Scanning and Recon: Difference between revisions

Latest revision as of 08:41, 16 October 2023

These tools will scan web applications for vulnerabilities and misconfigurations, remember that they will cause a lot of traffic making lots of requests. Using APIs will advance your scanning but may cost $$$.

NOTE: This is not an exhaustive list.

WAF detect

Your target may have a web application firewall (WAF) which might try to prevent scanning, exploitation and other security tests. It's important that we can identify what WAF is in place so we can try and bypass it. Some targets might be vulnerable and normally an exploit would work however the WAF is preventing the exploit from popping the box. You can try to encode the payload (Burpsuite is good for this) amongst other things to bypass the WAF.

Blog: https://labs.detectify.com/2022/05/09/discovering-the-origin-host-to-bypass-waf
Blog: https://blog.yeswehack.com/yeswerhackers/web-application-firewall-bypass
Identify and fingerprint web application firewalls: https://github.com/EnableSecurity/wafw00f
Detect and bypass web application firewalls: https://github.com/Ekultek/WhatWaf
Everything about web application firewalls (educational): https://github.com/0xInfection/Awesome-WAF
Nuclei template to detect WAFs: https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/waf-detect.yaml
Detect WAFs using: asnmap -org paypal -silent | dnsx -ptr -ro -silent | cdncheck -resp -silent

Reconnaissance

Automated recon scripts which automates a lot of the boring aspects of recon for you. They can be used to run some cursory automated vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers. Also can perform passive and active recon testing such as subdomain enumeration, credential bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records and directory fuzzing, dorking, ports scanning, screenshots, nuclei scanning on your targets and more. The best one is reconFTW but we provide others for comparison.

Vulnerability scanners

To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.

Axiom distributes the load of your scanning tools across multiple servers. https://github.com/pry0cc/axiom | Twitter Thread
Nuclei scanner: https://github.com/projectdiscovery/nuclei | The Ultimate Guide to Finding Bugs With Nuclei
- WordPress related Nuclei templates: https://github.com/topscoder/nuclei-wordfence-cve
Use Osmedeus to build your own reconnaissance system (Great for scanning large amount of target hosts): https://github.com/osmedeus/osmedeus-base [Free and Paid]
CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs: https://github.com/Tuhinshubhra/CMSeeK
The Swiss Army knife for automated Web Application Testing: https://github.com/jaeles-project/jaeles | Jaeles Scanner
Attack Surface Management Platform, used to discover hidden assets and vulnerabilities: https://github.com/1N3/Sn1per
Enumerate subdomains and vulnerability scan them: subfinder -d nasa.gov -silent | httpx -silent | nuclei -silent -s critical,high,medium,low -o vulns.txt
Wordpress CMS specific vulnerability scanner, version detection, plugin enumeration and user account bruteforce tool: https://github.com/wpscanteam/wpscan | WPScan Documentation [Free and paid]
Joomla CMS specific vulnerability scanner: https://github.com/OWASP/joomscan
Drupal CMS specific vulnerability scanner: https://github.com/immunIT/drupwn
Watch Catalan police union hack to learn how to utilize ZAP to discover vulnerabilities: https://www.zaproxy.org
Pyfiscan is a web-application vulnerability and version scanner which can be used to locate out-dated versions of common web-applications: https://github.com/fgeek/pyfiscan
User-Agent , X-Forwarded-For and Referer SQLI Fuzzer: https://github.com/root-tanishq/userefuzz
Nmap Scripting Engine (NSE) can be used to perform version detection, network discovery and vulnerability scan/exploitation: https://nmap.org/book/man-nse.html | Nmap Scripting Engine | Scripts
Scan for SQLi/XSS/LFI/RFI and other common vulnerabilities: https://github.com/v3n0m-Scanner/V3n0M-Scanner
Quickly discover the attack surface, and identify vulnerabilities: https://github.com/yogeshojha/rengine
XSS specific scanner and utility focused on automation: https://github.com/hahwul/dalfox
high-performance vulnerability scanner! Supports user-defined PoC and comes with several built-in types, such as CVE, CNVD, default passwords, information disclosure, fingerprint identification, unauthorized access, arbitrary file reading, and command execution: https://github.com/zan8in/afrog

