mirror of
https://github.com/xalgord/My-Methodologies.git
synced 2024-11-10 06:04:20 +00:00
GITBOOK-17: change request with no subject merged in GitBook
This commit is contained in:
parent
edbbe2acab
commit
cb19279fd7
6 changed files with 255 additions and 1 deletions
BIN
.gitbook/assets/image (1) (1).png
Normal file
BIN
.gitbook/assets/image (1) (1).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 382 KiB |
Binary file not shown.
Before Width: | Height: | Size: 382 KiB After Width: | Height: | Size: 93 KiB |
Binary file not shown.
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 235 KiB |
|
@ -5,3 +5,4 @@
|
|||
* [🔼 Subdomain Takeover](subdomain-takeover.md)
|
||||
* [Other](other.md)
|
||||
* [🔎 Recon With Me](recon-with-me.md)
|
||||
* [🔎 Extensive Recon Guide For Bug Hunting](extensive-recon-guide-for-bug-hunting.md)
|
||||
|
|
253
extensive-recon-guide-for-bug-hunting.md
Normal file
253
extensive-recon-guide-for-bug-hunting.md
Normal file
|
@ -0,0 +1,253 @@
|
|||
# 🔎 Extensive Recon Guide For Bug Hunting
|
||||
|
||||
<figure><img src=".gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### WHAT IS RECONNAISSANCE?
|
||||
|
||||
Reconnaissance is one of the most important aspects of penetration testing. It’s also known as Recon.\
|
||||
Recon will help you to increase attack surface area and may allow you to get more vulnerabilities but the ultimate goal is to dig deep in the target.
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line"> Recon = Increase in Attack surface = More vulnerabilities\
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line"> Recon = Finding untouched endpoints = Fewer duplicates\
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line"> Recon = Sharpening your axe before attack
|
||||
|
||||
***
|
||||
|
||||
### 1. SUBDOMAIN ENUMERATION
|
||||
|
||||
Subdomain enumeration is the process of finding subdomains for one or more domains.
|
||||
|
||||
**Tools used ⇒**
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">Visual Recon⇒
|
||||
|
||||
* [https://Virustotal.com](https://virustotal.com/)
|
||||
* [https://Subdomainfinder.c99.nl](https://subdomainfinder.c99.nl/)
|
||||
* [https://crt.sh/?q=%25.target.com](https://crt.sh/?q=%25.target.com)
|
||||
* [https://securitytrails.com/list/apex\_domain/target.com](https://securitytrails.com/list/apex\_domain/target.com)
|
||||
* [https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22](https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22)
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">Command Line⇒
|
||||
|
||||
* [Amass](https://github.com/owasp-amass/amass)
|
||||
* [Sunfinder](https://github.com/projectdiscovery/subfinder)
|
||||
* [dnsx](https://github.com/projectdiscovery/dnsx)
|
||||
* [Chaos](https://chaos.projectdiscovery.io/#/)
|
||||
* [Assetfinder](https://github.com/tomnomnom/assetfinder)
|
||||
|
||||
**Oneliners for Subdomain Enumeration ⇒**
|
||||
|
||||
```shell
|
||||
$ amass enum -passive -norecursive -noalts -df domians.txt -o subs-list.txt
|
||||
$ dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
|
||||
$ cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
### 2. FILTERING THE SUBDOMAINS WITH HTTPX
|
||||
|
||||
```shell
|
||||
$ httpx -l domain.txt -timeout 13 -o domain-probe.txt
|
||||
```
|
||||
|
||||
**PORT SCANNING ⇒**
|
||||
|
||||
```shell
|
||||
$ naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
|
||||
$ naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
|
||||
$ cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txt
|
||||
```
|
||||
|
||||
**SUBDOMAIN OF SUBDOMAIN ENUMERATION ⇒**\
|
||||
“This is one of the rare things people search for.”\
|
||||
**Tools used:**
|
||||
|
||||
* **Subbrute**: [https://github.com/TheRook/subbrute](https://github.com/TheRook/subbrute)
|
||||
* **Altdns**: [https://github.com/infosec-au/altdns](https://github.com/infosec-au/altdns)
|
||||
* Usage: `./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt`
|
||||
|
||||
***
|
||||
|
||||
### 3. SCREENSHOT TOOLS
|
||||
|
||||
These tools are capable of taking screenshots of websites to view offline anytime.
