mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-09-28 15:21:32 +02:00
Methodology update - design + nmap
This commit is contained in:
Swissky
parent
90265b8250
commit
af01b04a30
@ -1,17 +1,15 @@
|
||||
# Methodology and Enumeration
|
||||
# Bug Hunting Methodology and Enumeration
|
||||
|
||||
## Bug Hunting Methodology
|
||||
* Enumerate all subdomains (only if the scope is *.domain.ext)
|
||||
## Enumerate all subdomains (only if the scope is *.domain.ext)
|
||||
|
||||
Using Subbrute
|
||||
* Using Subbrute
|
||||
```
|
||||
git clone https://github.com/TheRook/subbrute
|
||||
|
||||
python subbrute.py domain.example.com
|
||||
```
|
||||
|
||||
|
||||
Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||
* Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
|
||||
```
|
||||
git clone https://github.com/guelfoweb/knock
|
||||
git clone https://github.com/danielmiessler/SecLists.git
|
||||
@ -19,16 +17,14 @@ git clone https://github.com/danielmiessler/SecLists.git
|
||||
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
|
||||
```
|
||||
|
||||
|
||||
Using Google Dorks
|
||||
* Using Google Dorks
|
||||
```
|
||||
site:*.domain.com -www
|
||||
site:http://domain.com ext:php
|
||||
site:http://domain.com filetype:pdf
|
||||
```
|
||||
|
||||
|
||||
Using Jason Haddix's enumall Recon-ng script,
|
||||
* Using Jason Haddix's enumall Recon-ng script,
|
||||
```
|
||||
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
|
||||
cd recon-ng
|
||||
@ -45,7 +41,6 @@ cd domain
|
||||
-i to feed a list of domains (can also type extra domains into the original command)
|
||||
```
|
||||
|
||||
|
||||
* Subdomain take over using HostileSubBruteForcer
|
||||
```
|
||||
git clone https://github.com/nahamsec/HostileSubBruteforcer
|
||||
@ -53,7 +48,6 @@ chmox +x sub_brute.rb
|
||||
./sub_brute.rb
|
||||
```
|
||||
|
||||
|
||||
* EyeWitness and Nmap scans from the KnockPy and enumall scans
|
||||
```
|
||||
git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||
@ -64,13 +58,14 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
|
||||
./EyeWitness -f rdp.txt --rdp
|
||||
```
|
||||
|
||||
* Passive recon
|
||||
## Passive recon
|
||||
```
|
||||
Use shodan to detect similar app
|
||||
Use the wayback machine to detect forgotten endpoint
|
||||
```
|
||||
|
||||
|
||||
## Active recon
|
||||
* Basic NMAP (if allowed ^^')
|
||||
```
|
||||
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
|
||||
@ -84,10 +79,22 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
|
||||
• -T4 defines the timing for the task (options are 0-5 and higher is faster)
|
||||
```
|
||||
|
||||
* NMAP Script
|
||||
```
|
||||
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
|
||||
PORT STATE SERVICE
|
||||
80/tcp open http
|
||||
| http-enum:
|
||||
| /phpmyadmin/: phpMyAdmin
|
||||
| /.git/HEAD: Git folder
|
||||
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|
||||
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|
||||
|
||||
* List all the subdirectories and files
|
||||
```
|
||||
|
||||
Using DirBuster or GoBuster
|
||||
|
||||
## List all the subdirectories and files
|
||||
* Using DirBuster or GoBuster
|
||||
```
|
||||
./gobuster -u http://buffered.io/ -w words.txt -t 10
|
||||
-u url
|
||||
@ -101,20 +108,27 @@ gobuster -w wordlist -u URL -r -e
|
||||
```
|
||||
|
||||
|
||||
Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||
```
|
||||
|
||||
Using a script to detect all .htpasswd files in a range of IPs
|
||||
* Using a script to detect all .htpasswd files in a range of IPs
|
||||
```
|
||||
#!/bin/bash
|
||||
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
```
|
||||
|
||||
## Looking for Web vulnerabilities
|
||||
|
||||
* Look for private information in GitHub repos with GitRob
|
||||
```
|
||||
git clone https://github.com/michenriksen/gitrob.git
|
||||
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
||||
```
|
||||
|
||||
* Explore the website with a proxy (ZAP/Burp Suite)
|
||||
```
|
||||
@ -123,23 +137,6 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||
- Explore and understand available functionality, noting areas that correspond to vulnerability types
|
||||
```
|
||||
|
||||
|
||||
* Look for Web Vulns
|
||||
```
|
||||
- SQLi
|
||||
- XSS
|
||||
- RCE
|
||||
- LFI/RFI
|
||||
etc
|
||||
```
|
||||
|
||||
|
||||
* Look for private information in GitHub repos with GitRob
|
||||
```
|
||||
git clone https://github.com/michenriksen/gitrob.git
|
||||
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
||||
```
|
||||
|
||||
* Subscribe to the site and pay for the additional functionality to test
|
||||
|
||||
* Launch a Nikto scan in case you missed something
|
||||
|
||||
Loading…
Reference in New Issue
Block a user