2017-03-26 16:00:23 +00:00
# Bug Hunting Methodology and Enumeration
2016-11-06 05:42:50 +00:00
2017-03-26 16:00:23 +00:00
## Enumerate all subdomains (only if the scope is *.domain.ext)
2016-11-06 09:52:40 +00:00
2017-03-26 16:00:23 +00:00
* Using Subbrute
2017-03-30 18:20:52 +00:00
```bash
2017-02-21 14:00:35 +00:00
git clone https://github.com/TheRook/subbrute
2016-12-20 18:46:06 +00:00
python subbrute.py domain.example.com
```
2017-03-26 16:00:23 +00:00
* Using KnockPy with Daniel Miessler’ s SecLists for subdomain "/Discover/DNS"
2017-03-30 18:20:52 +00:00
```bash
2016-11-06 05:42:50 +00:00
git clone https://github.com/guelfoweb/knock
git clone https://github.com/danielmiessler/SecLists.git
2017-05-01 20:40:36 +00:00
knockpy domain.com -w subdomains-top1mil-110000.txt
2016-11-06 05:42:50 +00:00
```
2017-06-05 12:57:28 +00:00
* Using Google Dorks and Google Transparency Report
2017-03-30 18:20:52 +00:00
```bash
2016-12-20 18:46:06 +00:00
site:*.domain.com -www
site:http://domain.com filetype:pdf
2017-05-01 20:40:36 +00:00
site:http://domain.com inurl:&
site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
2017-06-05 12:57:28 +00:00
You need to include subdomains ;)
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g& incl_exp=true& incl_sub=true
2016-12-20 18:46:06 +00:00
```
2017-05-01 20:40:36 +00:00
* Subdomain take over using HostileSubBruteForcer
2017-03-30 18:20:52 +00:00
```bash
2016-11-06 05:42:50 +00:00
git clone https://github.com/nahamsec/HostileSubBruteforcer
chmox +x sub_brute.rb
./sub_brute.rb
```
2016-11-06 09:49:33 +00:00
* EyeWitness and Nmap scans from the KnockPy and enumall scans
2017-03-30 18:20:52 +00:00
```bash
2016-11-06 05:42:50 +00:00
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
2017-03-26 16:00:23 +00:00
## Passive recon
2017-05-17 18:40:45 +00:00
* Using Shodan (https://www.shodan.io/) to detect similar app
2017-05-01 20:40:36 +00:00
2017-05-17 18:40:45 +00:00
* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
```
look for JS files, old links
```
2017-05-01 20:40:36 +00:00
2017-05-17 18:40:45 +00:00
* Using The Harvester (https://github.com/laramies/theHarvester)
```
python theHarvester.py -b all -d domain.com
```
2017-01-07 19:51:47 +00:00
2017-03-26 16:00:23 +00:00
## Active recon
2017-05-17 18:40:45 +00:00
* Basic NMAP
```bash
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -iL INPUTFILE tells Nmap to use the provided file as inputs
```
* Aggressive NMAP
```bash
nmap -A -T4 scanme.nmap.org
• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```
* NMAP and add-ons
1. Using searchsploit to detect vulnerable services
```bash
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
```
2. Generating nice scan report
```bash
nmap -sV IP_ADDRESS -oX scan.xml & & xsltproc scan.xml -o "`date +%m%d%y`_report.html"
```
2016-11-06 05:42:50 +00:00
2017-05-01 20:40:36 +00:00
* NMAP Scripts
2017-05-17 18:40:45 +00:00
```bash
nmap -sC : equivalent to --script=default
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
nmap --script smb-enum-users.nse -p 445 [target host]
Host script results:
| smb-enum-users:
| METASPLOITABLE\backup (RID: 1068)
| Full name: backup
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bin (RID: 1004)
| Full name: bin
| Flags: Account disabled, Normal user account
| METASPLOITABLE\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
List Nmap scripts : ls /usr/share/nmap/scripts/
```
* RPCClient
```bash
╰─$ rpcclient -U "" [target host]
rpcclient $> querydominfo
Domain: WORKGROUP
Server: METASPLOITABLE
Comment: metasploitable server (Samba 3.0.20-Debian)
Total Users: 35
rpcclient $> enumdomusers
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
```
* Enum4all
```
Usage: ./enum4linux.pl [options]ip
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default “”)
-p pass specify password to use (default “”
