Scribd
Upload
456 views71 pages

Advanced Web Recon Techniques

The document provides tips for recon like a boss by increasing your attack area and discovering more targets, opportunities, and options. It recommends using tools like Wayback Machine, Waybackurls, Waybackrobots, Knockpy, Sublist3r, SubBrute to discover more subdomains, URLs, and technologies used by a target website. It also suggests using tools like EyeWitness, Grab Them All, altdns, SubBrute to validate subdomains and find subdomains of subdomains. The document recommends determining the target's IP range using tools like ARIN and scanning the entire IP range. It also provides tips for finding new endpoints from JavaScript files using Burp Suite, Zscanner, and JS

Uploaded by

Farizul Momin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
456 views71 pages

Advanced Web Recon Techniques

The document provides tips for recon like a boss by increasing your attack area and discovering more targets, opportunities, and options. It recommends using tools like Wayback Machine, Waybackurls, Waybackrobots, Knockpy, Sublist3r, SubBrute to discover more subdomains, URLs, and technologies used by a target website. It also suggests using tools like EyeWitness, Grab Them All, altdns, SubBrute to validate subdomains and find subdomains of subdomains. The document recommends determining the target's IP range using tools like ARIN and scanning the entire IP range. It also provides tips for finding new endpoints from JavaScript files using Burp Suite, Zscanner, and JS

Uploaded by

Farizul Momin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 71

Recon Like A Boss

Author: Dirty Coder(@dirtycoder0124)


More Targets- More Options-
More Opportunities
AGENDA
• Increase Your Attack Area
• Determine Technologies used by Website.
• Amazon Web Service (AWS) Recon & Hacking
• Github Recon
• Content Discovery
Increase Your
Attack Area
Recon- Go Back in Time
• Wayback Machine to view old files like robots.txt
and URLs
Recon- Go Back in Time
• Tools are out to automate this
• waybackurls.py
Download:
https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b3720
50

• waybackrobots.py
Download:
https://gist.github.com/mhmdiaa/2742c5e147d49a804b408bfed3d32
d07
Now We Have
Waybackurls
Sub-domains Discovery
• Brute force on main domain
• Some scripts to automate this task
– Knockpy:-
https://github.com/guelfoweb/knock
– Sublist3r:-
https://github.com/aboul3la/Sublist3r
– SubBrute
https://github.com/TheRook/subbrute
Sub-domains Discovery
Knockpy
• Usage: ./knockpy target.com
Sub-domains Discovery
Sublist3r
• Usage: python sublist3r.py -d target.com
Sub-domains Discovery
Sublist3r Cont.
• Find sub-domains with specific open ports
• Usage: python sublist3r.py -d target.com -p 80,443
Sub-domains Discovery
SubBrute.

• Usage: ./subbrute.py google.com

• You can give list of domains like this


Usage: ./subbrute.py -t list.txt
Sub-domains Discovery Cont.
• Google Dork
site:target.com –site www.target.com
• Online Resource:
– https://dnsdumpster.com/
– https://searchdns.netcraft.com/
– https://www.virustotal.com (Go to search and
type target.com)
– https://crt.sh/?q=%25paypal.com
(Use “%target.com”. )
Now We Have
WaybackURls
+
Subdomains
Don’t Stop Here
Find Sub-domains of Sub-domain
http://bf1-adxdb-001.data.bf1.yahoo.com/about.php

Some website have 5th and 6th level sub-domain


Find Subdomains of Subdomain

Tool: altdns (https://github.com/infosec-au/altdns)


Input : sub-domain list
Usage: ./altdns.py -i subdomains.txt -o
data_output -w words.txt -r -s output.txt
Find Subdomains of Subdomain

Tool: SubBrute

Usage:
./subbrute.py target.com > sudomains.txt

Then

./subbrute.py –t subdomains.txt
Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
Sub-domain Validation
Tool: EyeWitness (https://github.com/ChrisTruncer/EyeWitness)

Provide list of sub-domains and it will give you


report with screenshots of sub-domain

Usage: ./EyeWitness.py -f subdomains.txt


Sub-domain Validation
• Tool: Grab Them All (Mozilla addon)
Other sites on the same domain
• www.yougetsignal.com
Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
+
Other Sites on the same Domain
Target IP Range
• Url: https://whois.arin.net
• Search by Target IP
IP Range of Target Cont.
• Yahoo! owns a massive block of IP addresses

• From 98.136.0.0 - 98.139.255.255

• Which is 260,000 unique IP addresses


Got Huge IP Range
Real Case Study
• Patrik Fehrenbach (@ITSecurityguard)

Wrote a Bash script to download phpinfo.php


file (if found) from Yahoo! IP range

(98.136.0.0 - 98.139.255.255)
Real Case Study
• And Finally
http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php
Bash Script
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 5 http://${ipa}/phpinfo.php; done&

Only 3 lines of code


Takeaways
• When hacking, consider a company’s entire
infrastructure. I know that Patrik has employed
similar techniques to find some more.
(Eg. Many people keep Backup.rar)

• Additionally, you’ll notice there was 260,000


potential addresses here, which would have been
impossible to scan manually.

