📔
HackTricks - Boitatech
  • HackTricks
  • About the author
  • Getting Started in Hacking
  • Pentesting Methodology
  • External Recon Methodology
    • Github Leaked Secrets
  • Phishing Methodology
    • Clone a Website
    • Detecting Phising
    • Phishing Documents
  • Exfiltration
  • Tunneling and Port Forwarding
  • Brute Force - CheatSheet
  • Search Exploits
  • Shells
    • Shells (Linux, Windows, MSFVenom)
      • MSFVenom - CheatSheet
      • Shells - Windows
      • Shells - Linux
      • Full TTYs
  • Linux/Unix
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
      • PAM - Pluggable Authentication Modules
      • SELinux
      • Logstash
      • AppArmor
      • Containerd (ctr) Privilege Escalation
      • Docker Breakout
      • electron/CEF/chromium debugger abuse
      • Escaping from Jails
      • Cisco - vmanage
      • D-Bus Enumeration & Command Injection Privilege Escalation
      • Interesting Groups - Linux PE
        • lxd/lxc Group - Privilege escalation
      • ld.so exploit example
      • Linux Capabilities
      • NFS no_root_squash/no_all_squash misconfiguration PE
      • Payloads to execute
      • RunC Privilege Escalation
      • Seccomp
      • Splunk LPE and Persistence
      • SSH Forward Agent exploitation
      • Socket Command Injection
      • Wildcards Spare tricks
    • Useful Linux Commands
      • Bypass Bash Restrictions
    • Linux Environment Variables
  • MacOS
    • MacOS Security & Privilege Escalation
      • Mac OS Architecture
      • MacOS MDM
        • Enrolling Devices in Other Organisations
      • MacOS Protocols
      • MacOS Red Teaming
      • MacOS Serial Number
      • MacOS Apps - Inspecting, debugging and Fuzzing
  • Windows
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
      • AppendData/AddSubdirectory permission over service registry
      • Create MSI with WIX
      • DPAPI - Extracting Passwords
      • SeImpersonate from High To System
      • Access Tokens
      • ACLs - DACLs/SACLs/ACEs
      • Dll Hijacking
      • From High Integrity to SYSTEM with Name Pipes
      • Integrity Levels
      • JAWS
      • JuicyPotato
      • Leaked Handle Exploitation
      • MSI Wrapper
      • Named Pipe Client Impersonation
      • PowerUp
      • Privilege Escalation Abusing Tokens
      • Privilege Escalation with Autoruns
      • RottenPotato
      • Seatbelt
      • SeDebug + SeImpersonate copy token
      • Windows C Payloads
    • Active Directory Methodology
      • Abusing Active Directory ACLs/ACEs
      • AD information in printers
      • ASREPRoast
      • BloodHound
      • Constrained Delegation
      • Custom SSP
      • DCShadow
      • DCSync
      • DSRM Credentials
      • Golden Ticket
      • Kerberos Authentication
      • Kerberoast
      • MSSQL Trusted Links
      • Over Pass the Hash/Pass the Key
      • Pass the Ticket
      • Password Spraying
      • Force NTLM Privileged Authentication
      • Privileged Accounts and Token Privileges
      • Resource-based Constrained Delegation
      • Security Descriptors
      • Silver Ticket
      • Skeleton Key
      • Unconstrained Delegation
    • NTLM
      • Places to steal NTLM creds
      • PsExec/Winexec/ScExec
      • SmbExec/ScExec
      • WmicExec
      • AtExec / SchtasksExec
      • WinRM
    • Stealing Credentials
      • Credentials Protections
      • Mimikatz
    • Authentication, Credentials, UAC and EFS
    • Basic CMD for Pentesters
