Subdomain enumeration - New Aquatone (Go)
parent 6bcb43e39c
commit 1b2ee3e67a
@ -8,11 +8,12 @@
* GoogleDorks
* EyeWitness
* Sublist3r
* Aquatone
* Subfinder
* Aquatone (Ruby and Go versions)
* AltDNS
* MassDNS
* Subdomain take over
* tko-subs
* HostileSubBruteForcer
* SubOver
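Review bot: the TOC entry `* Aquatone (Ruby and Go versions)` matches neither of the two headings the body now carries, `### Using Aquatone - old version (Ruby)` and `### Using Aquatone - new version (Go)`, so a reader following the list finds one entry for two sections; either add a second entry or make the entry text track the headings, as the remaining entries (`* Sublist3r`, `* Subfinder`, `* AltDNS`) do.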
@ -33,6 +34,17 @@ git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w subdomains-top1mil-110000.txt
```
Using EyeWitness and Nmap scans from the KnockPy and enumall scans
```bash
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
### Using Google Dorks and Google Transparency Report
You need to include subdomains ;)
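Review bot: the relocated EyeWitness block is introduced by the plain text line `Using EyeWitness and Nmap scans from the KnockPy and enumall scans`, while every other section in this file gets a `###` heading (`### Using Google Dorks and Google Transparency Report` directly below it); make it a heading so the `* EyeWitness` TOC entry still has something to land on. While the block is being moved it is worth tidying too: the title promises Nmap scans but no nmap command follows, `./EyeWitness.py -f filename -t optionaltimeout --open (Optional)` is placeholder prose inside a bash fence rather than a runnable line, and the three lines after it call `./EyeWitness` without the `.py`, so a reader cannot tell which invocation is the real one.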
@ -47,17 +59,6 @@ site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
site:*.*.domain.com
```
### EyeWitness and Nmap scans from the KnockPy and enumall scans
```bash
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
### Using Sublist3r
```bash
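Review bot: this hunk drops the `### EyeWitness and Nmap scans from the KnockPy and enumall scans` heading together with its block (the hunk shrinks from 17 lines to 6), and the copy re-added under KnockPy in the previous hunk is plain text, so after this commit there is no `###` heading containing "EyeWitness" for the `* EyeWitness` TOC entry at the top of the file to point to; keep a heading for the moved block or remove the TOC entry.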
@ -73,7 +74,18 @@ python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com
```
### Using Aquatone
### Using Subfinder
```powershell
go get github.com/subfinder/subfinder
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
```
### Using Aquatone - old version (Ruby)
```powershell
gem install aquatone
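Review bot: in the moved `### Using Subfinder` block, `go get github.com/subfinder/subfinder` installs the binary under `$GOPATH/bin`, so the `./Subfinder/subfinder` path used on the five lines after it only exists if the repository was also cloned into `./Subfinder`; either show that clone step or call `subfinder` from `$PATH`. Two smaller points on the same block: the fence is tagged `powershell` for commands that are POSIX shell, whereas the other command blocks in this file use ```bash; and the `--set-config` lines pass API keys and passwords as command-line arguments, which land in shell history and are visible in the process list, so a one-line warning to readers is warranted.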
@ -102,15 +114,16 @@ docker pull txt3rob/aquatone-docker
docker run -it txt3rob/aquatone-docker aq example.com
```
### Using Subfinder
### Using Aquatone - new version (Go)
```powershell
go get github.com/subfinder/subfinder
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
# Subfinder version
./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1
cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
# Amass version
./Amass/amass -active -brute -o /tmp/hosts.txt -d $1
cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
```
### Using AltDNS
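Review bot: the new `### Using Aquatone - new version (Go)` block never shows how the Go aquatone is obtained, while the Ruby section above has `gem install aquatone` and the Subfinder section has its `go get` line; add the equivalent fetch step before the two pipelines. Both pipelines also use `$1` (`-o /tmp/subresult$1`, `-d $1`, `-out /tmp/aquatone$1`), which only resolves inside a script or function, so either say these lines are meant for a wrapper script or use `example.com` as every other block in the file does. Minor: `cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1` reads more simply as `./Aquatone/aquatone -ports large -out /tmp/aquatone$1 < /tmp/subresult$1`, and the same applies to the Amass line.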
@ -135,6 +148,13 @@ cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/res
Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
### Using tko-subs
```powershell
go get github.com/anshumanbh/tko-subs
./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv
```
### Using HostileSubBruteForcer
```bash
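Review bot: the added sentence presents the linked list as "a list of services and how to claim (sub)domains with dangling DNS records", but that repository also records, per provider, whether a takeover is actually possible, and not every listed service is claimable; say that a dangling CNAME only becomes a finding once the target service is confirmed claimable there and the name is still unregistered on it, otherwise readers will report every hit from the `tko-subs` run that follows as a takeover.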
@ -1,6 +1,6 @@
# Open URL Redirection
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Fuzzing
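Review bot: turning the opening paragraph into a `>` blockquote marks it as quoted text, but nothing names the source; the wording is the OWASP description, and the OWASP Unvalidated Redirects and Forwards Cheat Sheet is already linked from the `## Thanks to` section of this file, so add a one-line attribution directly under the quote so the citation sits where the quote is rather than at the bottom of the page.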
@ -57,6 +57,12 @@ Using null byte "%00" to bypass blacklist filter
//google%00.com
```
Using parameter pollution
```powershell
?next=whitelisted.com&next=google.com
```
Using "@" character, browser will redirect to anything after the "@"
```powershell
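Review bot: `?next=whitelisted.com&next=google.com` only bypasses the filter when the allowlist check and the redirect itself read different occurrences of the repeated parameter, and which occurrence a server returns for a duplicated name (first or last) depends on the framework; the "Using parameter pollution" line should say so and also list the reversed order, `?next=google.com&next=whitelisted.com`, since a tester has to try both to cover either behaviour.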
@ -88,8 +94,39 @@ XSS from javascript:// wrapper
http://www.example.com/redirect.php?url=javascript:prompt(1)
```
## Common injection parameters
```powershell
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```
## Thanks to
* filedescriptor
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
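Review bot: `{payload}` is used throughout `## Common injection parameters` but never defined in the hunk; add a line above the fence saying it stands for the redirect target under test, and point out that `/cgi-bin/redirect.cgi?{payload}` and `/out?{payload}` substitute the payload for the whole query string, unlike the other entries, which name the parameter to fuzz. In `## Thanks to`, `* filedescriptor` is the only entry without a link while the three entries below it all carry one.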