One of the most used tools for this activity is whois. There are several web-based services, and you can also use it from the command line:
whois <domain>
Another interesting footprinting technique is reverse DNS: enumerating the domains that point to the same IP address, which may or may not be related to each other (shared hosting).
There are several DNS utility tools; which one you use depends on your preference:
# dig @<DNS Server> <domain> <record>
dig @8.8.4.4 google.com ANY
dnsenum google.com
dnsrecon google.com
If you want to understand more about DNS entries, I recommend taking a look at this CloudFlare post.
The host command allows you to list the IPs of a domain, but these are not always the real origin servers, as they may sit behind firewalls/proxies. To check for this there is the wafw00f tool (or you can use Nmap scripts):
wafw00f <url>
nmap -p 80,443 <host> --script=http-waf-detect
nmap -p 80,443 <host> --script=http-waf-fingerprint
While you are at it, you can test for SPF misconfiguration, which allows anyone to send emails using someone else's domain:
host -t TXT <host>
If the SPF TXT record ends in ?all, the server is vulnerable. If it ends in ~all, the failure has a minor impact, since the email will land in the SPAM folder (it's worth noting that most bug bounty programs disregard the bug in this case). The server is safe if it ends in -all.
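To turn the rule above into a repeatable check, here is an added example (not code from the original post) that parses the raw output of `host -t TXT` and classifies the SPF policy by its `all` qualifier; it goes a little beyond the text by also handling `+all`, a missing `all` term and duplicate SPF records. The sample `host` output is constructed, and no DNS lookup is performed.

```python
import re

# Constructed sample of what `host -t TXT example.com` prints (not real data);
# long TXT records are printed as several quoted chunks that must be joined.
SAMPLE_HOST_OUTPUT = """\
example.com descriptive text "google-site-verification=abc123"
example.com descriptive text "v=spf1 " "include:_spf.example.net ~all"
"""

# Verdicts follow the article's rule; +all and a missing all are added cases.
QUALIFIER_VERDICT = {
    "+": "vulnerable (+all: anyone may send as this domain)",
    "?": "vulnerable (?all: neutral, no policy enforced)",
    "~": "minor impact (~all: soft fail, mail lands in spam)",
    "-": "safe (-all: hard fail)",
}

def txt_records(host_output):
    """Join the quoted chunks of each `descriptive text` line into one record."""
    records = []
    for line in host_output.splitlines():
        if "descriptive text" in line:
            records.append("".join(re.findall(r'"([^"]*)"', line)))
    return records

def spf_all_qualifier(record):
    """Return the qualifier of the first `all` term ('+', '-', '~', '?'),
    or None when the record has no explicit `all` (implicit neutral)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: no qualifier means '+'
    return None

def assess_spf(host_output):
    """Map raw `host -t TXT` output to an SPF verdict."""
    spf = [r for r in txt_records(host_output) if r.lower().startswith("v=spf1")]
    if not spf:
        return "no SPF record published"
    if len(spf) > 1:
        return "invalid: multiple SPF records (receivers return permerror)"
    qualifier = spf_all_qualifier(spf[0])
    if qualifier is None:
        return "no explicit all term: defaults to neutral, treat like ?all"
    return QUALIFIER_VERDICT[qualifier]

if __name__ == "__main__":
    print(assess_spf(SAMPLE_HOST_OUTPUT))
```

Pipe real output in with `host -t TXT <host> | python3 spf_check.py` after replacing the sample with `sys.stdin.read()`.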
You can also test for DNS zone transfer, which is a serious flaw and rarely found nowadays, but it doesn't hurt to try:
host -t ns <host>
dig axfr @<ns> <host>
This flaw allows you to list all subdomains and DNS records of the zone, which reveals a lot of information about the target.
One of the most used tools in bug bounty for enumerating subdomains is sublist3r:
sublist3r -d <domain> -t <threads> -e <engines: bing,google>
Other interesting tools are FFuF and Amass:
ffuf -w <wordlist> -u https://FUZZ.<website>
# VHost Enumeration
ffuf -w <wordlist> -H "Host: FUZZ.<website>" -u <url>
amass enum -d <domain>
Another way to enumerate subdomains is through the domain's digital certificates (Certificate Transparency logs). There are services that do this, like crt.sh.
Recently I developed a script that uses the crt.sh API to export subdomains via CLI:
# Installation
git clone https://github.com/DavidKarpinski/crt-subdomain-enum.git
cd crt-subdomain-enum
npm i
# Usage
nodejs index.js <domain> | tee <output file>
It is also very useful to do a quick SYN scan of all ports to get a superficial view of the target, and then map the ports found in more detail with an aggressive scan:
nmap -T4 -p- <host> -sS -Pn -oN scan.initial
nmap -A <host> -p <comma-separated ports> -Pn -oN scan.aggressive # Warning: very loud!
After scanning for open ports, it is helpful to know how to enumerate specific services, such as SMB and RPC:
# SMB (default ports: 139 and 445)
nbtscan <host> # Scan AD Network
smbclient -L <host> # List all shares
smbclient //<host>/<share> # Access a specific share
smbclient //<host>/<share> -U <username>
# RPC
rpcclient <host>
rpcclient <host> -U <username> -P <password> # If you already have credentials
By employing a combination of tools and methodologies outlined in this article, a hacker can effectively map out the network landscape, identify potential weaknesses, and fortify defenses against cyber threats.
Thanks!
Happy Hacking!