GitBook: [#3156] No subject

This commit is contained in:
CPol 2022-04-30 20:17:53 +00:00 committed by gitbook-bot
parent ba2c87e63b
commit d3bfa1f49f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 38 additions and 57 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8.4 KiB

After

Width:  |  Height:  |  Size: 280 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 280 KiB

After

Width:  |  Height:  |  Size: 8.4 KiB

View file

@ -16,32 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## External Recon Methodology
{% hint style="danger" %}
****<img src="../.gitbook/assets/image (620).png" alt="" data-size="original">****\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
### External Recon Methodology
<img src="../.gitbook/assets/image (620) (2) (7).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
#### Assets discoveries
## Assets discoveries
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@ -52,7 +35,7 @@ The goal of this phase is to obtain all the **companies owned by the main compan
3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively).
**Acquisitions**
### **Acquisitions**
First of all, we need to know which **other companies are owned by the main company**.\
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\
@ -60,7 +43,7 @@ Other option is to visit the **Wikipedia** page of the main company and search f
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
**ASNs**
### **ASNs**
An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
@ -78,13 +61,13 @@ amass intel -asn 8911,50313,394161
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com).
**Looking for vulnerabilities**
### **Looking for vulnerabilities**
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running\*\*.\*\*\
Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
#### Domains
## Domains
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
@ -92,7 +75,7 @@ _Please, note that in the following purposed techniques you can also find subdom
First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
**Reverse DNS**
### **Reverse DNS**
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)
@ -106,7 +89,7 @@ dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
For this to work, the administrator has to enable manually the PTR.\
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com)
**Reverse Whois (loop)**
### **Reverse Whois (loop)**
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\
You can use online tools like:
@ -124,7 +107,7 @@ You can also perform some automatic reverse whois discovery with [amass](https:/
**Note that you can use this technique to discover more domain names every time you find a new domain.**
**Trackers**
### **Trackers**
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
@ -136,7 +119,7 @@ There are some pages that let you search by these trackers and more:
* [**Publicwww**](https://publicwww.com)
* [**SpyOnWeb**](http://spyonweb.com)
**Favicon**
### **Favicon**
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Heres how to use it:
@ -155,7 +138,7 @@ Moreover, you can also search technologies using the favicon hash as explained i
hodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
```
**Other ways**
### **Other ways**
**Note that you can use this technique to discover more domain names every time you find a new domain.**
@ -173,20 +156,20 @@ Go to the main page an find something that identifies the company, like the copy
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
**Looking for vulnerabilities**
### **Looking for vulnerabilities**
Check for some [domain takeover](../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
#### Subdomains
## Subdomains
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
It's time to find all the possible subdomains of each found domain.
**DNS**
### **DNS**
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
@ -194,7 +177,7 @@ Let's try to get **subdomains** from the **DNS** records. We should also try for
dnsrecon -a -d tesla.com
```
**OSINT**
### **OSINT**
The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
@ -219,7 +202,7 @@ This project offers for **free all the subdomains related to bug-bounty programs
You could also find subdomains scrapping the web pages and parsing them (including JS files) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
**RapidDNS**
### **RapidDNS**
Quickly find subdomains using [RapidDNS](https://rapiddns.io) API (from [link](https://twitter.com/Verry\_\_D/status/1282293265597779968)):
@ -232,7 +215,7 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
}
```
**Shodan**
### **Shodan**
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
@ -243,7 +226,7 @@ It is possible to use Shodan from the official CLI to quickly analyze all IPs in
* https://book.hacktricks.xyz/external-recon-methodology
**DNS Brute force**
### **DNS Brute force**
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.\
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors (you should always check for **false positives**) and the second one **is more reliable** (always use gobuster).
@ -272,9 +255,7 @@ puredns bruteforce all.txt domain.com
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning (DNS poisoning for example) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
**VHosts / Virtual Hosts**
**IP VHosts**
### **VHosts / Virtual Hosts**
You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
@ -298,7 +279,7 @@ VHostScan -t example.com
With this technique you may even be able to access internal/hidden endpoints.
{% endhint %}
**CORS Brute Force**
### **CORS Brute Force**
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behavior to **discover** new **subdomains**.
@ -306,20 +287,20 @@ Sometimes you will find pages that only return the header _**Access-Control-Allo
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
```
**DNS Brute Force v2**
### **DNS Brute Force v2**
Once you have finished looking for subdomains you can use [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**,** [**altdns**](https://github.com/infosec-au/altdns) and [**gotator**](https://github.com/Josue87/gotator) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
**Buckets Brute Force**
### **Buckets Brute Force**
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../pentesting/pentesting-web/buckets/)**.**\
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../pentesting/pentesting-web/buckets/).
**Monitorization**
### **Monitorization**
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
**Looking for vulnerabilities**
### **Looking for vulnerabilities**
Check for possible [**subdomain takeovers**](../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../pentesting/pentesting-web/buckets/).
@ -327,7 +308,7 @@ If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
#### Web servers hunting
## Web servers hunting
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
@ -343,17 +324,17 @@ cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 an
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
```
**Screenshots**
### **Screenshots**
Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**.
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), \[shutter]\([**https://shutter-project.org/downloads/**](https://shutter-project.org/downloads/)) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
#### Cloud Assets
### Cloud Assets
Just with some **specific keywords** identifying the company it's possible to enumerate possible cloud assets belonging to them with tools like [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) **or** [**cloudlist**](https://github.com/projectdiscovery/cloudlist)**.**
#### Recapitulation 1
## Recapitulation 1
> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).\
> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
@ -368,7 +349,7 @@ So you have already:
Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** (you can see a [guide for that here](../pentesting/pentesting-network/)), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). **But, don't forget that if the scope allows it, you should give it a try.**
#### Github leaked secrets
### Github leaked secrets
{% content-ref url="github-leaked-secrets.md" %}
[github-leaked-secrets.md](github-leaked-secrets.md)
@ -376,11 +357,11 @@ Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not goin
You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth\_key)
#### [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
### [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../pentesting/pentesting-web/).
#### Recapitulation 2
## Recapitulation 2
> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
@ -389,7 +370,7 @@ As you can see there is a lot of different vulnerabilities to search for.
**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**
#### **Automatic Tools**
### **Automatic Tools**
There are several tools out there that will perform part of the proposed actions against a given scope.
@ -398,7 +379,7 @@ There are several tools out there that will perform part of the proposed actions
* [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw)
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated
#### **References**
## **References**
* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)**

View file

@ -344,7 +344,7 @@ Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, b
![](<../.gitbook/assets/image (638).png>)
{% endhint %}
![](<../.gitbook/assets/image (620).png>)
![](<../.gitbook/assets/image (620) (4).png>)
For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/](https://unit42.paloaltonetworks.com/dns-rebinding/)