Web Recon-01
Manually Walking through the target
Google Dorking
If you wanted to search for the syntax of Python's print() function, you could limit your results to the official Python documentation with this search:
print site:python.org
Searches for pages with a URL that match the search string
inurl:"/course/jumpto.php" site:example.com
Searches for web pages that contain links to a specified URL
link:"https://en.wikipedia.org/wiki/ReDoS"
(Google retired the link: operator in 2017, so expect it to return little or nothing; backlink data now has to come from third-party SEO tools.)
Finds specific strings in a page’s title. This is useful because it allows you to find pages that contain a particular type of content
intitle:"index of" site:example.com
Searches for pages with a specific file extension. This is an incredible tool for hacking; hackers often use it to locate files on their target sites that might be sensitive, such as log and password files. For example, this query searches for log files, which often have the .log file extension, on the target site:
filetype:log site:example.com
You can use the wildcard operator (*) within searches to stand for any word or series of words
"how to hack * using Google"
Adding quotation marks around your search terms forces an exact match
"how to hack"
The or operator is denoted with the pipe character (|) and can be used to search for one search term or the other, or both at the same time. The pipe character must be surrounded by spaces. For example, this query will search for how to hack on either Reddit or Stack Overflow:
"how to hack" site:(reddit.com | stackoverflow.com)
The minus operator (-) excludes certain search results. For example, let's say you're interested in learning about websites that discuss hacking, but not those that discuss hacking PHP:
"how to hack websites" -php
Useful dorks against a target (ext: is an alias of filetype:):
site:*.example.com (any subdomain of the target)
site:example.com inurl:app/kibana (exposed Kibana dashboards)
site:s3.amazonaws.com COMPANY_NAME (S3 buckets indexed under the company name)
site:example.com ext:php (PHP endpoints)
site:example.com ext:log (exposed log files)
site:example.com ext:txt password (text files mentioning passwords)
Google Hacking Database https://www.exploit-db.com/google-hacking-database/
Scope Discovery
WhoIs and Reverse WhoIs
$ whois facebook.com
You could then conduct a reverse WHOIS search, searching a database by using an organization name, a phone number, or an email address to find domains registered with it. This way, you can find all the domains that belong to the same owner. Reverse WHOIS is extremely useful for finding obscure or internal domains not otherwise disclosed to the public.
IP Addresses
Find the IP address of a domain you know by running the nslookup command.
$ nslookup facebook.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: facebook.com
Address: 157.240.2.35
Perform a reverse IP lookup. Reverse IP searches look for domains hosted on the same server, given an IP or domain. You can also use ViewDNS.info for this. Keep in mind that on shared hosting or behind a CDN many unrelated domains sit on one IP, so a shared address alone does not prove a domain belongs to your target.
Run the whois command on an IP address, and then see if the target has a dedicated IP range by checking the NetRange and CIDR fields:
$ whois 157.240.2.35
NetRange: 157.240.0.0 - 157.240.255.255
CIDR: 157.240.0.0/16
NetName: THEFA-3
NetHandle: NET-157-240-0-0-1
Parent: NET157 (NET-157-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Facebook, Inc. (THEFA-3)
Another way of finding IP addresses in scope is by looking at autonomous systems, which are routable networks within the public internet. Autonomous system numbers (ASNs) identify the operators of these networks. If two IP addresses share an ASN, they are routed by the same operator, which is good evidence (but not proof) that they belong to the same owner: a cloud or hosting provider's ASN covers thousands of unrelated customers.
$ whois -h whois.cymru.com 157.240.2.20
AS | IP | AS Name
32934 | 157.240.2.20 | FACEBOOK, US
$ whois -h whois.cymru.com 157.240.2.27
AS | IP | AS Name
32934 | 157.240.2.27 | FACEBOOK, US
$ whois -h whois.cymru.com 157.240.2.35
AS | IP | AS Name
32934 | 157.240.2.35 | FACEBOOK, US
The -h flag in the whois command sets the WHOIS server to retrieve information from, and whois.cymru.com is Team Cymru's IP-to-ASN mapping service.
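Turning the two lookups above into something you can run over a list of candidate IPs: the following is an added example, not from the original notes, that parses the CIDR/NetRange fields of an ARIN whois record into networks, tests whether an IP falls inside them, and groups Team Cymru results by ASN. The whois text embedded below is a constructed sample in the same layout as the output shown above, and the 203.0.113.5 / AS64496 row uses documentation-reserved values.

```python
import ipaddress
import re

# Constructed sample output in the layout that `whois <ip>` (ARIN) and
# `whois -h whois.cymru.com <ip>` print; not captured from a live query.
ARIN_WHOIS = """\
NetRange:       157.240.0.0 - 157.240.255.255
CIDR:           157.240.0.0/16
NetName:        THEFA-3
Organization:   Facebook, Inc. (THEFA-3)
"""

CYMRU_WHOIS = """\
AS      | IP               | AS Name
32934   | 157.240.2.20     | FACEBOOK, US
32934   | 157.240.2.27     | FACEBOOK, US
64496   | 203.0.113.5      | EXAMPLE-AS, ZZ
"""


def parse_netrange(whois_text):
    """Return the networks a whois record assigns, preferring CIDR: over NetRange:."""
    nets = []
    for line in whois_text.splitlines():
        m = re.match(r"CIDR:\s*(.+)", line)
        if m:  # ARIN may list several comma-separated blocks on one CIDR line
            nets += [ipaddress.ip_network(c.strip(), strict=False) for c in m.group(1).split(",")]
    if not nets:  # no CIDR line: derive the blocks from the NetRange bounds
        m = re.search(r"NetRange:\s*(\S+)\s*-\s*(\S+)", whois_text)
        if m:
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            nets = list(ipaddress.summarize_address_range(first, last))
    return nets


def in_scope(ip, nets):
    """True if ip falls inside any of the allocated networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_cymru(text):
    """Map IP -> (ASN, AS name) from Team Cymru's pipe-separated output, skipping the header."""
    mapping = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            mapping[parts[1]] = (int(parts[0]), parts[2])
    return mapping


def group_by_asn(mapping):
    """Bucket the looked-up IPs by ASN so candidate ranges can be reviewed per operator."""
    groups = {}
    for ip, (asn, _name) in mapping.items():
        groups.setdefault(asn, []).append(ip)
    return groups


def same_asn(mapping, ip_a, ip_b):
    """Same ASN is evidence, not proof, of common ownership: cloud and hosting ASNs are shared."""
    return ip_a in mapping and ip_b in mapping and mapping[ip_a][0] == mapping[ip_b][0]


if __name__ == "__main__":
    nets = parse_netrange(ARIN_WHOIS)
    print("allocated:", [str(n) for n in nets], "157.240.2.35 in scope:", in_scope("157.240.2.35", nets))
    print("by ASN:", group_by_asn(parse_cymru(CYMRU_WHOIS)))
```

To use it on real data, pipe the output of `whois <ip>` and `whois -h whois.cymru.com <ip>` into the two parsers; Team Cymru also accepts a bulk list over netcat, which is the sensible route once you have more than a handful of addresses.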
Certificate Parsing
An SSL/TLS certificate's Subject Alternative Name (SAN) field lets the certificate owner list additional hostnames covered by the same certificate, so you can harvest hostnames by parsing this field. Wildcard entries such as *.rampart.facebook.com only give you the parent name, not the hosts beneath it.
Use online databases that index Certificate Transparency logs, such as crt.sh, Censys, and Cert Spotter, to find certificates issued for a domain.
example:
X509v3 Subject Key Identifier:
15:FA:54:EC:86:AD:21:94:1E:1D:30:C5:CA:93:45:77:A7:98:6E:B1
X509v3 Subject Alternative Name:
DNS:*.rampart.facebook.com
DNS:*.svcscm.rampart001.rampart.facebook.com
DNS:*.svcscm.rampart001.rampart.oculus.com
DNS:*.svcscm.rampart002.rampart.facebook.com
DNS:*.svcscm.rampart002.rampart.oculus.com
DNS:*.svcscm.rampart003.rampart.facebook.com
DNS:*.svcscm.rampart003.rampart.oculus.com
DNS:*.svcscm.rampart004.rampart.facebook.com
DNS:*.svcscm.rampart004.rampart.oculus.com
DNS:*.svcscm.rampart005.rampart.facebook.com
DNS:*.svcscm.rampart005.rampart.oculus.com
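The SAN dump above is what `openssl x509 -noout -text` prints; pulling hostnames out of it by hand gets old after the second certificate. The following is an added example (not from the original notes) that parses the Subject Alternative Name block from such a text dump, strips wildcard prefixes, and reduces the result to apex domains. The certificate text embedded below is a constructed excerpt that reuses the DNS names above; the IP Address and email entries are made up to show that SANs carry more than DNS names.

```python
# Constructed excerpt in the layout `openssl x509 -noout -text` prints; the DNS
# names mirror the example above, the IP and email entries are made up.
CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                15:FA:54:EC:86:AD:21:94:1E:1D:30:C5:CA:93:45:77:A7:98:6E:B1
            X509v3 Subject Alternative Name:
                DNS:*.rampart.facebook.com, DNS:*.svcscm.rampart001.rampart.facebook.com,
                DNS:*.svcscm.rampart001.rampart.oculus.com, DNS:*.svcscm.rampart002.rampart.facebook.com,
                DNS:*.svcscm.rampart002.rampart.oculus.com, IP Address:192.0.2.10, email:ops@example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""


def extract_sans(cert_text):
    """Return SAN entries as (kind, value) tuples, e.g. ("DNS", "*.rampart.facebook.com")."""
    lines = cert_text.splitlines()
    entries = []
    for i, line in enumerate(lines):
        if not line.strip().startswith("X509v3 Subject Alternative Name:"):
            continue
        indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break  # back at extension-header depth: the SAN block is finished
            for item in nxt.split(","):
                kind, _, value = item.strip().partition(":")
                if value:  # skips the empty item left by a trailing comma
                    entries.append((kind, value))
        break
    return entries


def hostnames(entries):
    """DNS entries with the wildcard prefix stripped, lower-cased, deduplicated in order."""
    seen = []
    for kind, value in entries:
        if kind != "DNS":
            continue
        host = value.lower()
        if host.startswith("*."):
            host = host[2:]
        if host not in seen:
            seen.append(host)
    return seen


def apex_domains(hosts):
    """Registrable domains, approximated as the last two labels. This has no public-suffix
    list, so names under suffixes like co.uk would need a PSL lookup instead."""
    return sorted({".".join(h.split(".")[-2:]) for h in hosts})


def san_summary(cert_text):
    """Everything recon cares about from one certificate, grouped by entry type."""
    entries = extract_sans(cert_text)
    hosts = hostnames(entries)
    return {
        "hosts": hosts,
        "apexes": apex_domains(hosts),
        "ips": [v for k, v in entries if k == "IP Address"],
        "emails": [v for k, v in entries if k == "email"],
    }


if __name__ == "__main__":
    for key, values in san_summary(CERT_TEXT).items():
        print(key, values)
```

Feed it real certificates with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -text`, or the PEM downloads from crt.sh run through the same `openssl x509 -noout -text`. The apex list is the part worth reading closely: a second apex such as oculus.com showing up on a target's certificate is exactly the kind of scope lead this section is about.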
Subdomain Enumeration
Sublist3r works by querying search engines and online subdomain databases, while SubBrute is a brute-forcing tool that guesses possible subdomains until it finds real ones. Amass uses a combination of DNS zone transfers, certificate parsing, search engines, and subdomain databases to find subdomains.
Daniel Miessler’s SecLists https://github.com/danielmiessler/SecLists/
Commonspeak2 https://github.com/assetnote/commonspeak2/
Merging two wordlists and removing duplicates:
sort -u wordlist1.txt wordlist2.txt
Gobuster for sub-domain enum:
gobuster dns -d target_domain -w wordlist
Once you've found a good number of subdomains, you can discover more by identifying patterns. For example, if you find two subdomains of example.com named 1.example.com and 3.example.com, you can guess that 2.example.com is probably also a valid subdomain.
A good tool for automating this process is Altdns (https://github.com/infosec-au/altdns/), which discovers subdomains with names that are permutations of other subdomain names.
You can find subdomains of subdomains by running enumeration tools recursively: add the results of your first run to your Known Domains list and run the tool again. Ref:
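The numeric-pattern guess, the Altdns-style permutations, the `sort -u` wordlist merge and the recursive re-run above fit together as one loop. The following is an added example, not from the notes and not Altdns's own code: it generates neighbouring numbers for numbered labels, builds word permutations, and feeds confirmed results back into the known set until a round finds nothing new. DNS resolution is replaced by a constructed set of "live" names so the run works offline; to use it for real, pass a `resolves` callable that does an actual lookup (for example one wrapping `socket.gethostbyname` with the exception swallowed).

```python
import re

NUMBERED = re.compile(r"^(.*?)(\d+)(\D*)$")


def numeric_neighbors(known, spread=2):
    """web1 -> web0..web3 (zero padding kept), minus names already known."""
    guesses = set()
    for host in known:
        label, _, rest = host.partition(".")
        m = NUMBERED.match(label)
        if not m or not rest:
            continue
        prefix, num, suffix = m.groups()
        for n in range(max(0, int(num) - spread), int(num) + spread + 1):
            guesses.add(f"{prefix}{str(n).zfill(len(num))}{suffix}.{rest}")
    return guesses - set(known)


def word_permutations(known, words, apex):
    """Altdns-style guesses: a word as a new label, or as a hyphenated prefix/suffix."""
    guesses = set()
    for host in known:
        if host == apex or not host.endswith("." + apex):
            continue
        sub = host[: -len(apex) - 1]  # "api" for api.example.com
        labels = sub.split(".")
        for w in words:
            guesses.add(f"{w}.{host}")                                   # dev.api.example.com
            guesses.add(f"{w}-{sub}.{apex}")                             # dev-api.example.com
            guesses.add(f"{sub}-{w}.{apex}")                             # api-dev.example.com
            guesses.add(".".join([labels[0], w] + labels[1:] + [apex]))  # api.dev.example.com
    return guesses - set(known)


def merge_wordlists(*lists):
    """What `sort -u wordlist1.txt wordlist2.txt` does: union, deduplicated, sorted."""
    return sorted({w.strip().lower() for lst in lists for w in lst if w.strip()})


def enumerate_recursively(seed, words, apex, resolves, max_rounds=5):
    """Generate guesses from the known set, keep the ones that resolve, fold them back in
    and repeat until a round adds nothing. `resolves(host)` stands in for a DNS lookup."""
    known = set(seed)
    for _ in range(max_rounds):
        candidates = numeric_neighbors(known) | word_permutations(known, words, apex)
        new = {c for c in candidates if resolves(c)} - known
        if not new:
            break
        known |= new
    return sorted(known)


# Constructed stand-in for "what actually resolves", so the run works offline.
LIVE = {
    "api.example.com", "dev.api.example.com", "staging.dev.api.example.com",
    "web1.example.com", "web2.example.com", "web3.example.com",
}


def demo():
    """Two seed names grow to six over two recursive rounds against the constructed LIVE set."""
    words = merge_wordlists(["dev", "staging"], ["Dev", "qa"])
    return enumerate_recursively(["api.example.com", "web1.example.com"], words, "example.com", LIVE.__contains__)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real target the candidate set grows fast (every known name times every word times four shapes), so keep `words` to a few hundred entries from a list like Commonspeak2 and bound `max_rounds`; the second round is where staging.dev.api.example.com-style names appear, and a third rarely adds much.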