Information Gathering Web Server Hacking | Hacking Guide 2024

Chirag Artani
7 min readJan 28, 2021

This guide covers web server information gathering. Here you will learn a step-by-step process for gathering information about a web server, by Chirag Artani.

What Is Information Gathering?


Information gathering (reconnaissance) is the foundation of a penetration test. Put simply, it means collecting information about the target, some of it sensitive, that points you to where a web server may be vulnerable. It is the first thing every ethical hacker or pentester does, and it involves many techniques, tools and tricks. Let’s start with the basics.

Basic information gathering

The only requirement for all of this is basic knowledge. Basic information gathering covers two things:

The first is robots.txt. A robots.txt file tells search engine crawlers which paths or directories they should not index. It often reveals not only paths but parameters too. Here is an example: https://www.microsoft.com/robots.txt

Sometimes a website disallows important paths or directories, ones that contain user data or, as mentioned, parameters. The owner lists them in robots.txt so that search engines (or the site’s own search) do not index them, but robots.txt is purely advisory and restricts nothing: anyone who appends /robots.txt to the site URL can read the list and test each entry manually. Also check sitemap.xml, e.g. example.com/sitemap.xml, which lists the pages the site does want indexed, often with their parameters.
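As an added example (not from the original article), here is a small Python script that turns a site’s robots.txt and sitemap.xml into a list of absolute URLs to probe by hand. The parsing works on text, so the sample robots.txt and sitemap embedded below are constructed and the script runs offline; fetch_text() is the only network helper, for use against a target you are authorised to test.

```python
"""Turn a site's robots.txt and sitemap.xml into a list of paths worth testing by hand.

Added example (not from the original article). SAMPLE_ROBOTS and SAMPLE_SITEMAP
are constructed; fetch_text() is the only part that touches the network and is
kept separate so the parsing can be exercised offline.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample: a site with an admin panel and a parameterised endpoint.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /api/v1/users?id=
Disallow: /tmp/
Allow: /tmp/public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
Disallow: /internal-reports/
"""

# Constructed sample sitemap in the standard sitemaps.org format.
SAMPLE_SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/news.aspx?ID=42</loc></url>
  <url><loc>https://example.com/gallery.aspx?ID=7</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return (disallowed_paths, sitemap_urls), deduplicated, order preserved.

    Disallow lines are advisory for crawlers and enforce nothing, so every
    entry is a path the owner would rather you did not look at.
    """
    disallowed, sitemaps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "disallow" and value and value not in disallowed:
            disallowed.append(value)
        elif field == "sitemap" and value not in sitemaps:
            sitemaps.append(value)
    return disallowed, sitemaps


def parse_sitemap(xml_text):
    """Return every <loc> URL from a sitemap, regardless of namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter() if el.tag.endswith("loc") and el.text]


def candidate_urls(base, robots_text, sitemap_text=""):
    """Combine both sources into absolute URLs to probe manually.

    Wildcards (*) and end anchors ($) in Disallow rules are stripped so each
    result is a concrete prefix you can actually request.
    """
    disallowed, _ = parse_robots(robots_text)
    urls = [urljoin(base, re.sub(r"[*$]", "", path)) for path in disallowed]
    if sitemap_text:
        urls += parse_sitemap(sitemap_text)
    return list(dict.fromkeys(urls))  # dedupe, keep order


def fetch_text(url, timeout=10):
    """Network helper for live use: GET a URL and return its body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demo on the constructed samples. For a live target replace them with
    # fetch_text(base + "/robots.txt") and fetch_text(base + "/sitemap.xml").
    base = "https://example.com"
    for url in candidate_urls(base, SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(url)
```

Rules under a second User-agent block (Googlebot here) are collected too, since a path hidden only from one crawler is still a path worth a look.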

The second is WHOIS information. Some companies pay $50 or $100 a year for WHOIS privacy so that the registrant’s personal details are not publicly available; when they do not, the name, e-mail and phone number of the person who registered the domain are exposed, for example: https://who.is/whois/republicworld.com. Findings of this kind are mostly rated P5, informational bugs.


I hope you got all this. Now let’s move to the advanced level of information gathering, where you can actually find vulnerabilities.

Advanced information gathering

Be careful running these tools against small websites or servers: port scanners, directory brute-forcers and subdomain enumerators send thousands of requests at a time, and a small server can run out of memory or otherwise fall over under that load, which is a denial of service. Throttle your scans and only test systems you are authorised to test.


If you are an experienced reader you will already know most of this, but it is worth a quick revision!

Finding ports

Open ports expose services: APIs (with their endpoints), portals (registration, profile updates and so on) and platforms such as WordPress or Drupal. Each is attack surface, and outdated versions may be vulnerable or exploitable.

Use Nmap; Zenmap is its official graphical front end and runs the same scans. The difference is only the interface: Nmap is a command-line tool used in a terminal or cmd, Zenmap is a GUI. Both run on Linux and Windows. So let’s see how to scan for basic information gathering!

Download (Nmap and Zenmap): https://nmap.org/download.html


Once you know the open ports and the service versions behind them, you can check those versions against known vulnerabilities and test the services directly.

Note: Against big websites Nmap sometimes errors out or reports incorrect information (firewalls and load balancers can drop or fake responses), so always verify the ports it reports as open manually, for example by connecting to them yourself.
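An added example, not from the original article: a Python script that parses Nmap’s XML output (produced with -oX, e.g. nmap -sV -oX scan.xml target.example.com), lists the open ports with the service versions Nmap fingerprinted, and re-checks each port with a plain TCP connect and banner read, which is the manual verification recommended above. The XML sample, host name and addresses below are constructed.

```python
"""Parse Nmap's XML output and re-check each reported open port by hand.

Added example (not from the original article). Run Nmap with XML output, e.g.
    nmap -sV -oX scan.xml target.example.com
and feed scan.xml to parse_nmap_xml(). SAMPLE_XML is constructed to mirror
that format. verify_port() is the manual check: a TCP connect plus a short
banner read, independent of what Nmap claimed.
"""
import socket
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml target.example.com">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a dict per port that Nmap reports as open.

    Ports in any other state (closed, filtered) are skipped; 'filtered' is
    exactly where firewalls and load balancers make Nmap's view unreliable.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", ""),
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
            })
    return results


def unversioned(results):
    """Open ports Nmap could not fingerprint: these need the most manual attention."""
    return [r for r in results if not r["version"]]


def verify_port(host, port, timeout=3.0):
    """Manual re-check: TCP connect and grab up to 256 bytes of banner.

    Returns (reachable, banner). Many HTTP services say nothing until they get
    a request, so an empty banner on a reachable port is normal.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("latin-1", errors="replace").strip()
            except socket.timeout:
                banner = ""
            return True, banner
    except OSError:
        return False, ""


if __name__ == "__main__":
    # Offline: parse the constructed sample. Live: open("scan.xml").read(), then
    # loop verify_port() over the results against a host you are authorised to test.
    for r in parse_nmap_xml(SAMPLE_XML):
        line = f"{r['host']}:{r['port']}/{r['proto']}  {r['service']} {r['product']} {r['version']}"
        print(line.rstrip())
```

A port that Nmap lists as open but that refuses your own connection, or the reverse, is the signal to slow the scan down or scan from elsewhere before trusting the results.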

Inspect Network

The browser’s developer tools (Inspect, Network tab) are the simplest tool for information gathering, and every desktop browser has them. There you can see each request’s method, the request and response headers (including the Server header and any security headers) and the page source, all of which feed into your security tests.


Finding Subdomains

Subdomains are often where vulnerabilities are easiest to find, on big websites too: they get far less attention than the main site.

Here is my $300 bug bounty. I found this vulnerability in a subdomain, so I definitely recommend gathering information on subdomains and then going for deep testing!

A good tool for finding subdomains is Sublist3r (https://github.com/aboul3la/Sublist3r). It is free and very easy to use. Install and run it with Python 3:

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
python3 -m pip install -r requirements.txt
python3 sublist3r.py -d example.com -o subdomains.txt

On Windows, replace python3 with py.
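An added example, not from the original article or from Sublist3r: once an enumerator has handed you a long list of names, the next step is triage. The Python script below resolves each name, detects wildcard DNS (a zone where anything.example.com answers with the same address, which makes most of a brute-forced list false positives) and groups live hosts by IP so you can see shared infrastructure. The resolver is injectable: FAKE_DNS is a constructed zone so the logic runs offline, and resolve_live is the real resolver for a target you are authorised to test.

```python
"""Triage subdomain enumerator output: resolve, detect wildcard DNS, group by IP.

Added example, not part of the original article or of Sublist3r. The resolver
is injectable so the logic can run offline against the constructed FAKE_DNS
table; pass resolve_live for real use.
"""
import secrets
import socket
from collections import defaultdict

# Constructed zone: a few real hosts plus a wildcard record.
FAKE_DNS = {
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.20"],
    "dev.example.com": ["198.51.100.5"],
    "old.example.com": ["198.51.100.5"],
    "*.example.com": ["203.0.113.99"],   # wildcard: every other label hits this
}


def fake_resolve(name):
    """Offline resolver honouring one level of wildcard, like a real wildcard record."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return FAKE_DNS.get("*." + parent, [])


def resolve_live(name):
    """Real resolver: all IPv4 addresses for name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_ips(domain, resolve, probes=3):
    """Resolve random labels nobody would have created; any answers are the wildcard's."""
    ips = set()
    for _ in range(probes):
        ips.update(resolve(f"{secrets.token_hex(8)}.{domain}"))
    return ips


def triage(domain, names, resolve):
    """Split names into live hosts, dead names and wildcard-only artefacts."""
    wc = wildcard_ips(domain, resolve)
    live, dead, wildcard_only = {}, [], []
    by_ip = defaultdict(list)
    for name in sorted(set(names)):
        ips = resolve(name)
        if not ips:
            dead.append(name)
        elif set(ips) <= wc:
            wildcard_only.append(name)   # resolves only because of the wildcard
        else:
            live[name] = ips
            for ip in ips:
                by_ip[ip].append(name)
    return {"wildcard_ips": wc, "live": live, "dead": dead,
            "wildcard_only": wildcard_only, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    # Offline demo. Live: names = open("subdomains.txt").read().split(), resolve=resolve_live
    names = ["www.example.com", "api.example.com", "dev.example.com",
             "old.example.com", "ghost.example.com", "mail.example.org"]
    print(triage("example.com", names, fake_resolve))
```

A name that resolves only to the wildcard address is not necessarily uninteresting (the web server behind it may still route on the Host header), but it should be tested as one virtual host, not counted as a separate asset.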

Finding Directories

Surprisingly few pentesters spend time on directory discovery. I am talking about directories that are neither linked from the website nor listed in robots.txt: paths the developers kept to themselves, such as admin panels, backups or old versions of the site.

Personally I recommend OpenDoor because it is very easy to use, but you can use other tools too.

git clone https://github.com/stanislav-web/OpenDoor.git
cd OpenDoor/
python3 -m pip install -r requirements.txt
chmod +x opendoor.py
python3 opendoor.py --host http://www.example.com
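An added example, not from the original article or from OpenDoor: a minimal Python directory brute-forcer that handles the pitfall quick scans miss. Many sites answer every unknown path with a 200 and a friendly “not found” page, so a tool that trusts status codes reports everything as present. This version first requests a random path that cannot exist, records that response as the baseline, and reports only paths whose status or body size differ from it. The fetch function is injectable: fake_fetch serves a constructed site offline, fetch_live is the real one for a target you are authorised to test.

```python
"""Directory discovery with a soft-404 baseline, the check most quick scans skip.

Added example, not from the original article or from OpenDoor. FAKE_SITE is a
constructed target with two hidden paths, a redirect and a soft 404 for
everything else; fetch_live does real HTTP without following redirects.
"""
import secrets
import urllib.error
import urllib.request
from urllib.parse import urljoin

NOT_FOUND_PAGE = "<html><body><h1>Oops, we could not find that page</h1></body></html>"

# Constructed site: (status, body) per path; unknown paths get a 200 soft 404.
FAKE_SITE = {
    "/admin/": (200, "<html><body><h1>Admin login</h1><form method='post' action='/admin/login'>"
                     "<input name='user'><input name='pass' type='password'>"
                     "<button>Sign in</button></form></body></html>"),
    "/backup.zip": (200, "PK\x03\x04" + "x" * 2048),
    "/old/": (301, ""),
}


def fake_fetch(url):
    """Return (status, body) for the constructed site; unknown paths get a soft 404."""
    path = "/" + url.split("/", 3)[3] if url.count("/") >= 3 else "/"
    return FAKE_SITE.get(path, (200, NOT_FOUND_PAGE))


def fetch_live(url, timeout=10):
    """Real GET that does not follow redirects, returning (status, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", errors="replace")


def baseline(base, fetch):
    """Request a path that cannot exist and return (status, body_length)."""
    status, body = fetch(urljoin(base, "/" + secrets.token_hex(12)))
    return status, len(body)


def brute_force(base, wordlist, fetch, size_tolerance=32):
    """Probe each word as a path; keep only responses that differ from the baseline.

    size_tolerance absorbs soft-404 pages that echo the requested path back.
    """
    base_status, base_len = baseline(base, fetch)
    found = []
    for word in wordlist:
        url = urljoin(base, "/" + word.lstrip("/"))
        status, body = fetch(url)
        if status == 404:
            continue
        looks_like_baseline = (status == base_status
                               and abs(len(body) - base_len) <= size_tolerance)
        if not looks_like_baseline:
            found.append((url, status, len(body)))
    return found


if __name__ == "__main__":
    # Offline demo; for a live target pass fetch_live and a real wordlist.
    words = ["admin/", "backup.zip", "old/", "images/", "test.php"]
    for hit in brute_force("http://www.example.com", words, fake_fetch):
        print(hit)
```

Against a real target, add a delay between requests: the warning earlier in this article about overloading small servers applies most of all to directory brute-forcing.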

Find parameters

Parameters are the best place to look for cross-site scripting or SQL injection, and sometimes OS command injection or local file inclusion, so I highly recommend following all the steps one by one to gather information.

If you don’t know the techniques, here are some good practices for finding parameters.

Use Dorks:

inurl:login.aspx site:microsoft.com

To find the login pages of any website, simply use a query like this; such queries are known as Google dorks.

Here you can see all the login pages. This is not a vulnerability in itself, but once you have found the register or login pages you can test them for SQL injection, XSS in the login form, authentication bypass and more.

Also, you can try more dorks to gather information or perform security tests:

Dork by Chirag Artani

inurl:.aspx?ID= site:target.com
inurl:.php?ID= site:target.com
inurl:.asp?ID= site:target.com
inurl:news.aspx?ID= site:target.com

You can vary the page names, parameters and extensions as you like: page names such as News, Content, Gallery, Index, Login, Page; parameters such as IDS=, NO=, Number=, AID=, PID=, MID=, Info=; extensions such as aspx, php, jsp, asp, shtml, html, etc.
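An added example, not from the original article: whatever collected your URLs (dork results, a crawl, sitemap.xml, Burp’s site map), the next step is the same, so here is a Python script that pulls every parameter out of a URL list, counts pages per extension to see what the backend is written in, flags the numeric-ID style parameters (ID=, PID=, AID=, ...) that are the classic SQL injection candidates, and builds one test URL per parameter with a FUZZ marker where the payload goes. SAMPLE_URLS and the target.example host are constructed.

```python
"""Harvest parameters from a URL list and rank them for injection testing.

Added example, not from the original article. SAMPLE_URLS is constructed;
the FUZZ marker is where you would place an XSS or SQLi payload.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

SAMPLE_URLS = [
    "https://target.example/news.aspx?ID=42",
    "https://target.example/news.aspx?ID=43&lang=en",
    "https://target.example/gallery.php?PID=7&page=2",
    "https://target.example/content.asp?AID=1003",
    "https://target.example/search.jsp?q=hello%20world",
    "https://target.example/login.aspx",
    "https://target.example/index.html",
    "https://target.example/gallery.php?PID=8",
]


def extract_parameters(urls):
    """Return {(path, param_name): set(observed values)} for every parameterised URL."""
    params = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params[(parts.path, name)].add(value)
    return dict(params)


def numeric_id_params(params):
    """Parameters whose observed values are all integers: SQLi and IDOR candidates."""
    return sorted(key for key, values in params.items()
                  if values and all(v.isdigit() for v in values))


def by_extension(urls):
    """Count pages per file extension ('' for extensionless paths)."""
    counts = defaultdict(int)
    for url in urls:
        path = urlsplit(url).path
        last = path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
        counts[ext] += 1
    return dict(counts)


def build_worklist(base, params, marker="FUZZ"):
    """One test URL per (path, param): the target value replaced by marker, the
    other parameters of that page kept with their first observed value so the
    request still looks valid to the application."""
    per_path = defaultdict(list)
    for (path, name), values in params.items():
        per_path[path].append((name, sorted(values)[0]))
    items = []
    for path, pairs in per_path.items():
        for name, _ in pairs:
            query = "&".join(f"{n}={marker if n == name else v}" for n, v in pairs)
            items.append(f"{base}{path}?{query}")
    return sorted(items)


if __name__ == "__main__":
    params = extract_parameters(SAMPLE_URLS)
    print("extensions:", by_extension(SAMPLE_URLS))
    print("numeric ids:", numeric_id_params(params))
    for url in build_worklist("https://target.example", params):
        print(url)
```

Seeing several pages share one parameter name (ID= on news.aspx and gallery.aspx, say) usually means they share one backend handler, so a finding on one is worth re-testing on the others.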

Burp Suite


Every hacker, from zero to hero, uses this tool to understand HTTP methods and how data travels between browser and server. I highly recommend learning Burp Suite and how to use it. It helps you gather information from many angles: POST bodies, GET parameters and headers alike. I strongly believe Burp Suite is an incredible tool when it comes to information gathering for web server hacking. There are two editions, Community (free) and Professional; always start with the free one and move to Pro later.


It bundles so many tools (Proxy, Repeater, Intruder, Decoder and more) that you won’t feel the lack of one.

You can run all of these tools on Windows and Linux without any problem!

Edited (added later): I forgot to mention an amazing thing to use with Burp Suite. Without it you won’t get as much data, so I highly recommend using it all the time alongside Burp Suite’s Intruder.

HackBar


This is a very nice extension for Chrome and Firefox for testing cross-site scripting and SQL injection. It also has functions such as sending POST requests, hash encoding and decoding, string encoding and decoding, a path scanner (great), an LFI checker, Flask RCE (fine) and many more options.

Bonus

All the techniques and tools above require manual effort: you have to drive them yourself to gather information. If you are looking for automated information gathering and web security tools, here are some:

Automated Information Gathering Tools

There are many tools, but here I am sharing some of the main ones. For bug bounty work I do not recommend using any automated scanner.

Vega Web Scanner


Vega is a website security scanner that helps you gather all the information it can about a target. It is open source, free of cost, and runs on Linux, OS X and Windows. It looks for vulnerabilities such as XSS, SQL injection and SSL misconfiguration, and it also collects all the parameters, forms, admin pages and so on, which gives you a map for manual testing afterwards.

Download Vega Scanner: https://subgraph.com/vega/

I recommend a minimum of 8 GB of RAM and a good internet connection to run Vega. By the way, it’s nice!

ZAP

ZAP is an open source web application scanner available for the main operating systems: Windows, Linux and macOS. It is developed under OWASP, one of the largest open source web security organizations.

It offers the same core functions as Burp Suite: an intercepting proxy, a spider and scanning of a specific URL.

I hope these all methods and tools will help you to figuring out vulnerabilities.

You can also look at paid automated web scanners such as Acunetix, Netsparker and Burp Suite Pro.

Thank You For Reading This Post!

Regards

Chirag Artani
