https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/ Recent content in Fingerprinting on d3vilsec Hugo en https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/builtwith/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/builtwith/ <h1 id="builtwith-cheatsheet">BuiltWith Cheatsheet</h1> <p><strong>Purpose:</strong> Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. Useful for OSINT recon without touching the target.</p> <p><strong>Format:</strong> Web service (free tier + paid API). No local install required for basic lookups.</p> <hr> <h2 id="access-points">Access Points</h2> <table> <thead> <tr> <th>Surface</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>Profile lookup (single domain)</td> <td><a href="https://builtwith.com/">https://builtwith.com/</a><!-- raw HTML omitted --></td> </tr> <tr> <td>Free quick lookup</td> <td><a href="https://builtwith.com/">https://builtwith.com/</a>?<!-- raw HTML omitted --></td> </tr> <tr> <td>Trends / market share</td> <td><a href="https://trends.builtwith.com/">https://trends.builtwith.com/</a></td> </tr> <tr> <td>Relationships (same owner / IDs)</td> <td><a href="https://builtwith.com/relationships/">https://builtwith.com/relationships/</a><!-- raw HTML omitted --></td> </tr> <tr> <td>Redirect graph</td> <td><a href="https://builtwith.com/redirect/">https://builtwith.com/redirect/</a><!-- raw HTML omitted --></td> </tr> <tr> <td>API docs (paid)</td> <td><a href="https://api.builtwith.com/">https://api.builtwith.com/</a></td> </tr> <tr> <td>Browser extension (Chrome/Firefox)</td> <td>search &ldquo;BuiltWith Technology Profiler&rdquo; in store</td> </tr> </tbody> </table> <hr> <h2 id="quick-cli-lookups-no-api-key-required">Quick CLI Lookups (no API key required)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Open profile in default browser</span> </span></span><span style="display:flex;"><span>xdg-open <span style="color:#e6db74">&#34;https://builtwith.com/target.tld&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scrape the public profile page (limited; HTML changes)</span> </span></span><span style="display:flex;"><span>curl -s -A <span style="color:#e6db74">&#34;Mozilla/5.0&#34;</span> <span style="color:#e6db74">&#34;https://builtwith.com/target.tld&#34;</span> -o builtwith.html </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Extract technology names (rough)</span> </span></span><span style="display:flex;"><span>curl -s -A <span style="color:#e6db74">&#34;Mozilla/5.0&#34;</span> <span style="color:#e6db74">&#34;https://builtwith.com/target.tld&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | grep -oE <span style="color:#e6db74">&#39;href=&#34;/[a-z0-9-]+&#34;[^&gt;]*&gt;[^&lt;]+&#39;</span> | sort -u </span></span></code></pre></div><p>For reliable structured data, use the <strong>paid API</strong> below.</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/curl/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/curl/ <h1 id="curl-cheatsheet-web-fingerprinting">curl Cheatsheet (Web Fingerprinting)</h1> <p><strong>Purpose:</strong> Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing.</p> <hr> <h2 id="core-flags">Core Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-I</code></td> <td>HEAD request (headers only)</td> </tr> <tr> <td><code>-i</code></td> <td>Include response headers in output</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose (request + response, TLS info)</td> </tr> <tr> <td><code>-vv</code> / <code>--trace-ascii -</code></td> <td>Full wire trace</td> </tr> <tr> <td><code>-s</code></td> <td>Silent (no progress meter)</td> </tr> <tr> <td><code>-S</code></td> <td>Show errors even with <code>-s</code></td> </tr> <tr> <td><code>-L</code></td> <td>Follow redirects</td> </tr> <tr> <td><code>-k</code> / <code>--insecure</code></td> <td>Ignore TLS cert errors</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Write body to file</td> </tr> <tr> <td><code>-O</code></td> <td>Save with remote filename</td> </tr> <tr> <td><code>-A &lt;ua&gt;</code></td> <td>Set User-Agent</td> </tr> <tr> <td><code>-e &lt;ref&gt;</code></td> <td>Set Referer</td> </tr> <tr> <td><code>-H &quot;&lt;hdr&gt;: &lt;val&gt;&quot;</code></td> <td>Custom header (repeatable)</td> </tr> <tr> <td><code>-X &lt;METHOD&gt;</code></td> <td>HTTP method (GET, POST, PUT, DELETE, etc.)