mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
Network Discovery and Subdomains enumerations
This commit is contained in:
parent
b315252c89
commit
1c5f8889bd
4 changed files with 289 additions and 94 deletions
|
@ -2,14 +2,6 @@
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
|
|
||||||
* Subbrute
|
|
||||||
* KnockPy
|
|
||||||
* GoogleDorks
|
|
||||||
* EyeWitness
|
|
||||||
* Sublist3r
|
|
||||||
* Aquatone
|
|
||||||
|
|
||||||
* [Passive Recon](#passive-recon)
|
* [Passive Recon](#passive-recon)
|
||||||
* Shodan
|
* Shodan
|
||||||
* Wayback Machine
|
* Wayback Machine
|
||||||
|
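Review bot: dropping the `Enumerate all subdomains` entries from the Summary leaves this page with no pointer to where that material now lives; since the content is being moved rather than deleted, suggest keeping a single bullet beside `* [Passive Recon](#passive-recon)` that links to the new file, e.g. `* [Subdomains Enumeration](Subdomains%20Enumeration.md)`, so the methodology page still guides readers to the subdomain workflow.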
@ -32,92 +24,6 @@
|
||||||
* Nikto
|
* Nikto
|
||||||
* Payment functionality
|
* Payment functionality
|
||||||
|
|
||||||
## Enumerate all subdomains (only if the scope is *.domain.ext)
|
|
||||||
|
|
||||||
### Using Subbrute
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/TheRook/subbrute
|
|
||||||
python subbrute.py domain.example.com
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/guelfoweb/knock
|
|
||||||
git clone https://github.com/danielmiessler/SecLists.git
|
|
||||||
knockpy domain.com -w subdomains-top1mil-110000.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Google Dorks and Google Transparency Report
|
|
||||||
|
|
||||||
You need to include subdomains ;)
|
|
||||||
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
|
||||||
|
|
||||||
```bash
|
|
||||||
site:*.domain.com -www
|
|
||||||
site:domain.com filetype:pdf
|
|
||||||
site:domain.com inurl:'&'
|
|
||||||
site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
|
|
||||||
site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
|
|
||||||
site:*.*.domain.com
|
|
||||||
```
|
|
||||||
|
|
||||||
### Subdomain take over using HostileSubBruteForcer
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
|
||||||
chmox +x sub_brute.rb
|
|
||||||
./sub_brute.rb
|
|
||||||
```
|
|
||||||
|
|
||||||
### EyeWitness and Nmap scans from the KnockPy and enumall scans
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
|
||||||
./setup/setup.sh
|
|
||||||
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
|
|
||||||
./EyeWitness -f urls.txt --web
|
|
||||||
./EyeWitness -x urls.xml -t 8 --headless
|
|
||||||
./EyeWitness -f rdp.txt --rdp
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Sublist3r
|
|
||||||
|
|
||||||
```bash
|
|
||||||
To enumerate subdomains of specific domain and show the results in realtime:
|
|
||||||
python sublist3r.py -v -d example.com
|
|
||||||
|
|
||||||
To enumerate subdomains and enable the bruteforce module:
|
|
||||||
python sublist3r.py -b -d example.com
|
|
||||||
|
|
||||||
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
|
|
||||||
python sublist3r.py -e google,yahoo,virustotal -d example.com
|
|
||||||
|
|
||||||
python sublist3r.py -b -d example.com
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Aquatone
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
gem install aquatone
|
|
||||||
|
|
||||||
Discover subdomains : results in ~/aquatone/example.com/hosts.txt
|
|
||||||
aquatone-discover --domain example.com
|
|
||||||
aquatone-discover --domain example.com --threads 25
|
|
||||||
aquatone-discover --domain example.com --sleep 5 --jitter 30
|
|
||||||
aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
|
|
||||||
|
|
||||||
Active scans : results in ~/aquatone/example.com/urls.txt
|
|
||||||
aquatone-scan --domain example.com
|
|
||||||
aquatone-scan --domain example.com --ports 80,443,3000,8080
|
|
||||||
aquatone-scan --domain example.com --ports large
|
|
||||||
aquatone-scan --domain example.com --threads 25
|
|
||||||
|
|
||||||
Final results
|
|
||||||
aquatone-gather --domain example.com
|
|
||||||
```
|
|
||||||
|
|
||||||
## Passive recon
|
## Passive recon
|
||||||
|
|
||||||
* Using Shodan (https://www.shodan.io/) to detect similar app
|
* Using Shodan (https://www.shodan.io/) to detect similar app
|
||||||
|
|
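Review bot: the ninety-odd removed lines are re-added verbatim in the new Subdomains Enumeration.md, but because this is a delete in one file plus an add in another rather than a rename, git will not carry the history of these commands across, and the commit message (`Network Discovery and Subdomains enumerations`) does not say the section was moved out of Methodology_and_enumeration.md; suggest stating the move explicitly in the commit message and leaving a one-line cross-reference where the `## Enumerate all subdomains` heading used to sit, just above `## Passive recon`.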
138
Methodology and Resources/Network Discovery.md
Normal file
|
@ -0,0 +1,138 @@
|
||||||
|
# Network Discovery
|
||||||
|
|
||||||
|
## Netdiscover
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
netdiscover -i eth0 -r 192.168.1.0/24
|
||||||
|
Currently scanning: Finished! | Screen View: Unique Hosts
|
||||||
|
|
||||||
|
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
|
||||||
|
_____________________________________________________________________________
|
||||||
|
IP At MAC Address Count Len MAC Vendor / Hostname
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
|
||||||
|
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
|
||||||
|
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
|
||||||
|
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
|
||||||
|
```
|
||||||
|
|
||||||
|
## Responder
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
|
||||||
|
responder.py -I eth0 -wrf
|
||||||
|
```
|
||||||
|
|
||||||
|
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
|
||||||
|
|
||||||
|
## Bettercap
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
bettercap -X --proxy --proxy-https -T <target IP>
|
||||||
|
# better cap in spoofing, discovery, sniffer
|
||||||
|
# intercepting http and https requests,
|
||||||
|
# targetting specific IP only
|
||||||
|
```
|
||||||
|
|
||||||
|
## Nmap
|
||||||
|
|
||||||
|
* Ping sweep (No port scan, No DNS resolution)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
|
||||||
|
```
|
||||||
|
|
||||||
|
* Basic NMAP
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
|
||||||
|
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
|
||||||
|
|
||||||
|
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
|
||||||
|
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
|
||||||
|
• 192.168.0.1 is the IP address to scan
|
||||||
|
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
|
||||||
|
• -iL INPUTFILE tells Nmap to use the provided file as inputs
|
||||||
|
```
|
||||||
|
|
||||||
|
* CTF NMAP
|
||||||
|
|
||||||
|
This configuration is enough to do a basic check for a CTF VM
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
|
||||||
|
|
||||||
|
-sV : Probe open ports to determine service/version info
|
||||||
|
-sC : to enable the script
|
||||||
|
-oA : to save the results
|
||||||
|
|
||||||
|
After this quick command you can add "-p-" to run a full scan while you work with the previous result
|
||||||
|
```
|
||||||
|
|
||||||
|
* Aggressive NMAP
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -A -T4 scanme.nmap.org
|
||||||
|
• -A: Enable OS detection, version detection, script scanning, and traceroute
|
||||||
|
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
|
||||||
|
```
|
||||||
|
|
||||||
|
* Using searchsploit to detect vulnerable services
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
|
||||||
|
```
|
||||||
|
|
||||||
|
* Generating nice scan report
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
|
||||||
|
```
|
||||||
|
|
||||||
|
* NMAP Scripts
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sC : equivalent to --script=default
|
||||||
|
|
||||||
|
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
|
||||||
|
PORT STATE SERVICE
|
||||||
|
80/tcp open http
|
||||||
|
| http-enum:
|
||||||
|
| /phpmyadmin/: phpMyAdmin
|
||||||
|
| /.git/HEAD: Git folder
|
||||||
|
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|
||||||
|
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|
||||||
|
|
||||||
|
nmap --script smb-enum-users.nse -p 445 [target host]
|
||||||
|
Host script results:
|
||||||
|
| smb-enum-users:
|
||||||
|
| METASPLOITABLE\backup (RID: 1068)
|
||||||
|
| Full name: backup
|
||||||
|
| Flags: Account disabled, Normal user account
|
||||||
|
| METASPLOITABLE\bin (RID: 1004)
|
||||||
|
| Full name: bin
|
||||||
|
| Flags: Account disabled, Normal user account
|
||||||
|
| METASPLOITABLE\msfadmin (RID: 3000)
|
||||||
|
| Full name: msfadmin,,,
|
||||||
|
| Flags: Normal user account
|
||||||
|
|
||||||
|
List Nmap scripts : ls /usr/share/nmap/scripts/
|
||||||
|
```
|
||||||
|
|
||||||
|
## Reconnoitre
|
||||||
|
|
||||||
|
Dependencies:
|
||||||
|
|
||||||
|
* nbtscan
|
||||||
|
* nmap
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick
|
||||||
|
```
|
||||||
|
|
||||||
|
If you have a segfault with nbtscan, read the following quote.
|
||||||
|
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
|
||||||
|
|
||||||
|
## Thanks
|
||||||
|
|
||||||
|
* [TODO](TODO)
|
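Review bot: several fences in the new Network Discovery.md are tagged `powershell` (Netdiscover, Responder, Bettercap, the ping-sweep block and Reconnoitre) although every command in them is a Linux shell invocation, while the Nmap blocks use `bash`; suggest tagging them all `bash` so highlighting matches the content. Two smaller points: the `Basic NMAP` and `CTF NMAP` fences put bullet explanations (`• the flag -sSV defines ...`, `-sV : Probe open ports ...`) inside the code block where they read as commands, so move them to a list below the fence; and the closing `## Thanks` section ships a `* [TODO](TODO)` placeholder link that should be filled in or dropped before merge.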
149
Methodology and Resources/Subdomains Enumeration.md
Normal file
|
@ -0,0 +1,149 @@
|
||||||
|
# Subdomains Enumeration
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
|
||||||
|
* Subbrute
|
||||||
|
* KnockPy
|
||||||
|
* GoogleDorks
|
||||||
|
* EyeWitness
|
||||||
|
* Sublist3r
|
||||||
|
* Aquatone
|
||||||
|
* Subfinder
|
||||||
|
* AltDNS
|
||||||
|
* MassDNS
|
||||||
|
* Subdomain take over
|
||||||
|
* HostileSubBruteForcer
|
||||||
|
* SubOver
|
||||||
|
|
||||||
|
## Enumerate all subdomains (only if the scope is *.domain.ext)
|
||||||
|
|
||||||
|
### Using Subbrute
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/TheRook/subbrute
|
||||||
|
python subbrute.py domain.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/guelfoweb/knock
|
||||||
|
git clone https://github.com/danielmiessler/SecLists.git
|
||||||
|
knockpy domain.com -w subdomains-top1mil-110000.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Google Dorks and Google Transparency Report
|
||||||
|
|
||||||
|
You need to include subdomains ;)
|
||||||
|
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
||||||
|
|
||||||
|
```bash
|
||||||
|
site:*.domain.com -www
|
||||||
|
site:domain.com filetype:pdf
|
||||||
|
site:domain.com inurl:'&'
|
||||||
|
site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
|
||||||
|
site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
|
||||||
|
site:*.*.domain.com
|
||||||
|
```
|
||||||
|
|
||||||
|
### EyeWitness and Nmap scans from the KnockPy and enumall scans
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||||
|
./setup/setup.sh
|
||||||
|
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
|
||||||
|
./EyeWitness -f urls.txt --web
|
||||||
|
./EyeWitness -x urls.xml -t 8 --headless
|
||||||
|
./EyeWitness -f rdp.txt --rdp
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Sublist3r
|
||||||
|
|
||||||
|
```bash
|
||||||
|
To enumerate subdomains of specific domain and show the results in realtime:
|
||||||
|
python sublist3r.py -v -d example.com
|
||||||
|
|
||||||
|
To enumerate subdomains and enable the bruteforce module:
|
||||||
|
python sublist3r.py -b -d example.com
|
||||||
|
|
||||||
|
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
|
||||||
|
python sublist3r.py -e google,yahoo,virustotal -d example.com
|
||||||
|
|
||||||
|
python sublist3r.py -b -d example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Aquatone
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
gem install aquatone
|
||||||
|
|
||||||
|
Discover subdomains : results in ~/aquatone/example.com/hosts.txt
|
||||||
|
aquatone-discover --domain example.com
|
||||||
|
aquatone-discover --domain example.com --threads 25
|
||||||
|
aquatone-discover --domain example.com --sleep 5 --jitter 30
|
||||||
|
aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
|
||||||
|
|
||||||
|
Active scans : results in ~/aquatone/example.com/urls.txt
|
||||||
|
aquatone-scan --domain example.com
|
||||||
|
aquatone-scan --domain example.com --ports 80,443,3000,8080
|
||||||
|
aquatone-scan --domain example.com --ports large
|
||||||
|
aquatone-scan --domain example.com --threads 25
|
||||||
|
|
||||||
|
Final results
|
||||||
|
aquatone-gather --domain example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://hub.docker.com/r/txt3rob/aquatone-docker/
|
||||||
|
docker pull txt3rob/aquatone-docker
|
||||||
|
docker run -it txt3rob/aquatone-docker aq example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Subfinder
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
go get github.com/subfinder/subfinder
|
||||||
|
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
|
||||||
|
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
|
||||||
|
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
|
||||||
|
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
|
||||||
|
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using AltDNS
|
||||||
|
|
||||||
|
It's recommended to use massdns in order to resolve the result of `AltDNS`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
WORDLIST_PERMUTATION="./Altdns/words.txt"
|
||||||
|
python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION
|
||||||
|
```
|
||||||
|
|
||||||
|
Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns)
|
||||||
|
|
||||||
|
### Using MassDNS
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
DNS_RESOLVERS="./resolvers.txt"
|
||||||
|
cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
## Subdomain take over
|
||||||
|
|
||||||
|
### Using HostileSubBruteForcer
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
||||||
|
chmox +x sub_brute.rb
|
||||||
|
./sub_brute.rb
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using SubOver
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
go get github.com/Ice3man543/SubOver
|
||||||
|
./SubOver -l subdomains.txt
|
||||||
|
```
|
|
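Review bot: `chmox +x sub_brute.rb` in the HostileSubBruteForcer block is a typo for `chmod +x sub_brute.rb` and fails as written, and the `aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ` line embeds what looks like a real Shodan API key in a public cheat sheet; replace it with a placeholder such as `<SHODAN_API_KEY>` and revoke the key if it was ever valid, since it stays in history either way. Also worth tidying while the section is being moved: the Google Transparency Report URL appears to carry a stray `g` after `[DOMAIN]` (`#domain=[DOMAIN]g&incl_exp=true`), the Sublist3r fence mixes prose lines with commands and repeats `python sublist3r.py -b -d example.com`, and the Aquatone, Subfinder, AltDNS, MassDNS and SubOver fences are tagged `powershell` for what are bash commands.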
@ -20,7 +20,9 @@ You might also like :
|
||||||
- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
|
- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
|
||||||
- [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
|
- [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
|
||||||
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
|
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
|
||||||
|
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discover.md)
|
||||||
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||||
|
- [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md)
|
||||||
- [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
|
- [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
|
||||||
- [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
|
- [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
|
||||||
- [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
|
- [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
|
||||||
|
|
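Review bot: the new README entry links to `.../Methodology%20and%20Resources/Network%20Discover.md`, but the file added in this commit is `Methodology and Resources/Network Discovery.md`, so the link will 404; change the URL path to `Network%20Discovery.md`. The adjacent `Subdomains%20Enumeration.md` entry matches its file name and is fine.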