Hey Comrades,
As you may know, recon is the most important step in compromising a target's infrastructure: a company cannot protect what it does not know it owns. There are many methods and techniques for getting familiar with a target's environment, and the mix of tools and skill invested in reconnaissance is what determines whether you are going to get in or not.
The methodology I am about to describe let me map out essentially all of the target's infrastructure using Subbrute, Gotator and httpx. In short: Subbrute brute-forces the target's subdomains, Gotator generates permutations of those subdomains (deeper levels such as subdomains of subdomains, plus prefixed, suffixed and hyphenated variants), and httpx tells you which of the resulting hostnames actually answer over HTTP.
For example I ran:
python3 subbrute.py target.com > subs.txt
The output is a list of the target's subdomains, one per line, stored in subs.txt.
Then I passed that file to Gotator to generate permutations of every hostname in subs.txt (new levels such as dev.api.target.com, and joined or hyphenated variants such as dev-api.target.com).
Of course the Gotator output is massive, because it tries every combination of its wordlist with every subdomain, and most of the candidates do not exist. So, to filter the output I piped it into the mighty httpx and stored the hosts that answered in a file called aliveGotator.txt. Also, you don't want to trigger a WAF and get blocked, so rate-limit httpx to fewer than 50 requests per second with -rl; its default is 150 requests per second (-t lowers the number of concurrent threads, default 50). Deduplicating the candidate list before probing also saves a lot of those requests, since httpx will otherwise try every repeated hostname.
gotator -sub /Users/whalebone/Desktop/subs.txt | httpx -rl 50 -t 10 > aliveGotator.txt
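To see why the Gotator stage blows up, and why the rate limit matters, here is an added example (my own code, not Gotator's or Subbrute's) that builds the same kinds of hostname permutations offline from a small constructed subs.txt and wordlist, dedupes them, drops the hosts you already know, and works out how long probing them takes at a given -rl. The apex "target.com", the sample hosts and the three permutation words are all constructed inputs.

```python
import math

# Constructed stand-in for the subs.txt that Subbrute would write
# (note the duplicate in different case, which a real list often contains).
SAMPLE_SUBS = """
www.target.com
api.target.com
dev.api.target.com
WWW.target.com
"""

# Constructed permutation words; a real run uses a wordlist of thousands.
SAMPLE_PERMS = ["dev", "staging", "admin"]


def parse_hosts(text):
    """Normalise a hostname list: lowercase, strip trailing dots, dedupe, keep order."""
    seen, hosts = set(), []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def permute(host, words, apex):
    """Depth-1 permutations of one host, in the style Gotator uses.

    Only the labels left of the apex are mutated, so the registrable domain
    is never mangled. Hosts outside the apex are skipped (returns []).
    """
    labels = host.split(".")
    apex_labels = apex.split(".")
    if labels[-len(apex_labels):] != apex_labels:
        return []
    sub = labels[:-len(apex_labels)]
    cands = set()
    for w in words:
        # New leftmost level: dev.www.target.com
        cands.add(".".join([w] + sub + apex_labels))
        if sub:
            first, rest = sub[0], sub[1:]
            # Joined / hyphenated prefix: devwww.target.com, dev-www.target.com
            cands.add(".".join([w + first] + rest + apex_labels))
            cands.add(".".join([w + "-" + first] + rest + apex_labels))
            # Joined / hyphenated suffix: wwwdev.target.com, www-dev.target.com
            cands.add(".".join([first + w] + rest + apex_labels))
            cands.add(".".join([first + "-" + w] + rest + apex_labels))
            # Inserted second level: www.dev.target.com
            cands.add(".".join([first, w] + rest + apex_labels))
    cands.discard(host)
    return sorted(cands)


def generate(subs_text, words, apex):
    """All candidates for every known host, deduped, minus hosts already known."""
    hosts = parse_hosts(subs_text)
    result = set()
    for host in hosts:
        result.update(permute(host, words, apex))
    result.difference_update(hosts)  # no point re-probing what subbrute already found
    return sorted(result)


def seconds_to_probe(candidates, rate_limit):
    """Lower bound on wall-clock time to send one request per candidate at -rl rate_limit."""
    return math.ceil(len(candidates) / rate_limit)


if __name__ == "__main__":
    cands = generate(SAMPLE_SUBS, SAMPLE_PERMS, "target.com")
    print(f"{len(parse_hosts(SAMPLE_SUBS))} known hosts x {len(SAMPLE_PERMS)} words "
          f"-> {len(cands)} new candidates, ~{seconds_to_probe(cands, 50)}s at -rl 50")
    for c in cands:
        print(c)
```

Three hosts and three words already yield 50 new candidates; each known host contributes up to six per word, so with a few thousand hosts and a real wordlist you get millions of names, and at 50 requests per second httpx needs days to touch them all. That is the practical argument for deduplicating, and for resolving the candidates before you hand them to httpx rather than letting the HTTP probe be your first filter.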
Now you have almost every possible subdomain. Go get that bounty ;)!