Public Discovery Report (PDR)

This document lists the tools used for a PDR. Each tool's usage/working is also described.

Sr. No. | Name of the Tool | Description
1 | Security Headers (https://securityheaders.com/) | This website is used to scan the headers of the target website.
2 | Centralops (https://centralops.net/co/) | This website is used to investigate domains and IP addresses.
3 | Whatruns (https://www.whatruns.com/) | This extension is used to detect the technology being used by the target website, e.g. WordPress, language, framework, etc.
4 | Wappalyzer (https://www.wappalyzer.com/) | This extension is used to detect the technology being used by the target website, e.g. WordPress, language, framework, etc.
5 | Email Extractor Pro | This extension is used to extract email addresses from the target website.
6 | Hunter (https://hunter.io/chrome) | This extension/website is used to extract the email addresses available for the target website.
7 | Email Finder Extension (https://snov.io/extension) | This proprietary Chrome extension is used to extract email addresses from the target website.
8 | Snovio web technology checker | This proprietary Chrome extension is used to identify the technology being used on the target website.
9 | Websitepulse (https://www.websitepulse.com/tools/) | This site provides multiple tools, including MX lookup; from an email address we can check the servers being used for email delivery.
10 | Maltego | Domain mapping results, including publicly available details.
11 | NMAP scan | Port information can also be found with this software.
12 | AbuseIPDB (https://www.abuseipdb.com/) |
13 | X-Force (https://exchange.xforce.ibmcloud.com/) |
14 | theHarvester (https://tools.kali.org/information-gathering/theharvester) |
15 | Ipinfo (https://ipinfo.info/index.php) |
16 | Gobuster (https://tools.kali.org/web-applications/gobuster) |
Below is a sample PDR and the tools used for each section.

Public Discovery Report
Help AG
Objective
Public discovery testing was performed to collect personal and sensitive data related to the company that is publicly available. This information, accessible to every internet user, was tested with the possibility of data theft in mind. In a simple, quick way, this activity exposes basic security risks that the organization may be open to from the outside world.

The objective is to identify and understand "obvious" security risks and deliver basic recommendations to protect against an adverse impact on the organization, or reduce the possibility of cyber-attack. Specific, comprehensive risks can be identified through assessments leveraging security-specific tools and practices.
Assumptions
The public discovery testing was performed through passive collection of data and was entirely non-intrusive. Scans of any kind were not performed and there was no active probing to collect the information. This activity was completed with nothing more than the name of the organization. All of the depicted information was gained through Google searches and passive reconnaissance tools only.
Executive Summary
Basic Findings:
● Network information was learned, including net block owner, operating systems, and the technologies used on the server and those that are outward-facing. This information is the starting point for identifying vulnerabilities.
● Open ports and services were identified. Once open (or "available") ports and services are learned, potential security vulnerabilities can be identified.
● Technology stack and login pages were noted.
● Operating system details of hosts were collected passively.
● Name server (NS) records were found, potentially exposing other IPs with different
IP Addresses, open ports, and running services
We identified the following IP addresses, ports and services relevant to your organization:

IP | Port | Protocol | Status | Service Running
https://www.helpag.com/ (91.73.222.178) | 80 | tcp | open | http
https://www.helpag.com/ (91.73.222.178) | 443 | tcp | open | https
https://www.helpag.com/ (91.73.222.178) | 2000 | tcp | open | cisco-sccp
https://www.helpag.com/ (91.73.222.178) | 5060 | tcp | open | sip

● Run a Zenmap/Nmap scan using the URL/IP for all the ports

Technology Stack
We identified the following technologies running on your website:

Item | Description
CMS | WordPress 4.9.10, Mousewheel JS
Analytics | Google Analytics UA
Web Framework | Bootstrap
Programming Language | PHP
Sales and Marketing | Yoast SEO
Tag Managers | Google Tag Manager
JavaScript Frameworks | jQuery 1.8.2, Page JS, HoverIntent JS, jQuery Waypoints
Widgets | AddToAny, Facebook, OWL Carousel, Twitter
Font Script | Font Awesome
JavaScript Graphics | Twitter Emoji, WOW
CDN | CloudFlare, CDN JS
Advertising | Twitter Ads, Facebook Pixel
Dev Tools | Rollbar

● Install the below mentioned extensions for the technology stack in Chrome and Firefox:
● Whatruns
● Wappalyzer
● Snovio web technology checker

Vulnerable services/Missing Headers

Service Name | Vulnerability/Issue
jQuery 1.8.2 | Latest available version is 3.4.1
WordPress 4.9.10 | Latest available version is 5.2.4
Strict-Transport-Security | HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "Strict-Transport-Security: max-age=31536000; includeSubDomains".
Content-Security-Policy | Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
X-Content-Type-Options | X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
Referrer-Policy | Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document.
X-Content-Type-Options | There was a duplicate X-Content-Type-Options header.
Feature-Policy | Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
Expect-CT | Expect-CT allows a site to determine if it is ready for the upcoming Chrome requirements and/or enforce its CT policy.

● Security headers can be checked using https://securityheaders.com/
● The vulnerabilities of the technology stack can be found by searching Google for CVE details
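As an added example (not code from the original report or the Help AG engagement), a small Python check that applies the header table above to a raw HTTP response: it flags each listed header as missing, weak (HSTS max-age below the recommended 31536000 or without includeSubDomains, an X-Content-Type-Options value other than nosniff) or duplicated, which is the condition the sample report found. The response text is constructed for illustration, not captured from any site.

```python
# Added example (not from the original report): audit a raw HTTP response header
# block for the headers in the PDR table: missing, weak or duplicated values.
REQUIRED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "Referrer-Policy", "Feature-Policy", "Expect-CT"]

# Constructed sample (not a capture): short HSTS max-age, no CSP, duplicated nosniff.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
                   "Strict-Transport-Security: max-age=300\r\n"
                   "X-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\n"
                   "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")

def parse_headers(raw):
    """Map lower-cased header name -> list of values; duplicates are kept."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip status line; blank line ends headers
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Return the max-age directive of an HSTS value as an int, or None."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return None

def audit(raw):
    """Return issue strings, in the order of the PDR header table."""
    headers, issues = parse_headers(raw), []
    for name in REQUIRED:
        values = headers.get(name.lower(), [])
        if not values:
            issues.append(f"missing {name}")
            continue
        if len(values) > 1:  # the sample report found a duplicated header
            issues.append(f"duplicate {name}")
        if name == "Strict-Transport-Security":
            age = hsts_max_age(values[0])
            if age is None or age < 31536000:  # recommended value in the table
                issues.append("Strict-Transport-Security max-age below 31536000")
            if "includesubdomains" not in values[0].lower():
                issues.append("Strict-Transport-Security lacks includeSubDomains")
        elif name == "X-Content-Type-Options" and any(v.lower() != "nosniff" for v in values):
            issues.append("X-Content-Type-Options value is not nosniff")
    return issues
```

Running audit(SAMPLE_RESPONSE) reports six issues for the constructed response; a response carrying all six headers with the recommended values returns an empty list.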

Login pages
N/A

● Manual searching, for example appending /login, /admin, etc. to the website URL.

Sensitive documents or files found

The following table lists the documents/files that were found publicly accessible and may provide useful information to attackers.

Document Type | Document Name
Pdf documents | N/A
Word documents | N/A
Excel documents | N/A
Power point presentations | N/A

● Using Google dorks; examples can be found at https://securitytrails.com/blog/google-hacking-techniques

Email Accounts & Security Status

Email | Dark Web Status
soumya.prajna@helpag.com | Unsafe/Compromised
stephan.berner@helpag.com | Unsafe/Compromised
info@helpag.com | Unsafe/Compromised
ben.abraham@helpag.com | Unsafe/Compromised
mohamed.idris@helpag.com | Unsafe/Compromised
angelika.plate@helpag.com | Unsafe/Compromised
majid.khan@helpag.com | Unsafe/Compromised
nadia.zamouri@helpag.com | Unsafe/Compromised
csoc@helpag.com | Unsafe/Compromised
mohammed.abuasbeh@helpag.com | Unsafe/Compromised

Install the below mentioned extensions for Chrome and Firefox and extract emails:
● Email Extractor Pro
● Hunter
● Email Finder Extension

To verify whether an email is safe or not:
● https://haveibeenpwned.com/

Remediation Actions
● Close unnecessary TCP/UDP ports on which no services are running.
● Test all web applications and web servers to check whether default configurations have been changed, to avoid brute forcing and server-side attacks.
● Web applications could be prone to SQL injection, XSS and other web-based vulnerabilities. Web applications which are used internally should not be exposed to the outside world.
● User accounts can be brute forced or locked if user mail IDs are found. Do not expose sensitive data to the outside world, in order to maintain data confidentiality.
● Change all the passwords of breached accounts and do not use common passwords for different applications.
● Emails of admins and admin accounts for web management consoles (DirectAdmin, WordPress) should be changed regularly.
● A Web Application Firewall should be installed to defeat automated scanners.
● DNS should not allow any sub-domain listing or automatic zone transfers to unauthorized clients.
● The list of disallowed directories in robots.txt should be removed, and access to web management (WordPress & DirectAdmin) should be allowed only from specific IPs.
● Test all servers that are using older operating system versions for security misconfigurations.
● Upgrade the website technologies used to the latest version.
● Implement the missing web application security headers.


Appendix
Target Customer: Help Ag
Target Domain: https://www.helpag.com/
Target Source: Google Information Base
Domain Record: 91.73.222.178
Net Name: Helpinformation-Net

Host records: These records point your domain to the IP address of your website or hosting.

Host | IP
https://www.helpag.com/ | 91.73.222.178

Name server records: These records specify an authoritative name server for a given host.

Host | IP
ns1.gratisdns.dk | 217.61.111.93
ns2.gratisdns.dk | 185.10.10.53
ns3.gratisdns.dk | 185.43.209.139
ns4.gratisdns.dk | 62.61.159.230
ns5.gratisdns.dk | 45.76.144.57

MX records: These records specify a mail exchange server for a DNS domain name.

Host | IP
eu-smtp-inbound-2.mimecast.com | 91.220.42.136
eu-smtp-inbound-1.mimecast.com | 195.130.217.201

The above mentioned information can be found using the following websites:
● Centralops
● Websitepulse
● Maltego

Domain Mapping Results: Maltego
● Maltego
● Machines -> Run a machine -> URL to Network option
