Refer to Simple WebPentest Checklist
Subdomain Enumeration
git clone https://github.com/TheRook/subbrute.git
python subbrute.py domain.com > subdomains.txt
git clone https://github.com/infosec-au/altdns.git
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
# paste the list into httpstatus.io (Bulk URL HTTP Status Code, Header & Redirect Checker)
# this returns the status of each host, i.e. which subdomains are live
# make sure to also enumerate subdomains of the discovered subdomains (recursive enumeration)
# Other tools
amass enum -passive -norecursive -noalts -df domain.txt -o subs-1.txt
amass enum -passive -norecursive -noalts -df subs-1.txt -o all-sub.txt
Recon Automation
# Better: use https://github.com/smicallef/spiderfoot
- it automates most of the basic recon tasks
# or use ReconFTW
git clone https://github.com/six2dez/reconftw
cd reconftw/
./install.sh
./reconftw.sh -d target.com -r
# or set up a container
docker pull six2dez/reconftw:main
docker run -it --rm \
-v "${PWD}/OutputFolder/":'/reconftw/Recon/' \
six2dez/reconftw:main -d example.com -r
Find origin IPs (to bypass the WAF via Match & Replace in Burp)
shodan.io 🡺 ssl.cert.subject.cn:"domain/subdomain"
en.fofa.info 🡺 normal search for domain/subdomain
search.censys.io 🡺 normal search for domain/subdomain
securitytrails.com 🡺 normal search for domain/subdomain
Finding Hidden paths
- go to urlscan.io/search
- query: domain.com -www.domain.com -auth.domain.com (exclude the hosts you already know to surface new ones)
- Google Dorks
- ignore known domains and search for new endpoints/domains
- site:domain.com -site:duplicate.domain.com
- go to https://en.fofa.info/
- search for a domain and select the company's favicon
- fofa shows the hash of that favicon
- use this query to find other hosts serving the same favicon: `http.favicon.hash:-1243154474`