The parts worth a closer look are whois, netcraft and recon-ng... work through the exercises at home...
Google Search
site:"microsoft.com"
Search the domain excluding the www subdomain
site:"microsoft.com" -site:"www.microsoft.com"
File search
site:"microsoft.com" filetype:ppt "penetration testing"
Finding vulnerable servers by searching for content that indicates a known vulnerability
intitle:"VNC viewer for JAVA"
inurl:"/control/userimage.html"
inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
Searching for sites that have a backdoor installed
intitle:"-N3t" filetype:php undetectable
Reference: GHDB (Google Hacking Database) categories
www.exploit-db.com/google-dorks/
3.1.3 - Exercises
1. Choose an organization and use Google to gather as much information as possible about it
2. Use the Google filetype search operator and look for interesting documents from the target organization
3. Re-do the exercise on your company’s domain. Can you find any data leakage you were not aware of?
3.2 - Email Harvesting
root@kali:~# theharvester -d cisco.com -b google >google.txt
root@kali:~# theharvester -d cisco.com -l 10 -b bing >bing.txt
3.2.1 - Exercise
1. Use theharvester to enumerate email addresses belonging to the organization you chose in the previous exercises
2. Experiment with different data sources (-b). Which work best for you?
3.3 - Additional Resources
3.3.1 - Netcraft
Netcraft is an Internet monitoring company based in Bradford-on-Avon, England.
Netcraft can be used to indirectly find out information about web servers on the Internet.
The following screenshot shows the results for all the domain names containing the string *.cisco.com, performed through the DNS search page offered by Netcraft.
3.3.2 - Whois Enumeration
Whois is a name for a TCP service, a tool, and a type of database. Whois databases contain name server, registrar, and, in some cases, full contact information about a domain name.
root@kali:~# whois megacorpone.com
root@kali:~# whois 50.7.67.186
3.3.3 - Exercise
1. Use the whois tool in Kali to identify the name servers of your target organization
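Raw `whois` output is a loose list of key: value lines whose keys differ between registries, so the exercise above (pull out the name servers, plus the registrar and any contact addresses) is easier with a small parser than by eye. The following is an added example written for these notes, not code from the OSCP course or from the whois tool; it runs offline on a constructed sample of whois output and handles both the verbose `Name Server:` key used by .com registrars and the terse `nserver:` key some registries print (host followed by an IP). It also goes one step beyond the exercise from the defender's side: `exposed_personal_emails` flags contact addresses in the target's own domain that are not generic role accounts, which is the kind of data leakage the earlier exercise asks you to look for on your own company's domain. The role-account list and the sample record are assumptions made for the example.

```python
import re

# Constructed sample of whois output (not real registry data). It mimics the
# key: value layout that `whois <domain>` prints for a .com domain and adds
# one "nserver:" line in the terser style used by some regional registries.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@example-registrar.test
Updated Date: 2019-11-02T10:15:00Z
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: ns2.example-target.com
Name Server: NS1.EXAMPLE-TARGET.COM
nserver: ns3.example-target.com 192.0.2.53
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: hostmaster@example-target.com
Tech Email: jane.doe@example-target.com
>>> Last update of whois database: 2020-02-18T00:00:00Z <<<
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A key is a run of words before the first colon; the value is the rest of the line.
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?)\s*:\s*(.+?)\s*$")

# Keys are normalised by lowercasing and dropping spaces/underscores/hyphens.
NS_KEYS = {"nameserver", "nameservers", "nserver"}
REGISTRAR_KEYS = {"registrar", "registrarname"}
# Assumed list of generic role mailboxes that do not identify a person.
ROLE_ACCOUNTS = {"abuse", "admin", "administrator", "dns", "hostmaster", "noc",
                 "postmaster", "security", "support", "webmaster"}


def parse_whois(text):
    """Return domain, registrar, name servers and e-mail addresses found in raw whois output."""
    domain = None
    registrar = None
    name_servers = []   # ordered, de-duplicated, lowercase host names
    emails = []         # ordered, de-duplicated, lowercase addresses
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            key = re.sub(r"[\s_-]", "", m.group(1)).lower()
            value = m.group(2)
            if key == "domainname" and domain is None:
                domain = value.lower()
            elif key in REGISTRAR_KEYS and registrar is None:
                registrar = value
            elif key in NS_KEYS:
                # "nserver: host ip" style lines carry an address after the host; keep the host.
                host = value.split()[0].rstrip(".").lower()
                if host not in name_servers:
                    name_servers.append(host)
        # Addresses appear under many different keys, so scan every line for them.
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if addr not in emails:
                emails.append(addr)
    return {"domain": domain, "registrar": registrar,
            "name_servers": name_servers, "emails": emails}


def exposed_personal_emails(parsed):
    """Addresses in the domain's own mail domain whose local part is not a generic role account."""
    domain = parsed["domain"] or ""
    flagged = []
    for addr in parsed["emails"]:
        local, _, host = addr.partition("@")
        if host == domain and local not in ROLE_ACCOUNTS:
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    result = parse_whois(SAMPLE_WHOIS)
    print("domain      :", result["domain"])
    print("registrar   :", result["registrar"])
    print("name servers:", ", ".join(result["name_servers"]))
    print("emails      :", ", ".join(result["emails"]))
    print("personal    :", ", ".join(exposed_personal_emails(result)) or "(none)")
```

To use it on real output, capture `whois megacorpone.com > whois.txt` and feed the file contents to `parse_whois`; for a domain you own, anything returned by `exposed_personal_emails` is a contact record worth replacing with a role mailbox or registrar privacy protection.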
3.4 - Recon-ng
As described by its authors, “Recon-ng is a full-featured web reconnaissance framework written in Python. Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.”
root@kali:~# recon-ng
[recon-ng][default] > use recon/domains-contacts/whois_pocs
[recon-ng][default][whois_pocs] > show options
[recon-ng][default][whois_pocs] > set SOURCE cisco.com
[recon-ng][default][whois_pocs] > run
[recon-ng][default] > use recon/domains-vulnerabilities/xssed
[recon-ng][default][xssed] > set SOURCE cisco.com
[recon-ng][default][xssed] > run
[recon-ng][default] > use recon/domains-hosts/google_site_web
[recon-ng][default][google_site_web] > set SOURCE cisco.com
[recon-ng][default][google_site_web] > run
Many of the modules in recon-ng require API keys with their respective service providers.
Take some time to check out recon-ng and its various modules.
- No Exercise