
6 Phases of Recon - Finding or Gathering Information on a Target Site


Hey Learners, you probably know that before you go into the kitchen to cook, you should know your cookware and ingredients, so that you can prepare a perfect recipe. In the same way, before you go after a target you should gather as much information as you can, to learn the web technologies in use and find the right flaws or vulnerabilities.

For that you go through Recon, or information gathering. There are various methods of gathering information; here we present 6 phases for finding hidden or sensitive information.

1st Phase of Recon: Robots File

Here comes the very first and easiest technique for finding web data: gathering information from the robots file. robots.txt is the filename used for implementing the Robots Exclusion Protocol, a standard used by websites to tell visiting web crawlers and other web robots which portions of the website they are allowed to visit.

The "robots.txt" file can be used in conjunction with sitemaps, another robot inclusion standard for websites.

The robots.txt file is used to tell web spiders how to crawl a website. To avoid having confidential information indexed and searchable, webmasters often use this file to tell spiders to avoid specific pages. This is done using the keyword Disallow. You can find more about the robots.txt file by reading the Robots exclusion standard.
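As an added example (not code from the original post), the following Python parser reads a robots.txt file into per-agent rule groups and collects every Disallow path. That list is exactly what a site owner should review, because each entry tells any reader which area the owner wanted kept out of search results. The robots.txt content is constructed for the demo; the paths and the sitemap URL are placeholders.

```python
"""Audit what a robots.txt reveals: parse it into per-agent rule groups.

Added example, not from the original post. The sample robots.txt below is
constructed for this demo; the paths in it are placeholders, not real sites.
"""
from collections import defaultdict

# Constructed sample in the robots.txt format described in the post.
SAMPLE_ROBOTS = """\
# constructed example for demonstration
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/

Sitemap: https://example.com/sitemap.xml
"""


def parse_robots(text):
    """Return ({agent: {'disallow': [...], 'allow': [...]}}, [sitemaps]).

    Implements the grouping rule of the Robots Exclusion Protocol: one or
    more User-agent lines start a group, and the Allow/Disallow lines that
    follow belong to every agent in that group. Sitemap lines are global.
    """
    groups = defaultdict(lambda: {"disallow": [], "allow": []})
    sitemaps = []
    current_agents = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            # Consecutive User-agent lines share one group; a User-agent
            # line that follows rules starts a fresh group.
            if not last_was_agent:
                current_agents = []
            current_agents.append(value)
            _ = groups[value]  # register the agent even if it has no rules
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "sitemap":
            sitemaps.append(value)
        elif field in ("disallow", "allow") and value:
            for agent in current_agents:
                groups[agent][field].append(value)
    return dict(groups), sitemaps


def disallowed_paths(text):
    """Every path any agent is told to avoid: the list worth reviewing for
    names that hint at sensitive areas (admin, backup, staging...)."""
    groups, _ = parse_robots(text)
    paths = {p for rules in groups.values() for p in rules["disallow"]}
    return sorted(paths)


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(agent, rules)
    print("sitemaps:", sitemaps)
    print("disallowed:", disallowed_paths(SAMPLE_ROBOTS))
```

The parser keeps `Allow` and `Sitemap` lines too, because a sitemap URL is another index of the site's structure and is worth the same review as the Disallow list.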

2nd Phase of Recon: Fuzzing Directories

So the 2nd phase is very interesting and crucial: fuzzing directories, also known as directory brute force, which basically means gathering information about the directories within a website. This helps you find hidden files within a directory. When accessing a new web server, it often pays off to brute force directories. To do this, you can use tools like patator, ffuf or wfuzz.

Wfuzz provides a framework to automate web application security assessments and can help you secure your web applications by finding and exploiting web application vulnerabilities.

Patator was written out of frustration with using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password-guessing attacks. Its author opted for a different approach in order not to create yet another brute-forcing tool and to avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python that strives to be more reliable and flexible than its predecessors.

ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go.
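Directory brute forcing is noisy: one client requests many non-existent paths in a short time and collects 404s. The Python below is an added example (not from the original post nor from patator, ffuf or wfuzz) that detects that pattern in a web server access log, using a sliding time window over 404 responses per client, and reports which paths the same client then found. The log lines are constructed in the Apache/nginx "combined" format; the addresses, paths and timestamps are made up for the demo.

```python
"""Spot directory brute forcing in web server access logs.

Added example, not from the original post or any tool it names. The log
lines below are constructed in Apache/nginx "combined" format; the IP
addresses, paths and timestamps are made up for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client hammering many non-existent paths,
# one ordinary visitor with a single broken image link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /dev/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /uploads/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """One log line -> dict with ip, aware timestamp, path, status (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_bruteforcers(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {ip: (distinct_404_count, found_paths)} for clients that hit
    `threshold` or more distinct non-existent paths inside any sliding
    window of `window` length. found_paths are the 200 responses the same
    client received from the start of that window on: the directories the
    scan actually discovered, which a defender should check first."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            per_ip[entry["ip"]].append(entry)

    flagged = {}
    for ip, entries in per_ip.items():
        entries.sort(key=lambda e: e["ts"])
        misses = [e for e in entries if e["status"] == 404]
        start = 0
        for end in range(len(misses)):
            # advance the window start until the span fits in `window`
            while misses[end]["ts"] - misses[start]["ts"] > window:
                start += 1
            distinct = {e["path"] for e in misses[start:end + 1]}
            if len(distinct) >= threshold:
                found = sorted({e["path"] for e in entries
                                if e["status"] == 200
                                and e["ts"] >= misses[start]["ts"]})
                flagged[ip] = (len(distinct), found)
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, found) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct 404s in window; found {found}")
```

Counting distinct paths rather than raw 404s keeps a browser reloading one broken link from being flagged, and the window keeps a slow trickle of genuine typos out of the alert.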

3rd Phase: Error Page 404

So the 3rd phase is finding the Error 404 / Not Found page. Now the main question is why we need it: Not Found / 404 pages can leak information about the web stack used by a company or application. Knowing it also lets you detect which files actually exist when you start brute forcing directories, since a custom not-found page may come back with a 200 status and look like a hit. This is why it is important to check what the 404 page looks like.
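Both uses of the 404 page can be checked in a few lines. The Python below is an added example (not from the original post): it records the response to a path that cannot exist as the 404 baseline, treats any later response that matches it as "not found" even when the status is 200 (a "soft 404"), and separately lists the headers and body fragments of the not-found page that name server software or versions, which a hardened server should not return. Response similarity is measured with `difflib` after stripping the echoed path and digits, which is my choice for the demo, not a method from the post. The responses are constructed (status, headers, body) tuples standing in for real HTTP replies.

```python
"""Baseline a server's 404 page, recognise soft 404s, and list stack details
the not-found page gives away.

Added example, not from the original post. The responses below are
constructed (status, headers, body) tuples standing in for real HTTP replies.
"""
import difflib
import re
import secrets

# Constructed not-found page in the shape many default error pages take:
# it echoes the requested path and a server signature line.
NOT_FOUND_HTML = (
    "<html><body><h1>Oops, {path} was not found</h1>"
    "<p>Apache/2.4.41 (Ubuntu) Server at example.test Port 80</p></body></html>"
)
LEAKY_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}

BASE_PATH = "/zz9e3a1cb7"                       # a path that cannot exist
BASELINE = (200, LEAKY_HEADERS, NOT_FOUND_HTML.format(path=BASE_PATH))
SOFT_404 = (200, LEAKY_HEADERS, NOT_FOUND_HTML.format(path="/backup/"))
REAL_PAGE = (200, LEAKY_HEADERS,
             "<html><body><h1>Uploads</h1><ul><li><a href='site.tar.gz'>"
             "site.tar.gz</a></li></ul></body></html>")
HARD_404 = (404, {"Server": "Apache"}, "Not Found")


def random_probe_path():
    """A path that cannot exist; its response is the 404 baseline."""
    return "/" + secrets.token_hex(8)


def normalize(body, path):
    """Strip what varies between two not-found pages (the echoed path,
    numbers, whitespace) so their bodies can be compared."""
    body = body.replace(path, "")
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip()


def classify(response, probe_path, baseline, baseline_path, min_similarity=0.9):
    """'not-found' if the response is a real 404 or looks like the 404
    baseline (soft 404), otherwise 'exists'."""
    status, _headers, body = response
    b_status, _b_headers, b_body = baseline
    if status == 404:
        return "not-found"
    ratio = difflib.SequenceMatcher(
        None, normalize(body, probe_path), normalize(b_body, baseline_path)
    ).ratio()
    if status == b_status and ratio >= min_similarity:
        return "not-found"      # soft 404: same page as the baseline
    return "exists"


def stack_leaks(response):
    """Headers carrying version numbers and body fragments naming server
    software in a not-found response; a hardened server returns []."""
    _status, headers, body = response
    leaks = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and re.search(r"\d", value):   # product name alone is tolerated
            leaks.append(f"{name}: {value}")
    m = re.search(r"(Apache|nginx|IIS|Express)[^\n<]*", body)
    if m:
        leaks.append("body: " + m.group(0).strip())
    return leaks


if __name__ == "__main__":
    print("probe path for a live baseline would be:", random_probe_path())
    for name, resp, path in (("SOFT_404", SOFT_404, "/backup/"),
                             ("REAL_PAGE", REAL_PAGE, "/uploads/"),
                             ("HARD_404", HARD_404, "/nothing")):
        print(name, "->", classify(resp, path, BASELINE, BASE_PATH))
    print("leaks in baseline:", stack_leaks(BASELINE))
    print("leaks in hardened 404:", stack_leaks(HARD_404))
```

Against a live server the baseline would be the response to `random_probe_path()`; everything else in the block works the same way on captured responses.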

4th Phase: Finding SECURITY.TXT File

The security.txt file contains more sensitive information about the website; finding it might help you gain access to restricted content, pages, servers or databases.

But how to find it is the main question here. Basically, every hosted website has a directory named .well-known. On some sites the directory will be hidden or inaccessible, but no worry, this is only one method of reconnaissance; if it is not accessible or not there, you can switch to another method. So the URL to get the security.txt file will be "http://example.com/.well-known/security.txt".
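security.txt is specified by RFC 9116, which defines the fields Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy and Hiring. The Python below is an added example (not from the original post) that parses a security.txt file and checks the rules a site owner most often gets wrong: Contact and Expires are mandatory, Expires must appear exactly once and lie in the future, and Canonical should point at the /.well-known/ location the post gives. The file contents are constructed; the addresses and dates are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not from the original post. The file contents below are
constructed; the contact addresses, URLs and dates are placeholders.
"""
from datetime import datetime, timezone

# Constructed, well-formed file.
SAMPLE_SECURITY_TXT = """\
# constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed, broken file: no Contact, expired, Canonical at the old
# top-level location.
BROKEN_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Canonical: https://example.com/security.txt
"""


def parse_security_txt(text):
    """Return {field: [values]} with field names lower-cased. Comments and
    blank lines are skipped; fields may repeat (several Contact lines)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """List of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # RFC 3339 timestamp; 'Z' is normalised for older Pythons
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp")
    for url in fields.get("canonical", []):
        if "/.well-known/security.txt" not in url:
            problems.append(f"Canonical does not point at /.well-known/: {url}")
    return problems


if __name__ == "__main__":
    print("good file:", check_security_txt(SAMPLE_SECURITY_TXT) or "OK")
    print("broken file:", check_security_txt(BROKEN_SECURITY_TXT))
```

The `now` parameter exists so the check can be run against a fixed clock in tests; in normal use it defaults to the current UTC time.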

5th Phase : Directory Listing

So yes, here you might be thinking that directory listing and directory fuzzing are the same. They are close, but there is a difference, and the difference is indexing, or the index file. Getting confused? No worry.

When accessing a directory on a web server, multiple things can happen:

  • An "index" file is present and it gets returned (the file is not necessarily named index; this can be configured, but most of the time the file will be named index.html).
  • No "index" file is present and the web server lists the content of the directory. This can obviously leak information.

Indexing directories can be disabled on most web servers. For example, with Apache, you need to use the option: -Indexes.

To find directories with indexing enabled, browse the source of the HTML pages and look at the directories used to store files. Once you have a list of directories, you can access each of them individually.
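Checking each directory by hand does not scale, and the listing page has a recognisable shape. The Python below is an added example (not from the original post) that tells an autoindex page apart from a normal page by its title and pulls out the entries it exposes, so a site owner can sweep their own directories for the ones where indexing was left on. The HTML samples are constructed in the shape Apache's mod_autoindex and nginx's autoindex produce; the file names in them are made up.

```python
"""Detect directory-listing (autoindex) pages and extract what they expose.

Added example, not from the original post. The HTML below is constructed
in the shape of Apache's mod_autoindex and nginx's autoindex output.
"""
import re
from html.parser import HTMLParser

# Constructed Apache-style listing.
APACHE_LISTING = """\
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head><title>Index of /uploads</title></head>
 <body>
<h1>Index of /uploads</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="backup-2023.sql">backup-2023.sql</a></td><td>2023-10-10 13:55</td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td><td>2023-10-10 13:55</td></tr>
</table>
</body></html>
"""

# Constructed nginx-style listing.
NGINX_LISTING = """\
<html>
<head><title>Index of /static/</title></head>
<body>
<h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href="app.js">app.js</a>      10-Oct-2023 13:55    2048
<a href="secrets/">secrets/</a>  10-Oct-2023 13:55       -
</pre><hr></body>
</html>
"""

# Constructed ordinary page: has links, but is not a listing.
NORMAL_PAGE = ("<html><head><title>Welcome</title></head>"
               "<body><a href='/about'>About</a></body></html>")

TITLE_RE = re.compile(r"^\s*Index of (/\S*)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def directory_listing(html):
    """Return (directory, [entries]) if the page is an autoindex listing,
    else None. Sort links (?C=...), the parent link and absolute links are
    not entries; real entries are relative names."""
    parser = _LinkCollector()
    parser.feed(html)
    match = TITLE_RE.match(parser.title)
    if not match:
        return None
    entries = [h for h in parser.hrefs
               if not h.startswith("?") and not h.startswith("/") and h != "../"]
    return match.group(1), entries


if __name__ == "__main__":
    for name, page in (("apache", APACHE_LISTING), ("nginx", NGINX_LISTING),
                       ("normal", NORMAL_PAGE)):
        print(name, "->", directory_listing(page))
```

On Apache the fix the post names is `Options -Indexes`; the detector above is how you confirm the option actually took effect on every directory, not just the document root.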

6th Phase: Finding interesting Pages or Directory

Here, your goal is to find a directory that is commonly used to manage applications.

When accessing a new web server, it often pays off to manually check for some directories before starting to brute force with a tool. For example, you can manually check for /admin/, dir, show flash, and/or nvram, etc.

When accessing a new web server, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request. To do this, you can either modify the request in a web proxy or use:

curl -H "Host: ...."
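The reason the Host header matters is that a server routes by name, and whatever is configured as the default virtual host answers every name it does not recognise, including a random one or the bare IP. The Python below is an added example (not from the original post) that makes this visible offline: it starts a tiny local HTTP server with two constructed virtual hosts, sends requests with different Host headers the way `curl -H "Host: ..."` would, and returns which page each one reached. Run with the internal host as the default, the random name and the IP both land on the internal page; with the public site as the default, they do not. The vhost names are placeholders and the server only binds to 127.0.0.1.

```python
"""Why a random Host header or the bare IP is worth testing: the default
virtual host answers every name the server does not recognise.

Added example, not from the original post. The vhost names are constructed
placeholders; the server binds only to 127.0.0.1 on an ephemeral port.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: server name -> what that site serves.
VHOSTS = {
    "www.example.test": "public site",
    "intranet.example.test": "internal dashboard",
}


def make_handler(default_vhost):
    """Handler that routes on the Host header, falling back to the vhost
    named `default_vhost` for any name it does not know (as a typical
    web server does with its first or default server block)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = self.headers.get("Host", "").split(":")[0]
            page = VHOSTS.get(host, VHOSTS[default_vhost])
            body = page.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the demo quiet
            pass

    return Handler


def probe(port, host_header):
    """GET / on the local server with an explicit Host header, the same
    request `curl -H "Host: ..."` sends. Returns the response body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return body


def run_demo(default_vhost):
    """Start a server whose default vhost is `default_vhost`, probe it with
    a known name, an unknown name and the bare IP, and return the bodies."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(default_vhost))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "known": probe(port, "www.example.test"),
            "random": probe(port, "does-not-exist.invalid"),
            "ip": probe(port, "127.0.0.1"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("default = intranet:", run_demo("intranet.example.test"))
    print("default = public:  ", run_demo("www.example.test"))
```

The defensive takeaway from the second run is the configuration to aim for: make the default virtual host a harmless catch-all (or one that refuses unknown names) so that internal applications are only reachable by their intended hostname.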

Conclusion

Here are 6 phases of Recon, or information gathering. There are obviously many others to go for; this post will be updated soon.

Stay connected and updated.