Subdomain enumeration

Enumerate your targets top level domain (TLD) as part of your recon to identify entry points in your targets infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your targets subdomains may also be running out of date software, subdomains might not be behind a WAF where the main page will be, less or no authentication where there should be and more vulnerabilities may exist as opposed to the TLD.

https://github.com/OWASP/Amass
https://github.com/aboul3la/Sublist3r
You can also try using reconftw for a more comprehensive subdomain enumeration, using different tools and techniques. ./reconftw.sh -d nasa.gov -s
https://github.com/projectdiscovery/subfinder
Subdomain enumeration dork: site:.nasa.gov
https://github.com/projectdiscovery/shuffledns
https://github.com/projectdiscovery/dnsx
https://github.com/infosec-au/altdns
https://github.com/resyncgg/ripgen

Subdomain screenshot

Screenshot subdomains during your recon process to quickly sift through and identify different subdomains without needing to load each one

gowitness - a golang, web screenshot utility using Chrome Headless: https://github.com/sensepost/gowitness
httpx -l subdomains.txt -screenshot | https://github.com/projectdiscovery/httpx
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible: https://github.com/RedSiege/EyeWitness

Subdomain takeover

A subdomain takeover allows us to gain control over a misconfigured or abandoned subdomain. This is done by exploiting vulnerabilities in DNS settings, expired or deleted services, or incomplete migrations. Once control is established, we can employ social engineering tactics such as phishing, this could be hosting phishing pages on legitimate company subdomains that are already trusted by employees.

Subdomain monitoring

Monitor your target for new subdomains whenever they pop up. Sometimes developers will create a new and temporary subdomain for testing and development, be notified whenever this happens. Include vulnerability scanners into the below bash script such as nuclei to automate some security testing as well.

#!/bin/bash
while true
do
  subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify
  sleep 3600
done

Be notified when your target updates their website.

#!/bin/bash
while true
do
  cat subdomains.txt -silent | httpx -sc -cl -location -title -silent | anew changes.txt | notify
  sleep 15
done

Content discovery

Find endpoints, URLs, Parameters, Resources and much more with content discovery.

https://github.com/praetorian-inc/fingerprintx
https://github.com/projectdiscovery/httpx
https://github.com/tomnomnom/waybackurls
Find AWS S3 buckets and test their permissions: https://github.com/gwen001/s3-buckets-finder
Scan for open S3 buckets and dump the contents: https://github.com/sa7mon/S3Scanner
Chrome extension that lists Amazon S3 Buckets while browsing: https://github.com/AlecBlance/S3BucketList

Fuzzing

Word Lists

Word lists can be used in your content discovery when performing directory bruteforcing and subdomain bruteforcing.

All the best word lists for different tools and content discovery goals: https://wordlists.assetnote.io
Repository of many different kinds of word lists: https://github.com/danielmiessler/SecLists
Quickly generate context-specific wordlists for content discovery from lists of URLs or paths : https://github.com/ameenmaali/wordlistgen
Content discovery URLs and files word list: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
File and directory discovery word list: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
Subdomain enumeration word list: https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a
Potentially dangerous files: https://github.com/Bo0oM/fuzz.txt
Download and search specific domain names using (only includes popular cloud providers): https://kaeferjaeger.gay/?dir=sni-ip-ranges
- Search for and extract your targets domains: cat ~/sni_ip_ranges/*.txt | grep "\target\.com" | awk -F'-- ' '{print $2}' | tr ' ' '\n' | tr '[' ' ' | sed 's/ //' | sed 's/\]//' | sort -u
  - Extract only domains: grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/*.txt > domains.txt

Port scanners

When performing a port scan pay special attention to non-standard ports.

Technology scanners

NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.

When performing a penetration test we will want to know what technology is running on the target and what version it's running as so that later we can start looking for possible working public exploits.

