Scanning and Recon: Difference between revisions

From Enlace Hacktivista
(15 intermediate revisions by the same user not shown)
Line 13: Line 13:


=== Vulnerability scanners ===
=== Vulnerability scanners ===
To quickly cover a lot ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.
To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.


* https://github.com/pry0cc/axiom. [https://twitter.com/Jhaddix/status/1633936278222962688?cxt=HHwWgIDUkeuY9KwtAAAA Twitter Thread]
* Axiom distributes the load of your scanning tools across multiple servers. https://github.com/pry0cc/axiom. [https://twitter.com/Jhaddix/status/1633936278222962688?cxt=HHwWgIDUkeuY9KwtAAAA Twitter Thread]
* https://github.com/six2dez/reconftw. [https://gist.github.com/jhaddix/141d9cb07ca0590dbc43389e0e4af98f Free scan config (no API)]
* https://github.com/six2dez/reconftw. [https://gist.github.com/jhaddix/141d9cb07ca0590dbc43389e0e4af98f Free scan config (no API)]
* https://github.com/lanmaster53/recon-ng
* https://github.com/lanmaster53/recon-ng
* https://github.com/Dionach/CMSmap
* https://github.com/Dionach/CMSmap
* https://github.com/edoardottt/cariddi
* https://github.com/jaeles-project/jaeles
* https://github.com/jaeles-project/jaeles
* https://github.com/1N3/Sn1per
* https://github.com/1N3/Sn1per
* https://w3af.org/
* https://w3af.org/
* https://github.com/projectdiscovery/nuclei
* https://github.com/projectdiscovery/nuclei
* <code>subfinder -d nasa.gov -silent | httpx -silent | nuclei -t cves -silent>/code>
* <code>[https://github.com/projectdiscovery/subfinder subfinder] -d nasa.gov -silent | httpx -silent | nuclei -silent -s critical,high,medium,low -o results.txt</code>
* https://github.com/wpscanteam/wpscan [Free and paid]
* https://github.com/wpscanteam/wpscan [Free and paid]
* https://github.com/OWASP/joomscan
* https://github.com/OWASP/joomscan
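Review bot: the old `<code>` line (`... nuclei -t cves -silent>/code>`) has a broken closing tag, which the replacement fixes, but the replacement also changes the pipeline from `-t cves` to `-s critical,high,medium,low -o results.txt` with no text explaining what the pipeline does or that `-o results.txt` writes the findings to a file; a one-line description next to the command, like the one the Axiom entry got in this same hunk, would help. Both versions of the command also use nasa.gov, a real third-party domain, as the scan target; replace it with a placeholder such as `example.com` or a domain the reader is authorized to test.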
Line 45: Line 44:


=== Subdomain enumeration ===
=== Subdomain enumeration ===
Enumerate your targets top level domain (TLD) as part of your recon to identify entry points in your targets infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your targets subdomains may also be running out of date software, less or no authentication where there should be and more vulnerabilities as opposed to the TLD.
* https://github.com/OWASP/Amass
* https://github.com/OWASP/Amass
* https://github.com/aboul3la/Sublist3r
* https://github.com/aboul3la/Sublist3r
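Review bot: the section text (`Enumerate your targets top level domain (TLD) ...`) is missing three apostrophes ("your target's"), and the last clause ("less or no authentication where there should be and more vulnerabilities as opposed to the TLD") is hard to parse; suggest "weaker or missing authentication, and more vulnerabilities than the main domain". The term "top level domain" is also used here for the target's main domain (nasa.gov in the page's examples), whose TLD is actually .gov; "apex domain" or "root domain" would be accurate.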
Line 51: Line 52:
* Subdomain enumeration dork: <code>[https://www.google.com/search?q=site:*.nasa.gov site:*.nasa.gov]</code>
* Subdomain enumeration dork: <code>[https://www.google.com/search?q=site:*.nasa.gov site:*.nasa.gov]</code>
* https://github.com/projectdiscovery/shuffledns
* https://github.com/projectdiscovery/shuffledns
* https://github.com/projectdiscovery/dnsx
* https://github.com/infosec-au/altdns
* https://github.com/resyncgg/ripgen


==== Subdomain takeover ====
==== Subdomain takeover ====
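Review bot: the three new entries (dnsx, altdns, ripgen) are added as bare links without the one-line description the Axiom entry received; a reader cannot tell from the list which of them resolve names and which only generate candidate names to feed into the others. Suggest a short description for each, in the form used for Axiom.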
Line 57: Line 61:
* https://github.com/EdOverflow/can-i-take-over-xyz
* https://github.com/EdOverflow/can-i-take-over-xyz
* https://github.com/Ice3man543/SubOver
* https://github.com/Ice3man543/SubOver
* https://github.com/projectdiscovery/nuclei-templates/tree/main/takeovers
* https://github.com/projectdiscovery/nuclei-templates/tree/main/http/takeovers
* https://www.hackerone.com/application-security/guide-subdomain-takeovers
* https://www.hackerone.com/application-security/guide-subdomain-takeovers


Line 96: Line 100:


=== Web Crawlers ===
=== Web Crawlers ===
* https://github.com/projectdiscovery/katana
* https://github.com/jaeles-project/gospider
* https://github.com/jaeles-project/gospider
* https://github.com/hakluke/hakrawler
* https://github.com/hakluke/hakrawler
* https://www.zaproxy.org
* https://www.zaproxy.org
* https://github.com/edoardottt/cariddi


=== ASN scanners ===
=== ASN scanners ===
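Review bot: cariddi is now listed under both "Vulnerability scanners" (first hunk of this diff) and "Web Crawlers" (this hunk); keep it in one section or say why it belongs in both. The new katana entry, like the additions in the subdomain hunk, has no description; suggest one line each.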

Revision as of 16:57, 29 May 2023

These tools will scan web applications for vulnerabilities and misconfigurations. Remember that they generate a lot of traffic, since they make a large number of requests.

NOTE: This is not an exhaustive list.

WAF detect

Your target may have a web application firewall (WAF) which might try to prevent scanning, exploitation and other security tests. It's important that we can identify which WAF is in place so we can try to bypass it. Some targets might be vulnerable, and normally an exploit would work, but the WAF prevents the exploit from popping the box. You can try encoding the payload, amongst other things.

Vulnerability scanners

To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.

Subdomain enumeration

Enumerate your target's top level domain (TLD) as part of your recon to identify entry points in your target's infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your target's subdomains may also be running out-of-date software, have weaker authentication than they should (or none at all), and have more vulnerabilities than the TLD.

You can also try ./reconftw.sh -d nasa.gov -s for a more comprehensive subdomain enumeration.

Subdomain takeover

A subdomain takeover allows us to gain control over a misconfigured or abandoned subdomain. This is done by exploiting vulnerabilities in DNS settings, expired or deleted services, or incomplete migrations. Once control is established, we can employ social engineering tactics such as phishing; for example, hosting phishing pages on legitimate company subdomains that employees already trust.
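The dangling records described above are exactly what a domain owner audits for. The following is an added example written for this page; it is not code from this wiki or from any of the tools it lists. It audits the CNAME records of a zone you administer and flags two conditions: a CNAME whose target no longer resolves, and a CNAME whose host answers with a provider's "unclaimed resource" page. The zone, the resolver, the HTTP bodies and the fingerprint phrases are all constructed stand-ins (names under example.com and .test are hypothetical) so the script runs offline; a real audit would plug in a DNS library and an HTTP client in place of the two stubs, and a maintained fingerprint list such as the can-i-take-over-xyz project linked on this page.

```python
"""Audit a DNS zone you administer for CNAME records that a takeover could abuse.

Added example for this wiki page, not from any of the tools it lists.
Two conditions are flagged:
  1. the CNAME target no longer resolves (the external service was deleted), or
  2. the host answers with a provider page saying the resource is unclaimed.
The zone, the resolver and the HTTP fetch are constructed stand-ins so the
script runs offline; swap in a DNS library / HTTP client for a real audit.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    name: str      # the record in our zone
    target: str    # where its CNAME points
    reason: str    # why it is considered dangling


# Constructed CNAME records for a hypothetical zone (not real infrastructure).
SAMPLE_ZONE: Dict[str, str] = {
    "www.example.com":     "example.com",                     # internal, fine
    "blog.example.com":    "pages.hosting-provider.test",     # external, still claimed
    "old-dev.example.com": "old-dev-app.paas-provider.test",  # service deleted: NXDOMAIN
    "shop.example.com":    "shop-123.shop-provider.test",     # resolves, but unclaimed
}

# Constructed answers of the stub resolver (missing key = NXDOMAIN).
SAMPLE_DNS: Dict[str, str] = {
    "example.com":                 "203.0.113.10",
    "pages.hosting-provider.test": "203.0.113.20",
    "shop-123.shop-provider.test": "203.0.113.30",
}

# Constructed HTTP response bodies, keyed by the name in our zone.
SAMPLE_HTTP: Dict[str, str] = {
    "www.example.com":  "<html>Welcome to Example Corp</html>",
    "blog.example.com": "<html>Our engineering blog</html>",
    "shop.example.com": "<html>There isn't a store here yet. Claim this name!</html>",
}

# Constructed "unclaimed resource" phrases; real ones are provider-specific.
UNCLAIMED_FINGERPRINTS: List[str] = [
    "there isn't a store here yet",
    "no such app",
    "repository not found",
]


def stub_resolve(hostname: str) -> Optional[str]:
    """Stand-in for a DNS lookup: returns an address or None for NXDOMAIN."""
    return SAMPLE_DNS.get(hostname)


def stub_fetch(hostname: str) -> Optional[str]:
    """Stand-in for an HTTP GET of http://<hostname>/ returning the body."""
    return SAMPLE_HTTP.get(hostname)


def is_external(name: str, target: str) -> bool:
    """True when the CNAME leaves our zone (third-party hosting).

    Apex = last two labels; a simplification that ignores public suffixes
    such as co.uk, which a real audit would handle with a suffix list.
    """
    apex = ".".join(name.split(".")[-2:])
    return not (target == apex or target.endswith("." + apex))


def audit_zone(zone: Dict[str, str],
               resolve: Callable[[str], Optional[str]],
               fetch: Callable[[str], Optional[str]]) -> List[Finding]:
    """Return one Finding per CNAME that looks dangling, in zone order."""
    findings: List[Finding] = []
    for name, target in zone.items():
        if not is_external(name, target):
            continue  # records inside our own zone cannot be claimed by a third party
        if resolve(target) is None:
            findings.append(Finding(name, target,
                                    "CNAME target does not resolve (NXDOMAIN)"))
            continue
        body = (fetch(name) or "").lower()
        for phrase in UNCLAIMED_FINGERPRINTS:
            if phrase in body:
                findings.append(Finding(name, target,
                                        f"provider reports unclaimed resource: {phrase!r}"))
                break
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, stub_resolve, stub_fetch):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run against the constructed zone, the audit reports old-dev.example.com (target gone) and shop.example.com (provider page says the name is unclaimed); www and blog pass. The fix on the defender's side is the same in both cases: delete the CNAME or re-claim the resource at the provider before anyone else can.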

Content discovery

Word Lists

Word lists can be used in your content discovery when performing directory bruteforcing, subdomain bruteforcing and password attacks.

Port scanners

When performing a port scan pay special attention to non-standard ports.

Technology scanners

NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.

When performing a penetration test we will want to know what technology is running on the target and which version it is running, so that later we can start looking for possible working public exploits.

Web Crawlers

ASN scanners

Google hacking

Exploitation

For automatic exploit tools and payloads, see exploitation.