    • Basic PowerShell for Pentesters
      • PowerView
    • AV Bypass
  • Mobile Apps Pentesting
    • Android APK Checklist
    • Android Applications Pentesting
      • Android Applications Basics
      • Android Task Hijacking
      • ADB Commands
      • APK decompilers
      • AVD - Android Virtual Device
      • Burp Suite Configuration for Android
      • content:// protocol
      • Drozer Tutorial
        • Exploiting Content Providers
      • Exploiting a debuggeable applciation
      • Frida Tutorial
        • Frida Tutorial 1
        • Frida Tutorial 2
        • Frida Tutorial 3
        • Objection Tutorial
      • Google CTF 2018 - Shall We Play a Game?
      • Inspeckage Tutorial
      • Intent Injection
      • Make APK Accept CA Certificate
      • Manual DeObfuscation
      • React Native Application
      • Reversing Native Libraries
      • Smali - Decompiling/[Modifying]/Compiling
      • Spoofing your location in Play Store
      • Webview Attacks
    • iOS Pentesting Checklist
    • iOS Pentesting
      • Basic iOS Testing Operations
      • Burp Suite Configuration for iOS
      • Extracting Entitlements From Compiled Application
      • Frida Configuration in iOS
      • iOS App Extensions
      • iOS Basics
      • iOS Custom URI Handlers / Deeplinks / Custom Schemes
      • iOS Hooking With Objection
      • iOS Protocol Handlers
      • iOS Serialisation and Encoding
      • iOS Testing Environment
      • iOS UIActivity Sharing
      • iOS Universal Links
      • iOS UIPasteboard
      • iOS WebViews
  • Pentesting
    • Pentesting Network
      • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
      • Spoofing SSDP and UPnP Devices with EvilSSDP
      • Wifi Attacks
        • Evil Twin EAP-TLS
      • Pentesting IPv6
      • Nmap Summary (ESP)
      • Network Protocols Explained (ESP)
      • IDS and IPS Evasion
      • DHCPv6
    • Pentesting JDWP - Java Debug Wire Protocol
    • Pentesting Printers
      • Accounting bypass
      • Buffer Overflows
      • Credentials Disclosure / Brute-Force
      • Cross-Site Printing
      • Document Processing
      • Factory Defaults
      • File system access
      • Firmware updates
      • Memory Access
      • Physical Damage
      • Software packages
      • Transmission channel
      • Print job manipulation
      • Print Job Retention
      • Scanner and Fax
    • Pentesting SAP
    • Pentesting Kubernetes
      • Enumeration from a Pod
      • Hardening Roles/ClusterRoles
      • Pentesting Kubernetes from the outside
    • 7/tcp/udp - Pentesting Echo
    • 21 - Pentesting FTP
      • FTP Bounce attack - Scan
      • FTP Bounce - Download 2ºFTP file
    • 22 - Pentesting SSH/SFTP
    • 23 - Pentesting Telnet
    • 25,465,587 - Pentesting SMTP/s
      • SMTP - Commands
    • 43 - Pentesting WHOIS
    • 53 - Pentesting DNS
    • 69/UDP TFTP/Bittorrent-tracker
    • 79 - Pentesting Finger
    • 80,443 - Pentesting Web Methodology
      • 403 & 401 Bypasses
      • AEM - Adobe Experience Cloud
      • Apache
      • Artifactory Hacking guide
      • Buckets
        • Firebase Database
        • AWS-S3
      • CGI
      • Code Review Tools
      • Drupal
      • Flask
      • Git
      • Golang
      • GraphQL
      • H2 - Java SQL database
      • IIS - Internet Information Services
      • JBOSS
      • Jenkins
      • JIRA
      • Joomla
      • JSP
      • Laravel
      • Moodle
      • Nginx
      • PHP Tricks (SPA)
