mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 00:47:24 +00:00
GitBook: [#3156] No subject
This commit is contained in:
parent
ba2c87e63b
commit
d3bfa1f49f
4 changed files with 38 additions and 57 deletions
Binary file not shown.
Before Width: | Height: | Size: 8.4 KiB After Width: | Height: | Size: 280 KiB |
Binary file not shown.
Before Width: | Height: | Size: 280 KiB After Width: | Height: | Size: 8.4 KiB |
|
@ -16,32 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## External Recon Methodology
|
||||
{% hint style="danger" %}
|
||||
****<img src="../.gitbook/assets/image (620).png" alt="" data-size="original">****\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
### External Recon Methodology
|
||||
|
||||
<img src="../.gitbook/assets/image (620) (2) (7).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
#### Assets discoveries
|
||||
## Assets discoveries
|
||||
|
||||
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
|
||||
|
||||
|
@ -52,7 +35,7 @@ The goal of this phase is to obtain all the **companies owned by the main compan
|
|||
3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)
|
||||
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively).
|
||||
|
||||
**Acquisitions**
|
||||
### **Acquisitions**
|
||||
|
||||
First of all, we need to know which **other companies are owned by the main company**.\
|
||||
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\
|
||||
|
@ -60,7 +43,7 @@ Other option is to visit the **Wikipedia** page of the main company and search f
|
|||
|
||||
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
|
||||
|
||||
**ASNs**
|
||||
### **ASNs**
|
||||
|
||||
An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\
|
||||
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
|
||||
|
@ -78,13 +61,13 @@ amass intel -asn 8911,50313,394161
|
|||
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\
|
||||
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com).
|
||||
|
||||
**Looking for vulnerabilities**
|
||||
### **Looking for vulnerabilities**
|
||||
|
||||
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
|
||||
Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running\*\*.\*\*\
|
||||
Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
|
||||
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
|
||||
|
||||
#### Domains
|
||||
## Domains
|
||||
|
||||
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
|
||||
|
||||
|
@ -92,7 +75,7 @@ _Please, note that in the following purposed techniques you can also find subdom
|
|||
|
||||
First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
|
||||
|
||||
**Reverse DNS**
|
||||
### **Reverse DNS**
|
||||
|
||||
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)
|
||||
|
||||
|
@ -106,7 +89,7 @@ dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
|
|||
For this to work, the administrator has to enable manually the PTR.\
|
||||
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com)
|
||||
|
||||
**Reverse Whois (loop)**
|
||||
### **Reverse Whois (loop)**
|
||||
|
||||
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\
|
||||
You can use online tools like:
|
||||
|
@ -124,7 +107,7 @@ You can also perform some automatic reverse whois discovery with [amass](https:/
|
|||
|
||||
**Note that you can use this technique to discover more domain names every time you find a new domain.**
|
||||
|
||||
**Trackers**
|
||||
### **Trackers**
|
||||
|
||||
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\
|
||||
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
|
||||
|
@ -136,7 +119,7 @@ There are some pages that let you search by these trackers and more:
|
|||
* [**Publicwww**](https://publicwww.com)
|
||||
* [**SpyOnWeb**](http://spyonweb.com)
|
||||
|
||||
**Favicon**
|
||||
### **Favicon**
|
||||
|
||||
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it:
|
||||
|
||||
|
@ -155,7 +138,7 @@ Moreover, you can also search technologies using the favicon hash as explained i
|
|||
hodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
|
||||
```
|
||||
|
||||
**Other ways**
|
||||
### **Other ways**
|
||||
|
||||
**Note that you can use this technique to discover more domain names every time you find a new domain.**
|
||||
|
||||
|
@ -173,20 +156,20 @@ Go to the main page an find something that identifies the company, like the copy
|
|||
|
||||
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
|
||||
|
||||
**Looking for vulnerabilities**
|
||||
### **Looking for vulnerabilities**
|
||||
|
||||
Check for some [domain takeover](../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
|
||||
|
||||
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
|
||||
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
|
||||
|
||||
#### Subdomains
|
||||
## Subdomains
|
||||
|
||||
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
|
||||
|
||||
It's time to find all the possible subdomains of each found domain.
|
||||
|
||||
**DNS**
|
||||
### **DNS**
|
||||
|
||||
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
|
||||
|
||||
|
@ -194,7 +177,7 @@ Let's try to get **subdomains** from the **DNS** records. We should also try for
|
|||
dnsrecon -a -d tesla.com
|
||||
```
|
||||
|
||||
**OSINT**
|
||||
### **OSINT**
|
||||
|
||||
The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
|
||||
|
||||
|
@ -219,7 +202,7 @@ This project offers for **free all the subdomains related to bug-bounty programs
|
|||
|
||||
You could also find subdomains scrapping the web pages and parsing them (including JS files) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
|
||||
|
||||
**RapidDNS**
|
||||
### **RapidDNS**
|
||||
|
||||
Quickly find subdomains using [RapidDNS](https://rapiddns.io) API (from [link](https://twitter.com/Verry\_\_D/status/1282293265597779968)):
|
||||
|
||||
|
@ -232,7 +215,7 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
|
|||
}
|
||||
```
|
||||
|
||||
**Shodan**
|
||||
### **Shodan**
|
||||
|
||||
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
|
||||
|
||||
|
@ -243,7 +226,7 @@ It is possible to use Shodan from the official CLI to quickly analyze all IPs in
|
|||
|
||||
* https://book.hacktricks.xyz/external-recon-methodology
|
||||
|
||||
**DNS Brute force**
|
||||
### **DNS Brute force**
|
||||
|
||||
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.\
|
||||
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors (you should always check for **false positives**) and the second one **is more reliable** (always use gobuster).
