Recon Step/ Methodology

3 years ago 338

Vengeance

This is just a self-note on different steps to perform while approaching a target.

1. Perform whois search and other lookups [dmitry]
2. Perform nikto scan [Domain and SubDomains]
3. Perform wpscan on WordPress sites [Domain and SubDomains]
4. Perform ASN enumeration and find acquisitions of a target

To find acquisitions you can use Crunchbase and other sources like Wikipedia, Google, etc.
To find the ASN number, use http://bgp.he.net and asnlookup.com
You can use the ASN in amass to find seed domains
Command: amass intel -asn 46489

5. Find subdomains from multiple tools [amass, assetfinder, findomain, etc]

assetfinder
assetfinder -subs-only cynicaltechnology.com | anew subdomains

findomain
findomain -o -t cynicaltechnology.com
[using -o output will be saved in ./cynicaltechnology.com.txt]

findomain -f wildcards -u findomain-subdomain
[-f will read from a file & -u is used to provide own file name]

6. Perform Subdomain bruteforce [amass and other tools]

Subdomain Bruteforce using amass
Command: amass enum -brute -d twitch.tv -src (it has a built-in wordlist, but you can specify your own list)
You can also specify any number of resolvers
amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list

7. Probe for working http/ https servers from a list of domains [httprobe or httpx (with title, status code, content length)]
8. Use Aquatone or EyeWitness to screenshot the domain list, and also check the domains manually
9. Perform Directory Brute force

10. Find S3 Buckets of the company/ target

Find Amazon S3 Buckets of the company (which are misconfigured):
- Using a google dork to find them: site:s3.amazonaws.com + hackme.tld
- We can look them up on github: “hackme.tld” + “s3”
- We can bruteforce AWS to find specific s3 buckets and automate this to speed it up
[Lazys3](http://github.com/nahamsec/lazys3) was developed based on method #3.

13. Perform github recon, google dorking, bing, duckduckgo

Resources:
https://securitytrails.com/blog/github-dorks

14. Use waybackurls and gau
15. Perform port scanning [nmap or masscan]
16. Find the technologies used (builtwith.com)
17. Perform different searches and extract information from shodan.io and censys.io

Censys.io
There are different methods and syntaxes to discover content using censys (https://censys.io/overview).
For example, using the string `443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:Yahoo.com` allows us to pull any subdomains/properties that point to Yahoo.com.
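As an added example (not code from the original post), a small Python script that does the merge-and-dedupe step behind `anew` for the tool outputs of step 5 and harvests SAN names along the Censys field path quoted above, keeping only hosts under an assumed in-scope apex domain. The tool output lines and the Censys record are constructed for the example, not real results.

```python
import re

# Assumed in-scope apex domain(s); the real list comes from the program scope.
APEX_DOMAINS = {"example.com"}

# Sample tool output, constructed for this example (not real scan results).
ASSETFINDER_OUT = ["www.example.com", "Example.COM", "mail.example.com."]
FINDOMAIN_OUT = ["*.dev.example.com", "api.example.com", "example.com.evil.net"]
HTTPX_OUT = ["https://shop.example.com:8443/login"]
# Constructed record mirroring the Censys field path quoted in this post.
CENSYS_RECORD = {"443": {"https": {"tls": {"certificate": {"parsed": {"extensions": {
    "subject_alt_name": {"dns_names": ["*.example.com", "cdn.example.com", "other-company.net"]}}}}}}}}

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(name):
    """Lowercase, drop scheme/port/path and trailing dot, strip a wildcard label."""
    name = re.sub(r"^[a-z]+://", "", name.strip().lower())
    name = name.split("/")[0].split(":")[0].rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name, apex_domains=APEX_DOMAINS):
    """True only for the apex itself or a real subdomain of it (no suffix tricks)."""
    return any(name == apex or name.endswith("." + apex) for apex in apex_domains)


def san_names(record):
    """Walk the path 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names."""
    cert = record["443"]["https"]["tls"]["certificate"]["parsed"]
    return cert["extensions"]["subject_alt_name"]["dns_names"]


def merge(sources, apex_domains=APEX_DOMAINS):
    """Union of every source (what `anew` does line by line), normalized and scoped."""
    seen = set()
    for lines in sources:
        for raw in lines:
            host = normalize(raw)
            if HOSTNAME_RE.match(host) and in_scope(host, apex_domains):
                seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    for host in merge([ASSETFINDER_OUT, FINDOMAIN_OUT, HTTPX_OUT, san_names(CENSYS_RECORD)]):
        print(host)
```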

https://dnsdumpster.com/
https://www.threatcrowd.org/
https://censys.io/
https://shodan.io
https://www.zoomeye.org/
https://crt.sh/
reverseip lookup (https://yougetsignal.com)
https://virustotal.com
