Methodology update - design + nmap

Swissky 2017-03-26 18:00:23 +02:00
parent 90265b8250
commit af01b04a30


@ -1,17 +1,15 @@
# Methodology and Enumeration # Bug Hunting Methodology and Enumeration
## Bug Hunting Methodology ## Enumerate all subdomains (only if the scope is *.domain.ext)
* Enumerate all subdomains (only if the scope is *.domain.ext)
Using Subbrute * Using Subbrute
``` ```
git clone https://github.com/TheRook/subbrute git clone https://github.com/TheRook/subbrute
python subbrute.py domain.example.com python subbrute.py domain.example.com
``` ```
* Using KnockPy with Daniel Miesslers SecLists for subdomain "/Discover/DNS"
Using KnockPy with Daniel Miesslers SecLists for subdomain "/Discover/DNS"
``` ```
git clone https://github.com/guelfoweb/knock git clone https://github.com/guelfoweb/knock
git clone https://github.com/danielmiessler/SecLists.git git clone https://github.com/danielmiessler/SecLists.git
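Review bot: the Subbrute snippet clones into `subbrute/` but then runs `python subbrute.py domain.example.com` from the parent directory, so the script is not found; add `cd subbrute` between the two lines. Minor: `Daniel Miesslers SecLists` wants the possessive apostrophe (`Daniel Miessler's`), and the scope caveat in the new `## Enumerate all subdomains (only if the scope is *.domain.ext)` heading is worth keeping, since it is the only authorization note in this section.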
@ -19,16 +17,14 @@ git clone https://github.com/danielmiessler/SecLists.git
knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
``` ```
* Using Google Dorks
Using Google Dorks
``` ```
site:*.domain.com -www site:*.domain.com -www
site:http://domain.com ext:php site:http://domain.com ext:php
site:http://domain.com filetype:pdf site:http://domain.com filetype:pdf
``` ```
* Using Jason Haddix's enumall Recon-ng script,
Using Jason Haddix's enumall Recon-ng script,
``` ```
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng cd recon-ng
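Review bot: the recon-ng clone URL embeds a username (`https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git`), which makes git prompt for that account's password even though the repository is public; drop the `LaNMaSteR53@` part. Style: the bullet `Using Jason Haddix's enumall Recon-ng script,` ends in a stray comma.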
@ -45,7 +41,6 @@ cd domain
-i to feed a list of domains (can also type extra domains into the original command) -i to feed a list of domains (can also type extra domains into the original command)
``` ```
* Subdomain take over using HostileSubBruteForcer * Subdomain take over using HostileSubBruteForcer
``` ```
git clone https://github.com/nahamsec/HostileSubBruteforcer git clone https://github.com/nahamsec/HostileSubBruteforcer
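Review bot: this hunk only drops a blank line, but while the region is being touched, `Subdomain take over` should read `Subdomain takeover`, the standard single-word term for the issue HostileSubBruteForcer checks for.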
@ -53,7 +48,6 @@ chmox +x sub_brute.rb
./sub_brute.rb ./sub_brute.rb
``` ```
* EyeWitness and Nmap scans from the KnockPy and enumall scans * EyeWitness and Nmap scans from the KnockPy and enumall scans
``` ```
git clone https://github.com/ChrisTruncer/EyeWitness.git git clone https://github.com/ChrisTruncer/EyeWitness.git
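Review bot: the context line `chmox +x sub_brute.rb` carries a typo that fails with `command not found`; it should be `chmod +x sub_brute.rb`. Since the adjacent lines are already changed in this commit, fix it here rather than in a follow-up.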
@ -64,13 +58,14 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
./EyeWitness -f rdp.txt --rdp ./EyeWitness -f rdp.txt --rdp
``` ```
* Passive recon ## Passive recon
``` ```
Use shodan to detect similar app Use shodan to detect similar app
Use the wayback machine to detect forgotten endpoint Use the wayback machine to detect forgotten endpoint
``` ```
## Active recon
* Basic NMAP (if allowed ^^') * Basic NMAP (if allowed ^^')
``` ```
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
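Review bot: under the new `## Passive recon` heading, `Use shodan to detect similar app` and `Use the wayback machine to detect forgotten endpoint` are prose notes rather than commands, yet they sit in a code fence; make them `*` bullets like the rest of the file and pluralise (`similar apps`, `forgotten endpoints`). The `(if allowed ^^')` caveat on the nmap bullet belongs under `## Active recon` as written, since this is the first step that sends traffic to the target and the reader should confirm scope before running it.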
@ -84,10 +79,22 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• -T4 defines the timing for the task (options are 0-5 and higher is faster) • -T4 defines the timing for the task (options are 0-5 and higher is faster)
``` ```
* NMAP Script
```
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
* List all the subdirectories and files ```
Using DirBuster or GoBuster
## List all the subdirectories and files
* Using DirBuster or GoBuster
``` ```
./gobuster -u http://buffered.io/ -w words.txt -t 10 ./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url -u url
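Review bot: the new `NMAP Script` block mixes the command and its captured output in a single fence with nothing to tell them apart; prefix the command with `$` or put it in its own fence above the output. Two smaller points in the same region: the context line `sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv` suggests a comma-separated file, but `-iL` reads targets separated by whitespace (spaces, tabs or newlines), so a name like `INPUTFILE.txt` is less misleading; and the option descriptions (`• -T4 defines the timing for the task ...`) are prose inside a code fence, where `*` bullets outside the fence would render consistently with the rest of the document.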
@ -101,20 +108,27 @@ gobuster -w wordlist -u URL -r -e
``` ```
Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) * Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
``` ```
#!/bin/bash #!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done & wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
``` ```
Using a script to detect all .htpasswd files in a range of IPs * Using a script to detect all .htpasswd files in a range of IPs
``` ```
#!/bin/bash #!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done & wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
``` ```
## Looking for Web vulnerabilities
* Look for private information in GitHub repos with GitRob
```
git clone https://github.com/michenriksen/gitrob.git
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```
* Explore the website with a proxy (ZAP/Burp Suite) * Explore the website with a proxy (ZAP/Burp Suite)
``` ```
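Review bot: the phpinfo.php and .htpasswd loops iterate a hard-coded real public range (`98.13{6..9}.{0..255}.{0..255}`, i.e. 98.136.0.0/14) and the gobuster line targets `http://buffered.io/`, a real third-party host; use placeholders in the style of `PATH_TO_SECLISTS` and `OUTPUTFILE` already used in this file (e.g. `RANGE`, `http://TARGET/`) so a copy-paste does not hit systems outside the reader's scope. The loops also background themselves with the trailing `&` after `done` and let wget save every response into the current directory (`phpinfo.php`, `phpinfo.php.1`, ...), which deserves a one-line note so the reader knows where the results land.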
@ -123,23 +137,6 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
- Explore and understand available functionality, noting areas that correspond to vulnerability types - Explore and understand available functionality, noting areas that correspond to vulnerability types
``` ```
* Look for Web Vulns
```
- SQLi
- XSS
- RCE
- LFI/RFI
etc
```
* Look for private information in GitHub repos with GitRob
```
git clone https://github.com/michenriksen/gitrob.git
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```
* Subscribe to the site and pay for the additional functionality to test * Subscribe to the site and pay for the additional functionality to test
* Launch a Nikto scan in case you missed something * Launch a Nikto scan in case you missed something
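Review bot: removing the `Look for Web Vulns` list (SQLi, XSS, RCE, LFI/RFI) leaves `## Looking for Web vulnerabilities` with no statement of which vulnerability classes to look for, even though the proxy bullet above tells the reader to note `areas that correspond to vulnerability types`; keep a short list or a pointer to where those classes are covered. Dropping the GitRob block here is consistent with its move to the `## Looking for Web vulnerabilities` heading in the previous hunk, though as a check for leaked secrets in repositories it arguably fits better under passive recon than under web vulnerabilities.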