Passive Information Gathering

Public exploits

The most common public exploit databases:

Online

Questions to ask before executing exploits from the internet:

  • Does it initiate an HTTP or HTTPS connection?

  • Does it access a specific web application path or route?

  • Does the exploit leverage a pre-authentication vulnerability?

  • If not, how does the exploit authenticate to the web application?

  • How are the GET or POST requests crafted to trigger and exploit the vulnerability? Is there any HTTP method involved?

  • Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?

  • Will oddities such as self-signed certificates disrupt the exploit?
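
The checklist above can be turned into a static pre-flight review of a downloaded script. The following is an added example, not part of the original notes: it answers each question from the script text alone, using regex heuristics that assume a Python/requests-style web exploit (the sample script, the names review_exploit and review_report, and the patterns are all assumptions for illustration).

```python
"""Static pre-flight review of a downloaded exploit script (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: a fictional script body in the style of a requests-based
# web exploit. It targets nothing real and exists only to exercise the review.
SAMPLE_SCRIPT = '''
import requests
BASE = "https://target.example/webapp/"  # hard-coded default install path
s = requests.Session()
s.post(BASE + "login", data={"username": "admin", "password": "admin"}, verify=False)
r = s.get(BASE + "api/report?id=1")
print(r.status_code)
'''

# Heuristics (assumptions about typical Python/curl-style scripts, not a grammar).
URL_RE = re.compile(r"https?://[^\s\"')]+")
METHOD_RE = re.compile(r"\.(get|post|put|patch|delete|head|options)\s*\(", re.I)
PATH_LIT_RE = re.compile(r"[\"'](/[A-Za-z0-9_./-]+)[\"']")
CRED_RE = re.compile(r"password|passwd|username|authorization|cookie|login|token", re.I)
NOVERIFY_RE = re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE|--insecure")


def review_exploit(source: str) -> dict:
    """Answer the checklist questions from the script text alone."""
    parsed = [urlparse(u) for u in URL_RE.findall(source)]
    schemes = sorted({p.scheme for p in parsed})                                   # Q1
    paths = sorted({p.path for p in parsed if p.path not in ("", "/")}
                   | set(PATH_LIT_RE.findall(source)))                             # Q2, Q6
    methods = sorted({m.upper() for m in METHOD_RE.findall(source)})               # Q5
    auth_hits = sorted({m.lower() for m in CRED_RE.findall(source)})               # Q3, Q4
    return {
        "schemes": schemes,
        "paths": paths,
        "methods": methods,
        "pre_auth": not auth_hits,        # no credential handling seen -> likely pre-auth
        "auth_indicators": auth_hits,     # hard-coded logins are a common point of failure
        "tls_verify_disabled": bool(NOVERIFY_RE.search(source)),                   # Q7
    }


def review_report(source: str) -> str:
    """Render the findings as the checklist, one line per question."""
    f = review_exploit(source)
    lines = [
        f"1. Transport: {', '.join(f['schemes']) or 'no URL found'}",
        f"2. Fixed paths/routes: {', '.join(f['paths']) or 'none'}",
        f"3. Pre-auth: {'yes (no credential handling seen)' if f['pre_auth'] else 'no'}",
        f"4. Auth indicators: {', '.join(f['auth_indicators']) or 'none'}",
        f"5. HTTP methods: {', '.join(f['methods']) or 'none'}",
        f"6. Default-path assumption: {'verify ' + ', '.join(f['paths']) if f['paths'] else 'none'}",
        f"7. TLS verification disabled: {'yes' if f['tls_verify_disabled'] else 'no'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(SAMPLE_SCRIPT))
```

The output is a review aid, not a verdict: a script that builds its URL at runtime or authenticates through a helper library will slip past these patterns, so read the source as well.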

Offline

  • Metasploit

In order to use Metasploit you have to install exploitdb:

sudo apt update && sudo apt install exploitdb

The exploit database is stored in /usr/share/exploitdb/.

Example usage:

searchsploit remote smb microsoft windows

You can copy (mirror) an exploit into the current directory using the -m switch:

searchsploit -m windows/remote/48537.py
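
To see what searchsploit does with that directory, here is an added example (not part of the original notes and not searchsploit's own code) that searches a simplified files_exploits.csv with the same AND-matching of terms and mirrors a hit the way -m does. The CSV rows, IDs and paths are constructed placeholders; the real files_exploits.csv has more columns.

```python
"""Local ExploitDB search and mirror, modelled on searchsploit (added example)."""
import csv
import io
import os
import shutil
import tempfile

# Constructed, simplified files_exploits.csv. The IDs, titles and paths below
# are placeholders, not real ExploitDB entries.
SAMPLE_CSV = """id,file,description,date,author,type,platform,port
10001,exploits/windows/remote/10001.py,Example SMB Service - Remote Code Execution,2020-01-01,example,remote,windows,445
10002,exploits/linux/local/10002.c,Example Kernel Module - Local Privilege Escalation,2019-05-05,example,local,linux,0
10003,exploits/windows/webapps/10003.txt,Example Web Portal - Remote Authentication Bypass,2021-02-02,example,webapps,windows,80
"""


def load_db(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def search(rows: list, query: str) -> list:
    """AND-match every term, case-insensitively, against title, path and platform,
    which is roughly how `searchsploit remote smb microsoft windows` narrows results."""
    terms = [t.lower() for t in query.split()]
    hits = []
    for row in rows:
        haystack = f"{row['description']} {row['file']} {row['platform']}".lower()
        if all(t in haystack for t in terms):
            hits.append(row)
    return hits


def mirror(rows: list, exploit_id: str, db_root: str, dest_dir: str) -> str:
    """Copy one exploit into dest_dir, like `searchsploit -m <path>`."""
    row = next(r for r in rows if r["id"] == str(exploit_id))
    src = os.path.join(db_root, row["file"])
    dst = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    return dst


def build_sample_db() -> str:
    """Lay out a throwaway directory the way /usr/share/exploitdb is organised."""
    root = tempfile.mkdtemp(prefix="exploitdb-sample-")
    with open(os.path.join(root, "files_exploits.csv"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CSV)
    for row in load_db(SAMPLE_CSV):
        path = os.path.join(root, row["file"])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"# placeholder file for: {row['description']}\n")
    return root


def demo(query: str = "remote smb windows") -> dict:
    """Build the sample DB, search it, mirror the first hit; report what happened."""
    root = build_sample_db()
    with open(os.path.join(root, "files_exploits.csv"), encoding="utf-8") as fh:
        rows = load_db(fh.read())
    hits = search(rows, query)
    workdir = tempfile.mkdtemp(prefix="work-")
    copied = mirror(rows, hits[0]["id"], root, workdir) if hits else None
    return {
        "hit_ids": [h["id"] for h in hits],
        "copied": copied,
        "copied_exists": bool(copied) and os.path.isfile(copied),
    }


if __name__ == "__main__":
    print(demo())
```

Searching the title, path and platform together is why adding terms narrows rather than widens the result set; a term that appears in none of those fields drops the entry.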

  • Core Impact

  • Canvas

  • BeEF

  • Nmap NSE scripts

The complete list of NSE scripts is in /usr/share/nmap/scripts.

Grep the scripts for exploits:

grep Exploits /usr/share/nmap/scripts/*.nse

Information about a specific script:

nmap --script-help=<SCRIPT>.nse
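
NSE scripts declare their metadata as Lua assignments (description, author, license, categories), which is what both the grep and --script-help read. As an added example, not from the original notes or from Nmap, the following parses those fields from script text and lists scripts per category; the three script bodies are constructed stand-ins, not real Nmap scripts.

```python
"""Parse NSE script headers and list scripts by category (added example)."""
import re

# Constructed sample NSE script bodies, trimmed to the header fields that real
# scripts carry. Names and contents are fictional.
SAMPLE_SCRIPTS = {
    "example-banner.nse": '''
description = [[
Connects to a service and reports its banner.
]]
author = "example"
license = "example"
categories = {"default", "discovery", "safe"}
''',
    "example-version-check.nse": '''
description = [[
Reports whether a service version is listed as affected by a known issue.
]]
categories = {"vuln", "safe"}
''',
    "example-stress.nse": '''
description = [[Sends a burst of requests to measure service resilience.]]
categories = {"dos", "intrusive", "exploit"}
''',
}

CAT_RE = re.compile(r"categories\s*=\s*\{([^}]*)\}")
DESC_RE = re.compile(r"description\s*=\s*\[\[(.*?)\]\]", re.S)


def parse_nse(source: str) -> dict:
    """Extract the categories list and the description from one script's source."""
    cats = CAT_RE.search(source)
    desc = DESC_RE.search(source)
    return {
        "categories": re.findall(r'"([^"]+)"', cats.group(1)) if cats else [],
        "description": " ".join(desc.group(1).split()) if desc else "",
    }


def scripts_in_category(scripts: dict, category: str) -> list:
    """Structured equivalent of grepping the scripts directory for a category."""
    return sorted(name for name, src in scripts.items()
                  if category in parse_nse(src)["categories"])


def script_help(scripts: dict, name: str) -> str:
    """Roughly what `nmap --script-help=<name>` prints for one script."""
    info = parse_nse(scripts[name])
    return f"{name}\nCategories: {' '.join(info['categories'])}\n{info['description']}"


if __name__ == "__main__":
    for cat in ("safe", "intrusive", "exploit"):
        print(cat, scripts_in_category(SAMPLE_SCRIPTS, cat))
    print(script_help(SAMPLE_SCRIPTS, "example-banner.nse"))
```

Reading categories rather than grepping free text matters in practice: a script whose description merely mentions the word "exploit" is not in the exploit category, and only the category decides whether `--script=exploit` will run it.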

Google Dorking

You can find interesting files using DorkSearch: https://dorksearch.com

If you are more experienced you can write the search queries yourself:

site:megacorpone.com -filetype:html

Google Hacking Database: https://www.exploit-db.com/google-hacking-database

Netcraft

We can use Netcraft's DNS search page to gather information about any domain: https://searchdns.netcraft.com

Open-Source Code

GitHub, GitHub Gist, GitLab and SourceForge.

Code stored online can provide a glimpse into the programming languages and frameworks used by an organization. You can also find sensitive material in the code, such as credentials or private keys.

A useful tool for automating this kind of research is gitleaks: https://github.com/gitleaks/gitleaks

./gitleaks-linux-amd64 -v -r=https://github.com/project
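
What gitleaks does underneath is run a rule set of secret patterns over every line of a repository and report file, line and rule. The following is an added example of that idea, not gitleaks' own code or rule set: a few representative rules, a Shannon-entropy score to help triage generic matches, and redaction of the matched value in the report. The sample repository contents are constructed (the AWS key is the placeholder from AWS's own documentation; everything else is made up).

```python
"""Minimal secret scanner in the spirit of gitleaks (added example)."""
import math
import re
from collections import Counter

# Constructed sample repository contents. The AWS key is the placeholder from
# AWS's own documentation; the other values are made up for this example.
SAMPLE_FILES = {
    "config/settings.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]  # fine: read from the environment\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # documented placeholder key\n'
        'api_key = "s3cr3t-example-api-key-9f8e7d"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEplaceholderbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".github/workflows/ci.yml": (
        "env:\n"
        "  TOKEN: ghp_0123456789abcdefghijklmnopqrstuv0123\n"
    ),
}

# Rule set: name -> pattern. A capturing group, when present, isolates the secret.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic-credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, plain words score low."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be matched to its source, hide the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_files(files: dict) -> list:
    """Run every rule over every line; one finding per (file, line, rule)."""
    findings = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for rule, pattern in RULES.items():
                m = pattern.search(line)
                if not m:
                    continue
                secret = m.group(m.lastindex or 0)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "rule": rule,
                    "match": redact(secret),
                    "entropy": round(shannon_entropy(secret), 2),
                })
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['match']} (entropy {f['entropy']})")
```

Note the line that reads the password from the environment produces no finding: the generic rule requires a quoted literal after the assignment, which is the difference between configuration and a leaked secret. A real scanner such as gitleaks also walks git history, since a secret removed in a later commit is still in the repository.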

Shodan

Shodan searches for internet-connected devices, interacts with them, and displays information about them. https://www.shodan.io

Security Headers and SSL/TLS scan

You can check whether a given web page or web application has misconfigured security headers, and what the security posture of its SSL/TLS implementation is.

To do that you can use the SSL Server Test from Qualys SSL Labs: https://www.ssllabs.com/ssltest/
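
The header half of that check can be done offline from a captured response. As an added example (not from the original notes and not the Qualys tooling), the following parses raw HTTP response headers and flags the common weaknesses such scanners report: missing or short HSTS, missing CSP or one that permits inline script, missing nosniff, no clickjacking protection, no Referrer-Policy, and server version disclosure. The two responses are constructed; the one-year HSTS threshold is an assumed policy value.

```python
"""Security-header review of a captured HTTP response (added example)."""
import re

# Constructed responses: a weakly configured server and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

ONE_YEAR = 31536000  # assumed minimum HSTS max-age; adjust to your policy


def parse_response_headers(raw: str) -> dict:
    """Return a lower-cased header name -> value map from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: dict) -> list:
    """Return (header, problem) pairs for missing or weak security headers."""
    problems = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append(("strict-transport-security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            problems.append(("strict-transport-security", f"max-age={max_age} is below one year"))
    csp = headers.get("content-security-policy", "")
    if not csp:
        problems.append(("content-security-policy", "missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        problems.append(("content-security-policy", "allows unsafe-inline or unsafe-eval"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        problems.append(("x-content-type-options", "missing or not 'nosniff'"))
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        problems.append(("x-frame-options", "no clickjacking protection (XFO or CSP frame-ancestors)"))
    if "referrer-policy" not in headers:
        problems.append(("referrer-policy", "missing"))
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        problems.append(("server", f"version disclosure: {server}"))
    return problems


def audit(raw_response: str) -> list:
    return check_security_headers(parse_response_headers(raw_response))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no findings")
```

The TLS half (protocol versions, cipher suites, certificate chain) needs a live handshake and is what the SSL Labs test adds on top of this; header checks alone say nothing about the transport.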
