Resources
- Core Concepts
- Exploitation
Commands
- General
- Fingerprinting
- File Fuzzing
-e .php # change the extension based on your site
- Explore JS & webarchive
./wayback_crawler.sh -d facebook.com -e txt # My own script
cat * | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-Za-z]))\w+" | sort -u | grep facebook.com # subdomains
cat * | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u # endpoints (quoted absolute paths)
js-beautify rocket-loader.min.js > beauty_rocket-loader.min.js # prettify minified JS before reading it
- Parameters
arjun -u https://facebook.com --passive # parameter names from passive sources
echo facebook.com | gau --subs | grep '=' | unfurl keys | sort -u # parameter names seen in archived URLs
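The two grep one-liners under "Explore JS & webarchive" above, wrapped as reusable functions and run over a constructed sample JS file. This is an added example, not code from the original notes or from any of the tools listed; the sample file, its hostnames and the `extract_*` function names are assumptions for illustration. It also fixes the boundary problem of a naive grep: only tokens that end in the target domain count, so `cdn.facebook.com.evil.io` is not reported as in scope.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): subdomain and endpoint
# extraction from crawled JS / Wayback output, as functions.
# Real use: extract_subdomains facebook.com crawl-output/*

# Hostnames ending in the target domain, one per line, lower-cased, deduplicated.
# Tokenise on hostname characters first, then keep only tokens that END in the
# target domain, so "cdn.facebook.com.evil.io" does not leak into scope.
extract_subdomains() {
  local domain esc
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')      # escape dots for the regex
  grep -ohE '[a-zA-Z0-9._-]+' "$@" \
    | tr '[:upper:]' '[:lower:]' \
    | grep -E "^([a-z0-9_-]+\.)+${esc}\$" \
    | LC_ALL=C sort -u
}

# Quoted absolute paths ("/api/v1/users?id=" or '/graphql') with the quotes
# stripped; protocol-relative URLs ("//host/...") are dropped.
extract_endpoints() {
  grep -ohE "[\"']/[a-zA-Z0-9_./?=&-]*[\"']" "$@" \
    | sed "s/^[\"']//; s/[\"']\$//" \
    | grep -v '^//' \
    | LC_ALL=C sort -u
}

# Constructed sample input standing in for crawler / wayback output (assumption).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_JS="$SAMPLE_DIR/app.js"
cat > "$SAMPLE_JS" <<'EOF'
var cdn   = "https://static.facebook.com/js/app.js";
var graph = "//graph.facebook.com/v12.0";
fetch("/api/v1/users?id=");
$.get('/graphql');
var decoy = "cdn.facebook.com.evil.io";      // out of scope, must not match
EOF

extract_subdomains facebook.com "$SAMPLE_JS"   # graph.facebook.com, static.facebook.com
extract_endpoints "$SAMPLE_JS"                 # /api/v1/users?id=, /graphql
```

Pass the whole crawl directory (`crawl-output/*`) as the file arguments; `grep -h` keeps filenames out of the output so `sort -u` deduplicates across files.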
- Crawling
photon -u https://facebook.com -e json -o ./smartcrwl --wayback
katana -u https://facebook.com/CTSC -jc -c 3 -headless --no-sandbox -d 10 -kf all -H 'Cookie: JSESSIONID=gph_lasdifj2389fjwe9ufhwe89fh234w' # -kf needs a value: all, robotstxt or sitemapxml
gospider -s https://facebook.com/CTSC -H 'Cookie: JSESSIONID=gph_lasdifj2389fjwe9ufhwe89fh234w' --sitemap --robots -o ./crwl
python3 ReconSpider.py https://facebook.com # wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
- Technologies
whatweb https://facebook.com/CTSC -a 4 -H 'Cookie: JSESSIONID=gph_lasdifj2389fjwe9ufhwe89fh234w' # -a 4 = heavy aggression, more requests but a fuller fingerprint
curl -I inlanefreight.com # compare the HTTP and HTTPS response headers (server banner, redirects)
curl -I https://inlanefreight.com
wafw00f https://facebook.com
nikto -h facebook.com -Tuning b # -Tuning b = software identification only
- Cloud or Server
host flaws.cloud # look at the IPs
nslookup 52.218.201.195 # reverse lookup; the PTR record often names the hosting provider
- Subdomain Enum
- Prerequisites
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt # build a list of reliable public resolvers first
- Bruteforce
shuffledns -d facebook.com -w best-dns-wordlist.txt -r resolvers.txt -mode bruteforce
gobuster dns -d facebook.com -w best-dns-wordlist.txt -t 50
- Hybrid
subfinder -d facebook.com -rL resolvers.txt -all -o subfinder.txt -ip -nW # -ip prints resolved IPs, -nW keeps only active (non-wildcard) hosts
subfinder -d facebook.com -all -o juicy.txt
for domain in $(cat juicy.txt); do host $domain; done | grep "has address"
- Subject Alternative Name (SAN)
true | openssl s_client -connect sub.facebook.com:443 -servername sub.facebook.com 2>/dev/null | openssl x509 -noout -text | grep "DNS" | tr ',' '\n' | cut -d ":" -f2 # -servername sends SNI so a shared front end returns the cert for that name
- vhosts
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://62.171.184.221 -H "Host: FUZZ.facebook.com"
interlace -tL ips.txt -threads 10 -c "ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://_target_ -H 'Host: FUZZ.facebook.com' -fc 403,404,301,302 -o _target_-ffuf.txt" # interlace substitutes each IP from ips.txt for _target_
gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
gobuster vhost --url http://192.168.99.9:50092 -r -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain --domain inlanefreight.htb # The best
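The SAN one-liner above grabs the certificate over the network and scrapes it with grep and cut, which also lets `IP Address:` and `email:` entries through. Below is an added example (not from the original notes) that does the parsing as a function over a PEM file, so it works on a certificate saved from `openssl s_client` and, as shown, on a locally generated self-signed certificate. The certificate, its `example.com` names and the `san_dns_names` function name are constructed for illustration; `-addext` and `-ext` need OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): list the DNS names in a
# certificate's Subject Alternative Name extension. IP:/email: entries are
# dropped so only hostnames reach the subdomain list.

san_dns_names() {
  # $1 = PEM certificate file; prints one hostname per line, sorted, deduplicated
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p' \
    | LC_ALL=C sort -u
}

# Live use (needs network, so commented out). -servername sends SNI so a shared
# front end returns the cert for that name rather than its default one:
# openssl s_client -connect sub.facebook.com:443 -servername sub.facebook.com </dev/null 2>/dev/null \
#   | openssl x509 > live.pem && san_dns_names live.pem

# Constructed sample (assumption): a self-signed cert whose SAN carries three
# DNS names and one IP address, generated offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CERT="$SAMPLE_DIR/san.pem"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:api.example.com,DNS:*.cdn.example.com,IP:203.0.113.10" \
  -keyout "$SAMPLE_DIR/key.pem" -out "$SAMPLE_CERT" >/dev/null 2>&1

san_dns_names "$SAMPLE_CERT"   # *.cdn.example.com  api.example.com  www.example.com
```

Wildcard entries such as `*.cdn.example.com` are kept on purpose: they are not resolvable names, but they tell you which sub-zones are worth brute-forcing next.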
- Automation
amass enum -active -d paypal.com
nuclei -target https://facebook.com/CTSC -headless -H 'Cookie: JSESSIONID=gph_lasdifj2389fjwe9ufhwe89fh234w'
finalrecon --url https://facebook.com --full -dt 80 -T 5
# Misc
amass db -list
amass db -show -d owasp.org
amass viz -d3 -dir paypal
amass track -d paypal.com
- Filtration
cat sub.txt | httpx -sc -cl --title -ip -favicon -o facebook-alive-subdomain.txt # live domains
cat facebook-alive-subdomain.txt | awk '{print $1}' > eyewitness_targets.txt
eyewitness -f eyewitness_targets.txt --web --timeout 50 -d screenshots
jq -r 'select(.status == 200) | .url + " " + (.status|tostring)' fero.json # keep only the URLs that answered 200
Tools
- Dnsvalidator : https://github.com/vortexau/dnsvalidator
- shuffledns : https://github.com/projectdiscovery/shuffledns
- eyewitness : https://github.com/RedSiege/EyeWitness
- bbot : https://github.com/blacklanternsecurity/bbot
- js-beautify : https://github.com/beautifier/js-beautify | https://beautifier.io/
- Photon : https://github.com/s0md3v/Photon
- katana : https://github.com/projectdiscovery/katana
- wappalyzer : https://www.wappalyzer.com/
- Finalrecon : https://github.com/thewhiteh4t/FinalRecon
Notes
Tips
- For custom wordlist
sed 's/^/facebook-/' /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt > facebook_wordlist.txt # prefix every entry with the target name
How it works?
Vhost
