2016-11-06 05:42:50 +00:00
|
|
|
|
# Methodology and Enumeration
|
|
|
|
|
|
|
|
|
|
## Bug Hunting Methodology
|
2016-11-06 09:49:33 +00:00
|
|
|
|
* Enumerate all subdomains (only if the scope is *.domain.ext)
|
2016-11-06 09:52:40 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
Using Subbrute
|
|
|
|
|
```
|
2017-02-21 14:00:35 +00:00
|
|
|
|
git clone https://github.com/TheRook/subbrute
|
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
python subbrute.py domain.example.com
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
2016-11-06 05:42:50 +00:00
|
|
|
|
Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
|
|
|
|
```
|
|
|
|
|
git clone https://github.com/guelfoweb/knock
|
|
|
|
|
git clone https://github.com/danielmiessler/SecLists.git
|
|
|
|
|
|
|
|
|
|
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
Using Google Dorks
|
|
|
|
|
```
|
|
|
|
|
site:*.domain.com -www
|
|
|
|
|
site:http://domain.com ext:php
|
|
|
|
|
site:http://domain.com filetype:pdf
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-11-06 05:42:50 +00:00
|
|
|
|
Using Jason Haddix's enumall Recon-ng script,
|
|
|
|
|
```
|
|
|
|
|
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
|
|
|
|
|
cd recon-ng
|
|
|
|
|
pip install -r REQUIREMENTS
|
|
|
|
|
ln -s /$recon-ng_path /usr/share/recon-ng
|
|
|
|
|
git clone https://github.com/jhaddix/domain.git
|
|
|
|
|
cd domain
|
|
|
|
|
./setup_enumall.sh
|
|
|
|
|
|
|
|
|
|
./enumall.py domain.com
|
|
|
|
|
-w to run a custom wordlist with recon-ng
|
|
|
|
|
-a to use alt-dns
|
|
|
|
|
-p to feed a custom permutations list to alt-dns (requires -a flag)
|
|
|
|
|
-i to feed a list of domains (can also type extra domains into the original command)
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-11-06 09:49:33 +00:00
|
|
|
|
* Subdomain take over using HostileSubBruteForcer
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
|
|
|
|
chmox +x sub_brute.rb
|
|
|
|
|
./sub_brute.rb
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-11-06 09:49:33 +00:00
|
|
|
|
* EyeWitness and Nmap scans from the KnockPy and enumall scans
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
|
|
|
|
./setup/setup.sh
|
|
|
|
|
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
|
|
|
|
|
./EyeWitness -f urls.txt --web
|
|
|
|
|
./EyeWitness -x urls.xml -t 8 --headless
|
|
|
|
|
./EyeWitness -f rdp.txt --rdp
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
* Passive recon
|
|
|
|
|
```
|
|
|
|
|
Use shodan to detect similar app
|
|
|
|
|
Use the wayback machine to detect forgotten endpoint
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
2016-11-06 09:49:33 +00:00
|
|
|
|
* Basic NMAP (if allowed ^^')
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-11-11 09:03:35 +00:00
|
|
|
|
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
|
|
|
|
|
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
|
2016-11-06 05:42:50 +00:00
|
|
|
|
|
|
|
|
|
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
|
|
|
|
|
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
|
|
|
|
|
• 192.168.0.1 is the IP address to scan
|
|
|
|
|
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
|
2016-11-11 09:03:35 +00:00
|
|
|
|
• -iL INPUTFILE tells Nmap to use the provided file as inputs
|
2016-11-06 05:42:50 +00:00
|
|
|
|
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
|
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
* List all the subdirectories and files
|
|
|
|
|
|
|
|
|
|
Using DirBuster or GoBuster
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
./gobuster -u http://buffered.io/ -w words.txt -t 10
|
|
|
|
|
-u url
|
|
|
|
|
-w wordlist
|
|
|
|
|
-t threads
|
|
|
|
|
|
|
|
|
|
More subdomain :
|
|
|
|
|
./gobuster -m dns -w subdomains.txt -u google.com -i
|
2016-12-20 18:46:06 +00:00
|
|
|
|
|
|
|
|
|
gobuster -w wordlist -u URL -r -e
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-12-20 18:46:06 +00:00
|
|
|
|
#!/bin/bash
|
|
|
|
|
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
|
|
|
|
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
Using a script to detect all .htpasswd files in a range of IPs
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-12-20 18:46:06 +00:00
|
|
|
|
#!/bin/bash
|
|
|
|
|
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
|
|
|
|
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
* Explore the website with a proxy (ZAP/Burp Suite)
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-12-20 18:46:06 +00:00
|
|
|
|
- Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
|
|
|
|
|
- Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
|
|
|
|
|
- Explore and understand available functionality, noting areas that correspond to vulnerability types
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
* Look for Web Vulns
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-12-20 18:46:06 +00:00
|
|
|
|
- SQLi
|
|
|
|
|
- XSS
|
|
|
|
|
- RCE
|
|
|
|
|
- LFI/RFI
|
|
|
|
|
etc
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-01-07 19:51:47 +00:00
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
* Look for private information in GitHub repos with GitRob
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
2016-12-20 18:46:06 +00:00
|
|
|
|
git clone https://github.com/michenriksen/gitrob.git
|
|
|
|
|
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
2016-11-06 05:42:50 +00:00
|
|
|
|
```
|
|
|
|
|
|
2016-12-20 18:46:06 +00:00
|
|
|
|
* Subscribe to the site and pay for the additional functionality to test
|
|
|
|
|
|
|
|
|
|
* Launch a Nikto scan in case you missed something
|
2016-11-06 05:42:50 +00:00
|
|
|
|
|
|
|
|
|
## Thanks to
|
2017-02-21 14:00:35 +00:00
|
|
|
|
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|