• When performing this type of testing,


automation is hugely important.
Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
+
Other Sites on the same Domain
+
IP Range
Find New Endpoints from JS Files
• Tools used

1. Burp Suite
2. InputScanner (Zscanner)
3. JS-Scan
Find New Endpoints from JS Files
(Tools Intro.)
• Burp Suite: Proxy

• Zscanner: A tool designed to scrape a list of


URLs. This tool will also scrape .js urls found
on each page

• JS-Scan: A tool designed to scrape a list of .js


files and extract urls
How to use these tools
together??
Find New Endpoints from JS Files
(Burp Suite)
• Run Spider tool on your target in Burp Suite
• Once the spider has finished right click on the host
and click "Copy Urls in this host“
Find New Endpoints from JS Files
(Zscanner)
• Once copied, paste them into urls.txt
• Put urls.txt file in the root of Zscanner
Eg. c/xampp/htdocs/zscanner/urls.txt
• Now open zscanner in browser
Find New Endpoints from JS Files
(Zscanner.)
• Click on “Begin Scanner”
• 4 files are outputted in the /outputs/ folder:
JS-output.txt, GET-output.txt, POSTHost-
output.txt, POSTData-output.txt
• Copy JS-output.txt file and put it in the root of
JS-Scan root folder
Eg. c/xampp/js-scan/JS-output.txt
Find New Endpoints from JS Files
(JS-Scan)
• Open JS-Scan in browser
Find New Endpoints from JS Files
(JS-Scan)
• Click on Run Scanner and you will see
something similar to this. That’s it.
Takeaways

• Endpoints extracted from JS files are more


vulnerable then Endpoints defined in
WebPages.

• Automated Scanners generally don’t scan


Endpoints defined in JS files.

• Developers & Testers don’t care about them.


Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
+
Other Sites on the same Domain
+
IP Range
+
New Endpoints From JS FIles
Technologies Used by Web
Technologies Used by Web
• Wappalizer (Mozilla Addon)
Amazon Web Services

AWS or S3 Buckets
Amazon Web Services
• AWS Simple Storage Service (often shortened
to S3) is used by companies that don’t want to
build and maintain their own storage
repositories
• By using Amazon Simple Storage Service, they
can store objects and files on a virtual server
instead of on physical racks
Amazon Web Services
• After the user has created their bucket, they
can start storing their source code,
certificates, passwords, content, databases
and other data.
Amazon Web Services

What if target is vulnerable

• You can get full access to S3 bucket

• You can download, upload and overwrite files.


How to find S3
Buckets?
Find S3 Buckets
• Google Dork
site: amazonaws.com inurl: yahoo

• Tool: S3 bucket finder


(Download: https://digi.ninja/projects/bucket_finder.php)
Find S3 Buckets
• Burp Suite can also Help
AWS
HACKING
AWS HACKING
• Install awscli in kali

• Interact with Bucket

• Find World Writable Directory.


Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
+
Other Sites on the same Domain
+
IP Range
+
New Endpoints From JS Files
+
S3 Buckets
Github Recon
What you can find on Github
• FTP Credentials

• Secret Keys [API_key, Aws_secret key, etc.]

• Internal credentials [Employee credentials]

• API Endpoints

• Domain Patterns
Github Recon
• Go to github and search
Eg.
- “target.com” “dev”

- “dev.target.com”

- “target.com” API_key

- “target.com” password

- “api.target.com”
Github Recon
Github Recon
• Google can also help
Dork:
site: “github.com” + “Target” + password
Github Recon
Tools are out to automate this
• Gitrob
• Git-all-secrets
• truffleHog
• Git-secrets
• Repo-supervisor
• Do it manually [Best way]

– All tools are available on github


Tool- truffleHog
• Usage:
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
Content Discovery
Content Discovery
• Google is your friend
• Use Google Dork to find:-
- File Extensions
- Parameters
- Login Page
- Sometimes Directory Structure
- Important Stuff
Content Discovery
• I often use Google Dork to find files with
specific extension which also reveal
technology used by Target.
• Google Dork:
-site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
Content Discovery
• Find Parameter
• Google Dork:
- site: target.com inurl:.php?id=
- site: target.com inurl:.php?user=
- site: target.com inurl:.php?book=
Content Discovery
• Find Login Page
• Google Dork
- site: target.com inurl:login.php
- site: target.com intext: “login”
- site: target.com inurl:portal.php
- site: target.com inurl:register.php

(Note: if site has register page, there are chances


that site also have login page)
Content Discovery
• Find Directory Structure
• Google Dork:
-site: target.com intext: “index of /”
Content Discovery
• Find important Stuff
• Google Dork:
-site: target.com filetype:txt
- site: target.com inurl:.php.txt
-site: target.com ext:txt
In most cases you will find robot.txt
But sometimes you will find really juicy stuff
Content Discovery
• I found code in txt file which includes FTP
credentials, SMTP credentials
Content Discovery
• Even some big names in IT Field.
Content Discovery
• Tools:
– GoBuster [https://github.com/OJ/gobuster]
Use:
gobuster –w wordlist.txt –u http://trgt.com
– Dirbuster
Thank You

You might also like