Many organizations upload files such as PDF, Word and Excel documents to their websites without realizing that they are exposing sensitive information hidden in the files' metadata. This post looks at Goblyn, a freely available tool that enumerates and captures the metadata of files hosted on a website.
What is Goblyn?
Goblyn is a tool focused on the enumeration and capture of website file metadata.
How does it work?
Goblyn searches for active directories on the website and enumerates the files in them; when it finds a file, it extracts that file's metadata.
- Download the repository and run:
sudo python3 setup.py install
- Install exiftool
sudo apt install exiftool
- Run it!
sudo goblyn [OPTIONS]
Example of Use
sudo goblyn -t http://fma.if.usp.br/~amsilva/Livros/ -wl C:\Users\Lsy\Desktop\common.txt --file-types=pdf,docx,png
Why are metadata important?
Files contain metadata, which is information about other data. For a document, this means information about the document itself, such as names, emails, creation/modification dates, software and location information.
This kind of information could be useful in a penetration testing assignment, where during the reconnaissance phase you can easily collect valuable information about your client/company.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is certified in CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.