Public Discovery Report (PDR)
This document lists the tools used for Public Discovery Reports (PDR) and what each tool is used for. (Only the Hunter row kept its original description; the other descriptions are summarised from the tools' published documentation.)

 2  CentralOps    https://centralops.net/co/
    Online whois, DNS record and traceroute lookups for a domain or IP (Domain Dossier).
 3  WhatRuns      https://www.whatruns.com/
    Browser extension that identifies the technologies (CMS, frameworks, analytics, fonts) a website uses.
 4  Wappalyzer    https://www.wappalyzer.com/
    Browser extension/website that fingerprints the technology stack of a website, including versions where disclosed.
 6  Hunter        https://hunter.io/chrome
    This extension/website is used for extracting the email addresses available for the target website.
 9  WebsitePulse  https://www.websitepulse.com/tools/
    Online DNS, whois and host lookup tools.
12  AbuseIPDB     https://www.abuseipdb.com/
    IP reputation database of addresses reported for abusive activity.
13  IBM X-Force Exchange  https://exchange.xforce.ibmcloud.com/
    Threat-intelligence portal for IP, URL and domain reputation and vulnerability information.
14  theHarvester  https://tools.kali.org/information-gathering/theharvester
    Collects email addresses, subdomains, hosts and names for a domain from public sources (search engines, certificate logs, etc.).
15  ipinfo.info   https://ipinfo.info/index.php
    IP address and hostname lookup (owner, location).
16  Gobuster      https://tools.kali.org/web-applications/gobuster
    Wordlist-based brute forcing of directories and files, DNS subdomains and virtual hosts. Note: unlike the other tools, Gobuster sends requests directly to the target, so it is active and falls outside the passive, non-intrusive scope the report below assumes.
Below is a sample PDR, together with the tools used for each section.
Public Discovery
Report
Help AG
Objective
Public discovery testing was performed to collect personal and sensitive data related to the company that is publicly available. This information, accessible to every internet user, was assessed with the possibility of data theft in mind. In a simple, quick way, this activity exposes the basic security risks that the organization may be open to from the outside world.
The objective is to identify and understand "obvious" security risks and to deliver basic recommendations that protect against an adverse impact on the organization or reduce the likelihood of a cyber-attack. Specific, comprehensive risks can only be identified through fuller assessments that leverage security-specific tools and practices.
Assumptions
The public discovery testing was performed through passive collection of data and was entirely non-intrusive. No scans of any kind were performed and there was no active probing to collect the information. This activity was completed with nothing more than the name of the organization. All of the information presented was gained through Google searches and passive reconnaissance tools only.
Executive Summary
Basic Findings:
● Network information was learned, including the net block owner, operating systems, and the technologies used on the server and those that are outward-facing. This information is the starting point for identifying vulnerabilities.
● Open ports and services were identified. Once open (or "available") ports and services are known, potential security vulnerabilities can be identified.
● The technology stack and login pages were identified.
● Operating system details of hosts were collected passively.
● Name server (NS) records were found, potentially exposing other IPs with different
Reputation is everything to
IP Addresses, open ports, and running services
We identified the following IP addresses, ports and services relevant to your organization:
Technology Stack
We identified the following technologies running on your website:

Item             Description
CMS              WordPress 4.9.10, Mousewheel JS
● Source: Wappalyzer

HTTP security headers
Referrer-Policy  A header that lets a site control how much referrer information the browser includes with navigations away from a document.
Feature-Policy   A header that lets a site control which browser features and APIs may be used (since renamed Permissions-Policy).
Expect-CT        Lets a site test whether it meets Chrome's Certificate Transparency requirements and/or enforce its CT policy (since deprecated, as Chrome now enforces CT by default).
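As an added example (not part of the original document or of Help AG's tooling), the Python below classifies a captured set of HTTP response headers the way a header scanner would: it reports the three headers listed above and the other standard security headers as missing, flags headers that are present but configured weakly (a leaky Referrer-Policy, a report-only or zero-max-age Expect-CT), and notes version disclosure and a WordPress fingerprint in the Link header. The two header sets (a weak one and a hardened one) are constructed for a hypothetical site, not captured from any real host.

```python
import re

# Constructed sample response headers for a hypothetical WordPress site (not real).
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
    "Link": '<https://www.example.com/wp-json/>; rel="https://api.w.org/"',
    "Referrer-Policy": "unsafe-url",
    "Expect-CT": 'max-age=0, report-uri="https://www.example.com/ct-report"',
}

# The same site with the headers corrected (also constructed).
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Expect-CT": "max-age=86400, enforce",
}

# Headers a scanner expects on a public HTTPS site. Feature-Policy was renamed
# Permissions-Policy, so either name satisfies that check.
REQUIRED = {
    "Strict-Transport-Security": ("strict-transport-security",),
    "Content-Security-Policy": ("content-security-policy",),
    "X-Content-Type-Options": ("x-content-type-options",),
    "X-Frame-Options": ("x-frame-options",),
    "Referrer-Policy": ("referrer-policy",),
    "Permissions-Policy (formerly Feature-Policy)": ("permissions-policy", "feature-policy"),
    "Expect-CT": ("expect-ct",),
}

# Referrer-Policy values that still send the full URL to third-party origins.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade", ""}


def parse_directives(value):
    """Split 'a=1, b, c="x"' into {'a': '1', 'b': '', 'c': 'x'}."""
    out = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def check_security_headers(headers):
    """Classify a response-header dict into missing, weak and disclosing headers."""
    h = {k.lower(): v for k, v in headers.items()}
    missing, weak, disclosure = [], [], []

    for label, names in REQUIRED.items():
        if not any(n in h for n in names):
            missing.append(label)

    rp = h.get("referrer-policy")
    if rp is not None and rp.strip().lower() in LEAKY_REFERRER:
        weak.append(f"Referrer-Policy: {rp!r} leaks full URLs cross-origin")

    ect = h.get("expect-ct")
    if ect is not None:
        d = parse_directives(ect)
        if "enforce" not in d:
            weak.append("Expect-CT: report-only, no 'enforce' directive")
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) == 0:
            weak.append("Expect-CT: max-age missing or 0, policy is never cached")

    # Version strings in Server / X-Powered-By feed straight into vulnerability lookups.
    for name in ("Server", "X-Powered-By"):
        val = h.get(name.lower())
        if val and re.search(r"\d+\.\d+", val):
            disclosure.append(f"{name}: {val} (version string disclosed)")
    # WordPress advertises its REST API root in a Link header.
    if "api.w.org" in h.get("link", ""):
        disclosure.append('Link: rel="https://api.w.org/" advertises the WordPress REST API')

    return {"missing": missing, "weak": weak, "disclosure": disclosure}


if __name__ == "__main__":
    for title, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {title} ==")
        for kind, items in check_security_headers(hdrs).items():
            print(f"{kind}: {items}")
```

Running the block prints five missing headers, three weak findings and three disclosures for the weak set, and nothing for the hardened set. To use it on a live site, feed it the response headers from any HTTP client; the classification is deliberately separated from the fetch so it can also be run over headers captured passively (e.g. from a proxy log).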
Login pages       N/A
● Manual searching, for example appending /login, /admin, etc. to the website URL.
PDF documents     N/A
Word documents    N/A
Excel documents   N/A
● Google searches of the form site:<domain> filetype:pdf (likewise docx, xlsx) list publicly indexed documents.
Install the extensions below for Chrome and Firefox and extract email addresses:
● Email Extractor Pro
● Hunter
Then check the collected addresses against https://haveibeenpwned.com/ for known breaches.
Remediation Actions
● Close unnecessary TCP/UDP ports and stop any services that are not required.
● Test all web applications and web servers to confirm that default configurations and credentials have been changed, to avoid brute forcing and server-side attacks.
● Web applications could be prone to SQL injection, XSS and other web-based vulnerabilities. Web applications that are used internally should not be exposed to the outside world.
● User accounts can be brute forced or locked out if user email addresses are found. Do not expose sensitive data to the outside world, in order to maintain data confidentiality.
● Change the passwords of all breached accounts and do not reuse the same password across different applications.
● Credentials of admin accounts for web management consoles (DirectAdmin, WordPress) should be changed regularly, and admin email addresses should not be publicly exposed.
● A Web Application Firewall should be installed to block automated scanners and common web attacks.
● DNS should not allow subdomain listing or zone transfers (AXFR) to unauthorized clients.
● Sensitive paths should not be listed as Disallow entries in robots.txt, since the file is public and advertises them; access to web management consoles (WordPress, DirectAdmin) should be restricted to specific IPs.
● Test all servers running older operating system versions for security misconfigurations and missing patches.
● Upgrade the website technologies in use (e.g. WordPress 4.9.10) to the latest version.
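To show why the robots.txt item above matters, here is an added Python example (not part of the original document) that parses a robots.txt file the way a reconnaissance script would and turns its Disallow entries into the absolute URLs an attacker would visit first. The robots.txt content and the site https://www.example.com/ are constructed for the example; the SENSITIVE pattern is an assumed, editable list of path fragments that usually mark management consoles, backups and staging copies.

```python
import re
from urllib.parse import urljoin

# Constructed robots.txt for a hypothetical site; not fetched from any real host.
SAMPLE_ROBOTS = """\
# Keep crawlers out of the management areas
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login.php
Allow: /wp-admin/admin-ajax.php
Disallow: /backup/
Disallow: /old-site/
Disallow: /directadmin/
Disallow: /images/
Sitemap: https://www.example.com/sitemap.xml
"""

# Assumed list of path fragments worth a closer look (edit to taste).
SENSITIVE = re.compile(r"(admin|login|backup|old|staging|dev|config|phpmyadmin)", re.I)


def parse_robots(text):
    """Return {'disallow': [...], 'allow': [...], 'sitemaps': [...]} in file order."""
    out = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "disallow" and value:
            out["disallow"].append(value)
        elif field == "allow" and value:
            out["allow"].append(value)
        elif field == "sitemap":
            out["sitemaps"].append(value)
    return out


def sensitive_paths(text, base_url):
    """Disallow entries that look like admin/backup areas, as absolute URLs."""
    return [urljoin(base_url, p)
            for p in parse_robots(text)["disallow"] if SENSITIVE.search(p)]


if __name__ == "__main__":
    for url in sensitive_paths(SAMPLE_ROBOTS, "https://www.example.com/"):
        print(url)
```

The fix is not to delete robots.txt but to stop relying on it for access control: management paths should be protected by authentication and IP restriction whether or not crawlers are asked to avoid them.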
Host records: These records point your domain to the IP address of your website or hosting.
Host                 IP
www.helpag.com       91.73.222.178

Name server records: These records specify the authoritative name servers for the domain.
Host                 IP
ns1.gratisdns.dk     217.61.111.93
ns2.gratisdns.dk     185.10.10.53
ns3.gratisdns.dk     185.43.209.139
ns4.gratisdns.dk     62.61.159.230
ns5.gratisdns.dk     45.76.144.57

MX records: These records specify the mail exchange servers for the domain.
Host                            IP
eu-smtp-inbound-2.mimecast.com  91.220.42.136
eu-smtp-inbound-1.mimecast.com  195.130.217.201
The above information can be found using the following tools:
● CentralOps
● WebsitePulse
● Maltego