        • PHP - Useful Functions & disable_functions/open_basedir bypass
          • disable_functions bypass - php-fpm/FastCGI
          • disable_functions bypass - dl function
          • disable_functions bypass - PHP 7.0-7.4 (*nix only)
          • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
          • disable_functions - PHP 5.x Shellshock Exploit
          • disable_functions - PHP 5.2.4 ionCube extension Exploit
          • disable_functions bypass - PHP <= 5.2.9 on windows
          • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
          • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
          • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
          • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
          • disable_functions bypass - PHP 5.2 - FOpen Exploit
          • disable_functions bypass - via mem
          • disable_functions bypass - mod_cgi
          • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      • Python
      • Special HTTP headers
      • Spring Actuators
      • Symphony
      • Tomcat
      • Uncovering CloudFlare
      • VMWare (ESX, VCenter...)
      • Web API Pentesting
      • WebDav
      • werkzeug
      • Wordpress
      • XSS to RCE Electron Desktop Apps
    • 88tcp/udp - Pentesting Kerberos
      • Harvesting tickets from Windows
      • Harvesting tickets from Linux
    • 110,995 - Pentesting POP
    • 111/TCP/UDP - Pentesting Portmapper
    • 113 - Pentesting Ident
    • 123/udp - Pentesting NTP
    • 135, 593 - Pentesting MSRPC
    • 137,138,139 - Pentesting NetBios
    • 139,445 - Pentesting SMB
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
      • SNMP RCE
    • 194,6667,6660-7000 - Pentesting IRC
    • 264 - Pentesting Check Point FireWall-1
    • 389, 636, 3268, 3269 - Pentesting LDAP
    • 500/udp - Pentesting IPsec/IKE VPN
    • 502 - Pentesting Modbus
    • 512 - Pentesting Rexec
    • 513 - Pentesting Rlogin
    • 514 - Pentesting Rsh
    • 515 - Pentesting Line Printer Daemon (LPD)
    • 548 - Pentesting Apple Filing Protocol (AFP)
    • 554,8554 - Pentesting RTSP
    • 623/UDP/TCP - IPMI
    • 631 - Internet Printing Protocol(IPP)
    • 873 - Pentesting Rsync
    • 1026 - Pentesting Rusersd
    • 1080 - Pentesting Socks
    • 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
    • 1433 - Pentesting MSSQL - Microsoft SQL Server
    • 1521,1522-1529 - Pentesting Oracle TNS Listener
      • Oracle Pentesting requirements installation
      • TNS Poison
      • Remote stealth pass brute force
      • Oracle RCE & more
    • 1723 - Pentesting PPTP
    • 1883 - Pentesting MQTT (Mosquitto)
    • 2049 - Pentesting NFS Service
    • 2301,2381 - Pentesting Compaq/HP Insight Manager
    • 2375, 2376 Pentesting Docker
    • 3128 - Pentesting Squid
    • 3260 - Pentesting ISCSI
    • 3299 - Pentesting SAPRouter
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 3632 - Pentesting distcc
    • 3690 - Pentesting Subversion (svn server)
    • 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
    • 5000 - Pentesting Docker Registry
    • 5353/UDP Multicast DNS (mDNS)
    • 5432,5433 - Pentesting Postgresql
    • 5601 - Pentesting Kibana
    • 5671,5672 - Pentesting AMQP
    • 5800,5801,5900,5901 - Pentesting VNC
    • 5984,6984 - Pentesting CouchDB
    • 5985,5986 - Pentesting WinRM
    • 6000 - Pentesting X11
    • 6379 - Pentesting Redis
    • 8009 - Pentesting Apache JServ Protocol (AJP)
    • 8089 - Splunkd
