Demo The SecOps Group CNPen Exam Questions

Section: Practice Mode 4 Questions
Question 1

You want to extract the technologies used by a target website. Explain how to do this using Wappalyzer and WhatWeb.

Correct Answer: A, B, C, D
Explanation:

To extract the technologies used by a target website, you can use tools like WhatWeb and Wappalyzer. First, install WhatWeb on a Linux system using the command sudo apt install whatweb, then run a scan on the target website using whatweb -v targetdomain.com, which will reveal details such as the web server, CMS, programming languages, and other technologies used. Next, you can use Wappalyzer either as a browser extension or via its CLI by running wappalyzer https://targetdomain.com, which helps identify backend frameworks, CMS platforms, analytics tools, and JavaScript libraries. After gathering the results from both tools, you can cross-check the detected technologies, including version numbers, to validate accuracy and potentially identify known vulnerabilities associated with those versions.

Question 2

You need to gather subdomains of a target domain without using brute force. Explain how to use crt.sh and Sublist3r to extract subdomains efficiently.

Correct Answer: A, B, C, D, E
Explanation:

To efficiently gather subdomains of a target domain without brute-forcing, you can rely on passive reconnaissance tools like crt.sh and Sublist3r. First, crt.sh can be used to extract subdomains from public SSL certificate logs by querying https://crt.sh/?q=%.targetdomain.com&output=json with a command like:

    curl -s "https://crt.sh/?q=%.targetdomain.com&output=json" | jq .

This returns all domain names found in Certificate Transparency records, which helps uncover hidden or forgotten subdomains that were issued SSL certificates. Next, Sublist3r can be used to gather subdomains from multiple public sources such as search engines and DNS databases by running:

    sublist3r -d targetdomain.com -o subdomains.txt

This compiles a list of discovered subdomains into a file. These results can then be combined and validated using other passive tools like Amass or DNS resolution tools such as nslookup and dig to confirm active entries, and finally tested for responsiveness using tools like httprobe.

Question 3

You want to find sensitive PDFs or DOCX files belonging to a target company. Explain how Google Dorking can be used to locate these files.

Correct Answer: A, B, C, D
Explanation:

To find PDF, DOCX, XLSX, and other documents belonging to a target company using Google Dorking, you can use Google's advanced search operators to locate files that are publicly indexed by search engines. For example, the query site:targetdomain.com filetype:pdf OR filetype:docx searches for PDF and Word documents hosted on the target domain, while site:targetdomain.com intitle:confidential filetype:pdf helps identify documents containing specific keywords in their titles. The inurl operator can be used to discover documents stored in particular directories, such as site:targetdomain.com inurl:"/docs/" filetype:xlsx. After locating publicly accessible files, you can review them and use metadata analysis tools such as ExifTool to examine document properties, which may reveal information such as author names, software versions, creation dates, and other organizational details. This process helps security professionals understand what information is publicly exposed through search engine indexing and assess potential information disclosure risks.
