Wednesday, January 22, 2014

Recon - Part 2 - Target Website and GXFR

Welcome to Recon - Part 2, where we will look at our target's website to gather information.  We will also look for subdomains, since those often lead to other in-scope systems or to juicy information.

First, I browse the website and gather as much information as I can.  Items of note are names, addresses, phone numbers, products or services offered, customer/project lists, and the like.  Reading the page source is also a good way to find hidden jewels of information (comments, internal paths, script references).  Also of note are any subdomains in use.  Sometimes those lead to other systems.

One way to find those subdomains is to query Google.  Using the "site:" search operator you can list indexed hosts under the domain.

Start with a search for:

"site:domain.ext"

Take the result and subtract the search for that subdomain:

"site:domain.ext -site:sub.domain.ext"

Each time a new subdomain shows up, add another "-site:" term for it and search again; repeating this uncovers a lot of hosts.  This is long and tedious though, and there must be an easier way.  Well, there is!
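Here is the "subtract what you have already found" loop written out in Python, as an added example (not code from this post and not GXFR itself).  It builds the next site:/-site: query from the subdomains seen so far and pulls hostnames out of the result URLs, keeping only hosts that really sit under the target domain.  The search engine is replaced by an offline stand-in over a constructed list of result URLs; the domain and the URLs are made up.

```python
from urllib.parse import urlsplit

# Constructed sample: the kind of URLs a search might return.  The last two are
# look-alike hosts included to show that the extraction rejects them.
SAMPLE_RESULT_URLS = [
    "https://www.example.com/about",
    "https://www.example.com/contact",
    "https://dev.example.com/login",
    "http://mail.example.com:8080/",
    "https://example.com/",
    "https://notexample.com/page",
    "https://example.com.attacker.test/",
]


def subdomains_from_urls(domain, urls):
    """Return the set of hostnames strictly below `domain` found in `urls`.

    The apex (domain itself) is skipped: excluding it with -site: would also
    exclude every subdomain, so it must never enter the exclusion list.
    """
    found = set()
    for url in urls:
        host = urlsplit(url).hostname  # strips scheme, port, path
        if host and host.lower().endswith("." + domain.lower()):
            found.add(host.lower())
    return found


def build_query(domain, exclude):
    """'site:domain -site:a.domain -site:b.domain', sorted so it is deterministic."""
    return " ".join(["site:" + domain] + ["-site:" + s for s in sorted(exclude)])


def enumerate_subdomains(domain, search, max_rounds=10):
    """Repeat the site:/-site: subtraction until a query yields nothing new."""
    known, queries = set(), []
    for _ in range(max_rounds):
        query = build_query(domain, known)
        queries.append(query)
        new = subdomains_from_urls(domain, search(query)) - known
        if not new:
            break
        known |= new
    return known, queries


def fake_search(query):
    """Offline stand-in for the engine: honours -site: terms over the sample
    list and returns at most 2 hits per query, like one page of results."""
    excluded = {t[len("-site:"):] for t in query.split() if t.startswith("-site:")}
    hits = [u for u in SAMPLE_RESULT_URLS if urlsplit(u).hostname not in excluded]
    return hits[:2]
```

Swap `fake_search` for a function that queries a real engine (within scope and within its terms of use) and the loop is the manual procedure above, automated.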

A great tool to do this is GXFR by Tim Tomes (@LaNMaSTeR53).  The syntax is very simple, and the tool can also query Bing (though you need an API key for Bing).

#  python gxfr.py --gxfr --dns-lookup

You will be prompted for a domain name and the tool will do its job.  If you want to save the output, just pass the -o option and you will be prompted for the output file name.  You can then review the output to see if other systems or pages are available for you to attack (of course only if they are in scope).  Often, this type of recon will uncover hidden administrative pages that were never meant to be publicly accessible, and at a minimum it will give you a better picture of your target environment.

Well, that is it for now.  Recon - Part 3 will focus on Whois lookups to determine our target's IP ranges.
