Nikto Output
OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://<ipaddress>/images/".
Category Archives: Information Gathering
Link-Local Multicast Name Resolution (LLMNR) Detection
Nessus Output
Synopsis : The remote device supports LLMNR. Description : The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
Reported Risk factor by Nessus: None
In my option the severity should be much higher.
SMB Enumeration
Discover Wireless Network via Wiglenet
Test Objectives:
Determine which wireless networks are available on the targets physical location(s).
Brute forcing DNS Records
Test Objectives
Perform name lookups with a wordlist (dictionary attack) to identify services/hosts/websites in the target domain. Only applicable if Check for DNS zone transfer failed.
Check for Reverse DNS lookup presence
Test Objective:
Obtain valid server names and aliases for the IP addresses in the defined scope of the test.
Only applicable if Check for DNS zone transfer failed.
Check for DNS zone transfer
Test Objective
Test if the authoritative nameservers are allowing zone transfers for the domains in scope.
BING IP Search
Test Objectives
To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
(from the OWASP Testing Guide v4.0 Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
Fingerprint Web Server (Active)
Test Objectives
Find the version and type of a running web server to determine known
vulnerabilities and the appropriate exploits to use during testing.
(OWASP Testing Guide v4.0 – OTG-INFO-002)
Fingerprint Web Server (Passive)
Test Objectives
Find the version and type of a running web server to determine known
vulnerabilities and the appropriate exploits to use during testing.
(OWASP Testing Guide v4.0 – Fingerprint Web Server OTG-INFO-002)
Shodan Search
Test Objectives
To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
(from the OWASP Testing Guide v4.0 Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
Locate the Target Web Presence
Check for DNS software version
Test Objective:
Check if the DNS servers are vulnerable to version queries.
Analyze the reported version for vulnerabilities and available exploits.
Check For Authoritative Name Servers
Find Out Domain Registration Info and IP Block Owned
Objectives:
- Determine iprange of target(s)
- Determine nameservers of target(s)
- Determine ASnumber or target(s)
- Determine registrar of target (provider)
- Determine address information of Registrar
- Identify administrative contacts
- Collect telephone numbers
- Gather Emailaddresses