</td> </tr> <tr> <td><code>-d &lt;data&gt;</code></td> <td>POST body (<code>application/x-www-form-urlencoded</code>)</td> </tr> <tr> <td><code>--data-raw</code></td> <td>POST body without <code>@</code>/<code>&amp;</code> interpretation</td> </tr> <tr> <td><code>--data-binary</code></td> <td>POST body as-is (preserve newlines)</td> </tr> <tr> <td><code>-F &lt;field&gt;=&lt;val&gt;</code></td> <td>Multipart form upload</td> </tr> <tr> <td><code>-b &lt;cookie&gt;</code> / <code>-c &lt;file&gt;</code></td> <td>Send cookie / save cookies</td> </tr> <tr> <td><code>-u user:pass</code></td> <td>HTTP Basic auth</td> </tr> <tr> <td><code>-x &lt;proxy&gt;</code></td> <td>Use proxy (e.g. <code>http://127.0.0.1:8080</code>)</td> </tr> <tr> <td><code>--resolve host:port:ip</code></td> <td>Force DNS resolution (Host-header testing)</td> </tr> <tr> <td><code>--max-time &lt;s&gt;</code></td> <td>Hard timeout</td> </tr> <tr> <td><code>--connect-timeout &lt;s&gt;</code></td> <td>Connect timeout</td> </tr> <tr> <td><code>-w &quot;&lt;format&gt;&quot;</code></td> <td>Write-out format (timings, codes)</td> </tr> </tbody> </table> <hr> <h2 id="banner-grabbing--header-inspection">Banner Grabbing / Header Inspection</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -I https://target.tld <span style="color:#75715e"># HEAD: server, framework, cookies</span> </span></span><span style="display:flex;"><span>curl -sI https://target.tld | grep -iE <span style="color:#e6db74">&#39;server|x-powered-by|x-aspnet|via|set-cookie&#39;</span> </span></span><span style="display:flex;"><span>curl -sIL https://target.tld <span style="color:#75715e"># Follow redirects, show every hop</span> </span></span><span style="display:flex;"><span>curl -v https://target.tld 2&gt;&amp;<span style="color:#ae81ff">1</span> | grep -iE <span style="color:#e6db74">&#39;^&lt; &#39;</span> <span style="color:#75715e"># All response headers</span> </span></span></code></pre></div><hr> <h2 id="verbose--tls-inspection">Verbose / TLS Inspection</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -v https://target.tld <span style="color:#75715e"># Cert chain, ALPN, ciphers</span> </span></span><span style="display:flex;"><span>curl -vk https://target.tld <span style="color:#75715e"># Ignore cert errors</span> </span></span><span style="display:flex;"><span>curl --trace-ascii trace.log https://target.tld <span style="color:#75715e"># Full request/response dump</span> </span></span><span style="display:flex;"><span>curl -v --tls-max 1.2 https://target.tld <span style="color:#75715e"># Pin max TLS version</span> </span></span></code></pre></div><hr> <h2 id="method--verb-tampering">Method / Verb Tampering</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -X OPTIONS -i https://target.tld/ <span style="color:#75715e"># Allowed methods</span> </span></span><span style="display:flex;"><span>curl -X PUT -d <span style="color:#e6db74">&#34;test&#34;</span> -i https://target.tld/file.txt </span></span><span style="display:flex;"><span>curl -X DELETE -i https://target.tld/resource/1 </span></span><span style="display:flex;"><span>curl -X TRACE -i https://target.tld/ <span style="color:#75715e"># Cross-Site Tracing check</span> </span></span></code></pre></div><hr> <h2 id="virtual-host--host-header-testing">Virtual Host / Host Header Testing</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -s -H <span style="color:#e6db74">&#34;Host: dev.target.tld&#34;</span> http://&lt;ip&gt;/ -o dev.html </span></span><span style="display:flex;"><span>curl -sI --resolve target.tld:443:&lt;ip&gt; https://target.tld/ </span></span><span style="display:flex;"><span>curl -s -H <span style="color:#e6db74">&#34;Host: admin.internal&#34;</span> http://&lt;ip&gt;/ <span style="color:#75715e"># Find vhosts on shared