Scribd
Upload
162 views9 pages

Reconnaissance - Phase-2

The document discusses techniques for reconnaissance on targets including using wordlists to find subdomains, files, and passwords. It covers tools for subdomain enumeration like certificate transparency logs, search engines, GitHub, and bruteforcing. It also discusses content discovery, inspecting JavaScript files, and using Google dorks.

Uploaded by

setyahangga3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
162 views9 pages

Reconnaissance - Phase-2

The document discusses techniques for reconnaissance on targets including using wordlists to find subdomains, files, and passwords. It covers tools for subdomain enumeration like certificate transparency logs, search engines, GitHub, and bruteforcing. It also discusses content discovery, inspecting JavaScript files, and using Google dorks.

Uploaded by

setyahangga3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

Reconnaissance - Phase2.

md
github.com/IamLucif3r/Bug-Hunting/blob/main/Notes/Reconnaissance- Phase1.md

Files

1. Wordlists
Word lists are used to find new subdomains, interesting files, cracking passwords, and
much more.

1.1 Sec List

If you’re looking for a good wordlist this should be the first place you look, chances
are they have the wordlist you're looking for.
https://github.com/danielmiessler/SecLists
Robots Disallow: The robots.txt disallow directory is used to tell scraping
bots such as google to not crawl certain files and file paths, this can be a good
indication that they are trying to hide something.
RAFT: The RAFT wordlists contains a large number of interesting filenames
and directories. There are several different versions of this list ranging in size
but I generally just go with the largest list.
Technology Specific: Seclists contains specific wordlists for PHP, Golang,
ASP, Apache, IIS, and a bunch more.

1.2 Common Speak

https://github.com/assetnote/commonspeak2
https://github.com/assetnote/commonspeak2-wordlists
Common speak from Assetnote has a unique way of generating wordlists.

1.3 All

The majority of people use this wordlist for subdomain brute forcing.
You won’t find a bigger word list than this one.
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

1.4 CRTSH

Every https domain is logged in a database somewhere. Internetwache created a


tool to scrape this database for subdomains. Every hour Internetwache uses this
tool to update his wordlist.
https://github.com/internetwache/CT_subdomains

1/9
2. Subdomain Enumeration

2.1 Certification Transparency Logs

Any site that starts with HTTPS:// uses SSL certificates to provide a secure
connection. If a hacker or rogue certificate authority is able to forge this certificate
they would be able to perform man in the middle attacks.

The certificate transparency log is used to monitor and audit unauthorized


certificates. Every time you get an SSL certificate for your domain or subdomain it
will be logged in certificate transparency logs

We can find all SSL certificates belonging to a domain by issuing a GET request to
https://crt.sh/?q=%25.facebook.com as shown below:

2/9
Tools:

Crtsh.py

2.2 Search Engine

Google dorks can be utilized to find subdomains with the following dork:
Site:
This dork wil return all the links belonging to a specific domain.

2.4 Github

Almost every developer uses GitHub to store their source code. Developers will
often hard code private or hidden endpoint points in their source code.
Tool : Github-Search by gwen001.

2.5 Brute Force

Brute forcing is probably the most popular way to find subdomains. You might think
that you send a get requests to a bunch of subdomains and see which ones resolve
but that’s wrong. DNS can be used to brute force subdomains without sending
packets to your target. All you do is perform a DNS requests against a subdomain if
it resolves to an IP then you know it’s live.
GoBuster: GoBuster is a good tool for discovering the directories hosted on a web
server as well as a enumerating the Subdomains.
It is however dependent on how good wordlist are you using for the
enumeratoin.

2.6 Subdomain Permutation

One of the best ways to find hidden assets is through the use of permutations. A
permutation is a way a set of words can be rearranged.

3/9
For example, if we have the subdomain test.starbcuks.com and the words dev,
stage, and production we could come up with several possible subdomains. We
would have dev-test.starbucks.com, dev.test.starbucks.com, production-
test.starbucks.com, andso on.
All this can be done automatically with altdns:
Altdns

Using altdns we can pass in a list of found subdomains and a list of


words and the tool will output a huge list of permutations. The tool can
also resolve eachnewly found subdomain to see if they are live:

altdns -i found_subdomains.txt -o permutation_output -w words.txt -r -s


resolved_output.txt

Other Tools: There are a lot of other techniques and resources that people can
use to find subdomains.