    • 9000 - Pentesting FastCGI
    • 9001 - Pentesting HSQLDB
    • 9042/9160 - Pentesting Cassandra
    • 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
    • 9200 - Pentesting Elasticsearch
    • 10000 - Pentesting Network Data Management Protocol (ndmp)
    • 11211 - Pentesting Memcache
    • 15672 - Pentesting RabbitMQ Management
    • 27017,27018 - Pentesting MongoDB
    • 44818/UDP/TCP - Pentesting EthernetIP
    • 47808/udp - Pentesting BACNet
    • 50030,50060,50070,50075,50090 - Pentesting Hadoop
  • Pentesting Web
    • Web Vulnerabilities Methodology
    • Reflecting Techniques - PoCs and Polygloths CheatSheet
      • Web Vulns List
    • 2FA/OTP Bypass
    • Abusing hop-by-hop headers
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Command Injection
    • Content Security Policy (CSP) Bypass
    • Cookies Hacking
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • Cross-site WebSocket hijacking (CSWSH)
    • CSRF (Cross Site Request Forgery)
    • Dangling Markup - HTML scriptless injection
    • Deserialization
      • NodeJS - __proto__ & prototype Pollution
      • Java JSF ViewState (.faces) Deserialization
      • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
      • Basic Java Deserialization (ObjectInputStream, readObject)
      • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
      • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
      • Exploiting __VIEWSTATE knowing the secrets
      • Exploiting __VIEWSTATE without knowing the secrets
    • Domain/Subdomain takeover
    • Email Header Injection
    • File Inclusion/Path traversal
      • phar:// deserialization
    • File Upload
      • PDF Upload - XXE and CORS bypass
    • Formula Injection
    • HTTP Request Smuggling / HTTP Desync Attack
    • H2C Smuggling
    • IDOR
    • JWT Vulnerabilities (Json Web Tokens)
    • NoSQL injection
    • LDAP Injection
    • Login Bypass
      • Login bypass List
    • OAuth to Account takeover
    • Open Redirect
    • Parameter Pollution
    • PostMessage Vulnerabilities
    • Race Condition
    • Rate Limit Bypass
    • Registration Vulnerabilities
    • Regular expression Denial of Service - ReDoS
    • Reset/Forgotten Password Bypass
    • SAML Attacks
      • SAML Basics
    • Server Side Inclusion/Edge Side Inclusion Injection
    • SQL Injection
      • MSSQL Injection
      • Oracle injection
      • PostgreSQL injection
        • dblink/lo_import data exfiltration
        • PL/pgSQL Password Bruteforce
        • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
        • Big Binary Files Upload (PostgreSQL)
        • RCE with PostgreSQL Extensions
      • MySQL injection
        • Mysql SSRF
      • SQLMap - Cheetsheat
        • Second Order Injection - SQLMap
    • SSRF (Server Side Request Forgery)
    • SSTI (Server Side Template Injection)
      • EL - Expression Language
    • Reverse Tab Nabbing
    • Unicode Normalization vulnerability
    • Web Tool - WFuzz
    • XPATH injection
    • XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
    • XXE - XEE - XML External Entity
    • XSS (Cross Site Scripting)
      • PDF Injection
      • DOM XSS
      • Server Side XSS (Dynamic PDF)
      • XSS Tools
    • XSSI (Cross-Site Script Inclusion)
    • XS-Search
  • Forensics
    • Basic Forensic Methodology
      • Baseline Monitoring
      • Anti-Forensic Techniques
      • Docker Forensics
      • Image Adquisition & Mount
      • Linux Forensics
