PenTest+ Study Notes 4 Flashcards
??? allows you to search for older versions of websites. A cached copy is a snapshot of the raw HTML and some of the page contents; while most of the text is generally present, the images are not always archived. Most of the time this is still enough to scrape data and research older activity, and it is how you view a web page that has since been removed or deleted. ex: cache:https://comptia.org
Reverse Image Search : TinEye, Google, Yandex, Bing …
web cache viewer :
??? On a public web page, there is a chance that web crawlers will search the source code to learn about the structure of the site and possibly find interesting information. One way to control where they search is a file, called robots.txt, that directs the bots to the Extensible Markup Language (XML) sitemap file and tells them where to search and, more importantly, where NOT to search. Note that robots.txt is advisory only: a well-behaved crawler honors it, but nothing enforces it, so for a tester the Disallow entries are a convenient list of paths the site owner would rather not have indexed. ex: https://<target>/robots.txt
Robots.txt :
??? is done during the footprinting and reconnaissance stage to discover potential attack vectors and vulnerabilities on a web server. The team first needs to determine how the target hosts the site, which can be either self-hosted or cloud-based; how to go about testing will be outlined in the project scope. If the site is cloud-based, for example on Amazon Web Services (AWS), the team must also adhere to the penetration testing policy of the hosting provider.
Website enumeration :
Typically, the team looks for vulnerabilities that enable the following attacks: cross-site scripting (XSS), SQL injection (SQLi), and caching server attacks. If the site is an ecommerce site, the team will also need to test other elements of the site, including coupon and reward redemption, the content management system, and the integration with the payment gateway.
info
Investigating a Website : tools include browsers, Nmap, Metasploit, and DirBuster. Forced browsing is used to identify unlinked URLs or IPs on a website in order to gain access to unprotected resources. Forced browsing can be automated but is often a manual process due to the variance in naming conventions of application index directories and pages.
In addition, OSINT tools such as Maltego, along with standard or Google hacking searches, can reveal the technologies that a public website or other resource is using.
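The following is an added example, not part of the original notes or of DirBuster: the core loop of a forced-browsing tool, which expands a wordlist by common extensions, requests each candidate, and discards both real 404s and "soft 404s" (a server that answers 200 with the same not-found page for everything). To stay runnable offline, the live server is replaced by a constructed response table; the wordlist, the example.test hostname and the response sizes are all assumptions. The `http_fetch` function shows the same interface against a real host.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed wordlist and extensions (assumptions, not a real tool's list).
WORDS = ["admin", "backup", "config", "index", "old", "uploads"]
EXTS = ["", "/", ".php", ".bak", ".zip"]

# Constructed stand-in for a live server: url -> (status, body length in bytes).
# Anything not listed gets a soft 404: HTTP 200 with a fixed-size "not found" page.
FAKE_SERVER = {
    "https://www.example.test/admin": (301, 0),
    "https://www.example.test/admin/": (200, 4120),
    "https://www.example.test/backup.zip": (200, 881234),
    "https://www.example.test/config.php": (403, 0),
    "https://www.example.test/index.php": (200, 2310),
}
SOFT_404 = (200, 1500)


def fake_fetch(url):
    return FAKE_SERVER.get(url, SOFT_404)


def http_fetch(url, timeout=5):
    """Same (status, length) contract against a real server.
    Note urlopen follows redirects, so a 301 shows up as its final target's status."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:       # 4xx/5xx still carry a body worth measuring
        return err.code, len(err.read())


def candidates(base, words=WORDS, exts=EXTS):
    """Cartesian product of words and extensions, as absolute URLs."""
    return [urljoin(base, word + ext) for word in words for ext in exts]


def baseline(base, fetch):
    """Request a path that cannot exist to learn the server's not-found signature."""
    return fetch(urljoin(base, "zz-nonexistent-9f3c2e/"))


def force_browse(base, fetch, words=WORDS, exts=EXTS):
    """Return {url: status} for candidates that look real.
    A response whose status and length match the baseline is treated as a soft 404."""
    not_found_sig = baseline(base, fetch)
    hits = {}
    for url in candidates(base, words, exts):
        status, length = fetch(url)
        if status == 404 or (status, length) == not_found_sig:
            continue
        hits[url] = status                      # 403 is still a hit: the resource exists
    return hits


if __name__ == "__main__":
    for url, status in force_browse("https://www.example.test/", fake_fetch).items():
        print(status, url)
```

The baseline request is what separates this from a naive status-code check: without it, a site that answers 200 to everything would report every candidate as a hit. Length is a crude signature; real tools also compare word counts or a hash of the body with dynamic parts stripped.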
info
Vulnerability scanners can gather and validate certificate information to see whether there are any issues. Knowing what certificates are in use, and whether they are expired or otherwise problematic, can be useful to a penetration tester. Discovering out-of-date certificates often points to other administrative or support issues that can be exploited.
info
One of the more useful fields in a digital certificate from a reconnaissance perspective is the subject alternative name (SAN). The SAN extension lists the additional hostnames (often subdomains) the certificate covers, which can reveal hosts the tester did not already know about.
Organizations use SANs so that they don’t have to purchase and manage a different certificate for each individual resource.
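The following is an added example, not part of the original notes: it mints a throwaway self-signed certificate with several SANs for constructed example.test hostnames, then reads back from it the two things a tester wants from any certificate it collects, the SAN list and the expiry. The hostnames and organization name are assumptions; against a real target you would feed the same `list_sans` and `is_expired` functions a certificate saved from `openssl s_client`.

```shell
#!/bin/sh
# Added example: create a self-signed cert carrying SANs, then extract recon-relevant fields.
set -e
WORKDIR=$(mktemp -d)
CERT="$WORKDIR/cert.pem"

make_cert() {
  # -addext needs OpenSSL 1.1.1 or later. All names are constructed for the example.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORKDIR/key.pem" -out "$CERT" \
    -subj "/CN=www.example.test/O=Example Corp" \
    -addext "subjectAltName=DNS:www.example.test,DNS:api.example.test,DNS:vpn.example.test" \
    >/dev/null 2>&1
}

list_sans() {
  # Print one DNS SAN per line. IP: and email: SANs would need their own pattern.
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

is_expired() {
  # -checkend N exits 0 when the certificate is still valid N seconds from now.
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo no; else echo yes; fi
}

make_cert
echo "SANs:"
list_sans "$CERT"
echo "Not after: $(not_after "$CERT")"
echo "Expired:   $(is_expired "$CERT")"
```

Every SAN is a hostname the organization considered worth securing, so each one goes straight onto the enumeration list; a certificate that has already expired, or a SAN pointing at a host that no longer resolves, is the kind of administrative slip the notes above describe.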
Certificates can be revoked for a number of different reasons, such as the subject’s private key being compromised, the CA’s private key being compromised, or the issuing company or the certificate holder ceasing operation. Expiry is different: an expired certificate simply stops being valid on its own and does not need to be revoked.
When a client connects to a web server to initiate a transaction, the following process occurs: (1) The web server sends the client its certificate. (2) The client then queries the CA’s OCSP responder to check whether that certificate has been revoked.
info
In the standard approach to determining the status of a certificate, the burden rests on the client, which must contact the CA’s OCSP responder to confirm that the certificate has not been revoked (and in doing so tells the CA which sites it visits). OCSP stapling shifts that work to the web server. Stapling process: (1) The web server periodically queries the OCSP responder and obtains a time-stamped, CA-signed OCSP response for its own certificate. (2) During the TLS handshake the web server sends (“staples”) that signed response to the client together with the certificate, so the client can confirm the status without contacting the OCSP responder itself. The server does not vouch for its own certificate; the client still verifies the CA’s signature on the stapled response.
info
??? is information stored or recorded as a property of an object, the state of a system, or a transaction. ??? includes information such as the author, company, title, and subject. However, there is additional ??? that has minimal relevance, such as time spent editing the document and word count.
Metadata :
??? (1) : Metagoofil = is a Linux-based tool that searches for metadata in public documents located on the target website(s). It uses Python scripting to locate metadata within different document types such as pdf, doc, xls, ppt, odp, ods, docx, xlsx, and pptx. Metadata entries include information such as the author, company, title, and subject. However, there is additional metadata that has minimal relevance, such as time spent editing the document and word count. Metagoofil uses various Python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape the metadata, and then displays the information using Hypertext Markup Language (HTML). The output can then be viewed in a standard browser.
Tools for searching Metadata :
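The following is an added example, not part of the original notes or of Metagoofil: it shows where the metadata described above actually lives in a docx/xlsx/pptx file (a zip archive with `docProps/core.xml` and `docProps/app.xml` inside) and extracts it with only the standard library, then separates the recon-relevant fields (author, last editor, company, application version) from the low-value noise (edit time, word count) the notes mention. The document is constructed in memory; the user names, company and dates in it are invented for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed docProps/core.xml in the shape Word writes (values are invented).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q3 Network Diagram</dc:title>
  <dc:subject>internal</dc:subject>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>ACME\\svc-backup</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-04-02T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-06-18T16:42:00Z</dcterms:modified>
</cp:coreProperties>"""

# Constructed docProps/app.xml (application-level properties).
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>ACME Corp</Company>
  <TotalTime>95</TotalTime>
  <Words>412</Words>
</Properties>"""

# Fields that feed further recon: people, naming conventions, software versions, timelines.
USEFUL = ("title", "subject", "creator", "lastModifiedBy", "created", "modified",
          "Application", "AppVersion", "Company")


def build_sample_docx():
    """Assemble a minimal OOXML package in memory (enough structure for the metadata parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_ooxml_metadata(data):
    """Return {field: value} from the core and app property parts of a docx/xlsx/pptx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for element in root:                         # direct children hold the properties
                name = element.tag.split("}", 1)[-1]     # strip the XML namespace
                if element.text and element.text.strip():
                    found[name] = element.text.strip()
    return found


def triage(meta):
    """Split metadata into fields worth reporting and fields that are just noise."""
    useful = {k: v for k, v in meta.items() if k in USEFUL}
    noise = {k: v for k, v in meta.items() if k not in USEFUL}
    return useful, noise


if __name__ == "__main__":
    useful, noise = triage(extract_ooxml_metadata(build_sample_docx()))
    for key, value in useful.items():
        print(f"{key:16} {value}")
    print("ignored:", ", ".join(noise))
```

The `lastModifiedBy` value is the payoff: a DOMAIN\username string leaks both the internal domain name and a service-account naming convention, which is exactly the kind of detail later password-spraying or social-engineering steps are built on. PDFs keep the equivalent fields in their Info dictionary and XMP stream, which is why Metagoofil needs PdfMiner alongside the Office parsers.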