Browser add-on to detect web technologies: https://www.wappalyzer.com
Browser add-on to detect web technologies: https://www.whatruns.com
Browser add-on to detect web technologies: https://builtwith.com/toolbar
WhatWeb identifies web technologies: https://github.com/urbanadventurer/whatweb
Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning: https://github.com/rverton/webanalyze
subfinder -d nasa.gov -silent | httpx -silent | nuclei -t technologies -silent
A utility to detect various technology for a given IP address: https://github.com/projectdiscovery/cdncheck

Web Crawlers

Crawl a website, extract all URL endpoints and save them for further analysis. Useful for digging up parameters on websites to test for common vulnerabilities (XSS, SQLi, IDOR, LFI/RFI, etc)

ASN scanners

Map out an organizations network ranges using ASN information.

https://github.com/projectdiscovery/asnmap
https://github.com/banviktor/asnlookup
amass intel -asn AS21556
echo 'nasa' | metabigor net --org -v
echo 'AS21556' | metabigor net --asn -v
amass intel -active -org nasa -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -active -asn @ -max-dns-queries 2500| sort -u

Google hacking

Refine your google searches (also works on Bing and DuckDuckGo) to discover paths, files, vulnerabilities, endpoints, login portals and technology.

(Book) Google Hacking for Penetration Testers 3rd Edition
https://github.com/Proviesec/google-dorks
https://www.exploit-db.com/google-hacking-database
https://dorksearch.com
https://taksec.github.io/google-dorks-bug-bounty

Intercepting proxies

Exploitation

For automatic exploit tools and payloads, see exploitation.