IP</span> </span></span></code></pre></div><hr> <h2 id="cookies--sessions">Cookies &amp; Sessions</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -c cookies.txt -b cookies.txt https://target.tld/login </span></span><span style="display:flex;"><span>curl -b <span style="color:#e6db74">&#34;session=abcd1234&#34;</span> https://target.tld/dashboard </span></span><span style="display:flex;"><span>curl -c - https://target.tld/ <span style="color:#75715e"># Print Set-Cookie to stdout</span> </span></span></code></pre></div><hr> <h2 id="authentication">Authentication</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -u admin:password https://target.tld/admin <span style="color:#75715e"># Basic</span> </span></span><span style="display:flex;"><span>curl -H <span style="color:#e6db74">&#34;Authorization: Bearer &lt;jwt&gt;&#34;</span> https://api.target.tld/ </span></span><span style="display:flex;"><span>curl --ntlm -u <span style="color:#e6db74">&#39;DOMAIN\user:pass&#39;</span> https://target.tld/ </span></span><span style="display:flex;"><span>curl --digest -u user:pass https://target.tld/ </span></span></code></pre></div><hr> <h2 id="post--api-testing">POST / API Testing</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Form data</span> </span></span><span style="display:flex;"><span>curl -X POST -d <span style="color:#e6db74">&#34;user=admin&amp;pass=admin&#34;</span> https://target.tld/login </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Raw JSON</span> </span></span><span style="display:flex;"><span>curl -X POST -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;user&#34;:&#34;admin&#34;,&#34;pass&#34;:&#34;admin&#34;}&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> https://target.tld/api/login </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># File from disk</span> </span></span><span style="display:flex;"><span>curl -X POST -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --data-binary @payload.json https://target.tld/api </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multipart upload</span> </span></span><span style="display:flex;"><span>curl -F <span style="color:#e6db74">&#34;file=@shell.php&#34;</span> -F <span style="color:#e6db74">&#34;submit=upload&#34;</span> https://target.tld/upload.php </span></span></code></pre></div><hr> <h2 id="proxy-burp--zap">Proxy (Burp / ZAP)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -x http://127.0.0.1:8080 -k https://target.tld/ </span></span><span style="display:flex;"><span>export https_proxy<span style="color:#f92672">=</span>http://127.0.0.1:8080 <span style="color:#75715e"># Per-shell proxy</span> </span></span></code></pre></div><hr> <h2 id="useful-write-out-format">Useful Write-Out Format</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -s -o /dev/null -w <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;code:%{http_code} size:%{size_download} time:%{time_total}s redir:%{redirect_url} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> https://target.tld/ </span></span></code></pre></div><hr> <h2 id="fingerprinting-recipes">Fingerprinting Recipes</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Quick stack identification</span> </span></span><span style="display:flex;"><span>curl -sIL https://target.tld | grep -iE <span style="color:#e6db74">&#39;server|x-powered-by|x-generator|x-drupal|x-aspnet&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Pull robots.txt + sitemap</span> </span></span><span style="display:flex;"><span>curl -s https://target.tld/robots.txt </span></span><span style="display:flex;"><span>curl -s https://target.tld/sitemap.xml | head </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Search response body for tech tells</span> </span></span><span style="display:flex;"><span>curl -s https://target.tld/ | grep -iE <span style="color:#e6db74">&#39;wp-content|drupal|joomla|laravel|generator=&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check common admin / framework paths</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> p in admin login wp-admin