0xspade

Recon/Enumeration Techniques

Oct 2nd, 2018
RECON AND DISCOVERY

ASNs ========================================================
bgp.he.net << search by company name to list the ASNs and prefixes it announces
$ whois -h whois.cymru.com $(dig +short A example.com)
$ amass intel -org Company
$ amass intel -asn XXXXX
https://whois.arin.net/ui/query.do
https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
https://www.shodan.io/search?query=org%3a%22COMPANY%22
=============================================================

BRAND / TLD =================================================
https://www.owler.com/company/COMPANY
https://www.crunchbase.com/organization/COMPANY#section-acquisitions
https://acquiredby.co/?s=COMPANY&submit=Search
https://builtwith.com/example.com
https://www.shodan.io/search?query=http.favicon.hash:81586312
WIKIPEDIA
LINKEDIN
$ amass intel -d example.com -whois
=============================================================

SUBDOMAIN ENUMERATION =======================================
$ amass enum -d example.com -ip
$ subfinder -d example.com -silent
* jhaddix all.txt (bare wordlist; append the target domain to each word before resolving)
* altdns = altdns -i subdomains.txt -w words.txt -o permutations.txt
* commonspeak = https://github.com/assetnote/commonspeak2/releases
* massdns = sed 's/$/.example.com/' all.txt > candidates.txt
            massdns -r lists/resolvers.txt -t A -o S candidates.txt > results.txt
* gobuster3 = gobuster dns -d example.com -w all.txt
* https://opendata.rapid7.com/sonar.fdns_v2/2019-07-26-1564183467-fdns_any.json.gz
$ pv <filename> | pigz -dc | grep -E "\.example\.com\"," | jq -r '.name' | sort -u
$ certstream | grep -E "\.example\.com$"
=============================================================

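Added example (not part of the original paste, and not code from amass, massdns or altdns): POSIX shell helpers for the subdomain-enumeration steps above, runnable offline on constructed data. FDNS_SAMPLE is a handful of fabricated Rapid7-style FDNS JSON lines in the shape the `jq -r '.name'` pipeline above reads, WORDLIST_SAMPLE stands in for a wordlist such as all.txt, and the function names (fdns_names, massdns_input, permute, demo) are this editor's own. fdns_names uses an anchored suffix test so lookalikes such as `notexample.com` and `example.com.evil.net` are rejected, massdns_input turns a bare wordlist into the FQDN list massdns expects, and permute does an altdns-style permutation of known hosts.

```shell
#!/bin/sh
# Added example: offline helpers for the subdomain enumeration step.
# All sample data below is constructed; the function names are this
# editor's own, not part of amass/massdns/altdns.

# Constructed Rapid7-style FDNS "any" records (newline-delimited JSON).
FDNS_SAMPLE='{"timestamp":"1564183467","name":"www.example.com","type":"a","value":"93.184.216.34"}
{"timestamp":"1564183467","name":"dev.example.com","type":"cname","value":"www.example.com"}
{"timestamp":"1564183467","name":"www.example.com","type":"aaaa","value":"2606:2800:220:1:248:1893:25c8:1946"}
{"timestamp":"1564183467","name":"notexample.com","type":"a","value":"203.0.113.5"}
{"timestamp":"1564183467","name":"example.com.evil.net","type":"a","value":"203.0.113.6"}
{"timestamp":"1564183467","name":"VPN.Example.COM","type":"a","value":"198.51.100.9"}'

# Constructed stand-in for a wordlist like all.txt (comments and blanks included).
WORDLIST_SAMPLE='www

# internal tooling
api
vpn'

# fdns_names DOMAIN: read FDNS JSON lines on stdin, print unique lowercase
# hostnames that are DOMAIN or end in ".DOMAIN". The suffix test is anchored
# so that lookalikes (notexample.com, example.com.evil.net) are rejected.
fdns_names() {
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sed -n 's/.*"name":"\([^"]*\)".*/\1/p' \
        | tr 'A-Z' 'a-z' \
        | awk -v d="$dom" '
            $0 == d { print; next }
            length($0) > length(d) && substr($0, length($0) - length(d)) == "." d { print }
          ' \
        | sort -u
}

# massdns_input DOMAIN: turn a bare wordlist on stdin into the FQDN list
# massdns expects (skips blank lines and "#" comments).
massdns_input() {
    awk -v d="$1" 'NF && $1 !~ /^#/ { print $1 "." d }'
}

# permute DOMAIN "WORD ...": altdns-style permutations of the hosts on stdin:
# WORD-label, label-WORD and WORD.label under DOMAIN. Hosts not under DOMAIN
# are skipped.
permute() {
    dom=$1
    words=$2
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        label=${host%."$dom"}
        [ "$label" != "$host" ] || continue
        for w in $words; do
            printf '%s-%s.%s\n' "$w" "$label" "$dom"
            printf '%s-%s.%s\n' "$label" "$w" "$dom"
            printf '%s.%s.%s\n' "$w" "$label" "$dom"
        done
    done | sort -u
}

# demo: merge passive hits, brute-force candidates and permutations into one
# de-duplicated list, which is what you would hand to massdns to resolve.
demo() {
    {
        printf '%s\n' "$FDNS_SAMPLE" | fdns_names example.com
        printf '%s\n' "$WORDLIST_SAMPLE" | massdns_input example.com
        printf '%s\n' "$FDNS_SAMPLE" | fdns_names example.com | permute example.com "dev staging"
    } | sort -u
}

demo
```

For a real run, replace the two sample variables with `pigz -dc` of the FDNS dump and the actual wordlist; the suffix check matters because a naive `grep example.com` over a multi-gigabyte FDNS file returns every domain that merely contains the string.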
FINGERPRINT =================================================
https://builtwith.com/example.com
* WAPPALYZER
$ whatweb example.com
$ sudo masscan -p1-65535 $(dig +short A example.com | grep -E '^[0-9.]+$') --rate 10000 -oL masscan.txt
$ nmap -sV -p <ports from masscan> example.com
$ cat urls.txt | aquatone
=============================================================

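Added example (not part of the original paste, and not masscan or nmap code): the handoff between the two port-scanning lines above. masscan's list output (`-oL`) is parsed into the comma-separated port argument nmap takes, per host, so the slow `-sV` service scan only touches ports masscan already found open. MASSCAN_SAMPLE is a constructed stand-in for a real `-oL` file and the function names are this editor's own; the nmap commands are printed, not executed.

```shell
#!/bin/sh
# Added example: turn masscan list output into per-host nmap -sV commands.
# MASSCAN_SAMPLE is a constructed stand-in for `masscan ... -oL masscan.txt`.

MASSCAN_SAMPLE='#masscan
open tcp 443 93.184.216.34 1569434230
open tcp 80 93.184.216.34 1569434231
open tcp 8443 93.184.216.34 1569434232
open tcp 80 93.184.216.35 1569434233
open tcp 22 93.184.216.35 1569434234
# end'

# masscan_hosts: unique IPs with at least one open TCP port (reads stdin).
masscan_hosts() {
    awk '$1 == "open" && $2 == "tcp" { print $4 }' | sort -u
}

# masscan_ports [IP]: comma-separated, numerically sorted, de-duplicated open
# TCP ports from stdin, optionally restricted to one host. Ready for `nmap -p`.
masscan_ports() {
    awk -v ip="${1:-}" '$1 == "open" && $2 == "tcp" && (ip == "" || $4 == ip) { print $3 }' \
        | sort -un | paste -sd, -
}

# nmap_commands: one `nmap -sV` line per host, scanning only the ports masscan
# reported open there. -Pn skips host discovery since masscan already proved
# the host answers. Commands are printed, not run.
nmap_commands() {
    data=$(cat)
    printf '%s\n' "$data" | masscan_hosts | while IFS= read -r ip; do
        ports=$(printf '%s\n' "$data" | masscan_ports "$ip")
        printf 'nmap -sV -Pn -p %s %s\n' "$ports" "$ip"
    done
}

printf '%s\n' "$MASSCAN_SAMPLE" | nmap_commands
```

Pipe the output into `sh` once you have reviewed it, or swap the printf for a direct nmap call; keeping the two stages separate lets you sanity-check masscan's results (it is lossy at high `--rate`) before spending time on service detection.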
DORKING =====================================================
https://www.shodan.io/search?query=org%3a%22COMPANY%22
https://www.shodan.io/search?query=ssl%3a%22COMPANY%22
https://www.shodan.io/search?query=ssl%3a%22COMPANY%22+http.component%3A%22Drupal%22
https://www.shodan.io/search?query=ssl%3a%22COMPANY%22+http.title%3A%22login%22
https://www.shodan.io/search?query=http.favicon.hash:81586312
https://censys.io/ipv4?q=443.https.tls.certificate.parsed.subject.organizational_unit%3A+COMPANY
--GITHUB--
"example.com" "ssh|sftp|ftp|proxy|vpn|vsphere|internal|siem|firewall"
"Company" password|secret|credentials|token|config|key|pass|login|ftp|pwd
"Company" security_credentials|connectionstring|JDBC|ssh2_auth_password|send_keys
"Company" language:{programming language} keyword
"Company" language:{programming language} keyword NOT some_keyword_you_dont_want
org:organization_name
user:username_github
"example.com" dotfiles
--------
https://github.com/codingo/dorky
=============================================================

CONTENT DISCOVERY ===========================================
- Burp crawler
* Linkfinder
* jsparser
$ gobuster dir -u https://example.com -w wordlist.txt
$ recursebuster -u https://example.com -w wordlist.txt
$ echo www.example.com | otxurls
$ echo www.example.com | waybackurls
~ Burp Plugin Asset Discovery by redhuntlabs
=============================================================

PARAMETER DISCOVERY =========================================
-- parameth
~ Burp Plugin backslash-powered-scanner by @albinowax
=============================================================

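Added example (not part of the original paste, and not LinkFinder, jsparser or parameth code) covering the CONTENT DISCOVERY and PARAMETER DISCOVERY sections above: a grep-based pass over JavaScript that pulls out quoted endpoints and the parameter names they carry, which is the seed list you would feed to gobuster/recursebuster and parameth. JS_SAMPLE is a constructed snippet and the function names (extract_endpoints, extract_params) are this editor's own; the regexes are deliberately simple and will miss concatenated or template-literal URLs.

```shell
#!/bin/sh
# Added example: LinkFinder/jsparser-style extraction of endpoints and
# parameter names from JavaScript. JS_SAMPLE is a constructed snippet.

JS_SAMPLE='fetch("/api/v1/users?id=1&format=json");
const base = "https://api.example.com/graphql";
$.ajax({url: "/admin/export.php", type: "POST", data: {report: r, token: t}});
var img = "/static/logo.png";
xhr.open("GET", "/api/v1/users?id=2");
console.log("not a path");'

# extract_endpoints: double-quoted absolute URLs and root-relative paths from
# stdin, minus static assets, de-duplicated.
extract_endpoints() {
    grep -oE '"(https?://[^"[:space:]]+|/[A-Za-z0-9_./?=&%-]+)"' \
        | tr -d '"' \
        | grep -vE '\.(png|jpe?g|gif|svg|css|woff2?|ico)(\?.*)?$' \
        | sort -u
}

# extract_params: query-string parameter names seen in the endpoints, plus the
# keys of object literals passed as request data ("data: {key: value}").
extract_params() {
    data=$(cat)
    {
        printf '%s\n' "$data" | extract_endpoints \
            | grep -oE '[?&][A-Za-z0-9_]+=' | tr -d '?&='
        printf '%s\n' "$data" \
            | grep -oE '(data|params)[[:space:]]*:[[:space:]]*\{[^}]*\}' \
            | sed 's/^[^{]*{//' \
            | grep -oE '[A-Za-z_][A-Za-z0-9_]*[[:space:]]*:' | tr -d ': '
    } | sort -u
}

printf '%s\n' "$JS_SAMPLE" | extract_endpoints
printf '%s\n' "$JS_SAMPLE" | extract_params
```

In practice the input is the concatenation of every script the Burp crawler or waybackurls turned up (`curl -s $url | extract_endpoints`); the endpoint list goes to the directory brute-forcers as seeds and the parameter list becomes a custom wordlist for parameth.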
AUTOMATION ==================================================
https://github.com/codingo/Interlace
https://github.com/nahamsec/lazyrecon
=============================================================