Public Discovery Report (PDR)
This document lists the tools used for the PDR and describes the purpose and usage of each tool.
Sr. No. / Name of the Tool / Description
1. Security Headers (https://securityheaders.com/): This website is used to scan the HTTP response headers of the target website.
2. Centralops (https://centralops.net/co/): This website is used to investigate domains and IP addresses.
3. Whatruns (https://www.whatruns.com/): This browser extension is used to detect the technology used by the target website, e.g. WordPress, language, framework, etc.
4. Wappalyzer (https://www.wappalyzer.com/): This browser extension is used to detect the technology used by the target website, e.g. WordPress, language, framework, etc.
5. Email Extractor Pro: This extension is used to extract email addresses found on the target website.
6. Hunter (https://hunter.io/chrome): This extension/website is used to extract the email addresses available for the target website.
7. Email Finder Extension (https://snov.io/extension): This proprietary Chrome extension is used to extract email addresses on the target website.
8. Snovio web technology checker: This proprietary Chrome extension is used to extract the technology used on the target website.
9. Websitepulse (https://www.websitepulse.com/tools/): This site provides multiple tools, including MX lookup. From email addresses we can check the servers used for email delivery.
10. Maltego: Domain mapping results, including publicly available details.
11. NMAP scan: Port information can also be found with this software.
12. AbuseIPDB (https://www.abuseipdb.com/)
13. X-Force Exchange (https://exchange.xforce.ibmcloud.com/)
14. theHarvester (https://tools.kali.org/information-gathering/theharvester)
15. Ipinfo (https://ipinfo.info/index.php)
16. Gobuster (https://tools.kali.org/web-applications/gobuster)
Below is a sample PDR, with the tools used for each section noted.
Public Discovery Report
Help AG
Report Date: 11th November 2019
Objective
Public discovery testing was performed to collect personal and sensitive data related to the company that is publicly available. This information, accessible to every internet user, was tested with the possibility of data theft in mind. In a simple, quick way, this activity exposes basic security risks that the organization may be open to from the outside world.

The objective is to identify and understand "obvious" security risks, deliver basic recommendations to protect against an adverse impact on the organization, or reduce the possibility of cyber-attack. Specific, comprehensive risk can be identified through assessments leveraging security-specific tools and practices.

Assumptions
The public discovery testing was performed through passive collection of data and was entirely non-intrusive. Scans of any kind were not performed and there was no active probing to collect the information. This activity was completed with nothing more than the name of the organization. All of the depicted information was gained through Google searches only and passive reconnaissance tools.

Executive Summary
Basic Findings:
● Network information was learned, including net block owner, operating systems, and the technologies used on the server and those that are outward-facing. This information is the starting point for identifying vulnerabilities.
● Open ports and services were identified. Once open (or "available") ports and services are learned, potential security vulnerabilities can be identified.
● Technology stack and login pages were documented.
● Operating system details of hosts were collected passively.
● Name server (NS) records were found, potentially exposing other IPs on which different services are running.

Advanced Results:
● Brute force can be performed against the web login page.

Sidebar: RECENT CYBER ATTACKS

Hackers Found Using A New Code Injection Technique to Evade Detection
Early Bird is a "simple yet powerful" technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection. The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks which allows the malware to perform its malicious actions without being detected."

Finland's 3rd Largest Data Breach Exposes 130,000 Users' Plaintext Passwords
The Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach in a website maintained by the New Business Center in Helsinki ("Helsingin Uusyrityskeskus"), a company that provides business advice to entrepreneurs and helps them create the right business plans.

Unknown attackers hacked the website (liiketoimintasuunnitelma.com) and stole over 130,000 users' login usernames and passwords, which were stored on the site in plain text without any hashing.

Reputation is everything to an organization and a single data breach can destroy a reputation in one fell swoop. So, you need to be secure from cyber threats.
IP Addresses, open ports, and running services
We identified the following IP addresses, ports and services relevant to your organization:
IP                                        Port   Protocol   Status   Service Running
https://www.helpag.com/ (91.73.222.178)   80     tcp        open     http
                                          443    tcp        open     https
                                          2000   tcp        open     cisco-sccp
                                          5060   tcp        open     sip
● Run a Zenmap/Nmap scan using the URL/IP to enumerate all ports
Technology Stack
We identified the following technologies running on your website:
Item Description
CMS WordPress 4.9.10, Mousewheel JS
Analytics Google Analytics UA
Web Framework Bootstrap
Programming Language PHP
Sales and Marketing Yoast SEO
Tag Managers Google Tag Manager
JavaScript Frameworks jQuery 1.8.2, Page JS, HoverIntent JS, jQuery Waypoints
Widgets AddToAny, Facebook, OWL Carousel, Twitter
Font Script Font Awesome
Javascript Graphics Twitter Emoji, WOW
CDN CloudFlare, CDN JS
Advertising Twitter Ads, Facebook Pixel
Dev Tools Rollbar
● Install the extensions listed below in Chrome and Firefox to identify the technology stack
● Whatruns
● Wappalyzer
● Snovio web technology checker
Vulnerable services/Missing Headers
Service Name: Vulnerability/Issue
jQuery 1.8.2: Latest available version is 3.4.1
WordPress 4.9.10: Latest available version is 5.2.4
Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "Strict-Transport-Security: max-age=31536000; includeSubDomains".
Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
X-Content-Type-Options: X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
Referrer-Policy: Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document.
X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
Feature-Policy: Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
Expect-CT: Expect-CT allows a site to determine if it is ready for the upcoming Chrome requirements and/or enforce its CT policy.
● Security headers can be checked using https://securityheaders.com/
● Vulnerabilities in the technology stack can be found by searching Google for the CVE details of each identified component and version
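As an added illustration (not part of the report or of any tool listed above), the following Python function audits a captured set of HTTP response headers against the table above: it reports missing headers, a duplicated X-Content-Type-Options header, an HSTS max-age shorter than the recommended one year or lacking includeSubDomains, and an X-Content-Type-Options value other than nosniff. The header sample is constructed.

```python
from collections import Counter

# Constructed sample response headers, kept as (name, value) pairs so that a
# duplicated header (one finding in the table above) is not collapsed away.
SAMPLE_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
]
# Headers the report checks for, in the order of the table above.
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "Referrer-Policy", "Feature-Policy",
            "Expect-CT"]
HSTS_MIN_AGE = 31536000  # one year, the max-age recommended in the table

def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_headers(headers):
    """Return finding strings for a list of (name, value) response headers."""
    findings = []
    counts = Counter(name.lower() for name, _ in headers)
    values = {name.lower(): value for name, value in headers}
    for name in EXPECTED:
        n = counts.get(name.lower(), 0)
        if n == 0:
            findings.append(f"missing: {name}")
        elif n > 1:
            findings.append(f"duplicate: {name} sent {n} times")
    hsts = values.get("strict-transport-security")
    if hsts is not None:  # presence is checked above; here check strength
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(f"weak: HSTS max-age below {HSTS_MIN_AGE}")
        if not include_sub:
            findings.append("weak: HSTS lacks includeSubDomains")
    xcto = values.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"invalid: X-Content-Type-Options {xcto!r}; only nosniff is valid")
    return findings
```

Feed it the headers of your own site (for example from a captured response) and fix each finding before re-checking with securityheaders.com.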
Login pages
N/A
● Manual searching, for example appending /login, /admin, etc. to the end of the website URL
Sensitive document or files found
The following table lists the documents/files that were found publicly accessible and may provide useful information to attackers.
Document Type             Document Name
PDF documents             N/A
Word documents            N/A
Excel documents           N/A
PowerPoint presentations  N/A
● Google Dork examples can be found at https://securitytrails.com/blog/google-hacking-techniques
Email Accounts & Security Status
Email                     Dark Web Status
Install the extensions listed below in Chrome and Firefox and use them to extract email addresses:
● Email Extractor Pro
● Hunter
● Email Finder Extension
To verify whether an email address has been exposed in a known breach:
● https://haveibeenpwned.com/
Remediation Actions
● Close unnecessary TCP/UDP ports on which no services are running.
● Test all the web applications and web servers to check whether default configurations are changed
to avoid brute forcing and server-side attacks.
● Web-applications could be prone to SQL injection, XSS & other web-based vulnerabilities. Web
applications which are used internally should not be exposed to outside world.
● User accounts can be brute forced or locked if user mail IDs are found. Do not expose sensitive data
to the outside world in order to maintain data confidentiality.
● Change all the passwords of breached accounts and do not use common passwords for different
applications.
● Emails of admins and admin accounts for web management consoles (DirectAdmin, WordPress)
should be changed regularly.
● Web Application Firewall should be installed to defeat automated scanners.
● DNS should not allow any sub-domain listing or automatic zone transfers to unauthorized clients.
● The list of disallowed directories in robots.txt should be removed, and access to web management
(WordPress & DirectAdmin) should be allowed only from specific IPs.
● Test all servers running older operating system versions for security misconfigurations.
● Upgrade the website technologies used to the latest version.
● Implement the web application missing security headers.
Appendix
Target Customer: Help AG
Target Domain: https://www.helpag.com/
Target Source: Google Information Base
Domain Record: 91.73.222.178
Net Name: Helpinformation-Net
Host records: These records point your domain to the IP address of your website or hosting.
Host IP
https://www.helpag.com/ 91.73.222.178
Name server records: These records specify an authoritative name server for given host.
Host IP
ns1.gratisdns.dk 217.61.111.93
ns2.gratisdns.dk 185.10.10.53
ns3.gratisdns.dk 185.43.209.139
ns4.gratisdns.dk 62.61.159.230
ns5.gratisdns.dk 45.76.144.57
MX records: These records specify a mail exchange server for a DNS domain name.
Host IP
eu-smtp-inbound-2.mimecast.com 91.220.42.136
eu-smtp-inbound-1.mimecast.com 195.130.217.201
The above-mentioned information can be found using the following tools:
● Centralops
● Websitepulse
● Maltego
Domain Mapping Results: Maltego
● Maltego: Machines -> Run a machine -> URL to Network option