@@ Line 13: / Line 13: @@
 * Nuclei template to detect WAFs: https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/waf-detect.yaml
 * Detect WAFs using: <code>asnmap -org paypal -silent | dnsx -ptr -ro -silent | cdncheck -resp -silent</code>
+=== Reconnaissance ===
+Automated recon scripts which automates a lot of the boring aspects of recon for you. They can be used to run some cursory automated vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers. Also can perform passive and active recon testing such as subdomain enumeration, credential bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records and directory fuzzing, dorking, ports scanning, screenshots, nuclei scanning on your targets and more. The best one is [https://github.com/six2dez/reconftw reconFTW] but we provide others for comparison.
+* https://github.com/six2dez/reconftw | [https://gist.github.com/jhaddix/141d9cb07ca0590dbc43389e0e4af98f Free scan config (no API)]
+* https://github.com/Tib3rius/AutoRecon
+* https://github.com/AdmiralGaust/bountyRecon
+* https://github.com/offhourscoding/recon
+* https://github.com/Sambal0x/Recon-tools
+* https://github.com/yourbuddy25/Hunter
+* https://github.com/venom26/recon/blob/master/ultimate_recon.sh
+* https://gist.github.com/dwisiswant0/5f647e3d406b5e984e6d69d3538968cd
+* https://github.com/capt-meelo/LazyRecon
+* https://github.com/phspade/Automated-Scanner
+* https://github.com/shmilylty/OneForAll
+* https://github.com/SolomonSklash/chomp-scan
+* https://github.com/Screetsec/Sudomy
+* https://github.com/Edu4rdSHL/findomain
+* https://github.com/SilverPoision/Rock-ON
+* https://github.com/epi052/recon-pipeline
 === Vulnerability scanners ===
@@ Line 18: / Line 38: @@
 * Axiom distributes the load of your scanning tools across multiple servers. https://github.com/pry0cc/axiom | [https://twitter.com/Jhaddix/status/1633936278222962688?cxt=HHwWgIDUkeuY9KwtAAAA Twitter Thread]
-* A fully automated recon tool (its great as a tool installer on a fresh VPS): https://github.com/six2dez/reconftw | [https://gist.github.com/jhaddix/141d9cb07ca0590dbc43389e0e4af98f Free scan config (no API)]
+* Nuclei scanner: https://github.com/projectdiscovery/nuclei | [https://blog.projectdiscovery.io/ultimate-nuclei-guide The Ultimate Guide to Finding Bugs With Nuclei]
-* Nuclei offers scanning for a variety of protocols, it offers powerful and flexible templating which can be used to perform all kinds of security checks against a target: https://github.com/projectdiscovery/nuclei | [https://blog.projectdiscovery.io/ultimate-nuclei-guide The Ultimate Guide to Finding Bugs With Nuclei]
+** WordPress related Nuclei templates: https://github.com/topscoder/nuclei-wordfence-cve
 * Use Osmedeus to build your own reconnaissance system (Great for scanning large amount of target hosts): https://github.com/osmedeus/osmedeus-base [Free and Paid]
 * CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs: https://github.com/Tuhinshubhra/CMSeeK
@@ Line 34: / Line 54: @@
 * Scan for SQLi/XSS/LFI/RFI and other common vulnerabilities: https://github.com/v3n0m-Scanner/V3n0M-Scanner
 * Quickly discover the attack surface, and identify vulnerabilities: https://github.com/yogeshojha/rengine
-* <code>subfinder -d nasa.gov -silent | httpx -silent | naabu -top-ports 1000 -silent | nuclei -silent -o results.txt</code>
+* XSS specific scanner and utility focused on automation: https://github.com/hahwul/dalfox
+* high-performance vulnerability scanner! Supports user-defined PoC and comes with several built-in types, such as CVE, CNVD, default passwords, information disclosure, fingerprint identification, unauthorized access, arbitrary file reading, and command execution: https://github.com/zan8in/afrog
 === Subdomain enumeration ===
@@ Line 48: / Line 69: @@
 * https://github.com/infosec-au/altdns
 * https://github.com/resyncgg/ripgen
-*
+==== Subdomain screenshot ====
+Screenshot subdomains during your recon process to quickly sift through and identify different subdomains without needing to load each one
+* gowitness - a golang, web screenshot utility using Chrome Headless: https://github.com/sensepost/gowitness
+* <code>httpx -l subdomains.txt -screenshot</code> | https://github.com/projectdiscovery/httpx
+* EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible: https://github.com/RedSiege/EyeWitness
 ==== Subdomain takeover ====
@@ Line 66: / Line 92: @@
 <pre>
-while true;
+#!/bin/bash
+while true
 do
-   subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify;
+   subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify
-sleep 3600;
+  sleep 3600
+done
+</pre>
+Be notified when your target updates their website.
+<pre>
+#!/bin/bash
+while true
+do
+  cat subdomains.txt -silent | httpx -sc -cl -location -title -silent | anew changes.txt | notify
+  sleep 15
 done
 </pre>
@@ Line 99: / Line 136: @@
 * File and directory discovery word list: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
 * Subdomain enumeration word list: https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a
+* Potentially dangerous files: https://github.com/Bo0oM/fuzz.txt
+* Download and search specific domain names using (only includes popular cloud providers): https://kaeferjaeger.gay/?dir=sni-ip-ranges
+** Search for and extract your targets domains: <code>cat ~/sni_ip_ranges/*.txt | grep "\target\.com" | awk -F'-- ' '{print $2}' | tr ' ' '\n' | tr '[' ' ' | sed 's/ //' | sed 's/\]//' | sort -u</code>
+*** Extract only domains: <code>grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/*.txt > domains.txt</code>
 === Port scanners ===
@@ Line 123: / Line 164: @@
 === Web Crawlers ===
-Crawl a website, extract all URL endpoints and save them for further analysis. Useful for digging up parameters on websites to test for common vulnerabilities ([https://enlacehacktivista.org/index.php?title=Exploitation#Payloads XSS, SQLi, IDOR, RFI/LFI, etc])
+Crawl a website, extract all URL endpoints and save them for further analysis. Useful for digging up parameters on websites to test for common vulnerabilities ([https://enlacehacktivista.org/index.php?title=Exploitation#Payloads XSS, SQLi, IDOR, LFI/RFI, etc])
 * https://github.com/projectdiscovery/katana
@@ Line 150: / Line 191: @@
 === Intercepting proxies ===
-* https://enlacehacktivista.org/index.php?title=Hacking_APIs#Intercepting_proxies
+* https://mitmproxy.org
+* https://portswigger.net/burp
+* https://www.zaproxy.org
+* https://github.com/projectdiscovery/proxify
 == Exploitation ==
 For automatic exploit tools and payloads, see [[exploitation]].