|
||||
|
||||
**Tools used ⇒**
|
||||
|
||||
* **Eyewitness**: [https://github.com/FortyNorthSecurity/EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness)
|
||||
* **httpscreenshot**: [https://github.com/breenmachine/httpscreenshot](https://github.com/breenmachine/httpscreenshot)
|
||||
|
||||
***
|
||||
|
||||
### 4. BROADENING YOUR SCOPE
|
||||
|
||||
More targets lead to more option which ultimately lead to more opportunities.
|
||||
|
||||
* Crunchbase
|
||||
* bgp.he.net
|
||||
* tools.whoisxmlapi.com
|
||||
* [https://whois.arin.net/](https://whois.arin.net/)
|
||||
|
||||
***
|
||||
|
||||
### 5. WHAT TO DO AFTER ENUMERATION? | Collecting URLs
|
||||
|
||||
* **Waybackurls**: [https://github.com/tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls)
|
||||
* **Gau**: [https://github.com/lc/gau](https://github.com/lc/gau)
|
||||
* **web archieve**: [https://web.archive.org/cdx/search/cdx?url=\*.target.com\&fl=original\&collapse=](https://web.archive.org/cdx/search/cdx?url=\*.target.com\&fl=original\&collapse=) urlkey
|
||||
|
||||
***
|
||||
|
||||
### 6. TIPS AND TRICKS
|
||||
|
||||
1\. After collecting URLs, curl out the responses of the URLs and grep for the following URLs:
|
||||
|
||||
* drive.google
|
||||
* docs.google
|
||||
* /spreadsheets/d/
|
||||
* /document/d/
|
||||
|
||||
```shell
|
||||
$ cat domains.txt | katana -silent | while read url; do cu=$(curl -s $url | grep -E '(drive. google | docs. google | spreadsheet\/d | document.\/d\/)' ;echo -e " ==> $url" "\n"" $cu" ; done
|
||||
```
|
||||
|
||||
2\. Using paramspider, gxss to detect Cross-site Scripting (XSS)
|
||||
|
||||
* Commands:-
|
||||
|
||||
```shell
|
||||
$ cat params | qsreplace yogi | dalfox pipe --mining-dom --deep-domxss --mining-dict --remotepayloads=portswigger,payloadbox --remote wordlists=burp,assetnote -o xssoutput.txt
|
||||
```
|
||||
|
||||
```shell
|
||||
$ cat alive.txt | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)" | tee xssBug3.txt
|
||||
```
|
||||
|
||||
3\. Using **SQLidetector** to search for sqli
|
||||
|
||||
* **Tool Link**: [https://github.com/eslam3kl/SQLiDetector](https://github.com/eslam3kl/SQLiDetector)
|
||||
|
||||
***
|
||||
|
||||
### 7. SHODAN FOR RECON
|
||||
|
||||
**Shodan**: [https://www.shodan.io/](https://www.shodan.io/)
|
||||
|
||||
**Shodan Dorks ⇒**
|
||||
|
||||
> ssl: “target\[.]com” 200 http.title: “dashboard” –unauthenticated dashboard\
|
||||
> org:“target.com” x-jenkins 200 — unauthenticated jenkins server\
|
||||
> ssl:“target.com” 200 proftpd port:21 — proftpd port:21 org:“target.com”\
|
||||
> http.html:zabbix — CVE-2022-24255 Main & Admin Portals: Authentication\
|
||||
> Bypass org:“target.com” http.title:“phpmyadmin” —-php my admin\
|
||||
> ssl:“target.com” http.title:"BIG-IP —F5 BIG-IP using CVE-2020-5902
|
||||
|
||||
**Example Writeup**:- [How I found XSS by searching in Shodan - Writeup](https://infosecwriteups.com/6943b799e648)
|
||||
|
||||
***
|
||||
|
||||
### 8. CENSYS FOR RECON
|
||||
|
||||
**Censys**: [https://www.censys.io/](https://www.censys.io/)\
|
||||
**Example Writeup**:- [Let’s fuck waf using Origin IP: My approach on censys By Deepak Dhiman](https://virdoexhunter.com/lets-fuck-waf-using-origin-ip-my-approach-on-censys/)
|
||||
|
||||
***
|
||||
|
||||
### 9. FUZZING FOR SENSITIVE FILES & DIRECTORIES
|
||||
|
||||
* **Ffuf**: [https://github.com/ffuf/ffuf](https://github.com/ffuf/ffuf)
|
||||
* **Example Writeup**:-[Ffuf-ing Recon Writeup on FFuf](https://infosecwriteups.com/1ee4e79b3256)
|
||||
|
||||
```shell
|
||||
$ for i in cat host.txt; do ffuf -u $i/FUZZ -w wordlist.txt -mc 200,302,401 -se ;done
|
||||
```
|
||||
|
||||
* **Tip**: Fuzz for “/wp-content/debug.log” || Sometimes they contain SQL error, which can be chained.