administrator phpmyadmin server-status; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> printf <span style="color:#e6db74">&#34;%-20s &#34;</span> <span style="color:#e6db74">&#34;</span>$p<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> curl -sk -o /dev/null -w <span style="color:#e6db74">&#34;%{http_code} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> <span style="color:#e6db74">&#34;https://target.tld/</span>$p<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span></code></pre></div><hr> <h2 id="tips">Tips</h2> <ul> <li>HEAD (<code>-I</code>) can lie or be blocked — fall back to <code>-sI -X GET</code> and inspect headers from a real GET.</li> <li>Combine <code>-v</code> with <code>-o /dev/null</code> to inspect headers without dumping a big body.</li> <li><code>--resolve</code> beats editing <code>/etc/hosts</code> for one-off vhost checks.</li> <li><code>-k</code> is for testing only; never disable cert checks in production tooling.</li> </ul> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/netcraft/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/netcraft/ <h1 id="netcraft-cheatsheet">Netcraft Cheatsheet</h1> <p><strong>Purpose:</strong> Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft&rsquo;s long-running internet survey, so no traffic touches the target.</p> <p><strong>Format:</strong> Web service. Free site-report lookups; subdomain search; commercial APIs for bulk.</p> <hr> <h2 id="access-points">Access Points</h2> <table> <thead> <tr> <th>Surface</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>Site Report (single site)</td> <td><a href="https://sitereport.netcraft.com/?url=">https://sitereport.netcraft.com/?url=</a><!-- raw HTML omitted --></td> </tr> <tr> <td>Subdomain / Domain search</td> <td><a href="https://searchdns.netcraft.com/">https://searchdns.netcraft.com/</a></td> </tr> <tr> <td>What&rsquo;s that site running? (legacy)</td> <td><a href="https://toolbar.netcraft.com/site_report?url=">https://toolbar.netcraft.com/site_report?url=</a><!-- raw HTML omitted --></td> </tr> <tr> <td>Phishing / takedown reporting</td> <td><a href="https://report.netcraft.com/">https://report.netcraft.com/</a></td> </tr> <tr> <td>Anti-phishing browser extension</td> <td><a href="https://www.netcraft.com/apps/">https://www.netcraft.com/apps/</a></td> </tr> </tbody> </table> <hr> <h2 id="quick-lookups-url-style">Quick Lookups (URL-style)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Site Report</span> </span></span><span style="display:flex;"><span>xdg-open <span style="color:#e6db74">&#34;https://sitereport.netcraft.com/?url=https://target.tld&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Subdomain search (DNS knowledge, not zone transfer)</span> </span></span><span style="display:flex;"><span>xdg-open <span style="color:#e6db74">&#34;https://searchdns.netcraft.com/?host=*.target.tld&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scrape subdomain list (HTML — fragile, format may change)</span> </span></span><span style="display:flex;"><span>curl -s -A <span style="color:#e6db74">&#34;Mozilla/5.0&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://searchdns.netcraft.com/?restriction=site+ends+with&amp;host=target.tld&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | grep -oE <span style="color:#e6db74">&#39;[a-zA-Z0-9.-]+\.target\.tld&#39;</span> | sort -u </span></span></code></pre></div><hr> <h2 id="what-the-site-report-reveals">What the Site Report Reveals</h2> <ul> <li><strong>Background:</strong> site title, description, language, first-seen date</li> <li><strong>Network:</strong> IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS</li> <li><strong>Hosting history:</strong> OS, web server, hosting provider, IP changes over time (often years)</li> <li><strong>SSL/TLS:</strong> certificate issuer, valid-from / valid-to, signature alg, key size, full chain</li> <li><strong>Web trackers:</strong> analytics, ad networks, tag managers</li> <li><strong>Site technologies:</strong> server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical)</li> <li><strong>Risk rating:</strong> Netcraft&rsquo;s own risk scoring (popularity, reputation, phishing flags)</li> </ul> <hr> <h2 id="osint-pivots">OSINT Pivots</h2> <ul> <li><strong>Hosting history</strong> → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging).</li> <li><strong>SSL history</strong> → past CN / SAN entries leak retired subdomains and internal hostnames.</li> <li><strong>Same nameservers + hosting</strong> across multiple sites → infrastructure attribution.</li> <li><strong>First-seen date</strong> → useful for triaging suspicious / typosquat domains.</li> </ul> <hr> <h2 id="subdomain-discovery">Subdomain Discovery</h2> <pre tabindex="0"><code>https://searchdns.netcraft.com/?host=*.target.tld </code></pre><ul> <li>Returns publicly known hosts under a domain.</li> <li>Complement, do not replace, [[crt.sh]] / <code>amass</code> / <code>subfinder</code> — Netcraft sees long-tail hosts those miss, and vice versa.</li> <li>Free tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk.</li> </ul> <hr> <h2 id="workflow-example">Workflow Example</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>DOMAIN<span style="color:#f92672">=</span>target.tld </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Open Site Report</span> </span></span><span style="display:flex;"><span>xdg-open <span style="color:#e6db74">&#34;https://sitereport.netcraft.com/?url=https://</span>$DOMAIN<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Pull subdomain list (best-effort scrape)</span> </span></span><span style="display:flex;"><span>curl -s -A <span style="color:#e6db74">&#34;Mozilla/5.0&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://searchdns.netcraft.com/?restriction=site+ends+with&amp;host=</span>$DOMAIN<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | grep -oE <span style="color:#e6db74">&#34;[a-zA-Z0-9.-]+\.</span>$DOMAIN<span style="color:#e6db74">&#34;</span> | sort -u &gt; netcraft-subs.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Cross-check with crt.sh</span> </span></span><span style="display:flex;"><span>curl -s <span style="color:#e6db74">&#34;https://crt.sh/?q=%25.</span>$DOMAIN<span style="color:#e6db74">&amp;output=json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | jq -r <span style="color:#e6db74">&#39;.[].name_value&#39;</span> | tr <span style="color:#e6db74">&#39;,&#39;</span> <span style="color:#e6db74">&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> | sort -u &gt; crtsh-subs.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. Merge</span> </span></span><span style="display:flex;"><span>sort -u netcraft-subs.txt crtsh-subs.txt &gt; all-subs.txt </span></span></code></pre></div><hr> <h2 id="browser-extension">Browser Extension</h2> <p>Netcraft&rsquo;s anti-phishing extension shows live Site Report data inline:</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/nikto/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/nikto/ <h1 id="nikto-cheatsheet">Nikto Cheatsheet</h1> <p><strong>Purpose:</strong> Web server scanner — checks for dangerous files, outdated server software, misconfigurations, and known vulnerabilities.</p> <hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nikto -h &lt;target&gt; <span style="color:#75715e"># Scan a target (default port 80)</span> </span></span><span style="display:flex;"><span>nikto -h https://target.tld <span style="color:#75715e"># HTTPS target</span> </span></span><span style="display:flex;"><span>nikto -h &lt;ip&gt; -p <span style="color:#ae81ff">443</span> -ssl <span style="color:#75715e"># Force SSL on custom port</span> </span></span><span style="display:flex;"><span>nikto -h &lt;ip&gt; -p 80,443,8080,8443 <span style="color:#75715e"># Multiple ports</span> </span></span><span style="display:flex;"><span>nikto -h hosts.txt <span style="color:#75715e"># Scan a list of targets</span> </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-h &lt;host&gt;</code></td> <td>Target host, URL, or file of hosts</td> </tr> <tr> <td><code>-p &lt;ports&gt;</code></td> <td>Port(s) — single, list, or