Information Gathering – Mapping the Web Attack Surface

Introduction

Before launching any attack, every hacker — ethical or not — starts with reconnaissance.

This phase is all about understanding the target:

  • What technologies are used?

  • What inputs are available?

  • What subdomains, parameters, and endpoints exist?

In this part, you’ll learn how to map the entire attack surface using real-world tools and techniques.

🧠 What Is the Web Attack Surface?

Your target’s attack surface includes:

  • URLs

  • Login forms

  • APIs

  • Subdomains

  • Headers

  • Hidden parameters

  • Third-party integrations

The more you map, the better you understand where to probe for vulnerabilities.

🛠️ Tools You’ll Use

  • Nmap

  • WhatWeb / Wappalyzer

  • Sublist3r / Amass

  • Burp Suite (Spider, Proxy, Repeater)

  • Dirb / Gobuster

  • Firefox plugins: HackBar, Cookie Editor

🌐 Step 1: Passive Information Gathering

🔸 DNS and WHOIS Lookup

Use these commands to gather basic domain registration and DNS info. Both query third parties (the registrar's WHOIS service and your resolver), so the target's own servers never see the request, which is what makes this step passive:

whois target.com
nslookup target.com

🔸 Discover Subdomains

Enumerate subdomains from public sources (certificate transparency logs, search engines, passive DNS datasets). Merge the output of several tools, since each source sees a different slice of the namespace, and check that every name is actually in scope before touching it:

sublist3r -d target.com
amass enum -passive -d target.com
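Sublist3r and amass print banner lines, wildcard entries and mixed-case names, and one tool's output is never complete on its own. The script below is an added example (not from the original post) that merges tool output, normalizes the names and drops anything outside the apex domain; the two output blobs are constructed to look like Sublist3r and amass results, and the look-alike `target.com.evil-phish.net` is included on purpose to show why the scope check must work on label boundaries and not on a plain substring match.

```python
"""Merge subdomain lists from several passive tools and keep only in-scope names.

Added example; not part of the original post or of any tool's code.
The tool output below is constructed to resemble sublist3r/amass output,
with the usual noise: banner lines, wildcards, trailing dots, mixed case,
duplicates and an out-of-scope look-alike domain.
"""
import re
from typing import List, Optional

# Constructed sample output; in practice read the files the tools wrote.
SUBLIST3R_OUT = """\
[-] Enumerating subdomains now for target.com
[-] Searching now in Baidu..
www.target.com
Mail.target.com
dev.target.com
"""

AMASS_OUT = """\
www.target.com
api.target.com
*.staging.target.com
target.com.evil-phish.net
api.target.com
cdn.target.com.
"""

HOSTNAME_RE = re.compile(r"^(?:\*\.)?[a-z0-9.-]+$")


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex itself or a subdomain of it (label boundary enforced)."""
    return host == apex or host.endswith("." + apex)


def normalize(line: str) -> Optional[str]:
    """Lowercase, strip trailing dot and wildcard label; None if the line is not a hostname."""
    h = line.strip().lower().rstrip(".")
    if not h or not HOSTNAME_RE.match(h):
        return None  # banner lines, blanks, anything with spaces or brackets
    if h.startswith("*."):
        h = h[2:]  # a wildcard record still tells us the parent label exists
    return h


def merge_subdomains(outputs: List[str], apex: str) -> List[str]:
    """Union of all hostnames in the given tool outputs that belong to apex, sorted."""
    found = set()
    for text in outputs:
        for line in text.splitlines():
            h = normalize(line)
            if h and in_scope(h, apex):
                found.add(h)
    return sorted(found)


if __name__ == "__main__":
    for host in merge_subdomains([SUBLIST3R_OUT, AMASS_OUT], "target.com"):
        print(host)
```

Feed the merged list to a resolver or to httpx/nmap afterwards; at that point you move from passive to active recon, so make sure the names you are about to probe are the ones in your authorization letter.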

Online alternatives:

🔎 Step 2: Technology Fingerprinting

🔸 WhatWeb (CLI)

Command-line tool to identify technologies used by a website:

whatweb target.com

It reveals details like:

  • Server type
  • CMS (e.g., WordPress, Joomla)
  • Scripting languages
  • Analytics and frameworks

🔸 Wappalyzer (Browser Extension)

Install the Wappalyzer extension for your browser to instantly detect:

  • CMS (WordPress, Drupal, Joomla, etc.)
  • Web servers (Apache, Nginx)
  • JavaScript libraries (e.g., jQuery, React)
  • Frameworks (Laravel, Ruby on Rails, etc.)

🔗 Extension:
https://www.wappalyzer.com
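Both WhatWeb and Wappalyzer work the same way underneath: they match a database of regular expressions against response headers, cookie names and HTML markers. The script below is an added example, not WhatWeb's or Wappalyzer's code, that does the same thing with a small hand-picked signature set against a constructed HTTP response, so you can see exactly which artifacts give a stack away (the `Server` and `X-Powered-By` headers, the `PHPSESSID` cookie name, the WordPress generator tag and `/wp-content/` paths, the jQuery `?ver=` query string).

```python
"""Fingerprint a web stack from one HTTP response, the way WhatWeb/Wappalyzer do.

Added example; not the code of either tool. RAW_RESPONSE is constructed and
SIGNATURES is a tiny hand-picked set, not a real signature database.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed HTTP/1.1 response: headers, blank line, start of the HTML body.
RAW_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.33
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 6.2" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentythree/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>
"""

# (technology, where to look, regex). Capture group 1, if present, is the version.
SIGNATURES = [
    ("nginx", "header:server", r"nginx(?:/([\d.]+))?"),
    ("Apache", "header:server", r"Apache(?:/([\d.]+))?"),
    ("PHP", "header:x-powered-by", r"PHP(?:/([\d.]+))?"),
    ("PHP", "header:set-cookie", r"PHPSESSID="),
    ("ASP.NET", "header:set-cookie", r"ASP\.NET_SessionId="),
    ("Java (Servlet)", "header:set-cookie", r"JSESSIONID="),
    ("WordPress", "body", r'<meta name="generator" content="WordPress(?: ([\d.]+))?"'),
    ("WordPress", "body", r"/wp-(?:content|includes)/"),
    ("jQuery", "body", r"jquery(?:\.min)?\.js\?ver=([\d.]+)"),
    ("Drupal", "header:x-generator", r"Drupal(?: ([\d.]+))?"),
]


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw response into {lowercased header name: [values]} and the body."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw: str) -> Dict[str, Optional[str]]:
    """Return {technology: version-or-None} for every signature that matches."""
    headers, body = parse_response(raw)
    found: Dict[str, Optional[str]] = {}
    for name, where, pattern in SIGNATURES:
        if where == "body":
            targets = [body]
        else:
            targets = headers.get(where.split(":", 1)[1], [])
        for text in targets:
            m = re.search(pattern, text, re.IGNORECASE)
            if not m:
                continue
            version = m.group(1) if m.groups() and m.group(1) else None
            # A later signature may only confirm the technology; never replace a
            # known version with None.
            if name not in found or (version and not found[name]):
                found[name] = version
    return found


if __name__ == "__main__":
    for tech, ver in fingerprint(RAW_RESPONSE).items():
        print(f"{tech:15s} {ver or ''}")
```

Treat header-based results as claims, not facts: `Server` and `X-Powered-By` are trivial to remove or spoof, and hardened deployments do so. Body markers (asset paths, generator tags, the shape of the 404 page) are harder to hide, which is why WhatWeb reports them separately.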

🚪 Step 3: Directory and File Discovery

🔍 Directory & File Enumeration

Use these tools to brute-force directory and file names from a wordlist. This step is active and noisy (every guess is a request logged by the target), so run it only against systems you are authorized to test. Before trusting the results, check how the server answers a path that cannot exist: if a custom "not found" page comes back with status 200, every guess will look like a hit until you filter by response size.

dirb http://target.com
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Common discoveries may include:

  • admin/
  • config.php
  • backup.zip
  • robots.txt
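The false-positive problem above (a "soft 404" served with status 200) is the single most common way a first gobuster run goes wrong. The script below is an added example, not gobuster's or dirb's code, that shows the calibration those tools have to do: request a random path first, record what "not found" looks like, and report only responses that differ from it. It takes a `fetch(path) -> (status, length)` callable instead of doing real HTTP, and `fake_site` is a constructed target whose custom 404 page returns 200 with a fixed body length; with a real target you would swap in a function that performs the request.

```python
"""Directory brute force with a soft-404 baseline.

Added example; not gobuster's or dirb's code. REAL_PATHS and fake_site()
are a constructed target. Replace fake_site with a real HTTP fetcher
(e.g. one built on urllib or requests) to run it against a live system.
"""
import secrets
from typing import Callable, Iterable, List, Tuple

Fetch = Callable[[str], Tuple[int, int]]  # path -> (status code, body length)

# Constructed target: paths that really exist, and a soft 404 for everything else.
REAL_PATHS = {
    "/admin/": (301, 0),          # redirect to a login page
    "/config.php": (200, 0),      # PHP executes and prints nothing
    "/backup.zip": (200, 48_213),
    "/robots.txt": (200, 61),
    "/.git/": (403, 199),         # forbidden, but the directory exists
}
SOFT_404_LEN = 2_048  # the site's "page not found" template, served with 200


def fake_site(path: str) -> Tuple[int, int]:
    """Constructed target: every unknown path gets the 200 soft-404 template."""
    return REAL_PATHS.get(path, (200, SOFT_404_LEN))


def baseline(fetch: Fetch) -> Tuple[int, int]:
    """Fetch a random path that cannot exist to learn what 'not found' looks like."""
    return fetch("/" + secrets.token_hex(12))


def brute_force(fetch: Fetch, words: Iterable[str],
                extensions: Tuple[str, ...] = ("", ".php", ".zip", ".txt")) -> List[Tuple[str, int, int]]:
    """Try every word with every extension; keep responses that are not a 404 of either kind."""
    not_found = baseline(fetch)
    hits = []
    for word in words:
        for ext in extensions:
            # For the bare word try both the file and the directory form.
            candidates = [f"/{word}{ext}"] if ext else [f"/{word}", f"/{word}/"]
            for path in candidates:
                status, length = fetch(path)
                if status == 404 or (status, length) == not_found:
                    continue  # real 404, or the soft-404 template
                hits.append((path, status, length))
    return hits


if __name__ == "__main__":
    wordlist = ["admin", "config", "backup", "robots", ".git", "login"]  # constructed
    for path, status, length in brute_force(fake_site, wordlist):
        print(f"{status} {length:>7} {path}")
```

Without the baseline every one of the 30 guesses above would be reported as a 200. The equivalent switches in the real tools are `--exclude-length` in gobuster and `-fs` in ffuf; dirb prints a warning and stops when it detects this behaviour.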

🧬 Step 4: Intercept & Analyze with Burp Suite

  1. Point your browser at Burp's proxy and browse the site with intercept off; every request is recorded under Proxy > HTTP history. Turn intercept on only when you want to edit a specific request before it leaves.

  2. Look for:

    • All parameters (?id=123, page=login)

    • Cookies & session tokens

    • Custom headers

    • JavaScript files

  3. Use the crawl feature for full endpoint discovery (Spider in older versions; in current Burp Pro it runs as a crawl-only scan), then review Target > Site map for paths you never visited by hand. Burp Community has no crawler, so there the site map contains only what you browsed.

🧪 Tip: Replay requests in Burp Repeater to test parameter behavior.
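What you are really collecting in step 2 is an inventory: every endpoint, every parameter name, every cookie and every non-standard header, because each one is a later injection point. The script below is an added example, not Burp's code, that builds that inventory from raw requests copied out of the proxy history; the three requests are constructed (a GET with a query string, a JSON login, and a form POST with a suspicious `debug` parameter), and the header names it treats as "standard" are a hand-picked set.

```python
"""Build an attack-surface inventory from captured HTTP requests.

Added example; not Burp's code. CAPTURED holds constructed requests in the
form you would copy from Proxy > HTTP history. STANDARD_HEADERS is a
hand-picked list of headers that carry no application-specific meaning.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlparse

# Constructed raw requests (request line, headers, optional blank line + body).
CAPTURED = [
    """GET /product?id=123&page=login HTTP/1.1
Host: target.com
Cookie: PHPSESSID=9f3a; tracking=xyz
X-Requested-With: XMLHttpRequest
""",
    """POST /api/v1/login HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOi...
X-Api-Version: 2

{"username": "alice", "password": "hunter2", "remember": true}""",
    """POST /search HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=9f3a

q=shoes&sort=price&debug=1""",
]

STANDARD_HEADERS = {
    "host", "cookie", "content-type", "content-length", "user-agent", "accept",
    "accept-encoding", "accept-language", "connection", "referer", "origin",
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, request-target, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inventory(captured: List[str]) -> Dict[str, List[str]]:
    """Collect endpoints, parameter names, cookie names and custom headers."""
    inv = {"endpoints": set(), "query_params": set(), "body_params": set(),
           "cookies": set(), "custom_headers": set()}
    for raw in captured:
        method, target, headers, body = parse_request(raw)
        url = urlparse(target)
        inv["endpoints"].add(f"{method} {url.path}")
        inv["query_params"].update(k for k, _ in parse_qsl(url.query))
        for part in headers.get("cookie", "").split(";"):
            if "=" in part:
                inv["cookies"].add(part.split("=", 1)[0].strip())
        inv["custom_headers"].update(h for h in headers if h not in STANDARD_HEADERS)
        ctype = headers.get("content-type", "")
        if body and "json" in ctype:
            inv["body_params"].update(json.loads(body).keys())
        elif body and "x-www-form-urlencoded" in ctype:
            inv["body_params"].update(k for k, _ in parse_qsl(body))
    return {k: sorted(v) for k, v in inv.items()}


if __name__ == "__main__":
    for kind, names in inventory(CAPTURED).items():
        print(f"{kind}: {', '.join(names)}")
```

Every name in the output is a Repeater target: `id` and `q` for injection, `page` for path or template handling, `debug` and `X-Api-Version` for behaviour the developers did not expect users to reach, and `remember` for session-handling logic.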

🧩 Bonus: Search Engine Dorking

🔎 Google Dorking – Discover Indexed URLs

Use Google search operators to find exposed admin panels, scripts, and more:

site:target.com inurl:admin
site:target.com filetype:php

Tips:

  • inurl: – Filter URLs containing specific keywords (e.g., admin, login)
  • filetype: – Find files of specific types (e.g., php, pdf, zip)
  • site: – Limit results to the target domain only

📁 Check Internal Files Manually

Explore these files directly in the browser for additional paths:

  • robots.txt – Lists paths the site asks crawlers not to index. It is advice to crawlers, not access control, so the Disallow entries are often exactly the admin, backup and staging paths worth visiting.
  • sitemap.xml – Lists the pages the site wants indexed, sometimes including paths that no menu links to.
http://target.com/robots.txt
http://target.com/sitemap.xml
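Reading these two files by eye works for a small site, but on a large one you want the paths pulled out into a list you can browse through Burp or append to a gobuster wordlist. The script below is an added example (not from the original post) that parses a constructed robots.txt and sitemap.xml; it keeps the fixed prefix of wildcard rules such as `/cgi-bin/*.cgi`, because a path with `*` in it cannot be requested literally, and it also returns the Sitemap URLs robots.txt points at, which are frequently the only place a second, more complete sitemap is mentioned.

```python
"""Turn robots.txt and sitemap.xml into a list of paths to visit or brute-force from.

Added example; not part of the original post. ROBOTS_TXT and SITEMAP_XML
are constructed; on a real target you would fetch them from the URLs above.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /old-backup/     # left over from the 2019 migration
Disallow: /cgi-bin/*.cgi
Allow: /public/
Sitemap: https://target.com/sitemap.xml
"""

SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://target.com/</loc></url>
  <url><loc>https://target.com/products/</loc></url>
  <url><loc>https://target.com/internal/reports/q3.pdf</loc></url>
</urlset>
"""

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}


def paths_from_robots(text: str) -> Tuple[List[str], List[str]]:
    """Return (paths named in Allow/Disallow rules, Sitemap URLs)."""
    paths, sitemaps = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key in ("disallow", "allow") and value:
            # A wildcard rule cannot be fetched as written; keep its fixed prefix.
            paths.append(value.split("*", 1)[0])
        elif key == "sitemap":
            sitemaps.append(value)
    return paths, sitemaps


def paths_from_sitemap(xml_text: str) -> List[str]:
    """Return the path component of every <loc> in a sitemap."""
    root = ET.fromstring(xml_text)
    return [urlparse(loc.text.strip()).path
            for loc in root.findall(".//sm:loc", SITEMAP_NS)]


def seed_paths(robots_text: str, sitemap_text: str) -> Tuple[List[str], List[str]]:
    """Combined, de-duplicated path list (order preserved) plus the sitemap URLs."""
    robots_paths, sitemaps = paths_from_robots(robots_text)
    seen, out = set(), []
    for p in robots_paths + paths_from_sitemap(sitemap_text):
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out, sitemaps


if __name__ == "__main__":
    paths, sitemaps = seed_paths(ROBOTS_TXT, SITEMAP_XML)
    print("\n".join(paths))
    print("sitemaps:", ", ".join(sitemaps))
```

Note which entries came from Disallow: `/old-backup/` and `/internal/reports/` are the kind of path an operator hides from search engines precisely because it should not be public, and those go to the top of the manual-review list.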

📋 Recon Checklist

Task                  | Tool
----------------------|---------------------------
WHOIS Lookup          | whois
Subdomain Enum        | Sublist3r, Amass
Tech Fingerprinting   | WhatWeb, Wappalyzer
Hidden Paths          | dirb, gobuster
Parameter Discovery   | Burp Suite, Google Dorking

🔚 Wrapping Up

Recon is half the battle in web hacking. Once you understand every door, knob, and keyhole, attacking becomes strategic — not random.

👉 Coming up next:
💥 Part 4 – SQL Injection: Extracting Data from Web Apps

In the next part, you’ll get hands-on with SQLi, one of the most dangerous — and common — web vulnerabilities out there.
