Hello, hi everyone. I am Sanjay Gupta. I welcome you to Sanjay Gupta Tech School. This is day eight of the cyber security bootcamp, and Sumit will be explaining a few more topics today. So welcome, Sumit, to the channel, and over to you. Just explain a few more topics to the folks.

Hello, welcome again to the cyber security bootcamp, day eight. My name is Sumit Jain, and today I will discuss how to gather information about a web application. Let me introduce myself. My name is Sumit Jain and I'm an ethical hacker and cyber security expert. Currently I am working with the Synack Red Team and the Pentabug red team. Apart from that, I'm a senior security specialist at GTO Networks; the company is located in Jaipur. I have 10 plus years of experience in web application security. Previously I was working as a guest instructor at CDTS, the Central Detective Training School, and right now I'm helping students, freshers and professionals to build their career in the cyber security stream. You can follow me on my YouTube channel; the channel name is Cyber Security Zone, where I'm regularly creating content related to various fields in application security, like web application, mobile application, API and network testing. You can follow Sanjay Gupta Tech School as well, where I'm conducting this cyber security bootcamp. You can share your feedback and review about this bootcamp.
So we will get some insightful thoughts from you. You can follow me on the platforms below, where I will be regularly posting stuff related to security: some instructions about how to install tools, how to operate some tools, and some tips and tricks related to cyber security. I'm available on LinkedIn, Twitter and Telegram as well. You can join the Telegram channel for further discussion if you have any problem; the links are available in the video description.

So previously we talked about how to capture a request which is generated from your browser, modify it and see the response to your request. Today we will discuss how to gather or collect information about a web application. In a web application, the footprinting part is also important. Footprinting means information collection; the collection of information is known as footprinting in cyber security. Basically, when we are pen testing a target, when we approach a target to pen test or to find out some security vulnerabilities or some security flaws in that application, we need to collect some more insightful information, which helps us to create a mind map about the application: how the technologies are related, which technologies are used, how access and certificates work, what the subdomains are, what the links are, what email addresses they use, what JavaScript libraries they have. So basically the collection of all this information is known as footprinting.

We have multiple methods to collect that information. It depends on the application you are performing a pen test on. First, we use Google to collect some information. For using Google you need some Google keywords to get some advanced results. So basically we use some keywords.
These keywords are known as dorks. So we use Google dorks in Google, and we use these dorks in Censys and GitHub as well. Basically Google, Censys and GitHub will give us some insightful, collective information about an application: how applications process their files, how applications store their files. If we find some sensitive files in the web application directory, we can see some sensitive information, we can see some client information, we can see some undisclosed documents, we can see some database files. All these files will be collected using Google, Censys and GitHub; these three web applications play an important part in our footprinting or information gathering process.

So I'm switching to my browser, where I will show you how to use Google first, then we will read about Censys and GitHub. Here is my Google, and if I search something like this, you see every result is displayed in three parts. If you look carefully you will see a result is displayed in three parts: one part is this, the second is this and the third one is this. This is called the URL; this is displayed in your URL section. This is the title of the application, and the information or the search you conducted through Google. So this is the title, and this is our body text, the text displayed in the message body. So when we search something on Google, Google always displays one result in three parts: one is the URL, the second is the title and the other one is the body. The URL is displayed here, and the title is displayed here.
You can see it on the upper right: the URL and the title are displayed here, and this part is known as the body. So when you search, a result will show all this information in your Google search. If I want to collect some information about a target or about an application, we need some Google dorks to do that. These are some Google dorks I'm using to gather information in the URL section, in the title section or in the text section.

So here are some Google dorks I'm using. For the URL section, I'm using a specific dork called inurl. inurl means whatever we are searching with this dork will be matched in the URL section. If I'm searching inurl:file.php, then all the results displayed will have file.php in the URL section. So the filtering is applied by Google, and Google will not show the garbage results. For the title section, I'm using intitle:. If you want to find something in the title, you write intitle: and the word you want to find, like hacker. If you want to find something in the text body, you need intext: and you write your keyword, whatever you want to search for, like some mobile number. So the mobile number will be searched in the text body, the word hacker will be searched in the title, and file.php will be searched in the URL.
So let's see how this will work. I'm using inurl:file.php, hit enter, and you can see in the URL section all the websites displayed have file.php in their URL. If I mark it, you can see file.php in the URL section, this URL also has file.php, and this URL also has file.php. So all the URLs Google displays to you have file.php in the URL. Basically, using these keywords we filter the Google results, so Google doesn't show us garbage, those results we don't want to see.

If you want to search for something in the title, you write intitle: and some word, like intitle:password; all the results with the word password in the title field will be displayed. As you can see, these results have the word password in the title section; this is the title, and it is displayed here. If I scroll down, you can see all the results with password in the title; all these URLs have the word password in the title section. So basically, when we use these keywords, Google will display some advanced results, or some files, based on what we put into the Google dork.

Now, if you are using intext:, it will match in the text, like some mobile number. So I'm giving some dummy mobile number like this, and if this mobile number is present anywhere in the message body of a website, the website name is displayed. You can see this section will be displayed, and all of the websites have this number in the text body. You can see here: this number is displayed, this number is displayed. This is a dummy number, and all these websites have this number in their text section. So using Google we can find something like this; if you want to specifically find some file of a domain in the URL section, you will use these dorks. Google has many dorks.
To minimize these things, we use this website for finding some information related to a website. The website name is dorks.faisalahmed.me. Using this website we put all the dorks together and find some information related to the target we are choosing or we are testing. Here you can put your title, your website name or your target name. I'm putting here att.com, then hit enter, then click on all these links and you will be redirected to Google, and the results will be displayed. So if I click here, like directory listing vulnerabilities, basically what this website does is create some Google dorks and redirect you to Google, with this target selected. So you can see in the Google section the website name is displayed; the results are showing only for att.com, and one dork is also selected using this website.

If you click on all these links, you will find some insightful information, like exposed database files. If you are lucky, you will find some database files as well. So what this website does is put your target in a dork, together with the information you want to find. In this search, I want to find some extension-based files written in SQL, DBF and MDB; if something is present it will be displayed here. In this search, I want to find some XML files, some config files, CNF, reg, INF, RDP, CFG and so on. So you can see I found a text file, and if you open this file, it opens on att.com. So att.com has this file in the directory. Normally, if you search this website, you are not able to find the robots.txt, because robots.txt is a hidden file; some websites display this file, but some keep this file hidden. If you want to search for this file on att.com, you won't be able to find it; if you scroll down, nothing is displayed here. But using Google dorks,
we found sensitive or informational files very easily. Got it? So for that collection of dorks we use another website, named dorks.faisalahmed.me. This website has several Google dorks collected, and it will redirect you to the Google section. You need to put a target name, the target which you are pen testing, then click on all these links and the information will be displayed. You can see all these files will be displayed, and the search result is also sorted using this query. I only got six results, and in this query I only got nine results; some of the hidden files, some of the informational files will be displayed.

We have another website that will do this kind of work. The website name is pentest-tools.com and the path is information gathering and Google hacking. Here you put your target; I'm putting the same target. Here you can scroll down and select one of these, like publicly exposed documents, and click on search. You will also be redirected to Google. So for this query, for using Google dorks, we have two websites. One is dorks.faisalahmed.me and the other one is pentest-tools.com. Using these two websites, we can easily find some sensitive files in a domain, some sensitive informational files, some URLs, some errors. As you can see, we can find exposed configuration files, database files, the WordPress themes and plugins the websites are using, log files, backup and old files, some login pages, some SQL errors, publicly exposed documents, phpinfo, backdoors, setup files, open redirects, Apache Struts RCE, Pastebin entries, LinkedIn entries, sensitive files, subdomains and all these other things. So for Google dorks we have two websites: one is dorks.faisalahmed.me and the second one is pentest-tools.com. If you want a collection of Google dorks, you need to open this website.
The website name is exploit-db.com. This website has a collection of various Google dorks, the Google dorks our fellow researchers or hackers use to find some sensitive information regarding your target, the target you are pen testing for your auditing purpose or if you are doing bug bounty. The sensitive files always contain some data, and for finding the sensitive files we are using Google dorks. So in this website there is a collection named the Google Hacking Database. You need to click on that and it will redirect you to the Google Hacking Database, which has a collection of Google dorks. Copy the Google dork, search for your target, and if you are lucky you will have sensitive files in your hand. After the result is displayed, you simply click on the result and see if the opened file has some sensitive information or not. There are some Google dorks here, and you can see this website has approximately 7000 entries, all of them Google dorks. If I select some dork and try to find some files, this dork will find some backup files related to WordPress, because wp-content is used in WordPress.
So I need to put this in Google, and you can see all these websites have some backup files enabled. This file will be hidden for sure, and when you are pen testing, your main aim or goal is to find some sensitive files, backup files, some SQL credentials, employee credentials, and then report back to the company so that the company can fix the error or hide the files you are finding. For finding the file we are using Google dorks: from the Google Hacking Database we copied one Google dork and pasted it into the Google search, and we can see all these websites have this backup file enabled. If you open some target, you will find your file.

Now, if you want to use these dorks on a particular target, you need to add the target name first, like this: site: and your target name. Whatever your target name is, you put it here, site:target.com inurl..., and then hit enter. Basically target.com is not an actual website, so nothing will be displayed, but for demonstration purposes I am using att.com, which has a public bug bounty program, so we can use that target for our recon process or for our footprinting process. You can see in the att.com web application there are no public files related to backups; all the files are hidden, so you don't have any matching document. So whatever target you are testing, whatever application you have, you need to put it here using site:, and then use the Google dork. For the Google dork, you need to go to Exploit-DB and then the Google Hacking Database, select all these Google dorks one by one, put them in your Google search engine and find some sensitive information. For these dorks, categories are also defined, like what this Google dork will do. So for this Google dork, the files displayed contain some juicy info, pastes containing login portals. You can read it, and the author is also displayed, the author name who created this dork or who
submitted this dork to the Exploit-DB database. So using Google we can find many sensitive files or informational files, some backup data, some credentials, some user credentials, employee credentials. If you are testing a target, you need to use these Google dorks for better results. If you are getting this, tell me in the comments, if you are properly getting this. If you have any question regarding this Google dork query, Google dork searching, advanced Google dork search, you can ask me in the comments, so I will help you out; I will tell you how to search in Google.

Yeah guys, if you have any questions, you can just type in the chat. I think, Sumit, we can move further; there is no question.

I will show you the websites' names again: one website is dorks.faisalahmed.me, the second one is pentest-tools.com and the third one we have is exploit-db.com.

Now we are about to find some information using Censys. Censys is a computer search engine which will display some IP addresses and the information regarding your target, or some port numbers, some additional subdomains we have, some additional ports the websites are using. In the Censys section there is also a search box; you need to type the domain name you are pen testing and click enter, and after some time you have your information. So att.com has 10,000 plus results, and these are the IP addresses this domain contains. You will find additional IP addresses, some backend IP addresses, some backend subdomains AT&T is using. As you can see, there is one more domain, clcontent-al.att.com, clcontent.atttest.com, and the IP of this subdomain is also displayed, as well as the port number and the running HTTP technology. The server location is also displayed, so using Censys we can collect all the information: all the IPs, all the port numbers and all the other subdomains, and if you want to filter, you can filter with this. Here are some port numbers; you can filter by technologies, like some of the
domains are using Microsoft ASS block. You can filter by location as well: these 10,000 IPs or domains are located, some of them in the US, some of them in India, then Japan, Germany, United Kingdom. You can filter by service name as well: some of the targets are running HTTP, some of the targets are running the SMTP protocol, some of the targets are running the NTP protocol, and you can filter by port number as well. Using this computer search engine, you can collect a lot of information related to your target: the IPs your target is using, the subdomains your target is using, the port numbers your target is using. If I want to give another target, like the public target facebook.com, you can see all the IPs and all the subdomains Facebook is using. Currently Facebook is using around 60,000 IPs or subdomains or various port numbers. All the results will be displayed; this is a free service, but you need to create an account for this, and then you can collect your information.

We have one more website that will do this kind of thing, and the website name is hunter.how. I already told you that you need to create an account; the service is free, but you need to create an account for using the services. You can use the services without creating an account, but search restrictions are in place, so we need to bypass that, and for that you need to create a free account. If I give our target name in this section and click enter, you can see the results. Censys displays them here, and on this website the result is displayed here, and you see the IP name, the IP number, the port number and the subdomain name. We have around 3500 results: all these subdomains, different IPs, different locations, all request headers, response headers, port numbers, all this information. So this information is very useful when we attack a target, because to attack a target we need some information: what
technologies the website is using, what functions they have; so we need to collect all this information.

We have one more website that does this kind of thing, and the website name is Shodan. You need to create a free account, but this service is paid; you can search two pages per day. If you are testing a target you can see the results of two pages per day, but if you want to see more you need to purchase a premium subscription, and this premium subscription will be lifelong, because you need to buy it only one time; it is a lifetime subscription. In this website we also type the domain name and hit enter. All these websites are known as computer search engines, and you can see all the information: the IP address, the subdomain name, the SSL certificate information as well, and the website's response to your browser as well. In this website you can also filter by organization, by service, by port, by country. So for finding IPs, ports and subdomains we can use these three websites. One is censys.io; you can use search.censys.io for your query. Then hunter.how, and put your target in the search section. Then shodan.io, put your target in the search section as well, and your result will be displayed.

Moving on, we can find some information related to our domain using GitHub as well. For GitHub we first need to find out what our target is using on GitHub. So if I want to test Facebook, I first need to find the GitHub page of Facebook. In Google, I type Facebook GitHub page, and the Facebook page will be displayed, and you can see Facebook is managing this page on GitHub. Open this and you can see all the projects Facebook is developing. GitHub is basically a website that contains code related to some plugins or small software that the company is developing, so many developers can track or modify or upload
their code in real time. So you can see this page belongs to Facebook. Right now Facebook is known as Meta, so the name is Meta, but in the URL you can see Facebook. So we first need to find the GitHub page of the particular company we are testing, and then you need to go to the repositories. These repositories have some plugins or code that Facebook or Meta is developing, and you can see we have 126 repositories in total, and over 107 people are managing all these repositories. If you click on the people section you can find out who these persons are and what they developed.

In this section we need to find some information related to passwords, some open credentials, some tokens, some API keys. So you need to go to the search section, and you can see a query is already generated, like org: organization. This means you are finding something in the Facebook organization. Then you can type your keyword, like I am typing here: password. The word password will be searched in all these repos, and if some repo contains the word password, the result will be displayed. Then you have to read all the results to find out whether some of the repos, some of the links, display the password or not. So you need to go through all the links that are generated, and you can see the word password is highlighted, but we don't have any information related to the password; the password is not printed here. So you need to go through each and every file. But first you need to find your target application's GitHub page to do that.

We have multiple keywords for what we are finding; one keyword is password. We can find passwd, we can find some token, we can find pwd, we can find DB cred, DB credentials. For DB credentials we don't have any files, so nothing is displayed. I will write all these dorks here; basically we have many more dorks, so I will write some very selective dorks here. So you can copy down: password, passwd, pwd, credentials, token, api_key, secret_key,
DB, admin, login and some SSH keys, users, access token. All these queries you can use in GitHub, and if you find some data it will be helpful in your footprinting process, because you are collecting some information to test an application, and after collecting the information you will test how the application behaves.

There are some online resources as well for collecting the information, and for this we have some websites that will help our pen testing process, help our footprinting process. For subdomain enumeration you can use all these three websites. Using these websites you can find the subdomains related to a domain. So let's see how this works. This is virustotal.com; open the website, go to the search section, put your target.

Sumit, can you please zoom in, like Command plus, so that it will be visible? The text is very small. Now it is great.

So let's go back. In the search section you can type your target, go to Relations, and here you can see all the subdomains. This website has 2.6k, around 2600, subdomains, and you can see all the subdomains listed here. This page will display only 10 domains, so you can expand the list from the dropdown. VirusTotal will help you to collect information about the subdomains of your target. You can copy all these targets at once; you can find the copy button here, and using this copy button the targets will be copied.

The second website name is dnsdumpster.com, and there also you will find a search section. Using this search section, put your target, hit enter and the results are displayed. So check the result: in the host records section you will find all the subdomains that att.com contains. So att.com, dss.att.com, purchasing, fund, prime EIA, hosting EIA, stage one, horizon, different subdomains will be displayed, and the IP is also displayed using this service: the IP this subdomain is using. So in host records you will find your
subdomains. The next service we will use is crt.sh. This website will search using certificate fingerprints and show you the result, so you can find various subdomains related to your target. Put your target here, click enter and you will see the result. I am searching for facebook.com. The website is not working, so let's refresh this. The website is not working yet, but you put a target, hit enter, and you will find all the subdomains like this. These types of subdomains will be displayed and you can collect them from this. The website is not opening right now. You can see all these subdomains displayed: sourcing.att.com, sip.hcdemo, b2b, gwtest.att.com, b2bdev. So we can get internal subdomains as well as external subdomains, the subdomains this website uses for various purposes. You can find the whole collection using this website. Copy these subdomains into a text file, and then we can move further; we can analyze the target, we can collect some more information.

So when you gather information, when you are footprinting a target, the first thing you need to do is collect subdomains, so we have more domains to attack or more domains to test. The subdomain collection is very important. You can use various technologies, various scripts; when we move into our Linux-based operating system, you can also use some Python-based tools or Go-based tools to find these subdomains. So next week we will be finding the subdomains using some tools as well, but now we need to understand that we can find all these results using some online resources, some online websites as well. The website names are virustotal.com, dnsdumpster.com and crt.sh. All these three websites can help you to collect the subdomains of a target.

Moving on, if you want to find out the web technologies your subdomain or your domain is using, you need to use this website. The website name is builtwith.com. This website will help you to analyze or detect the various technologies your domain or subdomain is using. So
you need to put the target in the search section, click enter, and you can see all the technologies att.com is using will be displayed. You can see, for analytics and tracking purposes, att.com is using Akamai, Quantum, Omniture; for widgets it is using Smart App Banner, Trust. For language, att.com is using English and Spanish. Frameworks: these are all the frameworks this domain is using, so we have Akamai Bot Manager, Next.js, ASP.NET, Next.js, Organization schema, ContactPoint schema. For the mobile section, what CDN this website is using: the Akamai CDN. What CMS this website is using: Adobe CQ is used. What JavaScript libraries and functions: these all are the JS libraries att.com is using. Advertisement, verified links, SSL certificate, document encoding, document standards; you can find all the technologies a domain is using with the help of builtwith.com. If you want a detailed profile, you can click here, but for that you need a subscription, because this service is not free, though you can get the technology profile for free.

A similar service, for this purpose, we have as a Firefox add-on as well. I think I already told you about the add-on; the add-on name is Wappalyzer. You need to click on Wappalyzer and all the technologies will be displayed very fast. Open the website, click on the Wappalyzer add-on, and all the technologies will be displayed. So we have CMS, CDN, advertisement, JavaScript framework, security, JavaScript libraries, web servers, customer data platform, programming language. So we can easily find out what technologies the domains are using, what CMS it is built on, what type of CDN our target is using. So we have some information, and according to this information we can then launch our attack, because if we get to know that our domain is using some Akamai protection, we need to bypass, or we need to use some techniques that will bypass, the Akamai CDN or Akamai web protection. We need to
test on the Adobe Experience Manager; we need to test all these libraries. As you can see, the version name is also displayed. So the footprinting process is very important.

Now, moving on, if you want to find out the internal emails or employees' emails of a target, you will use this service; the service name is hunter.io. You need to create a test account on this; the service is free, you can use it. Put the domain name, click enter, and you see around 2000 results will be displayed, and these are all the emails this company is using, or you can say these are all the employees this company has. So we have some more information, and you can see the post or the designation as well of all these people. Then we collect the email addresses and search on the internet whether these email addresses have some exposed credentials, like in some data leakage. If this email has some exposed credentials, then we can report back to the target that your employee's credentials have been leaked and you need to secure them. You need to tell your employee that he or she needs to change his or her account password, or the service they are using, or the password they have exposed, rightly or wrongly. So for that purpose you need to go to hunter.io and put your target, and you will have all your emails; you have internal emails, and then we can find the exposed credentials.

So guys, on that note I will take leave today. We have some more tricks or websites for gathering information, like exposed credentials, SSL certificates, virtual sitemapper, reverse IP lookup, port number checking. So we have one more session, and then this footprinting part will be done. So you need to practice, or you need to use all these websites. If you have any question, write it down in the comments, and thank you for joining this session. Over to you, sir.

Okay guys, so if you have any question you can ask in the chat. I hope you gained some knowledge through this session, and as you saw, this session
was totally based on practical knowledge. So from now onwards, in each session you will be getting practical information related to cyber security. All this information is very important, and it is not available on any channel; Sumit is sharing all this information here on this channel, live, and on his channel, Cyber Security Zone, you will find more videos related to cyber security. So you can just search for the Cyber Security Zone channel on YouTube and subscribe, so that you can receive timely notifications as well. You can see in every session how in depth he is explaining the topics, and on his channel you will find more concise videos related to cyber security, so just follow that. If you have any doubt, you can join the Telegram group as well; I already pasted the link in the chat, so just be part of that. The next session will be next week, Monday, so three to four sessions will be there, and you will get to know lots of things next week. So I think there is no question; people are appreciating the efforts. So thank you, Sumit, for delivering the session, and thank you guys for joining the session. See you on Monday. Bye everyone. Bye everyone.
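The crt.sh step in the session ("copy these subdomains into a text file") is the one place where a small piece of tooling helps, because the raw certificate data needs cleaning before it becomes a usable scope list. The Python below is an added example and is not part of the session or of any tool shown in it. It assumes the JSON shape crt.sh returns when queried with output=json (records carrying common_name and a newline-separated name_value field), but it runs on a constructed sample instead of calling the service, and every hostname in the sample is made up. It lowercases names, strips wildcard prefixes, splits the multi-line name_value field, deduplicates, and keeps only names that are actually under the target's apex domain, so a look-alike such as example.com.evil-test.invalid, which would pass a naive substring check, is dropped.

```python
"""Turn crt.sh JSON output into a clean, in-scope subdomain list.

Added example; assumes the crt.sh JSON record shape (common_name plus a
newline-separated name_value field). Sample data below is constructed.
"""
import json
import re

# Constructed sample in the shape crt.sh returns; not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nAPI.Dev.Example.com"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nmail.example.com"},
    # Look-alike that must be rejected: the apex appears as a prefix, not a suffix.
    {"common_name": "example.com.evil-test.invalid",
     "name_value": "example.com.evil-test.invalid"},
    # Unrelated name that sometimes rides along in a shared certificate,
    # next to one genuine in-scope SAN.
    {"common_name": "cdn.other-site.invalid",
     "name_value": "cdn.other-site.invalid\nassets.example.com"},
])

# Conservative hostname syntax: labels of letters, digits and hyphens,
# at least two labels, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$"
)


def normalize(name: str) -> str:
    """Lowercase, trim, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, apex: str) -> bool:
    """True only for the apex itself or a subdomain separated by a label boundary."""
    return name == apex or name.endswith("." + apex)


def extract_subdomains(crtsh_json: str, apex: str) -> list[str]:
    """Parse crt.sh JSON and return sorted, unique, in-scope hostnames."""
    records = json.loads(crtsh_json)
    apex = normalize(apex)
    found = set()
    for rec in records:
        # Both the CN and every SAN line are candidates.
        candidates = [rec.get("common_name", "")]
        candidates += rec.get("name_value", "").split("\n")
        for raw in candidates:
            name = normalize(raw)
            if name and HOSTNAME_RE.match(name) and in_scope(name, apex):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    # Constructed run; against the real service you would fetch
    # https://crt.sh/?q=%25.example.com&output=json and pass the body in.
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The scope check is deliberately a suffix match on "." plus the apex rather than a substring search, and wildcard entries are reduced to their base label so that a certificate for *.dev.example.com still tells you dev.example.com exists. Feeding the sorted output into a text file gives the list the session describes carrying into the next steps.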