INTRO

I don’t know if I have ever talked about Information Gathering here, but today we are going to do exactly that. We are going to see how bounty hunters gather information about a specific host, and we will use a well-known tool, “Red-Hawk”, to automate the work. I would not recommend this to new learners, though: you won’t learn anything new from this tool alone. Do all of this manually first, then use the tool, and compare the difference in output.

One more good thing: Red-Hawk is created by an Indian developer. Check him out on Twitter. He has created some other great tools too, which I will mention in the next articles. For now, we will stick with the bug hunting tool Red-Hawk.

But before reading more on this tool, watch this video to clear your concept on Bug Bounty Hunting:

It is not strictly necessary, but you should know the purpose of this tool and how it is used in real life.

ATTACK

Let’s clone it via git. Type this command:

git clone https://github.com/Tuhinshubhra/RED_HAWK.git

Screenshot:

Go into the directory and run the tool with PHP. You should also take a look at the PHP scripts; you will see that they are very well written. Type this command:

php rhawk.php

Screenshot:

You may see this error. It is very common: it is saying that you haven’t installed the PHP modules that are necessary to run this PHP script.

You can solve this error by installing these modules. Type this command:

apt install php-curl php-xml

But this never fixed the error for me, so I used the fix command. All you need to do is type fix when it asks for the domain/hostname.

For demonstration purposes, I am using our website “technicalnavigator.in”. Let’s type it when it asks for a domain name. It will also ask you to choose whether the website uses HTTPS or HTTP.

Screenshot:

As you can see in the screenshot, these are all the options we can use to gather information about a domain. Let’s use the first one by submitting 0.

Screenshot:

Look at this beautiful result we got. We can see that our website is behind Cloudflare and that the content management system (CMS) is WordPress. We also have the IP and the site title.

Screenshot:

So, now we know that our website runs on WordPress. We can use option 11 to enumerate further with the Red-Hawk tool. While doing that, it will ask for the directory on the web server where WordPress is installed. I will submit / because, as you know, our whole website is managed by WordPress.

Screenshot:

We can see the WordPress version that the website is using. The tool has also found some files (readme.html, license.txt) that are related to WordPress and disclose that version.
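The same checks the tool runs can be turned into a self-audit of what your own site discloses. The following is an added example (not code from the original article or from the Red-Hawk project) that inspects constructed HTTP responses for the items Red-Hawk reported: Cloudflare in front of the origin, the WordPress generator tag, and the version leaked by readme.html and license.txt. The response data is hypothetical; `audit_site` and `SAMPLE_SITE` are names assumed here.

```python
import re
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# Constructed sample responses, keyed by path; not captured from a real host.
SAMPLE_SITE: Dict[str, Response] = {
    "/": (200,
          {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-SIN"},
          '<html><head><title>Technical Navigator</title>'
          '<meta name="generator" content="WordPress 6.4.2" /></head></html>'),
    "/readme.html": (200, {"Server": "cloudflare"},
                     "<h1>WordPress</h1><p>Version 6.4.2</p>"),
    "/license.txt": (200, {"Server": "cloudflare"},
                     "WordPress - Web publishing software\n"),
}

# Default WordPress files that reveal the install (and often its version).
DISCLOSURE_FILES = ("/readme.html", "/license.txt")


def audit_site(site: Dict[str, Response]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for information the site exposes."""
    findings: List[Tuple[str, str]] = []
    status, headers, body = site.get("/", (0, {}, ""))
    lower = {k.lower(): v for k, v in headers.items()}

    # Cloudflare sets Server: cloudflare and a CF-RAY header on every response.
    if lower.get("server", "").lower() == "cloudflare" or "cf-ray" in lower:
        findings.append(("cdn", "Cloudflare in front of origin"))

    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    if title:
        findings.append(("title", title.group(1).strip()))

    # The generator meta tag reveals the CMS and exact version.
    gen = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body)
    if gen:
        findings.append(("cms", f"WordPress {gen.group(1)} via generator tag"))

    # Default files left in the web root confirm WordPress and may leak its version.
    for path in DISCLOSURE_FILES:
        status, _, fbody = site.get(path, (404, {}, ""))
        if status == 200 and "WordPress" in fbody:
            ver = re.search(r"Version ([\d.]+)", fbody)
            detail = f"{path} exposed" + (f", version {ver.group(1)}" if ver else "")
            findings.append(("disclosure", detail))
    return findings


if __name__ == "__main__":
    for category, detail in audit_site(SAMPLE_SITE):
        print(f"[{category}] {detail}")
```

Removing readme.html and license.txt from the web root and disabling the generator tag closes the two version-disclosure findings; the Cloudflare and title findings are informational.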

There is a function, “Bloggers view scan”, that can only be used with API keys from moz.com. It is not a necessary part, so you can skip it, but if you are curious to know more, Click Here.

By the way, did you notice the option to scan ports on the host? Submit 6 to scan ports.

Screenshot:

You can run an SQL injection scanner on the domain/host, but I think it will only penetrate GET requests, so it won’t be that powerful. I would rather prefer Sqlmap.

If you want to run all kinds of enumeration, submit option A.

Screenshot:

Thanks For Visiting.
