---------------------------------------------------------------------------------------------------------------------
Google Hacking Database :-
In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.
https://www.exploit-db.com/google-hacking-database
inurl: "index.php?id="
----------------------------------------------------------------------------------------------------------------
Nikto :- This gives information about the server on which the web application is running (server banner, missing security headers, outdated software, directory indexing).
nikto -e 1 -h 172.31.93.23
nikto -h 172.31.93.23 -p 80
root@kali:~# nikto -e 1 -h 52.23.205.52
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 52.23.205.52
+ Target Hostname: 52.23.205.52
+ Target Port: 80
+ Using Encoding: Random URI encoding (non-UTF8)
+ Start Time: 2019-11-11 08:47:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.34 (Amazon)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 394812, size: 38, mtime: Mon Nov 11 07:57:20 2019
+ Apache/2.2.34 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ 7888 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2019-11-11 08:47:15 (GMT0) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
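As an added example (not part of the original notes or of Nikto itself), a small Python helper that parses Nikto's "+" finding lines such as the scan above, de-duplicates repeated findings and maps each one to an Apache httpd hardening directive; the regex rules and directive mapping are my own assumptions, not Nikto output.

```python
import re

# Constructed sample: the "+" finding lines copied from the Nikto scan above.
SAMPLE_NIKTO = """\
+ Server: Apache/2.2.34 (Amazon)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 394812, size: 38, mtime: Mon Nov 11 07:57:20 2019
+ Apache/2.2.34 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /icons/: Directory indexing found.
"""

# (regex over the finding text, finding id, Apache httpd remediation).
# The mapping is a hypothetical hardening plan written for this example.
RULES = [
    (r"X-Frame-Options header is not present", "missing-x-frame-options",
     'Header always set X-Frame-Options "SAMEORIGIN"'),
    (r"X-XSS-Protection header is not defined", "missing-x-xss-protection",
     "Prefer a Content-Security-Policy header; X-XSS-Protection is legacy"),
    (r"X-Content-Type-Options header is not set", "missing-x-content-type-options",
     'Header always set X-Content-Type-Options "nosniff"'),
    (r"leak inodes via ETags", "etag-inode-leak", "FileETag MTime Size"),
    (r"appears to be outdated", "outdated-server", "Upgrade httpd to a supported release"),
    (r"Directory indexing found", "directory-indexing", "Options -Indexes"),
]

def parse_findings(text):
    """Return de-duplicated findings as (id, remediation, original line) tuples."""
    seen, findings = set(), []
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue  # skip banner / separator lines
        for pattern, fid, fix in RULES:
            if re.search(pattern, line) and fid not in seen:
                seen.add(fid)
                findings.append((fid, fix, line[2:]))
    return findings

def remediation_plan(text):
    """Collapse the findings into an ordered list of directives / actions."""
    return [fix for _, fix, _ in parse_findings(text)]
```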
------------------------------------------------------------------------------------------------------------------
whois :-
whois cnn.com --- This gives information about the domain registration, for example:
Domain Name: CNN.COM
Registry Domain ID: 3269879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2018-04-10T16:43:38Z
Creation Date: 1993-09-22T04:00:00Z
Registry Expiry Date: 2026-09-21T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS-1086.AWSDNS-07.ORG
Name Server: NS-1630.AWSDNS-11.CO.UK
Name Server: NS-47.AWSDNS-05.COM
Name Server: NS-576.AWSDNS-08.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: h
... and many more fields.
----------------------------------------------------------------------------------------------------------------
theHarvester :-
root@kali:/usr/share/theharvester# ./theHarvester.py -d microsoft.com -l 500 -b google --- This lists the discovered hostnames together with the IP address of each application server,
like below:
cloudblogs.microsoft.com:107.154.103.97
compass-ssl.microsoft.com:104.106.190.130
devblogs.microsoft.com:104.81.164.97
ds.microsoft.com:204.79.197.219
msdn.microsoft.com:104.108.116.12
msrc-blog.microsoft.com:40.122.65.162
news.microsoft.com:192.237.225.141
schemas.microsoft.com:104.108.119.185
support.microsoft.com:184.28.88.173
techcommunity.microsoft.com:208.74.205.202
www.microsoft.com:23.66.102.27
--------------------------------------------------------------------------------------------------------------
Shodan :- Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.
To get the local router (default gateway) IP address:
root@kali:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         172.31.80.1     0.0.0.0         UG      0 0          0 eth0
172.31.80.0     0.0.0.0         255.255.240.0   U       0 0          0 eth0
root@kali:~#
-------------------------------------------------------------------------------------------------------------------------
DNS Zone transfers with Dig :-
root@kali:~# dig axfr facebook.com @A.NS.FACEBOOK.COM
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com. 3600 IN SOA a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
root@kali:~#
root@kali:~# dig google.com
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 60 IN A 172.217.15.78
;; Query time: 2 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Mon Nov 11 09:25:09 UTC 2019
;; MSG SIZE rcvd: 55
----------------------------------------------------------------------------------------------------------------------
dnsenum :- a tool similar to dig, but it returns more information (name servers, MX records, zone transfer attempts against every name server)
root@kali:~# dnsenum google.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
----- google.com -----
Host's addresses:
__________________
google.com. 60 IN A 172.217.12.238
Name Servers:
______________
ns4.google.com. 60 IN A 216.239.38.10
ns1.google.com. 60 IN A 216.239.32.10
ns2.google.com. 60 IN A 216.239.34.10
ns3.google.com. 60 IN A 216.239.36.10
Mail (MX) Servers:
___________________
alt2.aspmx.l.google.com. 60 IN A 209.85.202.26
alt3.aspmx.l.google.com. 45 IN A 172.253.120.26
alt4.aspmx.l.google.com. 60 IN A 172.217.218.27
aspmx.l.google.com. 60 IN A 172.217.197.26
alt1.aspmx.l.google.com. 60 IN A 64.233.186.27
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for google.com on ns4.google.com ...
AXFR record query failed: corrupt packet
Trying Zone Transfer for google.com on ns1.google.com ...
AXFR record query failed: corrupt packet
Trying Zone Transfer for google.com on ns2.google.com ...
AXFR record query failed: corrupt packet
Trying Zone Transfer for google.com on ns3.google.com ...
AXFR record query failed: corrupt packet
brute force file not specified, bay.
root@kali:~#
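As an added example (not part of the original notes, dig or dnsenum), a Python audit helper for both the dig AXFR section and the dnsenum section above: it parses the tools' output and reports whether a name server refused the transfer or handed out the zone, so you can check your own zones. The refused sample is the dig output above; the "open" sample and its example.test names are constructed.

```python
import re

# Constructed samples: the refused dig transfer from above, a hypothetical
# successful transfer of a zone that does not restrict AXFR, and the dnsenum block.
DIG_REFUSED = """\
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com. 3600 IN SOA a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
"""
DIG_OPEN = """\
; <<>> DiG 9.11.5 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019111101 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
www.example.test. 300 IN A 192.0.2.10
db-internal.example.test. 300 IN A 10.0.0.5
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019111101 7200 900 1209600 300
;; Query time: 4 msec
"""
DNSENUM_SNIPPET = """\
Trying Zone Transfer for google.com on ns4.google.com ...
AXFR record query failed: corrupt packet
Trying Zone Transfer for google.com on ns1.google.com ...
AXFR record query failed: corrupt packet
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def audit_dig_axfr(output):
    """Classify a `dig axfr` run; a complete transfer is bracketed by two SOA records."""
    records = [RR.match(line).groups() for line in output.splitlines() if RR.match(line)]
    soa_count = sum(1 for _, rtype, _ in records if rtype == "SOA")
    if "; Transfer failed." in output or soa_count < 2:
        return {"open": False, "records": len(records)}
    # The zone leaked: list the address records an outsider would now know about.
    hosts = sorted({name for name, rtype, _ in records if rtype in ("A", "AAAA")})
    return {"open": True, "records": len(records), "hosts": hosts}

def audit_dnsenum(output):
    """Per-name-server AXFR result from dnsenum's 'Trying Zone Transfer' block."""
    results, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Trying Zone Transfer for \S+ on (\S+)", line)
        if m:
            current = m.group(1)
            results[current] = "transferred"  # dnsenum prints the zone on success
        elif line.startswith("AXFR record query failed") and current:
            results[current] = "refused"
    return results
```

Any name server reported as open or transferred should have its transfer ACL (for BIND, the `allow-transfer` option) restricted to the secondaries.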