Virus Total
Netcraft
DNSdumpster
Threat crowed
Shodan
Cencys
DNSdb
Pastebin

2.7 Tools

1. Amass:
https://github.com/OWASP/Amass
Amass will utilize a bunch of online resources to find subdomains. Most of
these are third party vendors which they scrape or utilize their API to pull a
listsubdomains.
2. Knock.py:
https://github.com/guelfoweb/knock
it shows the response status and the technology stack. This is very useful for
quickly understanding each subdomain.

3. DNS Resolutions
During the subdomain enumeration process, you should have generated a large list
subdomains. In order to start probing these endpoints you need to know which ones
are live.
To do this we can perform a DNS lookup against a domain to see if it contains an A
record.

4/9
Massdns: The tool is written in C and requires us to build it before we can use it.

4. Screen Shot
When you’re dealing with thousands of targets it is much easier to scroll through a
bunch of screenshots than visiting each site manually. Just by looking at a screen
shot you can determine several things such as its technology, is it old, does it look
interesting, is there login functionality, and much more.
Eyewitness: It attempts to take a screenshot of each domain in the list that was
passed to the tool. Once the tool is finished you can scroll through each of the
screen shots to find interesting endpoints.

5. Content Discovery
Content discovery is a vital process in the reconnaissance phase. Failing to perform
this phase properly will result in lots of missed vulnerabilities. The main purpose
behind content discovery is to find endpoints on a target domain.
You are looking for things such as log files, config files, interesting technologies or
applications, and anything else that is hosted on the website.

5.1 Self Crawl

One of the best ways to find endpoints on a target is to crawl the application.
Crawling a website involves recursively visiting each link and saving each link on a
web page recursively.
Tool: Crawler.

5.2 Wayback Machine Crawl Data

5/9
The Wayback Machine is an archive of the entire internet. Basically, they go to
every website and they crawl it while taking screenshots and logging the data to a
database.
interesting filters include:
.zip
.config
/admin/
/api/
Once you get the data start looking for interesting files and GET parameters that
might be vulnerable.

5.3 Common Crawl Data

5.4 Directory Brute Force

Depending on your wordlists you can find all kinds of interesting endpoints like
backup files, core dumps, config files, and a whole lot more.
Tool: GoBuster

6. Inspecting JS Files
There are interesting things in JavaScript files such as AWS keys, S3 bucket endpoints,
API keys, and much more.

6.1 Link Finder

Linkfinder is one of the best tools for parsing endpoints from JavaScript files. The
tool works by using jsbeautifier with a list of regexes to find URLs.
LinkFinder Tool

6.2 JSearch

Jssearch is another JavaScript parser except this tool primarily used to find
sensitive or interesting strings.
For instance, developers will sometimes hard code API keys, AWS credentials, and
other sensitive information in JavaScript files. This information can easily be parsed
out with the use of regexes.
JSearch Tool

7. Google Dorks
A huge list of interesting dorks can be found on the exploit-db website.
https://www.exploit-db.com/google-hacking-database

7.1 Dork Basics

6/9
Dorks work on the vast majority of search engines such as Bing, AOL, and yahoo.
Depending on how thorough you want to be you may wish to utilize the results of
multiple search engines.
site: domainName
“inurl:” and “intitle:”
https://gbhackers.com/latest-google-dorks-list/

7.2 Third Party Vendors

Organizations utilize sites such as Trello, Pastebin, GitHub, Jira, and more in their
daily operations. Using Google dorks, you can find these endpoints and search for
sensitive information.
There have been several instances where I have found credentials stored on a
public Trello board. A typical dork when looking for third party vendors looks like:
site: ThirdPartyVendor CompanyName

7.3 Content

7/9
8/9
Conclusion

Google dorks can be used to find anything and everything about your target.Google dorks
have been around for a long time and they don’t seem to be going away anytime soon.
There are some people who solely rely on google dorks to find their vulnerabilities.
Exploit-db has a huge list of dorks that can be used to find sensitive or vulnerable
endpoints. Although exploit-db contains many interesting dorks I often find myself
searching for third party vendors for interesting information.

9/9

You might also like