[Day 3] OSINT

December 3, 2022

Today I am reviewing OSINT techniques used for enumerating a website. Here is a recap of the day:

  • What OSINT is, and which techniques can extract useful information about a website or target

  • Using dorks to find specific information on the Google search engine

  • Discovering directories a site does not want indexed, through the robots.txt file

  • Domain owner information through WHOIS lookup

  • Searching data from hacked databases

  • Acquiring sensitive information from publicly available GitHub repositories

One powerful technique I have been learning about is Google Dorking, and how much exposed data can be found just through a search engine's crawler. Here is a great example of a Google dork for finding video files in open directory listings:

intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) -inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)

I want to break this down a bit.

  • intext:"chernobyl": the word must appear in the body text of the page.

  • intitle:"index.of": the page title must contain "index of", which is the default title of an open directory listing. The separate group (wmv|mpg|avi|mp4|mkv|mov) is an OR list: the page must also mention at least one of those video formats.

  • -inurl:(jsp|pl|php|html|aspx|htm|cf|shtml): inurl matches pages whose URL contains the term, and the leading minus negates it, so results whose URL contains any of these script or page extensions are excluded. That filters out ordinary web pages and leaves raw directory listings.
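To make the operator semantics concrete, here is a small dork evaluator I added for this post (it is not part of the room or the original write-up). It parses the dork above into clauses and runs them over constructed page records, so you can point it at an inventory of your own site's pages and see which ones an open-directory dork would surface. Matching is a simplification of Google's: terms are compared as whole words, and the dot in a quoted term like "index.of" is treated as a word separator.

```python
import re

# Constructed sample page records (not real crawl data): url, title and body text.
PAGES = [
    {"url": "http://files.example.test/videos/",
     "title": "Index of /videos",
     "text": "Parent Directory chernobyl_ep1.mkv chernobyl_ep2.mp4"},
    {"url": "http://blog.example.test/post.php?id=7",
     "title": "Index of my thoughts",
     "text": "Watching chernobyl tonight, any mp4 rips?"},
    {"url": "http://files.example.test/music/",
     "title": "Index of /music",
     "text": "Parent Directory chernobyl_soundtrack.mp3"},
]

# Which page fields each operator searches; a term with no operator searches all.
FIELDS = {"intext": ("text",), "intitle": ("title",), "inurl": ("url",),
          None: ("url", "title", "text")}

# One dork term: optional "-" (negate), optional operator, then a quoted phrase,
# an (a|b|c) alternative group, or a bare word.
TERM = re.compile(r'(-?)(?:(intext|intitle|inurl):)?(?:"([^"]*)"|\(([^)]*)\)|(\S+))')

def words(s):
    """Tokenise like a search engine would: lower-case alphanumeric words only."""
    return re.findall(r"[a-z0-9]+", s.lower())

def parse_dork(dork):
    """Return (negated, operator, alternatives) for every term in the dork."""
    clauses = []
    for neg, op, quoted, group, bare in TERM.findall(dork):
        alts = [quoted] if quoted else group.split("|") if group else [bare]
        clauses.append((neg == "-", op or None, [words(a) for a in alts]))
    return clauses

def has_phrase(haystack, phrase):
    """True if the word list `phrase` occurs contiguously in the word list `haystack`."""
    n = len(phrase)
    return any(haystack[i:i + n] == phrase for i in range(len(haystack) - n + 1))

def clause_hits(page, op, alts):
    haystack = [w for f in FIELDS[op] for w in words(page[f])]
    return any(has_phrase(haystack, alt) for alt in alts)

def find_matches(dork, pages=PAGES):
    """URLs of pages that satisfy every positive term and no negated term."""
    clauses = parse_dork(dork)
    return [p["url"] for p in pages
            if all(clause_hits(p, op, alts) != neg for neg, op, alts in clauses)]

if __name__ == "__main__":
    DORK = ('intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) '
            '-inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)')
    print(find_matches(DORK))  # ['http://files.example.test/videos/']
```

Only the real directory listing survives: the blog post is dropped by the negated inurl clause because its URL contains "php", and the music listing fails the video-format group.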

Flags

Here is the website used to enumerate further and find flags: https://github.com/muhammadthm/SantaGiftShop

What is the name of the Registrar for the domain santagift.shop?

namecheap inc

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

{THM_OSINT_WORKS}

What is the name of the file containing passwords?

config.php

What is the name of the QA server associated with the website?

qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

S@nta2022
