A website reconnaissance is actually knowing the particular website before attacking it.Reconnaissance is gathering as much as information about the anything before attacking it.It would actually make attacking way more easy when you have a lot of information about the particular website or system.A website reconnaissance is a information gathering about the website that you want to hack or do some security checks.
Basically,The making of a website contains some of the equipment given below:
1. Domain name/sub domain
2. web hosting provider or self hosted
4. CMS -(Content management system)
5. And hard work by the owner and his/her talented imagination(which is why you should do these stuff with a purpose and with “these stuff ” I meant HACKING. If you want a play ground then play with website but inform the owner about the security holes after check. Don’t just keep on defacing the websites like a Stray Dog with no purpose because there are people who are probably making a living out there and you are no one to ruin that and this is coming from a person who had been indulge in these things and always had a PURPOSE! )
OKAY…! So a domain name is actually your site name which could be “anything.com”. A sub-domain is actually a domain name which is provided for free by some major hosting and they end up with their name like wordpress provide subdomains like “anything.wordpress.com” thats a subdomain probably being hosted on their own server.
Domain name Foot-printing:
1. Whois – You can get total information about the owner and the admin of the domain, the technician and stuff so that’s a must.You would also get information about name server which would be a great help in DNS reconnaissance.
2.Search engines can give you a lot of information about the website sometimes you can find hidden URLS that will be great help, they could also provide internet directories which could help.Use the cache systems by google cache for searches.Check the archives if you get something nasty which might have been there before.
After finding information about the domain name lets dive deeper.
You should know the CMS information.Having knowledge about content management system is one the most important thing.Content management system is basically the system which manages the content on a site.Such as WordPress provide content management system which we can download on the hosting provider and run it by our self. You can read about CMS on wiki if you still don’t get it. So finding information about CMS is one of the important thing.
Robots.txt –You must have heard about this.It is just a text file for search engines telling them what to index and what to not.If you can’t find admin page of a website through google that might probably because of this little text file.But its not the matter now because many malicious reputed crawler don’t even see the “Disallow:”. So robots.txt can give you a lot of information sometimes it even gives you information about the CMS. Here is an example:
So now you know about robots.txt. Don’t use crawlers manually visit the website through proxy or any other anonymous way as described in the first article and see it yourself(you can visit without proxy too!).
Netcraft — The best tool ever known,you can download the netcraft addon for firefox or chrome and see the charms. Netcraft is basically an internet service company which monitors the security holes, checks for anti-phishing and many more stuff. It gives you information about the servers, the versions, the netblock, the Operating system etc. Go through it yourself and you can get a lot of information. You can check site reports and find out information.
Builtwith.com — Gives you CMS information,server and clears out a lot of information which you need.
hackertarget.com — Actually it gives you security holes and tells you risk rating about the CMS.
Tamper data — addon for mozilla which is used to tamper on going requests.One of the best for tampering sometimes it sends hidden information in forums so must watch it.Since I gotta wrap up because this article would be so big and you probably get bored, I’m just giving sneak peaks.
Headers — Gives you way more information.Headers gives you server names,version of the server, php (X-powered by)versions,ASP .NET version etc. The more you know headers that more it would be easier for you to gather information.
PHP version recon — Sometimes the owner of the website hides information about php version from headers they do so by turning off expose_php in php.ini. So Easter eggs will be a great help.It just comes with php versions they are different for each php version so google about them and find how they actually do so. Look Here.
Find out the admin pages, you can either guess it or through the website to a tool called dirb or dirbuster. It got a wordlist of directories already generated and it checks for each word and if available then !there you got the list! of directories.Try SQL injection part of scanning actually sorry I mentioned it here.
Check forums and group discussions of a website, be a part of community, know about it if you got a deeper purpose.
Go through the list of OWASP TOP Ten vulnerabilities and see through the entire website if you could find any of those. XSS,SQL,CSRF etc. They are quite different from our current topic because our main motto in this article is just to know the how the website is made so we can later use this information to scan and exploit our target.
Now You might be wondering why we check for the versions of a server, the php, ASP .net or CMS. Now the versions are actually the updates. These updates are provided on a daily basis by the corresponding companies and these updates are made due to security holes or little hot fixes. If the website have an older version and if there are any possible attacks which could be available for that version (which always does) then you can eventually just use that vulnerability to exploit the target that would be easier. There are number of add-ons for Chrome and Mozilla that you can find online based on finding there version.So use what you got.