Practical Web Application Penetration Testing Series – Chapter 2

September 29, 2016


In the first chapter we saw how to detect and recon the technology behind a website. In chapter 2 we are going to use the http://viewdns.info/ website, or Google, to discover the sub-domains of a website and gather information about it.

In Google, we use the query site:*.targetsite.com or site:*targetsite.com

For instance, if we want to find the sub-domains of microsoft.com with Google, we would use the query site:*.microsoft.com, as in the picture below:

[Image: google search.png]

As you can see, there are many sub-domains like: mva.microsoft.com, imagine.microsoft.com and others.

A good penetration tester always checks all sub-domains for vulnerabilities. Even if they are not on the same network, they could contain useful information.

Another way to find sub-domains and other useful information online is to use these sites: http://viewdns.info/, http://www.wolframalpha.com and https://www.netcraft.com

I used http://www.wolframalpha.com for the following demonstration: 

[Image: subdomain1.png]

In the third table we click on "Subdomains" to list all the sub-domains of the site:

[Image: subdomain2.png]

Just as easy as that.

Another thing we should consider is the reverse IP lookup. What is a reverse IP lookup? It is used to find all the sites hosted on a given server: on one server we could have two or more web applications sharing the same IP address (see the demonstration for the p30download.com site below).

[Image: reverse ip.png]

The point is that if we find a vulnerability in one of the other web applications hosted on that IP, we may be able to compromise the rest of them. For example, if we find a SQL injection on one of the domains and get into its database, we may also find the database information of the other domains there.
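Two things the search-engine and reverse-IP steps above leave to the tester are checking that a discovered name is really a sub-domain of the target (a query like site:*targetsite.com also matches lookalike domains) and spotting which in-scope names share one server. The script below is an added example, not code from the original article or from any of the tools it mentions: it filters discovered names to true sub-domains, resolves them and groups names by IP address. The resolver is pluggable so the sample runs offline; the hostnames, the FAKE_DNS table and fake_resolve are constructed stand-ins, and by default the live lookup uses socket.gethostbyname.

```python
import socket
from collections import defaultdict

def is_subdomain(host, domain):
    """True if host is domain itself or ends with '.' + domain.
    A bare suffix test (the site:*targetsite.com form) would also accept
    lookalikes such as nottargetsite.com, which are out of scope."""
    host = host.lower().rstrip('.')
    domain = domain.lower().rstrip('.')
    return host == domain or host.endswith('.' + domain)

def in_scope(hosts, domain):
    """Keep only the names that are genuine sub-domains of `domain`."""
    return [h for h in hosts if is_subdomain(h, domain)]

def group_by_ip(hosts, resolve=socket.gethostbyname):
    """Resolve every host and group the names that share one address.
    `resolve` defaults to a live DNS lookup; pass another callable to
    work from captured data instead."""
    shared = defaultdict(list)
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:          # socket.gaierror is an OSError
            continue             # unresolvable names are skipped
        shared[ip].append(host)
    return dict(shared)

def shared_hosting(hosts, resolve=socket.gethostbyname):
    """Only the addresses that serve more than one name (co-hosting)."""
    return {ip: names for ip, names in group_by_ip(hosts, resolve).items()
            if len(names) > 1}

# Constructed sample: names as a search engine might return them, mixed
# with lookalikes that are NOT sub-domains of example.com.
FOUND = ["www.example.com", "mva.example.com", "imagine.example.com",
         "notexample.com", "example.com.evil.test", "EXAMPLE.COM."]

# Constructed answers standing in for live DNS (documentation-range IPs).
FAKE_DNS = {"www.example.com": "203.0.113.10", "mva.example.com": "203.0.113.10",
            "imagine.example.com": "203.0.113.20", "example.com": "203.0.113.10"}

def fake_resolve(host):
    try:
        return FAKE_DNS[host.lower().rstrip('.')]
    except KeyError:
        raise socket.gaierror(host)  # same error a real lookup raises

if __name__ == "__main__":
    for ip, names in shared_hosting(in_scope(FOUND, "example.com"), fake_resolve).items():
        print(ip, "hosts", names)
```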

If we want to find sub-domains from Kali Linux, we can use the command: fierce -dns <domain name>

I personally prefer using online tools because my IP remains safe from IDS and firewalls and does not get blacklisted 😉 In my experience, sub-domains have a greater chance of having vulnerabilities, as programmers usually don't pay much attention to the security of sub-domains because they are usually less interactive with users.

Anyway, in our case we are not going to test all the sub-domains, but instead just this one: http://testphp.acunetix.com/

In the next chapter we will start using Burp Suite.

Thanks
