Whoami???
Greetings, Amazing People.
I’m Manan Patel, and I’m an Indian security researcher (Gujarat). In this blog, I’ll discuss My Recon Tools, which were a great aid to me as I developed and learned new skills and perspectives.
Since I’ve been working in this industry for more than two years, I’ll be offering some advice on how I approach a target.
1. Read the program scope:
Yes, it seems to be the most obvious thing to do, but always check the program rules twice.
This preliminary investigation reveals a great deal about the target:
→What is its scope?
→What should I avoid testing?
→What kinds of vulnerabilities and reports are accepted?
→What flaws have already been reported? (If for instance- public disclosure on HackerOne)
→Rewards?
Looking at a program’s rules will help you quickly understand how URLs and other elements work.
Reading everything at once saves time because you won’t need to concentrate on irrelevant topics or services.
Instead of using the primary web app domain, such as www.domain.com, I typically search on wildcard domains like *.domain.com!
2. Enumeration
Assetfinder –
It draws data from a variety of sources, including Facebook, Virustotal, and certificate transparency. It functions right out of the box, but you may set the API keys for the services that require them if you want more outcomes.
The command is easy to execute if you have installed and configured Go; all you need to do is stream your target to the tool.
echo domain.com | assetfinder --subs-only
OWASP Amass –
It conducts DNS resolution, allows passive and active enumeration, and can brute-force subdomains using a wordlist of your choosing. The user manual is thorough and includes executable command examples. The following would be the quickest and easiest subdomain enumeration command:
amass enum -d domain.com -passive
Sublist3r -
It is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
python sublist3r.py -d domain.com
AQUATONE —
It is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
https://github.com/michenriksen/aquatone
Subdomain Takeover:
You should check “Can I take over XYZ”. It’s a GitHub repository created by Ed Overflow and you will know if it’s possible to takeover a subdomain used by a service (GitHub pages, Heroku, CloudFront, etc.)
It has most of the service covered if it can be taken over or not.
https://github.com/EdOverflow/can-i-take-over-xyz
3. Tech Stack Used
Prior to looking for vulnerabilities, it is critical to understand the technology that your target uses to operate:
Do they employ WAFs like CloudFront or CloudFlare?
Use a CMS like Wordpress, Drupal, or Joomla do they?
use, among others, frameworks like CakePHP or AngularJS?
Which Apache version is this?
Are they use a Smarty or Jinja2 like template engine?
Knowing whatever technology they use can aid you in your hunt for weaknesses, and having the version will be ideal.
For example : Your target have a profile page where you can control input (like name or nickname) which is reflected on a public page. If you know the framework version, you can possibly try XSS PayLoads or others payloads!
If your target use a template engine like Smarty, check the version and try template injection!
To get these information about a target, I installed a plugin called Wappalyzer.
This plugin works on Google Chrome and Firefox. And to use it, you just need to go on your target. You will see a small icon displayed next to the URL.
If you click on it, Wappaylzer should display interesting information about your target. Sometimes you will not see the version, but it can be useful anyway.
4. Dorks
1. Shodan : With its ever-growing database and ease of use, Shodan has become one of the most popular tools used by security researchers for gathering IoT intelligence.
Shodan provides a great starting point for researchers performing any information gathering task. By being able to filter data by its location, software version, when it was last seen and much more, Shodan can help researchers target specific research points, making their work easier and more efficient.
Dork list: https://github.com/IFLinfosec/shodan-dorks
2. Google : Google helps you to find Vulnerable Websites that Indexed in Google Search Results. Here is the latest collection of Google Dorks. A collection of 13.760 Dorks ..!
Dork List: https://github.com/BullsEye0/google_dork_list
3. Github: Github Search is a quite powerful and useful feature that can be used to search for sensitive data on repositories. Collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. This list is supposed to be useful for assessing security and performing pen-testing of systems.
Dork List: https://github.com/techgaun/github-dorks
5. Perfect Wordlist and Directory Fuzzing
Because of my experience, I now know that targets always have a page that shouldn’t be seen by the public, shouldn’t be on this website, and shouldn’t be reachable without authorization.
I highly suggest this fantastic GitHub repository where wonderful folks offer their lists and information in order to assist me in finding these “hidden” pages.
SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.
https://github.com/danielmiessler/SecLists
To use the SecList, I recommand you to use one of these tools:
Dirsearch : https://github.com/maurosoria/dirsearch
Dirb : Installed by default on Kali Linux
FFUF : sudo apt install ffuf
You can specify a list of words you want to use and an extension file or extension list. The tool will test one by one all entries and you will see the result directly in the terminal.
Hit me up on Twitter for some Awesome oneliners to use for automating stuffs.
Try making your own bash scripts and automate hacking.
I hope you enjoyed the article. Let’s Learn, Earn & Grow together with Infosec Community.
Give a Follow If you want more such content —
Twitter: https://twitter.com/0xManan/
LinkedIn: https://www.linkedin.com/in/manan-patel-4330101b4/