From f69d75ccbffa06b1701f3a0d8b5a20698c507014 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 9 Nov 2024 12:36:01 +0100 Subject: [PATCH] Web Attack Surface --- .../ad-adds-machineaccountquota.md | 3 +- .../access/attack-surface-enumeration.md | 203 ------------------ docs/redteam/access/web-attack-surface.md | 150 +++++++++++++ 3 files changed, 151 insertions(+), 205 deletions(-) delete mode 100644 docs/redteam/access/attack-surface-enumeration.md create mode 100644 docs/redteam/access/web-attack-surface.md diff --git a/docs/active-directory/ad-adds-machineaccountquota.md b/docs/active-directory/ad-adds-machineaccountquota.md index fd3005b..24ba23e 100644 --- a/docs/active-directory/ad-adds-machineaccountquota.md +++ b/docs/active-directory/ad-adds-machineaccountquota.md @@ -38,8 +38,7 @@ The system compares this count to the `MachineAccountQuota` value set for that u $computerCount ``` -4. **Failure Handling**: - - If the quota is exceeded, the user attempting to create the account will receive an error message indicating that they cannot create a new computer account because they have reached their quota limit. +4. **Failure Handling**: If the quota is exceeded, the user attempting to create the account will receive an error message indicating that they cannot create a new computer account because they have reached their quota limit. ## References diff --git a/docs/redteam/access/attack-surface-enumeration.md b/docs/redteam/access/attack-surface-enumeration.md deleted file mode 100644 index d47a5c3..0000000 --- a/docs/redteam/access/attack-surface-enumeration.md +++ /dev/null @@ -1,203 +0,0 @@ -# Subdomains Enumeration - -## Summary - -* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext) - * Subbrute - * KnockPy - * GoogleDorks - * EyeWitness - * Sublist3r - * Subfinder - * Findomain - * Aquatone (Ruby and Go versions) - * AltDNS - * MassDNS - * Nmap - * Dnsdumpster -* Subdomain take over - * tko-subs - * HostileSubBruteForcer - * SubOver - -## Enumerate all subdomains (only if the scope is *.domain.ext) - -### Using Subbrute - -```bash -git clone https://github.com/TheRook/subbrute -python subbrute.py domain.example.com -``` - -### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS" - -```bash -git clone https://github.com/guelfoweb/knock -git clone https://github.com/danielmiessler/SecLists.git -knockpy domain.com -w subdomains-top1mil-110000.txt -``` - -Using EyeWitness and Nmap scans from the KnockPy and enumall scans - -```bash -git clone https://github.com/ChrisTruncer/EyeWitness.git -./setup/setup.sh -./EyeWitness.py -f filename -t optionaltimeout --open (Optional) -./EyeWitness -f urls.txt --web -./EyeWitness -x urls.xml -t 8 --headless -./EyeWitness -f rdp.txt --rdp -``` - -### Using Google Dorks and Google Transparency Report - -You need to include subdomains ;) -https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true - -```bash -site:*.domain.com -www -site:domain.com filetype:pdf -site:domain.com inurl:'&' -site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin -site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf -site:*.*.domain.com -``` - -### Using Sublist3r - -```bash -To enumerate subdomains of specific domain and show the results in realtime: -python sublist3r.py -v -d example.com - -To enumerate subdomains and enable the bruteforce module: -python sublist3r.py -b -d example.com - -To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines -python sublist3r.py -e google,yahoo,virustotal -d example.com - -python sublist3r.py -b -d example.com -``` - -### Using Subfinder - -```powershell -go get github.com/subfinder/subfinder -./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' -./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" -./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET" -./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' -./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt -``` - -### Using Findomain - -```powershell -$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux -$ chmod +x findomain-linux -$ findomain_spyse_token="YourAccessToken" -$ findomain_virustotal_token="YourAccessToken" -$ findomain_fb_token="YourAccessToken" -$ ./findomain-linux -t example.com -o -``` - -### Using Aquatone - old version (Ruby) - -```powershell -gem install aquatone - -Discover subdomains : results in ~/aquatone/example.com/hosts.txt -aquatone-discover --domain example.com -aquatone-discover --domain example.com --threads 25 -aquatone-discover --domain example.com --sleep 5 --jitter 30 -aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ - -Active scans : results in ~/aquatone/example.com/urls.txt -aquatone-scan --domain example.com -aquatone-scan --domain example.com --ports 80,443,3000,8080 -aquatone-scan --domain example.com --ports large -aquatone-scan --domain example.com --threads 25 - -Final results -aquatone-gather --domain example.com -``` - -Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob. - -```powershell -https://hub.docker.com/r/txt3rob/aquatone-docker/ -docker pull txt3rob/aquatone-docker -docker run -it txt3rob/aquatone-docker aq example.com -``` - -### Using Aquatone - new version (Go) - -```powershell -# Subfinder version -./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1 -cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 - -# Amass version -./Amass/amass enum -active -brute -o /tmp/hosts.txt -d $1 -cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 -``` - -### Using AltDNS - -It's recommended to use massdns in order to resolve the result of `AltDNS` - -```powershell -WORDLIST_PERMUTATION="./Altdns/words.txt" -python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION -``` - -Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns) - -### Using MassDNS - -```powershell -DNS_RESOLVERS="./resolvers.txt" -cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt -``` - -### Using Nmap - -```powershell -nmap -sn --script hostmap-crtsh host_to_scan.tld -``` - -### Using dnsdumpster - -```ps1 -git clone https://github.com/nmmapper/dnsdumpster -python dnsdumpster.py -d domainname.com -``` - -## Subdomain take over - -Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. - -### Using tko-subs - -```powershell -go get github.com/anshumanbh/tko-subs -./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv -``` - -### Using HostileSubBruteForcer - -```bash -git clone https://github.com/nahamsec/HostileSubBruteforcer -chmod +x sub_brute.rb -./sub_brute.rb -``` - -### Using SubOver - -```powershell -go get github.com/Ice3man543/SubOver -./SubOver -l subdomains.txt -``` - -## References - -* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/) -* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/) diff --git a/docs/redteam/access/web-attack-surface.md b/docs/redteam/access/web-attack-surface.md new file mode 100644 index 0000000..ac8b723 --- /dev/null +++ b/docs/redteam/access/web-attack-surface.md @@ -0,0 +1,150 @@ +# Web Attack Surface + +## Summary + +* [Enumerate Subdomains](#enumerate-subdomains) + * [Subdomains Databases](#subdomains-databases) + * [Bruteforce Subdomains](#bruteforce-subdomains) + * [Certificate Transparency Logs](#certificate-transparency-logs) + * [DNS Resolution](#dns-resolution) + * [Technology Discovery](#technology-discovery) +* [Subdomain Takeover](#subdomain-takovers) +* [References](#references) + + +## Enumerate Subdomains + +Subdomain enumeration is the process of identifying all subdomains associated with a main domain (e.g., finding `blog.example.com`, `shop.example.com`, etc., for `example.com`). + + +### Subdomains Databases + +Many databases and tools aggregate data from a variety of online sources, such as DNS databases, certificate transparency logs, APIs (e.g., Shodan, VirusTotal), and other publicly available sources to compile a comprehensive list of potential subdomains. + +* [projectdiscovery/chaos-client](https://github.com/projectdiscovery/chaos-client) - Go client to communicate with Chaos DB API. + ```ps1 + chaos -d hackerone.com + ``` + +* [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder) - Fast passive subdomain enumeration tool. + ```ps1 + subfinder -d hackerone.com + ``` + +* [owasp-amass/amass](https://github.com/owasp-amass/amass) - In-depth attack surface mapping and asset discovery + ```ps1 + amass enum -d example.com + ``` + +* [Findomain/Findomain](https://github.com/Findomain/Findomain) - The complete solution for domain recognition. + ```ps1 + findomain -t example.com -u /tmp/example.com.out + ``` + + +### Bruteforce Subdomains + +Subdomain brute-forcing is a technique used to discover subdomains of a target domain by systematically trying out potential subdomain names against it. This is done by using a predefined list of common or likely subdomain names, known as a wordlist. Each word in the wordlist is appended to the target domain (e.g., admin.example.com, mail.example.com) to check if it resolves to a valid subdomain. + + + +* [assetnote/wordlists](https://github.com/assetnote/wordlists) +* [danielmiessler/SecLists/Discovery/DNS](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS) +* [jhaddix/all.txt](https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a) + + +Unlike passive subdomain enumeration, which relies on existing data from sources, brute-forcing actively queries DNS records to discover live subdomains that may not be listed in public databases. + +* [infosec-au/altdns](https://github.com/infosec-au/altdns) - Generates permutations, alterations and mutations of subdomains and then resolves them. + ```powershell + altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w ./words.txt + ``` +* [owasp-amass/amass](https://github.com/owasp-amass/amass) - In-depth attack surface mapping and asset discovery. + ```ps1 + amass enum -active -brute -o /tmp/hosts.txt -d $1 + ``` +* [projectdiscovery/dnsx](https://github.com/projectdiscovery/dnsx) - A fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers. + ```ps1 + dnsx -silent -d facebook.com -w dns_worldlist.txt + ``` +* [subfinder/goaltdns](https://github.com/subfinder/goaltdns) - A permutation generation tool written in golang. + ```ps1 + altdns -l ./input_domains.txt -o ./output.txt + ``` + + +### Certificate Transparency Logs + +Certificate Transparency (CT) logs are public databases that record all SSL/TLS certificates issued by certificate authorities (CAs). These logs are designed to improve the security and transparency of the SSL/TLS ecosystem by making it easier to monitor and audit certificates. + +* [CertStream Calidog](https://certstream.calidog.io/) +* [Meta Certificate Transparency](https://developers.facebook.com/docs/certificate-transparency) +* [Google Certificate Transparency](certificate.transparency.dev) + + +### DNS Resolution + +Once you've generated a list of potential subdomains, the next step is to resolve them to retrieve their DNS records (A and AAAA) to obtain their IPv4 and IPv6 addresses. + +* [blechschmidt/massdns](https://github.com/blechschmidt/massdns) + ```ps1 + cat /tmp/results_subfinder.txt | massdns -r ./resolvers.txt -t A -o S -w /tmp/results_subfinder_resolved.txt + ``` +* [projectdiscovery/dnsx](https://github.com/projectdiscovery/dnsx) - a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers. + ```ps1 + subfinder -silent -d hackerone.com | dnsx -silent -a -resp + subfinder -silent -d hackerone.com | dnsx -silent -cname -resp + subfinder -silent -d hackerone.com | dnsx -silent -asn + echo 173.0.84.0/24 | dnsx -silent -resp-only -ptr + echo AS17012 | dnsx -silent -resp-only -ptr + ``` + + +## Technology Discovery + +Technology discovery is the process of identifying the underlying technologies, software, and frameworks used by a website or digital infrastructure. This often includes detecting web servers, CMS platforms, programming languages, databases, JavaScript libraries, and other software components. + +* [projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) - A fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library. + ```ps1 + httpx -u 'https://example.com' -title -tech-detect -status-code -follow-redirects + ``` + +* [projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) - A high performance go implementation of Wappalyzer Technology Detection Library. +* [michenriksen/aquatone](https://github.com/michenriksen/aquatone) - A Tool for Domain Flyovers + ``` + cat hosts.txt | aquatone -ports 80,443,3000,3001 + ``` + +* [rverton/webanalyze](https://github.com/rverton/webanalyze) - Port of Wappalyzer in Go + ```ps1 + webanalyze -host example.com -crawl 1 + ``` + +* [wappalyzer](https://www.wappalyzer.com/) - Identify technologies on websites. + + + +## Subdomain Takover + +A subdomain takeover is a type of security vulnerability that occurs when a subdomain (e.g., `sub.example.com`) is still live but its DNS records point to a service or platform (like AWS S3, GitHub Pages, or Heroku) that is no longer active or properly configured. This situation can allow an attacker to claim the unclaimed resource and take control of the subdomain, enabling them to host malicious content or impersonate the legitimate website. + +For example, if `sub.example.com` points to an AWS S3 bucket that has been deleted or abandoned, an attacker could create a new S3 bucket with the same name, gaining control over the subdomain and potentially causing security risks, like phishing attacks or reputational damage to the main domain. + +Refer to [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) for a list of services and guidance on claiming subdomains with dangling DNS records. + + +* [projectdiscovery/nuclei-templates/http/takeovers](https://github.com/projectdiscovery/nuclei-templates/tree/main/http/takeovers) - Community curated list of templates for the nuclei engine to find security vulnerabilities. + ```powershell + nuclei -t nuclei-templates/http/takeovers -u https://example.com + ``` + +* [anshumanbh/tko-subs](https://github.com/anshumanbh/tko-subs) - A tool that can help detect and takeover subdomains with dead DNS records + ```powershell + ./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv + ``` + + +## References + +- [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak (@0xpatrik) - May 21, 2018](https://0xpatrik.com/takeover-proofs/) +- [Subdomain Takeover: Basics - Patrik Hudak (@0xpatrik) - June 27, 2018](https://0xpatrik.com/subdomain-takeover-basics/) \ No newline at end of file