(OSINT) Active Enumeration

We can infer the Windows OS version in use by mapping the IIS version back to the Windows version that it comes installed on by default. Some default installations are:

IIS 6.0: Windows Server 2003
IIS 7.0-8.5: Windows Server 2008 / Windows Server 2008R2
IIS 10.0 (v1607-v1709): Windows Server 2016
IIS 10.0 (v1809-): Windows Server 2019

X-Powered-By header: This header can tell us what the web app is using. We can see values like PHP, ASP.NET, JSP, etc. X-Powered-By: PHP/7.4.21

Cookies: Cookies are another attractive value to look at as each technology by default has its cookies. Some of the default cookie values are:

.NET: ASPSESSIONID<RANDOM>=<COOKIE_VALUE>
PHP: PHPSESSID=<COOKIE_VALUE>
JAVA: JSESSION=<COOKIE_VALUE>

https://github.com/leonjza/awesome-nmap-grep


#HTTP Headers
Intrusionz3r0X@htb[/htb]$ curl -I "http://${TARGET}"

# Recognizes web technologies. 
Intrusionz3r0X@htb[/htb]$ whatweb -a3 https://www.facebook.com -v

# Determine security solutions (WAF's)
Intrusionz3r0X@htb[/htb]$ pip3 install git+https://github.com/EnableSecurity/wafw00f
Intrusionz3r0X@htb[/htb]$ wafw00f -v https://www.tesla.com

#Nikto
Intrusionz3r0X@htb[/htb]$ sudo apt update && sudo apt install -y perl
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/sullo/nikto
Intrusionz3r0X@htb[/htb]$ cd nikto/program
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ chmod +x ./nikto.pl

Intrusionz3r0X@htb[/htb]$ nikto -h inlanefreight.com -Tuning b

#Eyewitness
Intrusionz3r0@htb[/htb]$ eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness

#aquatone
Intrusionz3r0@htb[/htb]$ cat web_discovery.xml | ./aquatone -nmap

#Scrapping Web sites
Intrusionz3r0X@htb[/htb]$ wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
Intrusionz3r0X@htb[/htb]$ unzip ReconSpider.zip 
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ pip3 install scrapy
Intrusionz3r0X@htb[/htb]$ python3 ReconSpider.py http://inlanefreight.com

#FinalRecon (Best Tool recommended by HTB Academy)
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/thewhiteh4t/FinalRecon.git
Intrusionz3r0X@htb[/htb]$ cd FinalRecon
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ pip3 install -r requirements.txt
Intrusionz3r0X@htb[/htb]$ chmod +x ./finalrecon.py
Intrusionz3r0X@htb[/htb]$ ./finalrecon.py --help
Intrusionz3r0X@htb[/htb]$ python3 finalrecon.py --full --url http://inlanefreight.htb:54093
Intrusionz3r0X@htb[/htb]$ deactivate

Search Engine Discovery (Google Dorking)

Operator

Operator Description

Example

Example Description

site:

Limits results to a specific website or domain.

site:example.com

Find all publicly accessible pages on example.com.

inurl:

Finds pages with a specific term in the URL.

inurl:login

Search for login pages on any website.

filetype:

Searches for files of a particular type.

filetype:pdf

Find downloadable PDF documents.

intitle:

Finds pages with a specific term in the title.

intitle:"confidential report"

Look for documents titled "confidential report" or similar variations.

intext: or inbody:

Searches for a term within the body text of pages.

intext:"password reset"

Identify webpages containing the term “password reset”.

cache:

Displays the cached version of a webpage (if available).

cache:example.com

View the cached version of example.com to see its previous content.

link:

Finds pages that link to a specific webpage.

link:example.com

Identify websites linking to example.com.

related:

Finds websites related to a specific webpage.

related:example.com

Discover websites similar to example.com.

info:

Provides a summary of information about a webpage.

info:example.com

Get basic details about example.com, such as its title and description.

define:

Provides definitions of a word or phrase.

define:phishing

Get a definition of "phishing" from various sources.

numrange:

Searches for numbers within a specific range.

site:example.com numrange:1000-2000

Find pages on example.com containing numbers between 1000 and 2000.

allintext:

Finds pages containing all specified words in the body text.

allintext:admin password reset

Search for pages containing both "admin" and "password reset" in the body text.

allinurl:

Finds pages containing all specified words in the URL.

allinurl:admin panel

Look for pages with "admin" and "panel" in the URL.

allintitle:

Finds pages containing all specified words in the title.

allintitle:confidential report 2023

Search for pages with "confidential," "report," and "2023" in the title.

AND

Narrows results by requiring all terms to be present.

site:example.com AND (inurl:admin OR inurl:login)

Find admin or login pages specifically on example.com.

OR

Broadens results by including pages with any of the terms.

"linux" OR "ubuntu" OR "debian"

Search for webpages mentioning Linux, Ubuntu, or Debian.

NOT

Excludes results containing the specified term.

site:bank.com NOT inurl:login

Find pages on bank.com excluding login pages.

* (wildcard)

Represents any character or word.

site:socialnetwork.com filetype:pdf user* manual

Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.

.. (range search)

Finds results within a specified numerical range.

site:ecommerce.com "price" 100..500

Look for products priced between 100 and 500 on an e-commerce website.

" " (quotation marks)

Searches for exact phrases.

"information security policy"

Find documents mentioning the exact phrase "information security policy".

- (minus sign)

Excludes terms from the search results.

site:news.com -inurl:sports

Search for news articles on news.com excluding sports-related content.

Examples of Google Dorks

OffSec’s Exploit Database Archive

Wayback Machine

PreviousNetwork Enumeration Next(OSINT) Passive Enumeration