0.1 Recon

DNS lookup

dig <domain>
whois <ip>
dnscan https://github.com/rbsec/dnscan
Fierce: `fierce -dns targetdomain.com`

[ ] https://whois.domaintools.com/
[ ] `nslookup  <domain>`
	`nslookup -query=A <domain>`
	`nslookup -query=PTR <ip>`    # reverse lookup: takes an IP address, not a name
	`nslookup -query=ANY <domain>`
	`nslookup -query=TXT <domain>`
	`nslookup -query=MX <domain>`
[ ] `dig <domain> @1.1.1.1`
	`dig a <domain> @1.1.1.1`
	`dig -x <ip> @1.1.1.1`    # reverse lookup: takes an IP address, not a name
	`dig any <domain> @8.8.8.8`    # many resolvers now answer ANY with a minimal reply (RFC 8482); query record types individually if so
	`dig txt <domain> @8.8.8.8`
	`dig mx <domain> @8.8.8.8`
	`dig axfr example.com @ns1.example.com`    # zone transfer; a correctly configured authoritative server refuses this

Certificate


[ ] Certificates (certificate transparency logs)
	https://censys.io
	https://crt.sh
[ ] `curl -s "https://crt.sh/?q=<DOMAIN>&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u`
	# curl -s: issue the request with minimal output
	# output=json: ask crt.sh for JSON instead of the HTML table
	# jq: print each certificate's SAN list (name_value, one name per line) and its common name; sort -u: dedupe
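Added example (not from the original notes): a Python parser for the JSON that the crt.sh query above returns. It rebuilds the hostname inventory the jq pipeline produces and adds the check a domain owner runs on the same data, flagging still-valid certificates from an issuer not on the expected list. The sample records are constructed; `example.com` and the issuer names are placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in crt.sh's JSON shape (a subset of its fields). name_value
# may hold several SANs joined by "\n"; wildcard entries are common.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "name_value": "*.example.com\ndev.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
    {"id": 3, "issuer_name": "C=XX, O=Unknown Issuing CA, CN=Unknown CA",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2024-03-15T00:00:00", "not_after": "2025-03-15T23:59:59"},
])

def hostnames(raw_json, domain):
    """Deduplicated in-scope hostnames: what the jq name_value/common_name pipeline yields."""
    names = set()
    for rec in json.loads(raw_json):
        for name in rec["name_value"].split("\n") + [rec.get("common_name", "")]:
            name = name.strip().lower()
            if name.startswith("*."):  # *.example.com names the apex; keep it as example.com
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

def issuer_org(issuer_name):
    """Pull the O= attribute out of crt.sh's flattened issuer DN string."""
    m = re.search(r"(?:^|,\s*)O=([^,]+)", issuer_name)
    return m.group(1).strip() if m else ""

def unexpected_issuers(raw_json, expected_orgs, now_iso=None):
    """Certs still valid at now_iso whose issuer O= is not expected: the CT-monitoring
    check a domain owner runs to catch mis-issued or rogue certificates."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc).replace(tzinfo=None)
    hits = []
    for rec in json.loads(raw_json):
        org = issuer_org(rec["issuer_name"])
        if datetime.fromisoformat(rec["not_after"]) >= now and org not in expected_orgs:
            hits.append((rec["id"], rec["common_name"], org))
    return hits

if __name__ == "__main__":
    print(hostnames(SAMPLE_CRTSH_JSON, "example.com"))
    print(unexpected_issuers(SAMPLE_CRTSH_JSON, {"Let's Encrypt"}, "2024-06-01T00:00:00"))
```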

Google Dorking


filetype:pdf
intext:
site:
intitle:
inurl:

https://www.exploit-db.com/google-hacking-database

Social Media - Linkedin

https://github.com/vysecurity/LinkedInt

Subdomain enum

[ ] theHarvester    # one source per line in sources.txt

cat sources.txt
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
threatminer
trello
urlscan
vhost
virustotal
zoomeye

$ export TARGET="facebook.com"
$ cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}_${TARGET}";done

$ cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"


$ cat "${TARGET}"_*.txt | sort -u > "${TARGET}_subdomains_passive.txt"

$ cat "${TARGET}_subdomains_passive.txt" | wc -l

[ ] https://sitereport.netcraft.com
[ ] http://web.archive.org/
[ ] Waybackurls
$ go install github.com/tomnomnom/waybackurls@latest
waybackurls -dates https://facebook.com > waybackurls.txt
cat waybackurls.txt

[ ] curl -I "http://${TARGET}"
[ ] whatweb -a3 <domain> -v
[ ] Check Wappalyzer
[ ] Check for a WAF with wafw00f
sudo apt install wafw00f -y
wafw00f -v https://www.tesla.com
[ ] Aquatone
$ sudo apt install golang chromium-driver
$ go get github.com/michenriksen/aquatone    # on Go 1.18+ 'go get' no longer installs binaries: build from a clone of the repo or use a release binary
$ export PATH="$PATH":"$HOME/go/bin"
$ cat facebook_aquatone.txt | aquatone -out ./aquatone -screenshot-timeout 1000

Active Subdomain Enumeration

[ ] Zone Transfer
https://hackertarget.com/zone-transfer/
nslookup -type=NS <DNS>
nslookup -type=any -query=AXFR <DNS> <Nameserver>
[ ] gobuster
Identify a naming pattern in the hosts found so far, then create patterns.txt; each line is a template in which {GOBUSTER} is replaced by every wordlist entry, e.g.:
xxx-xxx-xxx-{GOBUSTER}-xxx

	$ export TARGET="facebook.com"
	$ export NS="d.ns.facebook.com"
	$ export WORDLIST="numbers.txt"
	$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

[ ] sublist3r -d <domain>
[ ] amass enum -d <domain>
[ ] subfinder -d <domain>
[ ] curl -s https://crt.sh/?q=%25.example.com | grep "<TD>" | sed -e 's/<TD>//g' -e 's/<\/TD>//g'

[ ] dirsearch
[ ] dirb
[ ] ffuf

Virtual Hosts

IP-based virtual hosting: each site has its own IP address
Name-based virtual hosting: several sites share one IP and the server selects the site from the Host header, so the response for an unknown Host differs from the one for a configured vhost (compare Content-Length below)


cat ./vhosts | while read vhost;do printf "\n********\nFUZZING: %s\n********\n" "${vhost}";curl -s -I http://192.168.10.10 -H "HOST: ${vhost}.randomtarget.com" | grep "Content-Length: ";done

OR

ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

edit /etc/hosts so the test hostname resolves to the target IP

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://test.test:PORT/ -H 'Host: FUZZ.test.test'

Crawling Recursion

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt


cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10


$ ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Sub-Domain Fuzzing

sudo sh -c 'echo "SERVER_IP  academy.htb" >> /etc/hosts'

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/

Get Fuzzing

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u "http://test.test.test:33184/admin/admin.php?FUZZ=key" -fs xxx    # the path and query belong in the URL, not in the Host header; -fs filters out the default response size

Post Fuzzing

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://test.test.htb:test/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx


curl http://test.test.test:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'



Value Fuzzing

$ for i in $(seq 1 1000); do echo $i >> ids.txt; done


ffuf -w ids.txt:FUZZ -u http://test.test.test:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Other Tools

Step                             Notes
https://bgp.he.net/              DNS info, nameservers, mail exchangers, etc.
whois (ARIN)                     https://whois.arin.net/ui/
https://whois.domaintools.com/   ASN, company info
https://viewdns.info/            DNS
Shodan.io                        Publicly available info
Public data                      https://github.com/trufflesecurity/truffleHog or https://buckets.grayhatwarfare.com/
Get IP address                   nslookup ns1.inlanefreight.com
Harvest usernames                https://github.com/initstring/linkedin2username
Get creds                        https://dehashed.com/ and https://github.com/sm00v/Dehashed
Reverse email lookup             https://epieos.com/
Collecting emails                https://hunter.io/
Spiderfoot                       https://github.com/smicallef/spiderfoot