range</td> </tr> <tr> <td><code>-ssl</code></td> <td>Force SSL/TLS</td> </tr> <tr> <td><code>-nossl</code></td> <td>Disable SSL</td> </tr> <tr> <td><code>-root &lt;path&gt;</code></td> <td>Prepend root path to all requests</td> </tr> <tr> <td><code>-vhost &lt;host&gt;</code></td> <td>Set virtual host (Host header)</td> </tr> <tr> <td><code>-id &lt;user:pass&gt;</code></td> <td>HTTP Basic auth</td> </tr> <tr> <td><code>-useragent &lt;ua&gt;</code></td> <td>Custom User-Agent</td> </tr> <tr> <td><code>-useproxy &lt;url&gt;</code></td> <td>Route through proxy</td> </tr> <tr> <td><code>-Display &lt;opts&gt;</code></td> <td>Output verbosity flags (see below)</td> </tr> <tr> <td><code>-Format &lt;fmt&gt;</code></td> <td>Output format: <code>csv</code>, <code>htm</code>, <code>txt</code>, <code>xml</code>, <code>json</code>, <code>sql</code></td> </tr> <tr> <td><code>-output &lt;file&gt;</code></td> <td>Write report to file</td> </tr> <tr> <td><code>-Tuning &lt;ids&gt;</code></td> <td>Limit checks to specific categories</td> </tr> <tr> <td><code>-Plugins &lt;list&gt;</code></td> <td>Run specific plugins only</td> </tr> <tr> <td><code>-evasion &lt;ids&gt;</code></td> <td>IDS evasion techniques</td> </tr> <tr> <td><code>-timeout &lt;s&gt;</code></td> <td>Per-request timeout</td> </tr> <tr> <td><code>-maxtime &lt;s/m/h&gt;</code></td> <td>Hard scan time limit (e.g. <code>30m</code>)</td> </tr> <tr> <td><code>-Pause &lt;s&gt;</code></td> <td>Pause between requests</td> </tr> <tr> <td><code>-ask no</code></td> <td>Don&rsquo;t prompt to submit findings</td> </tr> <tr> <td><code>-update</code></td> <td>Update plugins / databases</td> </tr> <tr> <td><code>-list-plugins</code></td> <td>List installed plugins</td> </tr> </tbody> </table> <hr> <h2 id="output">Output</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nikto -h https://target.tld -o report.html -Format htm </span></span><span style="display:flex;"><span>nikto -h &lt;ip&gt; -o nikto.json -Format json </span></span><span style="display:flex;"><span>nikto -h &lt;ip&gt; -o nikto.xml -Format xml </span></span><span style="display:flex;"><span>nikto -h &lt;ip&gt; -o nikto.csv -Format csv </span></span></code></pre></div><p><code>-Display</code> flags (combine, e.g. <code>-Display 1V</code>):</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wafw00f/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wafw00f/ <h1 id="wafw00f-cheatsheet">wafw00f Cheatsheet</h1> <p><strong>Purpose:</strong> Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app.</p> <hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wafw00f &lt;url&gt; <span style="color:#75715e"># Scan a single target</span> </span></span><span style="display:flex;"><span>wafw00f https://example.com <span style="color:#75715e"># HTTPS target</span> </span></span><span style="display:flex;"><span>wafw00f example.com -v <span style="color:#75715e"># Verbose output</span> </span></span><span style="display:flex;"><span>wafw00f example.com -vv <span style="color:#75715e"># Extra verbose (debug)</span> </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-v</code> / <code>-vv</code></td> <td>Verbose / very verbose output</td> </tr> <tr> <td><code>-a</code></td> <td>Find ALL WAFs (don&rsquo;t stop at first match)</td> </tr> <tr> <td><code>-r</code></td> <td>Disable HTTP redirect following</td> </tr> <tr> <td><code>-t &lt;waf&gt;</code></td> <td>Test only for a specific WAF</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Write results to file</td> </tr> <tr> <td><code>-f &lt;format&gt;</code></td> <td>Output format: <code>csv</code>, <code>json</code>, <code>text</code></td> </tr> <tr> <td><code>-i &lt;file&gt;</code></td> <td>Read targets from input file</td> </tr> <tr> <td><code>-p &lt;proxy&gt;</code></td> <td>Use proxy (e.g. <code>http://127.0.0.1:8080</code>)</td> </tr> <tr> <td><code>-T &lt;n&gt;</code></td> <td>Set request timeout (seconds)</td> </tr> <tr> <td><code>-H &lt;file&gt;</code></td> <td>Use custom headers from file</td> </tr> <tr> <td><code>-l</code></td> <td>List all WAFs it can detect</td> </tr> <tr> <td><code>--no-colors</code></td> <td>Disable ANSI colored output</td> </tr> </tbody> </table> <hr> <h2 id="listing--targeted-detection">Listing &amp; Targeted Detection</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wafw00f -l <span style="color:#75715e"># List supported WAFs</span> </span></span><span style="display:flex;"><span>wafw00f example.com -t <span style="color:#e6db74">&#34;Cloudflare (Cloudflare Inc.)