Test Objectives:
What you can ‘learn’ about your target by harvesting publicly accessible information.
Tests to perform:
- Locate the Target Web Presence
- Find Out Domain Registration Info and IP Block Owned
- Check for Authoritative Name Servers
- Check for DNS zone transfer
- Check for Reverse DNS lookup presence
- Brute forcing DNS Records
- Check for DNS software version
- BING IP Search
- Shodan Search
- Fingerprint Web Server (Passive)
- Discover Wireless Network via Wiglenet
to be continued…
Web Server HTTP Header Internal IP Disclosure
Nikto Output: OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://<ipaddress>/images/".

Link-Local Multicast Name Resolution (LLMNR) Detection

Discover Wireless Network via Wiglenet

Brute forcing DNS Records
Test Objectives: Perform name lookups with a wordlist (dictionary attack) to identify services/hosts/websites in the target domain. Only applicable if Check for DNS zone transfer failed.

Check for Reverse DNS lookup presence
Test Objective: Obtain valid server names and aliases for the IP addresses in the defined scope of the test. Only applicable if Check for DNS zone transfer failed.

Check for DNS zone transfer
Test Objective: Test if the authoritative nameservers are allowing zone transfers for the domains in scope.

BING IP Search

Fingerprint Web Server (Active)
Test Objectives: Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing. (OWASP Testing Guide v4.0 – OTG-INFO-002)

Fingerprint Web Server (Passive)
Test Objectives: Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits to use during testing. (OWASP Testing Guide v4.0 – Fingerprint Web Server OTG-INFO-002)

Shodan Search

Check for DNS software version