      • Malware Analysis
      • Memory dump analysis
        • Volatility - CheatSheet
      • Partitions/File Systems/Carving
        • EXT
        • File/Data Carving & Recovery Tools
        • NTFS
      • Pcap Inspection
        • DNSCat pcap analysis
        • USB Keystrokes
        • Wifi Pcap Analysis
        • Wireshark tricks
      • Specific Software/File-Type Tricks
        • .pyc
        • Browser Artifacts
        • Desofuscation vbs (cscript.exe)
        • Local Cloud Storage
        • Office file analysis
        • PDF File analysis
        • PNG tricks
        • Video and Audio file analysis
        • ZIPs tricks
      • Windows Artifacts
        • Windows Processes
        • Interesting Windows Registry Keys
  • A.I. Exploiting
    • BRA.I.NSMASHER Presentation
      • Basic Bruteforcer
      • Basic Captcha Breaker
      • BIM Bruteforcer
      • Hybrid Malware Classifier Part 1
  • Blockchain
    • Blockchain & Crypto Currencies
  • Courses and Certifications Reviews
    • INE Courses and eLearnSecurity Certifications Reviews
  • Cloud Security
    • Cloud security review
    • AWS Security
  • Physical attacks
    • Physical Attacks
    • Escaping from KIOSKs
      • Show file extensions
  • Reversing
    • Reversing Tools & Basic Methods
      • Angr
        • Angr - Examples
      • Z3 - Satisfiability Modulo Theories (SMT)
      • Cheat Engine
      • Blobrunner
    • Common API used in Malware
    • Cryptographic/Compression Algorithms
      • Unpacking binaries
    • Word Macros
  • Exploiting
    • Linux Exploiting (Basic) (SPA)
      • Format Strings Template
      • ROP - call sys_execve
      • ROP - Leaking LIBC address
        • ROP - Leaking LIBC template
      • Bypassing Canary & PIE
      • Ret2Lib
      • Fusion
    • Exploiting Tools
      • PwnTools
    • Windows Exploiting (Basic Guide - OSCP lvl)
  • Cryptography
    • Certificates
    • Cipher Block Chaining CBC-MAC
    • Crypto CTFs Tricks
    • Electronic Code Book (ECB)
    • Hash Length Extension Attack
    • Padding Oracle
    • RC4 - Encrypt&Decrypt
  • BACKDOORS
    • Merlin
    • Empire
    • Salseo
    • ICMPsh
  • Stego
    • Stego Tricks
    • Esoteric languages
  • MISC
    • Basic Python
      • venv
      • Bypass Python sandboxes
      • Magic Methods
      • Web Requests
      • Bruteforce hash (few chars)
    • Other Big References
  • TODO
    • More Tools
    • MISC
    • Pentesting DNS
  • Burp Suite
  • Other Web Tricks
  • Interesting HTTP
  • Emails Vulnerabilities
  • Android Forensics
  • TR-069
  • 6881/udp - Pentesting BitTorrent
  • CTF Write-ups
    • challenge-0521.intigriti.io
    • Try Hack Me
      • hc0n Christmas CTF - 2019
      • Pickle Rick
  • 1911 - Pentesting fox
  • Online Platforms with API
  • Stealing Sensitive Information Disclosure from a Web
  • Post Exploitation
Powered by GitBook
On this page
  • Assets discoveries
  • Acquisitions
  • ASNs
  • Looking for vulnerabilities
  • Domains
  • Reverse DNS
  • Reverse Whois (loop)
  • Trackers
  • Favicon
  • Other ways
  • Looking for vulnerabilities
  • Subdomains
  • DNS
  • OSINT
  • DNS Brute force
  • VHosts / Virtual Hosts
  • CORS Brute Force
  • DNS Brute Force v2
  • Buckets Brute Force
  • Monitorization
  • Looking for vulnerabilities
  • Web servers hunting
  • Screenshots
  • Cloud Assets
  • Recapitulation 1
  • Github leaked secrets
  • Pentesting Web Methodology
  • Recapitulation 2
  • Automatic Tools
  • References

Was this helpful?

External Recon Methodology

PreviousPentesting MethodologyNextGithub Leaked Secrets

Last updated 3 years ago

Was this helpful?

Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks? so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the , or follow me on Twitter . If you want to share some tricks with the community you can also submit pull requests to that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

Assets discoveries

So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.

The goal of this phase is to obtain all the companies owned by the main company and then all the assets of these companies. To do so, we are going to:

  1. Find the acquisitions of the main company, this will give us the companies inside the scope.

  2. Find the ASN (if any) of each company, this will give us the IP ranges owned by each company

  3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)

  4. Use other techniques like shodan organd sslfilters to search for other assets (the ssl trick can be done recursively).

Acquisitions

First of all, we need to know which other companies are owned by the main company. One option is to visit , search for the main company, and click on "acquisitions". There you will see other companies acquired by the main one. Other option is to visit the Wikipedia page of the main company and search for acquisitions.

Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.

ASNs

An autonomous system number (ASN) is a unique number assigned to an autonomous system (AS) by the Internet Assigned Numbers Authority (IANA). An AS consists of blocks of IP addresses which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.

It's interesting to find if the company have assigned any ASN to find its IP ranges. It will be interested to perform a vulnerability test against all the hosts inside the scope and look for domains inside these IPs. You can search by company name, by IP or by domain in . Depending on the region of the company this links could be useful to gather more data: (Africa), (North America), (Asia), (Latin America), (Europe). Anyway, probably all the useful information (IP ranges and Whois) appears already in the first link.

#You can try "automate" this with amass, but it's not very recommended
amass intel -org tesla
amass intel -asn 8911,50313,394161

Looking for vulnerabilities

Domains

We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.

Please, note that in the following purposed techniques you can also find subdomains and that information shouldn't be underrated.

First of all you should look for the main domain(s) of each company. For example, for Tesla Inc. is going to be tesla.com.

Reverse DNS

As you have found all the IP ranges of the domains you could try to perform reverse dns lookups on those IPs to find more domains inside the scope. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)

dnsrecon -r <DNS Range> -n <IP_DNS>   #DNS reverse of all of the addresses
dnsrecon -d facebook.com -r 157.240.221.35/24 #Using facebooks dns
dnsrecon -r 157.240.221.35/24 -n 1.1.1.1 #Using cloudflares dns
dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns

Reverse Whois (loop)

Inside a whois you can find a lot of interesting information like organisation name, address, emails, phone numbers... But which is even more interesting is that you can find more assets related to the company if you perform reverse whois lookups by any of those fields (for example other whois registries where the same email appears). You can use online tools like:

Note that you can use this technique to discover more domain names every time you find a new domain.

Trackers

If find the same ID of the same tracker in 2 different pages you can suppose that both pages are managed by the same team. For example, if you see the same Google Analytics ID or the same Adsense ID on several pages.

There are some pages that let you search by these trackers and more:

Favicon

cat my_targets.txt | xargs -I %% bash -c 'echo "http://%%/favicon.ico"' > targets.txt
python3 favihash.py -f https://target/favicon.ico -t targets.txt -s

Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target.

Other ways

Note that you can use this technique to discover more domain names every time you find a new domain.

Shodan

As you already know the name of the organisation owning the IP space. You can search by that data in shodan using: org:"Tesla, Inc." Check the found hosts for new unexpected domains in the TLS certificate.

You could access the TLS certificate of the main web page, obtain the Organisation name and then search for that name inside the TLS certificates of all the web pages known by shodan with the filter : ssl:"Tesla Motors"

Google

Go to the main page an find something that identifies the company, like the copyright ("Tesla © 2020"). Search for that in google or other browsers to find possible new domains/pages.

Assetfinder

Looking for vulnerabilities

Subdomains

We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.

It's time to find all the possible subdomains of each found domain.

DNS

Let's try to get subdomains from the DNS records. We should also try for Zone Transfer (If vulnerable, you should report it).

dnsrecon -a -d tesla.com

OSINT

amass enum [-active] [-ip] -d tesla.com
./subfinder-linux-amd64 -d tesla.com [-silent]
./findomain-linux -t tesla.com [--quiet]
python3 oneforall.py --target tesla.com [--dns False] [--req False] run
assetfinder --subs-only <domain>
curl https://sonar.omnisint.io/subdomains/tesla.com

RapidDNS

rapiddns(){
curl -s "https://rapiddns.io/subdomain/$1?full=1" \
 | grep -oP '_blank">\K[^<]*' \
 | grep -v http \
 | sort -u
}

Shodan

You found dev-int.bigcompanycdn.com, make a Shodan query like the following:

  • http.html:”dev-int.bigcompanycdn.com”

DNS Brute force

For this action you will need some common subdomains lists like:

Gobuster bruteforcing dns
gobuster dns -d mysite.com -t 50 -w subdomains.txt
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
grep -E "tesla.com. [0-9]+ IN A .+" /tmp/results.txt

shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt
puredns bruteforce all.txt domain.com

VHosts / Virtual Hosts

IP VHosts

Brute Force

If you suspect that some subdomain can be hidden in a web server you could try to brute force it:

gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100

#From https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"

#https://github.com/codingo/VHostScan
VHostScan -t example.com

With this technique you may even be able to access internal/hidden endpoints.

CORS Brute Force

Sometimes you will find pages that only return the header Access-Control-Allow-Origin when a valid domain/subdomain is set in the Origin header. In these scenarios, you can abuse this behavior to discover new subdomains.

ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body

DNS Brute Force v2

Buckets Brute Force

Monitorization

Looking for vulnerabilities

Web servers hunting

We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.

In the previous steps you have probably already performed some recon of the IPs and domains discovered, so you may have already found all the possible web servers. However, if you haven't we are now going to see some fast tricks to search for web servers inside the scope.

Please, note that this will be oriented for web apps discovery, so you should perform the vulnerability and port scanning also (if allowed by the scope).

cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443

Screenshots

Now that you have discovered all the web servers present in the scope (among the IPs of the company and all the domains and subdomains) you probably don't know where to start. So, let's make it simple and start just taking screenshots of all of them. Just by taking a look at the main page you can find weird endpoints that are more prone to be vulnerable.

Cloud Assets

Recapitulation 1

Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (will see more tricks later). Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.

So you have already:

  1. Found all the companies inside the scope

  2. Found all the assets belonging to the companies (and perform some vuln scan if in scope)

  3. Found all the domains belonging to the companies

  4. Found all the subdomains of the domains (any subdomain takeover?)

  5. Found all the web servers and took a screenshot of them (anything weird worth a deeper look?)

Github leaked secrets

Recapitulation 2

Congratulations! The testing has finished! I hope you have find some vulnerabilities.

At this point you should have already read the Pentesting Web Methodology and applied it to the scope. As you can see there is a lot of different vulnerabilities to search for.

If you have find any vulnerability thanks to this book, please reference the book in your write-up.

Automatic Tools

There are several tools out there that will perform part of the proposed actions against a given scope.

References

You can find the IP ranges of an organisation also using (it has free API). You can fins the IP and ASN of a domain using .

At this point we known all the assets inside the scope, so if you are allowed you could launch some vulnerability scanner (Nessus, OpenVAS) over all the hosts. Also, you could launch some or use services like shodan to find open ports and depending on what you find you should take a look in this book to how to pentest several possible service running. Also, It could be worth it to mention that you can also prepare some default username and passwords lists and try to bruteforce services with .

For this to work, the administrator has to enable manually the PTR. You can also use a online tool for this info:

- Free

- Free

- Free

- Free web, not free API.

- Not free

- Not Free (only 100 free searches)

- Not Free

You can automate this task using (requires a whoxy API key). You can also perform some automatic reverse whois discovery with : amass intel -d tesla.com -whois

Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what tool made by does. Here’s how to use it:

favihash - discover domains with the same favicon icon hash

is a tool that look for domains related with a main domain and subdomains of them, pretty amazing.

Check for some . Maybe some company is using some a domain but they lost the ownership. Just register it (if cheap enough) and let know the company.

If you find any domain with an IP different from the ones you already found in the assets discovery, you should perform a basic vulnerability scan (using Nessus or OpenVAS) and some with nmap/masscan/shodan. Depending on which services are running you can find in this book some tricks to "attack" them. Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful.

The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities:

A really good place to search for subdomains is .

The most used tools are , , , , , , . I would recommend to start using them configuring the API keys, and then start testing other tools or possibilities.

Another possibly interesting tool is . It fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

This project offers for free all the subdomains related to bug-bounty programs. You can access this data also using or even access the scope used by this project

You could also find subdomains scrapping the web pages and parsing them (including JS files) searching for subdomains using or .

Quickly find subdomains using API (from ):

http.html:”

Let's try to find new subdomains brute-forcing DNS servers using possible subdomain names. The most recommended tools for this are , , and . The first one is faster but more prone to errors (you should always check for false positives) and the second one is more reliable (always use gobuster).

For massdns you will need to pass as argument the file will all the possible well formed subdomains you want to bruteforce and list of DNS resolvers to use. Some projects that use massdns as base and provides better results by checking massdns results are and .

Note how these tools require a list of IPs of public DNSs. If these public DNSs are malfunctioning (DNS poisoning for example) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from and use to filter them.

You can find some VHosts in IPs using

Once you have finished looking for subdomains you can use , and to generate possible permutations of the discovered subdomains and use again massdns and gobuster to search new domains.

While looking for subdomains keep an eye to see if it is pointing to any type of bucket, and in that case . Also, as at this point you will know all the domains inside the scope, try to .

You can monitor if new subdomains of a domain are created by monitoring the Certificate Transparency Logs does.

Check for possible . If the subdomain is pointing to some S3 bucket, .

If you find any subdomain with an IP different from the ones you already found in the assets discovery, you should perform a basic vulnerability scan (using Nessus or OpenVAS) and some with nmap/masscan/shodan. Depending on which services are running you can find in this book some tricks to "attack" them. Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful.

A fast method to discover ports open related to web servers using . Another friendly tool to look for web servers is and . You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionaly, you can indicate to try other ports:

To perform the proposed idea you can use , , , **[shutter]() **or .

Just with some specific keywords identifying the company it's possible to enumerate possible cloud assets belonging to them with tools like , or .

Then, it's time for the real Bug Bounty hunt! In this methodology I'm not going to talk about how to scan hosts (you can see a ), how to use tools like Nessus or OpenVas to perform a vuln scan or how to look for vulnerabilities in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). But, don't forget that if the scope allows it, you should give it a try.

You can also search for leaked secrets in all open repository platforms using:

Anyway, the majority of the vulnerabilities found by bug hunters resides inside web applications, so at this point I would like to talk about a web application testing methodology, and you can .

********

********

********

**** **- A little old and not updated

All free courses of (like )

Support Hacktricks through github sponsors
💬
telegram group
🐦
@carlospolopm
https://github.com/carlospolop/hacktricks
https://www.crunchbase.com/
https://bgp.he.net/
AFRINIC
Arin
APNIC
LACNIC
RIPE NCC
http://asnlookup.com/
http://ipv4info.com/
http://ptrarchive.com/
https://viewdns.info/reversewhois/
https://domaineye.com/reverse-whois
https://www.reversewhois.io/
https://www.whoxy.com/
http://reversewhois.domaintools.com/
https://drs.whoisxmlapi.com/reverse-whois-search
https://www.domainiq.com/
DomLink
amass
BuiltWith
Sitesleuth
Publicwww
SpyOnWeb
favihash.py
@m4ll0k2
Assetfinder
https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
https://crt.sh/
Amass
subfinder
findomain
OneForAll
assetfinder
Sudomy
Crobat
gau
chaos.projectdiscovery.io
chaospy
https://github.com/projectdiscovery/chaos-public-program-list
SubDomainizer
subscraper
RapidDNS
link
https://dev-int-bigcompanycdn.com”
massdns
gobuster
aiodnsbrute
shuffledns
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/pentester-io/commonspeak
shuffledns
puredns
https://public-dns.info/nameservers-all.txt
dnsvalidator
HostHunter
dnsgen
altdns
gotator
check the permissions
brute force possible bucket names and check the permissions
sublert
EyeWitness
HttpScreenshot
Aquatone
https://shutter-project.org/downloads/
webscreenshot
cloud_enum
CloudScraper
cloudlist
guide for that here
Github Leaked Secrets
https://searchcode.com/?q=auth_key
Pentesting Web Methodology
find this information here
https://github.com/yogeshojha/rengine
https://github.com/j3ssie/Osmedeus
https://github.com/six2dez/reconftw
https://github.com/hackerspider1/EchoPwn
@Jhaddix
The Bug Hunter's Methodology v4.0 - Recon Edition
https://github.com/x90skysn3k/brutespray
check the permissions
httprobe
fprobe
domain takeover
subdomain takeovers
port scans
port scan
port scan
masscan can be found here