Site change monitoring
  • Risk detection such as document leakage
  • nuclei PoC calls
  • WebInfoHunter Calling and Monitoring

0x07 Information Recognition

7.1 Obstacles

7.1.1 Common obstacles

  • Super ping
  • WAF: identification by inspection (see 7.1.3), wafw00f, online WAF identification
  • Load balancing: CDN
  • Firewall: the system's built-in firewall, plus external physical firewalls; some can be recognized with nmap

7.1.2 CDN

7.1.2.1 CDN judgment
  • Super ping to determine whether there is a CDN
  • Check network response speed: videos, image files
  • You can also use the Windows command nslookup: if the target resolves to more than one IP, it is likely to have a CDN service
  • Use an online tool; the tool's address is as follows
    CDN Planet:/tools/cdnfinder/
7.1.2.2 CDN configuration
  • Tencent Cloud: Content Delivery Network CDN - Configuring CDN from Scratch - Quick Start - Document Center - Tencent Cloud ()
  • Aliyun: Beginner's Guide - CDN - AliCloud Help Center ()
7.1.2.3 CDN bypassing
  • Subdomains

    Subdomain lookup:

    On some websites only the main site is accelerated, while some other subdomains sit in the same C segment or on the same server as the main site.

    Use a subdomain lookup tool:

    /subdomain/
    /subdomain/    
    /
    /
    /
    /v5/mapping
     
    
  • Foreign access

    Some CDNs only accelerate part of the regions; access from a region that is not accelerated then reaches the real host IP.

    The IP can be viewed by doing a super ping with an online tool such as:

    ipip online tool
    itdog online tool
    /
    /
    
  • Mail access

    When the site sends emails, the email source contains the real IP of the host.

  • Active connection vulnerabilities: XSS, SSRF

    When actively connecting through a vulnerability, the

  • Legacy documents

    Test sites at the time the site is built will often have test files, such as the file

  • Viewing DNS history

    Before the CDN service was enabled, the real IP may have been recorded by DNS services, so the host's real IP may exist in the DNS history.

    /dns/
    /
    https://site./
    
  • Scanning tools

    Filtering: once similar IPs are found, use the tool to filter them

    Tool lookup:

    Online tools:

    /
    
  • Local tools:

    zmap

    Download: /zmap/zmap
    Tutorials:/
    

    fuckcdn

    w8Fuckcd

  • Follow-up operations:
    Change the hosts file to bind the IP and access the site directly

7.1.3 WAF

7.1.3.1 WAF classification
  • Cloud WAF
  • Hardware WAF
  • Software WAF
  • Other WAF
7.1.3.2 nmap recognizes WAFs
nmap -p 80,443 --script=http-waf-detect <target URL or IP>
nmap -p 80,443 --script=http-waf-fingerprint <target URL or IP>
7.1.3.3 wafw00f identifies WAFs

nmap has 19 fingerprints by default, sqlmap has 94 fingerprints by default, wafw00f has 155 fingerprints by default

wafw00f [url]
-h, --help                 show this help message and exit
-v, --verbose              enable verbosity; multiple -v options increase the level of detail
-a, --findall              find all WAFs, do not stop at the first one detected
-r, --disableredirect      do not follow redirects given in 3xx responses
-t TEST, --test=TEST       test for a specific WAF
-l, --list                 list all WAFs that can be detected
-p PROXY, --proxy=PROXY    send requests through an HTTP proxy, e.g. http://hostname:8080, socks5://hostname:1080
-V, --version              print version information
-H HEADERSFILE, --headersfile=HEADERSFILE
                           pass custom headers, e.g. to override the default User-Agent string
7.1.3.4 Identifying by the intercept page

Use the intercept (block) page to identify the WAF

7.2 Consolidated information

7.2.1 Basic information

Domain Information: Includes the main domain name and all related sub-domains.
IP Address: the public IP address of the target system.
Physical location: Knowing the geographic location of a target can help identify potential physical security risks.

7.2.2 Network infrastructure

Network Architecture: Understand the overall layout of the target network, including internal network structure, firewall configuration, etc.
Open Ports: Scans all ports open on the target system.
Service version: Identifies the services provided by the target system and their version numbers, which helps to discover known vulnerabilities.
Operating System: Determines the type and version of operating system used by the target system.
Middleware: Identifies middleware such as web servers, database servers, etc. in use.

7.2.3 Application information

Web applications: Gather information such as the URL of the target website, the programming language used, the framework, etc.
CMS Fingerprint: Identifies whether the target is using a CMS (e.g. WordPress, Drupal, etc.) and its version.
Web Framework: Identifies the web development framework used (e.g. Django, Ruby on Rails, etc.).
API Endpoints: Discover API endpoints and try to understand their functionality.

7.2.4 Sensitive information

Database Information: Attempts to discover the location of database files or configuration files, such as or .env files.
Backup Files: Finds backup files or directories that may exist.
Configuration files: look for potentially exposed configuration files that may contain sensitive information such as usernames, passwords, and so on.
Sensitive files: such as .gitignore files, which may reveal the structure of the project or other sensitive information.

7.2.5 Catalog and service information

Directory listing: attempts to list the directory structure of the site.
Sensitive directories: Look for directories that may contain sensitive information such as /admin, /login, etc.
Unauthorized Access: Finds URLs or files that may have unauthorized access.

7.2.6 Social engineering

Employee information: Learn about employee roles and responsibilities through social media (e.g., LinkedIn).
Organizational structure: Understand the company's organizational structure, including departmental setups, division of labor among employees, and so on.
Supply chain information: Identify partners, suppliers, etc. of the target company.

7.2.7 Other information

Historical vulnerabilities: Check the CVE database for known security vulnerabilities on the target system.
Certificate Information: Gather information about SSL/TLS certificates to know the validity period of the certificates, issuers and so on.
Email information: Get the IP address of the mail server, etc. through the email header information.
Social Media Accounts: Learn about the official social media accounts of the target organization.