&#34;</span> </span></span><span style="display:flex;"><span>wafw00f example.com -a <span style="color:#75715e"># Detect every WAF in chain</span> </span></span></code></pre></div><hr> <h2 id="bulk-scanning">Bulk Scanning</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wafw00f -i targets.txt -o results.json -f json </span></span><span style="display:flex;"><span>wafw00f -i urls.txt -a -o waf-report.csv -f csv </span></span></code></pre></div><hr> <h2 id="routing-through-a-proxy-burp--zap">Routing Through a Proxy (Burp / ZAP)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wafw00f https://target.tld -p http://127.0.0.1:8080 </span></span></code></pre></div><hr> <h2 id="custom-headers-file-example">Custom Headers File Example</h2> <p><code>headers.txt</code>:</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wappalyzer/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wappalyzer/ <h1 id="wappalyzer-cheatsheet">Wappalyzer Cheatsheet</h1> <p><strong>Purpose:</strong> Identify web technologies — CMS, frameworks, JS libraries, analytics, ecommerce, CDNs — from response headers, HTML, cookies, scripts, and DOM.</p> <p><strong>Note:</strong> Wappalyzer is primarily a <strong>browser extension</strong> and <strong>web service</strong>. The original CLI/NPM package was deprecated; community forks still exist.</p> <hr> <h2 id="access-points">Access Points</h2> <table> <thead> <tr> <th>Surface</th> <th>URL / Source</th> </tr> </thead> <tbody> <tr> <td>Browser extension (Chrome / Firefox / Edge)</td> <td><a href="https://www.wappalyzer.com/apps/">https://www.wappalyzer.com/apps/</a></td> </tr> <tr> <td>Web lookup (single URL)</td> <td><a href="https://www.wappalyzer.com/lookup/">https://www.wappalyzer.com/lookup/</a></td> </tr> <tr> <td>API / bulk lookups (paid)</td> <td><a href="https://www.wappalyzer.com/api/">https://www.wappalyzer.com/api/</a></td> </tr> <tr> <td>Legacy NPM CLI (deprecated, archived)</td> <td><code>npm i -g wappalyzer</code></td> </tr> <tr> <td>Community fork (Webappalyzer)</td> <td><a href="https://github.com/enthec/webappanalyzer">https://github.com/enthec/webappanalyzer</a></td> </tr> </tbody> </table> <hr> <h2 id="browser-extension-workflow">Browser Extension Workflow</h2> <ol> <li>Install extension; pin to toolbar.</li> <li>Navigate to target.</li> <li>Click the icon — categories light up: <strong>CMS</strong>, <strong>Web frameworks</strong>, <strong>JS libs</strong>, <strong>Analytics</strong>, <strong>Web servers</strong>, <strong>Tag managers</strong>, <strong>CDN</strong>, <strong>Ecommerce</strong>, <strong>Payment processors</strong>, <strong>Font scripts</strong>, <strong>Issue trackers</strong>, etc.</li> <li>Click a detected tech for vendor links and version info (when available).</li> </ol> <p><strong>Stealth value:</strong> all detection runs in your browser against an already-loaded page → no extra requests to the target.</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/whatweb/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/whatweb/ <h1 id="whatweb-cheatsheet">WhatWeb Cheatsheet</h1> <p><strong>Purpose:</strong> Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins.