BBOT for bucket enumeration, subdomain takeover

This commit is contained in:
TheTechromancer 2023-03-21 17:10:11 -04:00
parent 3caaafe0b0
commit 0db8cb0492
2 changed files with 27 additions and 0 deletions

@ -16,6 +16,26 @@
</details>
[BBOT](https://github.com/blacklanternsecurity/bbot) automates bucket enumeration. Supported cloud providers are: AWS, Google, Azure, DigitalOcean, and Firebase.
Buckets are discovered based on web content and derivatives of discovered DNS names. For example, if your target is `tesla.com` and BBOT discovers a subdomain `www.tesla.com`, it will visit the website and extract bucket names from its HTML content. Additionally, it will try each of the following bucket names:
- `www.tesla.com`
- `www.tesla`
- `www-tesla-com`
- `www-tesla`
- `wwwteslacom`
- `wwwtesla`
For each bucket found, BBOT will check whether it's open (world-readable) and also whether it's vulnerable to [subdomain hijacking](pentesting-web/domain-subdomain-takeover.md). Note that buckets discovered with the `bucket_*` modules are not guaranteed to be owned by the target.
~~~bash
# enumerate buckets for evilcorp.com
bbot -t evilcorp.com -f subdomain-enum cloud-enum
# single cloud provider + permutations (-dev, -test, etc.)
bbot -t evilcorp.com -m bucket_aws -c modules.bucket_aws.permutations=true
~~~
A good tool to review your configuration in several clouds is: [https://github.com/nccgroup/ScoutSuite](https://github.com/nccgroup/ScoutSuite)
[**AWS S3 hacking tricks**](broken-reference)
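Review bot: the last line of this hunk, `[**AWS S3 hacking tricks**](broken-reference)`, has the literal target `broken-reference`, so it renders as a dead link; point it at the actual S3 page (the other cross-reference in this hunk uses a relative path, `pentesting-web/domain-subdomain-takeover.md`) or drop it. The walkthrough also switches example domains: the prose and the bucket-name list use `tesla.com`, a real company, while the commands use `evilcorp.com`; using the same placeholder domain in both places keeps the derivation of `www-tesla-com`-style names easy to follow against the commands. The sentence that buckets found by the `bucket_*` modules are not guaranteed to be owned by the target is a useful caveat and should stay next to the "open (world-readable)" check so readers do not treat an open bucket as a confirmed finding.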

@ -31,6 +31,7 @@ A subdomain of the company is pointing to a **third-party service with a name no
There are several tools with dictionaries to check for possible takeovers:
* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
* [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)
* [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)
* [https://github.com/haccer/subjack](https://github.com/haccer/subjack)
* [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)
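Review bot: the tool entry `[https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)` has link text that drops the trailing `s` of the repository name; make the visible text match the URL, `tko-subs`. The added bbot entry follows the list's existing format and is fine as is.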
@ -41,6 +42,12 @@ There are several tools with dictionaries to check for possible takeovers:
* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
* [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover)
#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot):
Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz).
~~~bash
bbot -t evilcorp.com -f subdomain-enum
~~~
### Subdomain Takeover Generation via DNS Wildcard
When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME...
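Review bot: the new heading `#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot):` ends with a colon and embeds a link, which the neighbouring headings in this file (e.g. `### Subdomain Takeover Generation via DNS Wildcard`) do not; drop the trailing colon and keep the link in the sentence below, which already names the tool. The subsection also only says the takeover checks are "included" in `-f subdomain-enum` and that signatures come from can-i-take-over-xyz; a sentence on how a hit is surfaced in the output would tell readers what to look for, since the command is identical to the plain enumeration run.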