Domain Spray and Pray

From Enlace Hacktivista

To get a list of government domains (as an example), you can either mass-scan the internet for port 443 with zmap, grab banners and certificates with zgrab and grep the results for .gov TLDs, or download a list of domains from popular cloud providers (limiting) such as Amazon, DigitalOcean, Google, Microsoft and Oracle.

NOTE: This is very loud and not recommended. However, for large-scale hacktivist operations that seek to target as much as possible within specific TLDs or countries, this method works quite well for identifying low-hanging-fruit vulnerabilities. A more targeted penetration test against a target list will be much better and more effective.

Mass Scanning

If you don't want to limit your scan to cloud providers and want more coverage of domains, you can use zmap and zgrab together to port scan and download SSL/TLS certificate data, then grep it for domains. A lot of organizations suffer from shadow IT and don't have good insight into the assets they own and expose. We can exploit this with mass spray and pray campaigns.


Scan the internet's IPv4 space for port 443:

  • sudo zmap -p 443 -o targets.txt


Using zmap's output as input, download the certificate data:

  • zgrab2 tls --input-file=targets.txt --output-file=certs.json

After which you will want to parse the output for government top-level domains (or others):

  • grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' certs.json > domains.txt
  • grep -i '\.gov$' domains.txt > gov_domains.txt
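
Certificate names are what the grep step above harvests, so the same data tells a defender which of their hostnames are visible to anyone scanning port 443. The following Python is an added example, not part of the original page: it reads zgrab2 TLS output from a scan of an organization's own address ranges and reports certificate names missing from its asset inventory (the shadow IT gap described above). The JSON field layout, the sample records and the names `cert_names`, `unknown_assets` and `sample_record` are assumptions made for this example.

```python
import json

def cert_names(record):
    """Return lowercased DNS names (subject CN + SANs) from one zgrab2 TLS record."""
    try:
        parsed = (record["data"]["tls"]["result"]["handshake_log"]
                  ["server_certificates"]["certificate"]["parsed"])
        names = list(parsed.get("subject", {}).get("common_name", []))
        names += parsed.get("extensions", {}).get("subject_alt_name", {}).get("dns_names", [])
    except (KeyError, TypeError, AttributeError):
        return set()  # failed handshake or unexpected layout: no certificate
    return {n.lower().rstrip(".") for n in names if isinstance(n, str)}

def unknown_assets(lines, inventory, owned_suffixes):
    """Map each certificate name under our own domains that is missing from
    the asset inventory to the sorted list of IPs that presented it."""
    known = {h.lower() for h in inventory}
    found = {}
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines
        for name in cert_names(record):
            ours = any(name == s or name.endswith("." + s) for s in owned_suffixes)
            if ours and name not in known:
                found.setdefault(name, set()).add(record.get("ip", "?"))
    return {n: sorted(ips) for n, ips in found.items()}

def sample_record(ip, cn, sans):
    """Build a constructed zgrab2-style record (field layout is an assumption)."""
    parsed = {"subject": {"common_name": [cn]},
              "extensions": {"subject_alt_name": {"dns_names": sans}}}
    return json.dumps({"ip": ip, "data": {"tls": {"status": "success", "result": {
        "handshake_log": {"server_certificates": {"certificate": {"parsed": parsed}}}}}}})

# Constructed sample input: documentation IPs and example.org names only.
SAMPLE_LINES = [
    sample_record("192.0.2.10", "www.example.org", ["www.example.org", "Legacy-VPN.example.org"]),
    json.dumps({"ip": "192.0.2.11", "data": {"tls": {"status": "connection-timeout"}}}),
    sample_record("192.0.2.12", "jenkins.dev.example.org",
                  ["jenkins.dev.example.org", "cdn.thirdparty.test"]),
    '{"ip": "192.0.2.13", "data": {"tls"',  # truncated line
]
INVENTORY = {"www.example.org"}

if __name__ == "__main__":
    for name, ips in sorted(unknown_assets(SAMPLE_LINES, INVENTORY, ["example.org"]).items()):
        print(f"not in inventory: {name} (seen on {', '.join(ips)})")
```

Names that turn up here belong either in the inventory or behind a certificate that does not list them.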

Cloud Domains

To begin, download all of the cloud providers' text files and parse them.

Output all cloud provider text files into one big file:

  • user@host:~/sni_ip_ranges$ cat *.txt > all.txt

Parse all.txt for domains:

  • grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/all.txt > domains.txt

Grep specifically for your target TLDs:

  • grep -i '\.gov$' domains.txt > gov_domains.txt

Enumerate Subdomains

To be thorough in our scanning we will enumerate all the domains in the domains.txt file for their subdomains to ensure complete coverage (nuclei will filter duplicates).

  • subfinder -dL gov_domains.txt -o government_domains.txt

Port scan

To ensure a thorough vulnerability scan we will want to port scan our targets for their open ports to ensure we scan all their services.

  • naabu -l government_domains.txt -o government_domains_final.txt

Vulnerability Scan

Finally we vulnerability scan the targeted domains to later exploit.

  • nuclei -l government_domains_final.txt -s critical,high -o vuln_gov_domains.txt