</p> <hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>whatweb &lt;target&gt; <span style="color:#75715e"># Default scan</span> </span></span><span style="display:flex;"><span>whatweb https://target.tld </span></span><span style="display:flex;"><span>whatweb -v https://target.tld <span style="color:#75715e"># Verbose (full plugin output)</span> </span></span><span style="display:flex;"><span>whatweb -a <span style="color:#ae81ff">3</span> https://target.tld <span style="color:#75715e"># Aggression level 3</span> </span></span><span style="display:flex;"><span>whatweb target.tld --colour<span style="color:#f92672">=</span>never <span style="color:#75715e"># No ANSI in output</span> </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-v</code></td> <td>Verbose — full plugin details, not just summary</td> </tr> <tr> <td><code>-a &lt;0-4&gt;</code></td> <td>Aggression level (see below)</td> </tr> <tr> <td><code>-i &lt;file&gt;</code></td> <td>Read targets from file</td> </tr> <tr> <td><code>--input-file &lt;file&gt;</code></td> <td>Same as <code>-i</code></td> </tr> <tr> <td><code>-U &lt;ua&gt;</code></td> <td>Custom User-Agent</td> </tr> <tr> <td><code>--header &quot;K: V&quot;</code></td> <td>Add custom header (repeatable)</td> </tr> <tr> <td><code>-c &quot;&lt;cookie&gt;&quot;</code></td> <td>Set Cookie header</td> </tr> <tr> <td><code>--user &quot;&lt;u:p&gt;&quot;</code></td> <td>HTTP Basic auth</td> </tr> <tr> <td><code>--proxy &lt;host:port&gt;</code></td> <td>Use proxy</td> </tr> <tr> <td><code>--proxy-user &lt;u:p&gt;</code></td> <td>Proxy auth</td> </tr> <tr> <td><code>--follow-redirect &lt;mode&gt;</code></td> <td><code>never</code>, <code>http-only</code>, <code>meta-only</code>, <code>same-site</code>, <code>always</code></td> </tr> <tr> <td><code>-t &lt;n&gt;</code></td> <td>Threads (default 25)</td> </tr> <tr> <td><code>--open-timeout &lt;s&gt;</code></td> <td>Connect timeout</td> </tr> <tr> <td><code>--read-timeout &lt;s&gt;</code></td> <td>Read timeout</td> </tr> <tr> <td><code>--log-brief &lt;file&gt;</code></td> <td>One-line summary log</td> </tr> <tr> <td><code>--log-verbose &lt;file&gt;</code></td> <td>Verbose log</td> </tr> <tr> <td><code>--log-xml &lt;file&gt;</code></td> <td>XML output</td> </tr> <tr> <td><code>--log-json &lt;file&gt;</code></td> <td>JSON output</td> </tr> <tr> <td><code>--log-magictree &lt;file&gt;</code></td> <td>MagicTree XML</td> </tr> <tr> <td><code>--log-sql &lt;file&gt;</code></td> <td>SQL insert statements</td> </tr> <tr> <td><code>-l</code></td> <td>List plugins</td> </tr> <tr> <td><code>-I &lt;plugin&gt;</code></td> <td>Show plugin info</td> </tr> <tr> <td><code>--plugins &lt;list&gt;</code></td> <td>Only run listed plugins (comma-separated)</td> </tr> <tr> <td><code>--no-errors</code></td> <td>Suppress connection errors</td> </tr> </tbody> </table> <hr> <h2 id="aggression-levels--a">Aggression Levels (<code>-a</code>)</h2> <table> <thead> <tr> <th>Level</th> <th>Name</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><code>1</code></td> <td>Stealthy</td> <td>One GET per target, never follows redirects beyond that</td> </tr> <tr> <td><code>2</code></td> <td>(unused)</td> <td>Reserved</td> </tr> <tr> <td><code>3</code></td> <td>Aggressive</td> <td>Triggers extra requests when plugins want them (e.g. <code>/wp-login.php</code>)</td> </tr> <tr> <td><code>4</code></td> <td>Heavy</td> <td>Many requests per plugin; noisy, may set off WAF/IDS</td> </tr> </tbody> </table> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>whatweb -a <span style="color:#ae81ff">1</span> target.tld <span style="color:#75715e"># Single request, low noise</span> </span></span><span style="display:flex;"><span>whatweb -a <span style="color:#ae81ff">3</span> target.tld <span style="color:#75715e"># Recommended for thorough enum</span> </span></span><span style="display:flex;"><span>whatweb -a <span style="color:#ae81ff">4</span> -v target.tld <span style="color:#75715e"># Full noise, full detail</span> </span></span></code></pre></div><hr> <h2 id="bulk--list-scanning">Bulk / List Scanning</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>whatweb -i targets.txt --log-brief whatweb.txt </span></span><span style="display:flex;"><span>whatweb -i urls.txt -a <span style="color:#ae81ff">3</span> --log-json whatweb.json --no-errors </span></span><span style="display:flex;"><span>cat ips.txt | whatweb --log-verbose verbose.log </span></span></code></pre></div><p>CIDR / range scan:</p>