Discovery

Discovering ports and services on target system.

In a lot of scenarios network scanners like Nmap discovers open web service ports like 80 or 443.

In a large scale assessment we are not able to manually check all hosts to see if an active web site is hosted or not.

The best way is to use automated tools to take screenshots of discovered web servers.

Find Active Sites (Screenshots)

Http-screenshot

GitHub - breenmachine/httpscreenshotGitHub

httpscreenshot -l domains-https.txt -tG -sF -vH

Eyewitness

GitHub - RedSiege/EyeWitness: EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.GitHub

apt install eyewitness

# examples:
EyeWitness.exe --help
EyeWitness.exe --bookmarks
EyeWitness.exe -f C:\Path\to\urls.txt
EyeWitness.exe --file C:\Path\to\urls.txt --delay [timeout in seconds] --compress

./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml --timeout 8 
./EyeWitness.py -f urls.txt --web --proxy-ip 127.0.0.1 --proxy-port 8080 --proxy-type socks5 --timeout 120

Web Server Info

whatweb example.com -v

Test HTTP Strict Transport Security (HSTS)

curl -s -D- https://domain.com/ | grep Strict

Result expected:
Strict-Transport-Security: max-age=...

PreviousWeb Applications NextSubdomains & Directories