(OSINT) Active Enumeration

(OSINT) Active Enumeration

We can infer the Windows OS version in use by mapping the IIS version back to the Windows version that it comes installed on by default. Some default installations are:

• IIS 6.0: Windows Server 2003

• IIS 7.0-8.5: Windows Server 2008 / Windows Server 2008R2

• IIS 10.0 (v1607-v1709): Windows Server 2016

• IIS 10.0 (v1809-): Windows Server 2019

X-Powered-By header: This header can tell us what the web app is using. We can see values like PHP, ASP.NET, JSP, etc. X-Powered-By: PHP/7.4.21

Cookies: Cookies are another attractive value to look at as each technology by default has its cookies. Some of the default cookie values are:

• .NET: ASPSESSIONID<RANDOM>=<COOKIE_VALUE>

• PHP: PHPSESSID=<COOKIE_VALUE>

• JAVA: JSESSION=<COOKIE_VALUE>

https://github.com/leonjza/awesome-nmap-grep

#HTTP Headers
Intrusionz3r0X@htb[/htb]$ curl -I "http://${TARGET}"

# Recognizes web technologies. 
Intrusionz3r0X@htb[/htb]$ whatweb -a3 https://www.facebook.com -v

# Determine security solutions (WAF's)
Intrusionz3r0X@htb[/htb]$ pip3 install git+https://github.com/EnableSecurity/wafw00f
Intrusionz3r0X@htb[/htb]$ wafw00f -v https://www.tesla.com

#Nikto
Intrusionz3r0X@htb[/htb]$ sudo apt update && sudo apt install -y perl
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/sullo/nikto
Intrusionz3r0X@htb[/htb]$ cd nikto/program
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ chmod +x ./nikto.pl

Intrusionz3r0X@htb[/htb]$ nikto -h inlanefreight.com -Tuning b

#Eyewitness
Intrusionz3r0@htb[/htb]$ eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness

#aquatone
Intrusionz3r0@htb[/htb]$ cat web_discovery.xml | ./aquatone -nmap

#Scrapping Web sites
Intrusionz3r0X@htb[/htb]$ wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
Intrusionz3r0X@htb[/htb]$ unzip ReconSpider.zip 
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ pip3 install scrapy
Intrusionz3r0X@htb[/htb]$ python3 ReconSpider.py http://inlanefreight.com

#FinalRecon (Best Tool recommended by HTB Academy)
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/thewhiteh4t/FinalRecon.git
Intrusionz3r0X@htb[/htb]$ cd FinalRecon
Intrusionz3r0X@htb[/htb]$ python3 -m venv env
Intrusionz3r0X@htb[/htb]$ source env/bin/activate
Intrusionz3r0X@htb[/htb]$ pip3 install -r requirements.txt
Intrusionz3r0X@htb[/htb]$ chmod +x ./finalrecon.py
Intrusionz3r0X@htb[/htb]$ ./finalrecon.py --help
Intrusionz3r0X@htb[/htb]$ python3 finalrecon.py --full --url http://inlanefreight.htb:54093
Intrusionz3r0X@htb[/htb]$ deactivate

Search Engine Discovery (Google Dorking)

Operator	Operator Description	Example	Example Description
site:	Limits results to a specific website or domain.	site:example.com	Find all publicly accessible pages on example.com.
inurl:	Finds pages with a specific term in the URL.	inurl:login	Search for login pages on any website.
filetype:	Searches for files of a particular type.	filetype:pdf	Find downloadable PDF documents.
intitle:	Finds pages with a specific term in the title.	intitle:"confidential report"	Look for documents titled "confidential report" or similar variations.
intext: or inbody:	Searches for a term within the body text of pages.	intext:"password reset"	Identify webpages containing the term “password reset”.
cache:	Displays the cached version of a webpage (if available).	cache:example.com	View the cached version of example.com to see its previous content.
link:	Finds pages that link to a specific webpage.	link:example.com	Identify websites linking to example.com.
related:	Finds websites related to a specific webpage.	related:example.com	Discover websites similar to example.com.
info:	Provides a summary of information about a webpage.	info:example.com	Get basic details about example.com, such as its title and description.
define:	Provides definitions of a word or phrase.	define:phishing	Get a definition of "phishing" from various sources.
numrange:	Searches for numbers within a specific range.	site:example.com numrange:1000-2000	Find pages on example.com containing numbers between 1000 and 2000.
allintext:	Finds pages containing all specified words in the body text.	allintext:admin password reset	Search for pages containing both "admin" and "password reset" in the body text.
allinurl:	Finds pages containing all specified words in the URL.	allinurl:admin panel	Look for pages with "admin" and "panel" in the URL.
allintitle:	Finds pages containing all specified words in the title.	allintitle:confidential report 2023	Search for pages with "confidential," "report," and "2023" in the title.
AND	Narrows results by requiring all terms to be present.	site:example.com AND (inurl:admin OR inurl:login)	Find admin or login pages specifically on example.com.
OR	Broadens results by including pages with any of the terms.	"linux" OR "ubuntu" OR "debian"	Search for webpages mentioning Linux, Ubuntu, or Debian.
NOT	Excludes results containing the specified term.	site:bank.com NOT inurl:login	Find pages on bank.com excluding login pages.
* (wildcard)	Represents any character or word.	site:socialnetwork.com filetype:pdf user* manual	Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.
.. (range search)	Finds results within a specified numerical range.	site:ecommerce.com "price" 100..500	Look for products priced between 100 and 500 on an e-commerce website.
" " (quotation marks)	Searches for exact phrases.	"information security policy"	Find documents mentioning the exact phrase "information security policy".
- (minus sign)	Excludes terms from the search results.	site:news.com -inurl:sports	Search for news articles on news.com excluding sports-related content.

Examples of Google Dorks

OffSec’s Exploit Database Archive

Wayback Machine

Wayback Machine