From 1c5f8889bd87bcd07d6573e3a697f1a38cc6ceff Mon Sep 17 00:00:00 2001 From: Swissky Date: Tue, 2 Oct 2018 16:17:16 +0200 Subject: [PATCH] Network Discovery and Subdomains enumerations --- .../Methodology_and_enumeration.md | 94 ----------- .../Network Discovery.md | 138 ++++++++++++++++ .../Subdomains Enumeration.md | 149 ++++++++++++++++++ README.md | 2 + 4 files changed, 289 insertions(+), 94 deletions(-) create mode 100644 Methodology and Resources/Network Discovery.md create mode 100644 Methodology and Resources/Subdomains Enumeration.md diff --git a/Methodology and Resources/Methodology_and_enumeration.md b/Methodology and Resources/Methodology_and_enumeration.md index 49a9237..57b56d2 100644 --- a/Methodology and Resources/Methodology_and_enumeration.md +++ b/Methodology and Resources/Methodology_and_enumeration.md @@ -2,14 +2,6 @@ ## Summary -* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext) - * Subbrute - * KnockPy - * GoogleDorks - * EyeWitness - * Sublist3r - * Aquatone - * [Passive Recon](#passive-recon) * Shodan * Wayback Machine 
@@ -32,92 +24,6 @@ * Nikto * Payment functionality -## Enumerate all subdomains (only if the scope is *.domain.ext) - -### Using Subbrute - -```bash -git clone https://github.com/TheRook/subbrute -python subbrute.py domain.example.com -``` - -### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS" - -```bash -git clone https://github.com/guelfoweb/knock -git clone https://github.com/danielmiessler/SecLists.git -knockpy domain.com -w subdomains-top1mil-110000.txt -``` - -### Using Google Dorks and Google Transparency Report - -You need to include subdomains ;) -https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true - -```bash -site:*.domain.com -www -site:domain.com filetype:pdf -site:domain.com inurl:'&' -site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin -site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf -site:*.*.domain.com -``` - -### Subdomain take over using HostileSubBruteForcer - -```bash -git clone https://github.com/nahamsec/HostileSubBruteforcer -chmox +x sub_brute.rb -./sub_brute.rb -``` - -### EyeWitness and Nmap scans from the KnockPy and enumall scans - -```bash -git clone https://github.com/ChrisTruncer/EyeWitness.git -./setup/setup.sh -./EyeWitness.py -f filename -t optionaltimeout --open (Optional) -./EyeWitness -f urls.txt --web -./EyeWitness -x urls.xml -t 8 --headless -./EyeWitness -f rdp.txt --rdp -``` - -### Using Sublist3r - -```bash -To enumerate subdomains of specific domain and show the results in realtime: -python sublist3r.py -v -d example.com - -To enumerate subdomains and enable the bruteforce module: -python sublist3r.py -b -d example.com - -To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines -python sublist3r.py -e google,yahoo,virustotal -d example.com - -python sublist3r.py -b -d example.com -``` - -### Using Aquatone - -```powershell -gem install aquatone - -Discover subdomains : results in 
~/aquatone/example.com/hosts.txt -aquatone-discover --domain example.com -aquatone-discover --domain example.com --threads 25 -aquatone-discover --domain example.com --sleep 5 --jitter 30 -aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ - -Active scans : results in ~/aquatone/example.com/urls.txt -aquatone-scan --domain example.com -aquatone-scan --domain example.com --ports 80,443,3000,8080 -aquatone-scan --domain example.com --ports large -aquatone-scan --domain example.com --threads 25 - -Final results -aquatone-gather --domain example.com -``` - ## Passive recon * Using Shodan (https://www.shodan.io/) to detect similar app diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md new file mode 100644 index 0000000..85c234c --- /dev/null +++ b/Methodology and Resources/Network Discovery.md 
@@ -0,0 +1,138 @@ +# Network Discovery + +## Netdiscover + +```powershell +netdiscover -i eth0 -r 192.168.1.0/24 +Currently scanning: Finished! | Screen View: Unique Hosts + +20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876 +_____________________________________________________________________________ +IP At MAC Address Count Len MAC Vendor / Hostname +----------------------------------------------------------------------------- +192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom +192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor +192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc. +192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD +``` + +## Responder + +```powershell +responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding. +responder.py -I eth0 -wrf +``` + +Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows) + +## Bettercap + +```powershell +bettercap -X --proxy --proxy-https -T +# better cap in spoofing, discovery, sniffer +# intercepting http and https requests, +# targetting specific IP only +``` + +## Nmap + +* Ping sweep (No port scan, No DNS resolution) + +```powershell +nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down" +``` + +* Basic NMAP + +```bash +sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 +sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv + +• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports +• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) +• 192.168.0.1 is the IP address to scan +• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" +• -iL INPUTFILE tells Nmap to use the provided file as inputs +``` + +* CTF NMAP + +This configuration is enough to do a basic check for a CTF VM + +```bash +nmap -sV -sC -oA ~/nmap-initial 192.168.1.1 + +-sV : 
Probe open ports to determine service/version info +-sC : to enable the script +-oA : to save the results + +After this quick command you can add "-p-" to run a full scan while you work with the previous result +``` + +* Aggressive NMAP + +```bash +nmap -A -T4 scanme.nmap.org +• -A: Enable OS detection, version detection, script scanning, and traceroute +• -T4: Defines the timing for the task (options are 0-5 and higher is faster) +``` + +* Using searchsploit to detect vulnerable services + +```bash +nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml +``` + +* Generating nice scan report + +```bash +nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html" +``` + +* NMAP Scripts + +```bash +nmap -sC : equivalent to --script=default + +nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap +PORT STATE SERVICE +80/tcp open http +| http-enum: +| /phpmyadmin/: phpMyAdmin +| /.git/HEAD: Git folder +| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' +|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' + +nmap --script smb-enum-users.nse -p 445 [target host] +Host script results: +| smb-enum-users: +| METASPLOITABLE\backup (RID: 1068) +| Full name: backup +| Flags: Account disabled, Normal user account +| METASPLOITABLE\bin (RID: 1004) +| Full name: bin +| Flags: Account disabled, Normal user account +| METASPLOITABLE\msfadmin (RID: 3000) +| Full name: msfadmin,,, +| Flags: Normal user account + +List Nmap scripts : ls /usr/share/nmap/scripts/ +``` + +## Reconnoitre + +Dependencies: + +* nbtscan +* nmap + +```powershell +python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick +``` + +If you have a segfault with nbtscan, read the following quote. 
+> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255 + +## Thanks + +* [TODO](TODO) \ No newline at end of file diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md new file mode 100644 index 0000000..f646eea --- /dev/null +++ b/Methodology and Resources/Subdomains Enumeration.md 
@@ -0,0 +1,149 @@ +# Subdomains Enumeration + +## Summary + +* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext) + * Subbrute + * KnockPy + * GoogleDorks + * EyeWitness + * Sublist3r + * Aquatone + * Subfinder + * AltDNS + * MassDNS +* Subdomain take over + * HostileSubBruteForcer + * SubOver + +## Enumerate all subdomains (only if the scope is *.domain.ext) + +### Using Subbrute + +```bash +git clone https://github.com/TheRook/subbrute +python subbrute.py domain.example.com +``` + +### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS" + +```bash +git clone https://github.com/guelfoweb/knock +git clone https://github.com/danielmiessler/SecLists.git +knockpy domain.com -w subdomains-top1mil-110000.txt +``` + +### Using Google Dorks and Google Transparency Report + +You need to include subdomains ;) +https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true + +```bash +site:*.domain.com -www +site:domain.com filetype:pdf +site:domain.com inurl:'&' +site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin +site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf +site:*.*.domain.com +``` + +### EyeWitness and Nmap scans from the KnockPy and enumall scans + +```bash +git clone https://github.com/ChrisTruncer/EyeWitness.git +./setup/setup.sh +./EyeWitness.py -f filename -t optionaltimeout --open (Optional) +./EyeWitness -f urls.txt --web +./EyeWitness -x urls.xml -t 8 --headless +./EyeWitness -f rdp.txt --rdp +``` + +### Using Sublist3r + +```bash +To enumerate subdomains of specific domain and show the results in realtime: +python sublist3r.py -v -d example.com + +To enumerate subdomains and enable the bruteforce module: +python sublist3r.py -b -d example.com + +To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines +python sublist3r.py -e google,yahoo,virustotal -d example.com + +python sublist3r.py -b -d 
example.com +``` + +### Using Aquatone + +```powershell +gem install aquatone + +Discover subdomains : results in ~/aquatone/example.com/hosts.txt +aquatone-discover --domain example.com +aquatone-discover --domain example.com --threads 25 +aquatone-discover --domain example.com --sleep 5 --jitter 30 +aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ + +Active scans : results in ~/aquatone/example.com/urls.txt +aquatone-scan --domain example.com +aquatone-scan --domain example.com --ports 80,443,3000,8080 +aquatone-scan --domain example.com --ports large +aquatone-scan --domain example.com --threads 25 + +Final results +aquatone-gather --domain example.com +``` + +Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob. + +```powershell +https://hub.docker.com/r/txt3rob/aquatone-docker/ +docker pull txt3rob/aquatone-docker +docker run -it txt3rob/aquatone-docker aq example.com +``` + +### Using Subfinder + +```powershell +go get github.com/subfinder/subfinder +./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' +./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" +./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET" +./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' +./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt +``` + +### Using AltDNS + +It's recommended to use massdns in order to resolve the result of `AltDNS` + +```powershell +WORDLIST_PERMUTATION="./Altdns/words.txt" +python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION +``` + +Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns) + +### Using MassDNS + +```powershell +DNS_RESOLVERS="./resolvers.txt" +cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt +``` + +## Subdomain take over + +### 
Using HostileSubBruteForcer + +```bash +git clone https://github.com/nahamsec/HostileSubBruteforcer +chmox +x sub_brute.rb +./sub_brute.rb +``` + +### Using SubOver + +```powershell +go get github.com/Ice3man543/SubOver +./SubOver -l subdomains.txt +``` \ No newline at end of file diff --git a/README.md b/README.md index f0d1c38..b243888 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,9 @@ You might also like : - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md) - [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md) - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md) + - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discover.md) - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) + - [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md) - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md) - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md) - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
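Review bot: In the first `Methodology_and_enumeration.md` hunk (`@@ -2,14 +2,6 @@`), the Summary drops every subdomain entry but adds no pointer to the new `Subdomains Enumeration.md`, so a reader of the methodology page no longer has a path to that material from this file. Suggest replacing the removed block with a single bullet such as `* [Subdomains Enumeration](Subdomains%20Enumeration.md)` (and likewise one for `Network Discovery.md`) so the split does not lose the cross-reference.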
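Review bot: In the second `Methodology_and_enumeration.md` hunk (`@@ -32,92 +24,6 @@`), the deleted Aquatone block contains what reads as a literal Shodan API token on the line `-aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ`; moving it to another file in the same commit does not un-publish it, since it stays in history on both sides of the move. Treat that token as exposed (revoke it at Shodan) and use a placeholder such as `--set-key shodan <SHODAN_API_KEY>` wherever the line is re-added.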
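Review bot: In the new `Network Discovery.md` hunk (`@@ -0,0 +1,138 @@`), the closing `## Thanks` section ships an unfilled `* [TODO](TODO)` placeholder, which renders as a broken link; either list the actual sources or drop the section until it is filled. Two smaller points in the same hunk: the `netdiscover`, `responder`, `bettercap`, ping-sweep and `reconnoitre` fences are tagged `powershell` although every command is a Linux shell invocation, so `bash` is the right tag for consistent highlighting; and the "Basic NMAP" block mixes `•`-bulleted explanations into the `bash` fence, which defeats copy-paste. The "Ping sweep" entry in the same hunk already shows the cleaner pattern (command in the fence, explanation outside it).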
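Review bot: In the new `Subdomains Enumeration.md` hunk (`@@ -0,0 +1,149 @@`), the HostileSubBruteForcer block carries `+chmox +x sub_brute.rb`, a typo for `chmod` that was also present in the old file; as written the command fails and `./sub_brute.rb` never gets its execute bit. While touching it, the same hunk has a few presentation defects worth fixing before merge: Linux commands (Aquatone, Docker, Subfinder, AltDNS, MassDNS, SubOver) are fenced as `powershell`; the Sublist3r and Aquatone fences interleave prose ("To enumerate subdomains ...", "Discover subdomains : results in ...") with commands, and the Sublist3r block ends with a duplicate `python sublist3r.py -b -d example.com`; the Docker fence opens with a bare URL line that is not a command; and the file has no trailing newline (`\ No newline at end of file`).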
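Review bot: In the `README.md` hunk (`@@ -20,7 +20,9 @@`), the added link target `Methodology%20and%20Resources/Network%20Discover.md` does not match the file this patch creates, `Methodology and Resources/Network Discovery.md`, so the new README entry will 404 on GitHub. Change it to `.../Network%20Discovery.md`; the sibling `Subdomains%20Enumeration.md` link in the same hunk is correct.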