Recon Methodology!
- ManieshNeupane
- Jun 29, 2022
- 3 min read
This tool can be used alongside your usual approach to penetration testing. The idea is to quickly check and gather information about your target organisation without spending time recalling the query syntax for each check. It can also help you define an approach to finding some quick wins on the target.
Techniques
1:) Directory Listing: Finding open directories on your target organisation with a Google Dork helps you understand the directory structure of the web server. It may reveal sensitive information or lead to information disclosure.
2:) Configuration Files: Configuration files often contain sensitive information such as hardcoded passwords, sensitive drive locations or API tokens, which can help you gain privileged access to internal resources.
3:) Database Files: Database files store the contents of a database in a structured format, in separate tables and fields. Depending on the nature of the web application, these files could provide access to sensitive information.
4:) WordPress: WordPress is an open-source CMS written in PHP. WordPress has thousands of plugins to build, customise and enhance websites, and there are numerous vulnerabilities in these plugins. Finding WordPress related.
5:) Log Files: Log files sometimes provide detailed information about users' activities in a particular application. These files are a good place to look for session cookies or other types of tokens.
6:) Backup and Old Files: Backup files are original copies of critical systems. They can provide access to PII or other sensitive records.
7:) Login Pages: It is extremely important to identify the login pages of your target organisation in order to perform brute-force attempts or try default credentials to gain further access to organisation resources.
8:) SQL Errors: SQL errors leak sensitive information about the backend systems. This can help you enumerate the database type and see whether the application is vulnerable to input-validation attacks such as SQL injection.
9:) Apache Config Files: Apache HTTP Server is configured by placing directives in plain-text configuration files. The main configuration file is usually called httpd.conf. Other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files at once. Any directive may be placed in any of these files. Depending on their entries, these config files may reveal database connection strings, usernames and passwords, the internal workings of the application, the libraries it uses and references, and its business logic.
10:) Robots.txt File: The robots.txt file instructs web robots how to crawl the pages of a website. Depending on its content, an attacker might discover hidden directories and files.
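The point of item 10 is that robots.txt is a public document, so every path a site asks crawlers to stay away from is also a hint to anyone reading it. The following is an added example, not part of the original post or of the author's tool: it parses a robots.txt body and flags Disallow entries that look like the kinds of paths discussed above (admin areas, backups, config files, install scripts), so a site owner can review what their own file advertises. The sample robots.txt and the list of hint patterns are constructed for the example.

```python
import re

# Constructed sample robots.txt body (not taken from any real site).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/           # staff area
Disallow: /backup/site-2022.tar.gz
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /old_config.php.bak
"""

# Constructed list of substrings / regexes that usually mean a path should not
# be advertised at all; order is preserved in the report.
SENSITIVE_HINTS = (
    r"admin", r"backup", r"\.bak$", r"\.old$", r"\.sql$", r"config",
    r"\.git", r"\.env", r"phpinfo", r"install", r"setup", r"\.log$",
)


def parse_disallows(text):
    """Return the Disallow paths in file order, ignoring comments, blank lines
    and every other directive (Allow, Sitemap, User-agent)."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit_robots(text):
    """Map each Disallow path to the hints it matches. An empty list means the
    entry looks like an ordinary crawl exclusion rather than a leaked secret."""
    report = {}
    for path in parse_disallows(text):
        report[path] = [h for h in SENSITIVE_HINTS if re.search(h, path, re.IGNORECASE)]
    return report


def flagged_paths(text):
    """Only the Disallow entries that matched at least one hint."""
    return [p for p, hits in audit_robots(text).items() if hits]


if __name__ == "__main__":
    for path, hits in audit_robots(SAMPLE_ROBOTS).items():
        print(f"{path:35} {'REVIEW: ' + ', '.join(hits) if hits else 'ok'}")
```

Entries that are flagged are candidates for removal from robots.txt and for access control on the server itself, since a crawl exclusion is not a protection.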
11:) DomainEye: DomainEye is a domain/host investigation tool that has the largest domain databases. It provides services such as reverse Whois, reverse IP lookup, and reverse NS and MX lookups.
12:) Publicly Exposed Documents: Such documents can be used to extract metadata.
13:) phpinfo(): Exposing phpinfo() on its own isn't necessarily a risk, but in combination with other vulnerabilities it could lead to your site being compromised. Additionally, exposed module versions make an attacker's life easier when targeting the application with newly discovered exploits.
14:) Finding Backdoors: This can help you identify website defacements or server-hijacking issues. By exploiting an open redirect vulnerability on a trusted web application, an attacker can redirect victims to a phishing page.
15:) Install/Setup Files: Such files allow an attacker to enumerate the target organisation. Information gathered from these files can reveal version details, which can then be used to perform a targeted exploit.
16:) Open Redirects: Here we look at various parameters known to be vulnerable to open redirect issues.
17:) Apache Struts RCE: Successfully exploiting an RCE vulnerability could allow an attacker to run arbitrary programs. Here we look for files with the extensions ".action" or ".do".
18:) 3rd Party Exposure: Here we look for information exposed on third-party sites such as Codebeautify, Codeshare and Codepen.
19:) Check Security Headers: Quickly identify whether the target site sets security-related headers in its server responses.
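Item 19 only says to check for the headers; the useful part for whoever runs the site is knowing which ones are absent or set to a weak value. The following is an added example, not code from the original post or the author's tool: it parses a captured raw HTTP response header block, reports the recommended security headers that are missing, flags weak values (a short HSTS max-age, a non-standard X-Frame-Options, a CSP that allows inline scripts, version-revealing Server/X-Powered-By headers), and shows a hardened header set beside it. The sample response and the hardened values are constructed for the example; the one-year HSTS threshold is the commonly recommended minimum.

```python
import re

# Constructed response header block with typical weaknesses (not captured from a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 29 Jun 2022 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed corrected header set, for comparison with the weak one above.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(), camera=()",
}

RECOMMENDED = frozenset({
    "strict-transport-security", "content-security-policy", "x-content-type-options",
    "x-frame-options", "referrer-policy", "permissions-policy",
})
ONE_YEAR = 31536000  # seconds; common minimum recommendation for HSTS max-age


def parse_raw_headers(raw):
    """Turn a raw response header block into a {name: value} dict; the status
    line is dropped and parsing stops at the blank line that ends the headers."""
    headers = {}
    for line in re.split(r"\r?\n", raw)[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return {'missing': [...], 'weak': [...]} for a header dict (names are
    matched case-insensitively, as HTTP requires)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = sorted(RECOMMENDED - set(h))
    weak = []

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            weak.append("strict-transport-security: max-age shorter than one year")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append(f"x-content-type-options: expected 'nosniff', got '{xcto}'")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append(f"x-frame-options: '{xfo}' is not DENY or SAMEORIGIN")

    csp = h.get("content-security-policy")
    if csp is not None and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        weak.append("content-security-policy: allows unsafe-inline/unsafe-eval")

    # Version strings in these headers help an attacker match a target to known exploits.
    for leak in ("server", "x-powered-by"):
        if leak in h:
            weak.append(f"{leak}: reveals software/version '{h[leak]}'")

    return {"missing": missing, "weak": weak}


if __name__ == "__main__":
    print("sample:  ", check_security_headers(parse_raw_headers(SAMPLE_RESPONSE)))
    print("hardened:", check_security_headers(HARDENED_HEADERS))
```

A response header block can be captured with `curl -sI https://www.example.com` (example host) and fed to `parse_raw_headers`; the hardened set is what a clean report looks like, with both lists empty.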
20:) GitLab: Quickly look for sensitive information on GitLab.
21:) Find Pastebin Entries: Shows results related to the target organisation on Pastebin. These could include passwords or other sensitive information related to the target organisation.
22:) Employees on LinkedIn: Identifying employee names on LinkedIn can help you build a username list for a password spraying attack.
23:) .htaccess / Sensitive Files: Look for sensitive file exposure. This may indicate a server misconfiguration.
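Items 2, 3, 5, 6, 13, 15 and 23 all come down to the same question for the people running the server: which of these files is actually reachable over HTTP? The following is an added example, not part of the original post or the author's tool: it classifies request paths into the categories named above (backup, phpinfo, install/setup, database, log, config) and runs that classifier over Apache combined-format access log lines, separating requests the server actually served (2xx) from ones it refused, so exposed files can be found and access attempts can be spotted from logs already being collected. The log lines and the pattern list are constructed for the example.

```python
import re

# Constructed Apache combined-format access log lines (fictional client and paths).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [29/Jun/2022:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2022:10:01:23 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2022:10:01:24 +0000] "GET /phpinfo.php HTTP/1.1" 200 71234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2022:10:01:25 +0000] "GET /backup/db.sql HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2022:10:01:26 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2022:10:01:27 +0000] "GET /logs/error.log HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

# Constructed classifier: first matching category wins, so editor/backup suffixes
# are checked before the extension they wrap (wp-config.php.bak is a backup).
SENSITIVE_PATTERNS = [
    ("backup",   re.compile(r"(\.bak|\.old|\.orig|\.swp|~|\.tar\.gz|\.zip)$")),
    ("phpinfo",  re.compile(r"/(phpinfo|info)\.php$")),
    ("install",  re.compile(r"/(install|setup)(\.php|/|$)")),
    ("database", re.compile(r"\.(sql|sqlite|sqlite3|db|mdb)$")),
    ("log",      re.compile(r"(\.log|access_log|error_log)$")),
    ("config",   re.compile(r"(\.htaccess|\.htpasswd|\.env|\.ini|\.conf|\.cfg|web\.config|wp-config\.php)$")),
]

# Request line and status code from a combined-format entry.
LOG_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def classify_path(path):
    """Return the sensitive-file category for a URL path, or None if it looks ordinary.
    The query string is ignored and matching is case-insensitive."""
    p = path.split("?", 1)[0].lower()
    for category, rx in SENSITIVE_PATTERNS:
        if rx.search(p):
            return category
    return None


def scan_access_log(lines):
    """Split sensitive-looking requests into those the server served (2xx status,
    i.e. the file really is exposed) and those it refused (probes worth noting)."""
    result = {"served": [], "probed": []}
    for line in lines:
        m = LOG_RX.search(line)
        if not m:
            continue
        category = classify_path(m.group("path"))
        if category is None:
            continue
        bucket = "served" if m.group("status").startswith("2") else "probed"
        result[bucket].append((m.group("path"), category))
    return result


if __name__ == "__main__":
    report = scan_access_log(SAMPLE_LOG_LINES)
    for path, category in report["served"]:
        print(f"EXPOSED  {category:9} {path}")
    for path, category in report["probed"]:
        print(f"probed   {category:9} {path}")
```

Anything in the `served` list is a file that should be removed from the web root or blocked in the server configuration; the `probed` list tells you which of these files are being looked for even when the server currently refuses them.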
24:) Find Subdomains: Subdomains expand the attack surface of the target organisation. There are numerous tools available to automate subdomain enumeration.
25:) Find Sub-Subdomains: Identify sub-subdomains of the target organisation using a Google Dork.
26:) Find WordPress related exposure: WordPress related exposure helps you gain access to sensitive files and folders.
27:) BitBucket & Atlassian: Source code leakage, hardcoded credentials and access to cloud infrastructure.