|
||||
|
||||
***
|
||||
|
||||
### 10. FINDING SOURCE/BACKUP FILES
|
||||
|
||||
**Subdomain Name**: `y0gi.hacklido.com`
|
||||
|
||||
> y0gi.hacklido.com /y0gi.zip - hacklido.zip – admin.zip – backup.zip\
|
||||
> y0gi.hacklido.com/y0gi/y0gi.zip - hacklido.zip – admin.zip – backup.zip\
|
||||
> y0gi. hacklido.com/hacklido/y0gi.zip - hacklido.zip – admin.zip – backup.zip\
|
||||
> y0gi. hacklido.com/admin/y0gi.zip - hacklido.zip – admin.zip – backup.zip
|
||||
|
||||
**Tool Link**: [https://github.com/musana/fuzzuli](https://github.com/musana/fuzzuli)
|
||||
|
||||
***
|
||||
|
||||
### 11. GOOGLE & GITHUB DORKING
|
||||
|
||||
**Trivial Tricks:**
|
||||
|
||||
* Find Sensitive Data in Cloud storage through Google Dork:
|
||||
|
||||
> site:[http://s3.amazonaws.com](http://s3.amazonaws.com/) “target\[.]com”\
|
||||
> site:[http://blob.core.windows.net](http://blob.core.windows.net/) “target\[.]com”\
|
||||
> site:[http://googleapis.com](http://googleapis.com/) “target\[.]com”\
|
||||
> site:[http://drive.google.com](http://drive.google.com/) “target\[.]com”
|
||||
|
||||
* Github Leaks for AWS, Jira, Okta, etc:
|
||||
|
||||
> Org:“target” pwd/pass/passwd/password\
|
||||
> “target.atlassian” pwd/pass/passwd/password\
|
||||
> “target.okta” pwd/pass/passwd/password\
|
||||
> “Jira.target” pwd/pass/passwd/password
|
||||
|
||||
* Also search in Google groups, Gitlabs.
|
||||
|
||||
***
|
||||
|
||||
### 12. JAVASCRIPT\[JS] FILES RECON
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line"> Grep all urls from wayback or gau.
|
||||
|
||||
* Collect all js file “.js”
|
||||
* Filter js file:
|
||||
|
||||
```go
|
||||
$ httpx -content-type | grep 'application/javascript'
|
||||
```
|
||||
* Perform Nuclei scan
|
||||
|
||||
```shell
|
||||
$ nuclei -t /root/nuclei-templates/exposures/
|
||||
```
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line"> Js Recon Tip:
|
||||
|
||||
* Collect all endpoints from Js files & Create a wordlist from those.
|
||||
* Craft a POST request with any parameter.
|
||||
* Use that request to fuzz for sensitive directory.
|
||||
* **Tools**:- [JSFScan.sh](https://github.com/KathanP19/JSFScan.sh) , Jsminer {Burp Extension} , [Trufflehog](https://github.com/trufflesecurity/trufflehog)
|
||||
|
||||
***
|
||||
|
||||
### 13. SOME AUTOMATION FRAMEWORKS
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Sudomy**: [https://github.com/Screetsec/Sudomy](https://github.com/Screetsec/Sudomy)\
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Reconftw**: [https://github.com/six2dez/reconftw](https://github.com/six2dez/reconftw)
|
||||
|
||||
***
|
||||
|
||||
### Final Thoughts
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Verify Data**
|
||||
|
||||
* Some data are intended, No bug here.
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Reported > Invalid**
|
||||
|
||||
* Don’t get angry, You may lose bonds with good program
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Yes, They do accept Third Party**
|
||||
|
||||
* Your crafting and exploits are gold. Make it high as you can
|
||||
|
||||
<img src="https://cdn.jsdelivr.net/gh/twitter/twemoji@14/assets/72x72/1f539.png" alt="🔹" data-size="line">**Be humble with Program**
|
||||
|
||||
* Money going no where. Don’t message constant to team
|
|
@ -1,6 +1,6 @@
|
|||
# 🔼 Subdomain Takeover
|
||||
|
||||
<figure><img src=".gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src=".gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
```
|
||||
#!/bin/sh
|
||||
|
|
Loading…
Reference in a new issue