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o Get OS information
-i Get printer information
==============================
| Users on XXX.XXX.XXX.XXX |
==============================
index: 0x1 Account: games Name: games Desc: (null)
index: 0x2 Account: nobody Name: nobody Desc: (null)
index: 0x3 Account: bind Name: (null) Desc: (null)
index: 0x4 Account: proxy Name: proxy Desc: (null)
index: 0x5 Account: syslog Name: (null) Desc: (null)
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 Account: www-data Name: www-data Desc: (null)
index: 0x8 Account: root Name: root Desc: (null)
```
2016-12-20 18:46:06 +00:00
2017-05-01 20:40:36 +00:00
## List all the subdirectories and files
* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
```bash
git clone https://github.com/mazen160/bfac
Check a single URL
bfac --url http://example.com/test.php --level 4
Check a list of URLs
bfac --list testing_list.txt
```
2017-03-26 16:00:23 +00:00
* Using DirBuster or GoBuster
2017-03-30 18:20:52 +00:00
```bash
2016-11-06 05:42:50 +00:00
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
-w wordlist
-t threads
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
2016-12-20 18:46:06 +00:00
gobuster -w wordlist -u URL -r -e
2016-11-06 05:42:50 +00:00
```
2017-05-17 18:40:45 +00:00
* Using Sublist3r
```bash
To enumerate subdomains of specific domain and show the results in realtime:
python sublist3r.py -v -d example.com
To enumerate subdomains and enable the bruteforce module:
python sublist3r.py -b -d example.com
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com
```
2017-03-26 16:00:23 +00:00
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
2017-03-30 18:20:52 +00:00
```bash
2016-12-20 18:46:06 +00:00
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
2016-11-06 05:42:50 +00:00
```
2017-03-26 16:00:23 +00:00
* Using a script to detect all .htpasswd files in a range of IPs
2017-03-30 18:20:52 +00:00
```bash
2016-12-20 18:46:06 +00:00
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
2016-11-06 05:42:50 +00:00
```
2017-03-26 16:00:23 +00:00
## Looking for Web vulnerabilities
* Look for private information in GitHub repos with GitRob
```
git clone https://github.com/michenriksen/gitrob.git
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```
2017-01-07 19:51:47 +00:00
2016-12-20 18:46:06 +00:00
* Explore the website with a proxy (ZAP/Burp Suite)
2017-05-01 20:40:36 +00:00
1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
2017-03-30 18:20:52 +00:00
2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
3. Explore and understand available functionality, noting areas that correspond to vulnerability types
2017-05-01 20:40:36 +00:00
```bash
2017-03-26 18:40:32 +00:00
Burp Proxy configuration on port 8080 (in .bashrc):
alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
2017-05-01 20:40:36 +00:00
alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
2017-03-26 18:40:32 +00:00
then launch Burp with : java -jar burpsuite_free_v*.jar &
2016-11-06 05:42:50 +00:00
```
2017-03-26 18:51:40 +00:00
* Checklist for Web vulns
```
[] AWS Amazon Bucket S3
[] Git Svn insecure files
[] CVE Shellshock Heartbleed
[] Open redirect
[] Traversal directory
[] XSS injection
[] CRLF injection
[] CSRF injection
[] SQL injection
[] NoSQL injection
[] PHP include
[] Upload insecure files
[] SSRF injection
[] XXE injections
2017-05-01 20:40:36 +00:00
[] CSV injection
[] PHP serialization
...
2017-03-26 18:51:40 +00:00
```
2016-12-20 18:46:06 +00:00
* Subscribe to the site and pay for the additional functionality to test
* Launch a Nikto scan in case you missed something
2017-03-26 18:40:32 +00:00
```
2017-05-01 20:40:36 +00:00
nikto -h http://domain.example.com
2017-03-26 18:40:32 +00:00
```
2016-11-06 05:42:50 +00:00
## Thanks to
2017-02-21 14:00:35 +00:00
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/