Information Gathering
I would say this is one of my weakest areas, so I will try to focus more on this topic.
Web Reconnaissance is the foundation of a thorough security assessment. This process involves systematically and meticulously collecting information about a target website or web application. Think of it as the preparatory phase before delving into deeper analysis and potential exploitation. It forms a critical part of the “Information Gathering” phase of the Penetration Testing Process.
The primary goals of web reconnaissance include:
- Identifying Assets
- Discovering Hidden Information
- Analysing the Attack Surface
- Gathering Intelligence
Attackers leverage this information to tailor their attacks, allowing them to target specific weaknesses and bypass security measures.
Type of Reconnaissance
Web reconnaissance encompasses two fundamental methodologies: active and passive reconnaissance.
Active Reconnaissance
| Technique | Description | Example | Tools | Risk of Detection |
|---|---|---|---|---|
| Port Scanning | Identifying open ports and services running on the target. | Using Nmap to scan a web server for open ports like 80 (HTTP) and 443 (HTTPS). | Nmap, Masscan, Unicornscan | High: Direct interaction with the target can trigger intrusion detection systems (IDS) and firewalls. |
| Vulnerability Scanning | Probing the target for known vulnerabilities, such as outdated software or misconfigurations. | Running Nessus against a web application to check for SQL injection flaws or cross-site scripting (XSS) vulnerabilities. | Nessus, OpenVAS, Nikto | High: Vulnerability scanners send exploit payloads that security solutions can detect. |
| Network Mapping | Mapping the target’s network topology, including connected devices and their relationships. | Using traceroute to determine the path packets take to reach the target server, revealing potential network hops and infrastructure. | Traceroute, Nmap | Medium to High: Excessive or unusual network traffic can raise suspicion. |
| Banner Grabbing | Retrieving information from banners displayed by services running on the target. | Connecting to a web server on port 80 and examining the HTTP banner to identify the web server software and version. | Netcat, curl | Low: Banner grabbing typically involves minimal interaction but can still be logged. |
| OS Fingerprinting | Identifying the operating system running on the target. | Using Nmap’s OS detection capabilities (-O) to determine if the target is running Windows, Linux, or another OS. | Nmap, Xprobe2 | Low: OS fingerprinting is usually passive, but some advanced techniques can be detected. |
| Service Enumeration | Determining the specific versions of services running on open ports. | Using Nmap’s service version detection (-sV) to determine if a web server is running Apache 2.4.50 or Nginx 1.18.0. | Nmap | Low: Similar to banner grabbing, service enumeration can be logged but is less likely to trigger alerts. |
| Web Spidering | Crawling the target website to identify web pages, directories, and files. | Running a web crawler like Burp Suite Spider or OWASP ZAP Spider to map out the structure of a website and discover hidden resources. | Burp Suite Spider, OWASP ZAP Spider, Scrapy (customisable) | Low to Medium: Can be detected if the crawler’s behaviour is not carefully configured to mimic legitimate traffic. |
This is a really informative table
Passive Reconnaissance
| Technique | Description | Example | Tools | Risk of Detection |
|---|---|---|---|---|
| Search Engine Queries | Utilising search engines to uncover information about the target, including websites, social media profiles, and news articles. | Searching Google for “[Target Name] employees” to find employee information or social media profiles. | Google, DuckDuckGo, Bing, specialised search engines (e.g., Shodan) | Very Low: Search engine queries are normal internet activity and unlikely to trigger alerts. |
| WHOIS Lookups | Querying WHOIS databases to retrieve domain registration details. | Performing a WHOIS lookup on a target domain to find the registrant’s name, contact information, and name servers. | whois command-line tool, online WHOIS lookup services | Very Low: WHOIS queries are legitimate and do not raise suspicion. |
| DNS | Analysing DNS records to identify subdomains, mail servers, and other infrastructure. | Using dig to enumerate subdomains of a target domain. | dig, nslookup, host, dnsenum, fierce, dnsrecon | Very Low: DNS queries are essential for internet browsing and are not typically flagged as suspicious. |
| Web Archive Analysis | Examining historical snapshots of the target’s website to identify changes, vulnerabilities, or hidden information. | Using the Wayback Machine to view past versions of a target website to see how it has changed over time. | Wayback Machine | Very Low: Accessing archived versions of websites is a normal activity. |
| Social Media Analysis | Gathering information from social media platforms like LinkedIn, Twitter, or Facebook. | Searching LinkedIn for employees of a target organisation to learn about their roles, responsibilities, and potential social engineering targets. | LinkedIn, Twitter, Facebook, specialised OSINT tools | Very Low: Accessing public social media profiles is not considered intrusive. |
| Code Repositories | Analysing publicly accessible code repositories like GitHub for exposed credentials or vulnerabilities. | Searching GitHub for code snippets or repositories related to the target that might contain sensitive information or code vulnerabilities. | GitHub, GitLab | Very Low: Code repositories are meant for public access, and searching them is not suspicious. |
Aka OSINT, I love OSINT
WHOIS
WHOIS is a widely used query and response protocol designed to access databases that store information about registered internet resources.
ayy spaceship is protecting my info!
Each WHOIS record typically contains the following information:
- Domain Name: The domain name itself (e.g., example.com)
- Registrar: The company where the domain was registered (e.g., GoDaddy, Namecheap)
- Registrant Contact: The person or organization that registered the domain.
- Administrative Contact: The person responsible for managing the domain.
- Technical Contact: The person handling technical issues related to the domain.
- Creation and Expiration Dates: When the domain was registered and when it’s set to expire.
- Name Servers: Servers that translate the domain name into an IP address.
Why WHOIS Matters for Web Recon
- Identifying Key Personnel
- Discovering Network Infrastructure
- Historical Data Analysis
Whoisfreaks can reveal changes in ownership, contact information, or technical details over time.
Interesting website
Utilising WHOIS
The tasks: Perform a WHOIS lookup against the paypal.com domain. What is the registrar Internet Assigned Numbers Authority (IANA) ID number?
What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?
I’ll update with the rest of the module very soon, I promise!
Enjoy Reading This Article?
Here are some more articles you might like to read next: