- Write down anything that might be interesting
- Think like a black hat hacker -> grab all the data you can get
intitle:"api" site:example.com
inurl:"api/v1" site:example.com
intitle:json site:example.com
- search for API keys, e.g. GitHub search for:
api keys exposed
-> issue search: extension:json {username}
-> repository search: search for the naming of API keys, e.g.:
shodan_api_key
-> repos, issues, discussions: search for common headers
"authorization: Bearer"
- search for swagger file
filename:swagger.json
- generic search
- search for ports (Shodan):
port:{port}
example.com "content-type: application/json"
wp-json (for WordPress APIs)
- use wayback machine to check for API docs
- here you might find old endpoints that are still available and were just removed from the docs
- default scan:
nmap -sC -sV <target_ip>
- decoy scan:
sudo nmap -sS -p {port} -D RND:{number of decoys} -e {interface} <target_ip>
e.g. sudo nmap -sS -p80 -D RND:20 -e eth0 scanme.nmap.org
- scan specific ports
nmap -sV <target_ip> -p {port}
- ping scan:
nmap -sn 192.168.1.0/24
- top 20 ports (replace 20 with any number):
nmap --top-ports 20 <target_ip>
- Getting the OS:
nmap -O <target_ip>
- Getting everything from the target (OS, version, traceroute):
nmap -A <target_ip>
Tip: Use nmap -sC -sV <target_ip> first and then a full port scan nmap -p- <target_ip> next.
Usage of nmap scripts (it is noisy):
Location: /usr/share/nmap/scripts
Usage:
- Run all scripts tagged as default:
nmap --script default <target_ip>
- Run a single script:
nmap --script 'http-auth' <target_ip>
- Run all http scripts:
nmap --script 'http-*' <target_ip>
Common scripts:
- banner: Get service banners from the services
- ssl-enum-ciphers: Get the TLS version and cipher suites, use with -p 443 (it is noisy, slow it down if you want to stay under the radar)
- http-methods: Get allowed HTTP methods
- http-enum: Find folders on the target
nmap flag   Description
-sV         Attempts to determine the version of the services running
-p / -p-    Port scan for a given port, or scan all ports
-Pn         Disable host discovery and just scan for open ports
-A          Enables OS and version detection, executes built-in scripts for further enumeration
-sC         Scan with the default nmap scripts
-v          Verbose mode
-sU         UDP port scan
-sS         TCP SYN port scan
GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.
Usage: gobuster dir -u http://<ip/domain>:<port> -w <word list location>
Flags
-e          Print the full URLs in your console
-u          The target URL
-w          Path to your wordlist
-U / -P     Username and password for Basic Auth
-p          Proxy to use for requests
-c          Specify a cookie for simulating your auth
Scan with nikto to check for misconfigurations: nikto -h http://example.com
Check for missing security headers when it comes to APIs
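The header check above can be automated against your own API responses. The following script is an added example, not part of the original notes; the list of expected headers and the value checks are my assumptions about what a JSON API should send, and the sample header set is constructed.

```python
"""Audit an HTTP response's headers for security-relevant gaps (added example).

audit_headers() works on a plain header dict so it can be run on a saved
response; audit_url() fetches a live URL and feeds its headers through the
same check. Expectations below are assumptions for a JSON API, not a standard.
"""
from typing import Callable, Dict, List
import urllib.request

# Headers a JSON API should normally send, with a predicate for an acceptable value.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    # API responses usually carry tokens or personal data and should not be cached.
    "cache-control": lambda v: "no-store" in v.lower(),
    # A JSON API should declare its media type so browsers do not sniff it as HTML.
    "content-type": lambda v: v.lower().startswith("application/json"),
}

# Headers that reveal implementation details and are better removed.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    for name, acceptable in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not acceptable(lower[name]):
            findings.append(f"weak value: {name}: {lower[name]}")

    for name in LEAKY:
        if name in lower:
            findings.append(f"information leak: {name}: {lower[name]}")

    # A wildcard CORS origin on an API that serves authenticated data is a
    # common misconfiguration; flag it so a human can decide if it is intended.
    acao = lower.get("access-control-allow-origin")
    if acao is not None and acao.strip() == "*":
        findings.append("permissive CORS: access-control-allow-origin: *")

    return findings


def audit_url(url: str, timeout: float = 5.0) -> List[str]:
    """Fetch url (http/https only) and audit the response headers."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("only http(s) URLs are supported")
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()))


# Constructed sample response headers, typical of an unhardened Express API.
SAMPLE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-cache",
    "X-Powered-By": "Express",
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against a saved response first, then point audit_url() at a staging endpoint you own; the findings are prompts for review, not verdicts, since a public, unauthenticated API may legitimately allow any origin.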
- Manual Explore
- Add URL
- Click Launch Browser
- Click on the shield icon next to the URL and turn off "Enhanced Tracking Protection"
- Click on Continue to your target
- On the right side, start the attack mode
- Use all features of the app
- On the right side, start an active scan (resource heavy)
- Go back to ZAP
- On the right side, right-click on the target folder -> Add new Context -> OK
- Click on the small target icon in the top left corner, to have a better overview
To skip certain scans, click on the small health monitor icon in the middle next to the progress bar and disable the scans you don't want, e.g. SOAP Action Spoofing, SOAP XML Injection, Script Active Scan Rules.
Review the results under the Alerts tab. Select an alert and check the request and response to confirm whether it is a valid alert.
- get sources with:
amass enum -list
- use it with:
amass enum -d <target_domain/ip> | grep api
(maybe get an API wordlist for this)
- root check:
gobuster dir -u <target>:<port> -w /usr/share/wordlists/dirbuster/<wordlist> --wildcard -b 200
- specific check:
gobuster dir -u <target_domain>:<port>/<path> -w /usr/share/wordlists/dirbuster/<wordlist>
- use -b <status_code> to filter out unwanted results, e.g. 401, 200, etc.
- use --wildcard to scan all
- Use the browser's Network Monitor to see where requests are going. Maybe filter by XHR
- Add the URL column, if not there
- search for "api"
Tip: Import a request via cURL. Right-click on a request in the network tab and copy as cURL. Switch to Postman, click Import -> Raw text and paste the cURL request in.
spawn a better shell in python:
$ python -c 'import pty; pty.spawn("/bin/bash")'
On Linux systems, the environment variables of a process can often be found by looking in /proc/self/environ.
- Opting in
- Opting out
- use the company's domain for sign-up
- maybe change it later, if confirmation is required
- Use sandbox PayPal / credit cards
- For bigger companies, try another country
- Invite Socket Account and try the link with another Socket account
- Always alter requests
- check tokens