|
||||
|
@ -272,9 +255,7 @@ puredns bruteforce all.txt domain.com
|
|||
|
||||
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning (DNS poisoning for example) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
|
||||
|
||||
**VHosts / Virtual Hosts**
|
||||
|
||||
**IP VHosts**
|
||||
### **VHosts / Virtual Hosts**
|
||||
|
||||
You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
|
||||
|
||||
|
@ -298,7 +279,7 @@ VHostScan -t example.com
|
|||
With this technique you may even be able to access internal/hidden endpoints.
|
||||
{% endhint %}
|
||||
|
||||
**CORS Brute Force**
|
||||
### **CORS Brute Force**
|
||||
|
||||
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behavior to **discover** new **subdomains**.
|
||||
|
||||
|
@ -306,20 +287,20 @@ Sometimes you will find pages that only return the header _**Access-Control-Allo
|
|||
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
|
||||
```
|
||||
|
||||
**DNS Brute Force v2**
|
||||
### **DNS Brute Force v2**
|
||||
|
||||
Once you have finished looking for subdomains you can use [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**,** [**altdns**](https://github.com/infosec-au/altdns) and [**gotator**](https://github.com/Josue87/gotator) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
|
||||
|
||||
**Buckets Brute Force**
|
||||
### **Buckets Brute Force**
|
||||
|
||||
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../pentesting/pentesting-web/buckets/)**.**\
|
||||
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../pentesting/pentesting-web/buckets/).
|
||||
|
||||
**Monitorization**
|
||||
### **Monitorization**
|
||||
|
||||
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
|
||||
|
||||
**Looking for vulnerabilities**
|
||||
### **Looking for vulnerabilities**
|
||||
|
||||
Check for possible [**subdomain takeovers**](../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
|
||||
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../pentesting/pentesting-web/buckets/).
|
||||
|
@ -327,7 +308,7 @@ If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions
|
|||
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
|
||||
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
|
||||
|
||||
#### Web servers hunting
|
||||
## Web servers hunting
|
||||
|
||||
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
|
||||
|
||||
|
@ -343,17 +324,17 @@ cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 an
|
|||
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
|
||||
```
|
||||
|
||||
**Screenshots**
|
||||
### **Screenshots**
|
||||
|
||||
Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**.
|
||||
|
||||
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), \[shutter]\([**https://shutter-project.org/downloads/**](https://shutter-project.org/downloads/)) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
|
||||
|
||||
#### Cloud Assets
|
||||
### Cloud Assets
|
||||
|
||||
Just with some **specific keywords** identifying the company it's possible to enumerate possible cloud assets belonging to them with tools like [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) **or** [**cloudlist**](https://github.com/projectdiscovery/cloudlist)**.**
|
||||
|
||||
#### Recapitulation 1
|
||||
## Recapitulation 1
|
||||
|
||||
> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).\
|
||||
> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
|
||||
|
@ -368,7 +349,7 @@ So you have already:
|
|||
|
||||
Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** (you can see a [guide for that here](../pentesting/pentesting-network/)), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). **But, don't forget that if the scope allows it, you should give it a try.**
|
||||
|
||||
#### Github leaked secrets
|
||||
### Github leaked secrets
|
||||
|
||||
{% content-ref url="github-leaked-secrets.md" %}
|
||||
[github-leaked-secrets.md](github-leaked-secrets.md)
|
||||
|
@ -376,11 +357,11 @@ Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not goin
|
|||
|
||||
You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth\_key)
|
||||
|
||||
#### [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
|
||||
### [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
|
||||
|
||||
Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../pentesting/pentesting-web/).
|
||||
|
||||
#### Recapitulation 2
|
||||
## Recapitulation 2
|
||||
|
||||
> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
|
||||
|
||||
|
@ -389,7 +370,7 @@ As you can see there is a lot of different vulnerabilities to search for.
|
|||
|
||||
**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**
|
||||
|
||||
#### **Automatic Tools**
|
||||
### **Automatic Tools**
|
||||
|
||||
There are several tools out there that will perform part of the proposed actions against a given scope.
|
||||
|
||||
|
@ -398,7 +379,7 @@ There are several tools out there that will perform part of the proposed actions
|
|||
* [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw)
|
||||
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated
|
||||
|
||||
#### **References**
|
||||
## **References**
|
||||
|
||||
* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)**
|
||||
|
||||
|
|
|
@ -344,7 +344,7 @@ Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, b
|
|||
![](<../.gitbook/assets/image (638).png>)
|
||||
{% endhint %}
|
||||
|
||||
![](<../.gitbook/assets/image (620).png>)
|
||||
![](<../.gitbook/assets/image (620) (4).png>)
|
||||
|
||||
For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/](https://unit42.paloaltonetworks.com/dns-rebinding/)
|
||||
|
||||
|
|
Loading…
Reference in a new issue