Transcription from jhaddix talk.
- Check scope of the bug bounty program
- (If it corresponds) get acquisitions from Crunchbase
- Manually get IP blocks and ASN ids from bgp.he.net
- Do ASN recon using:
- ASN lookup: `python asnlookup.py -o {{orgname}}
- Metabigor:
echo "tesla" | metabigor net --org -v
- From the obtained ASNs, check them using Amass (check also metabigor for this):
amass intel -asn {{asnid}}
- Do reverse whois:
- whoxy.com: Lets you query who has owned a certain domain name in the past. It also contains other domains owned by the same companies (API key needed)
- Use domlink to automate queries to whoxy.com (API key needed)
- Use Builtwith to get technologies and also other related domains/subdomains through shared tracking codes that are occasionally reused
- Use Google to search for the copyright sentence:
"Twitch Interactive, Inc" inurl:twitch
- Search the domain on Shodan
- Find subdomains:
- Find subdomains -> feed them back to the beginning of the workflow. Iterative process.
- Linked discovery:
- Check all links on the page to get new domains/subdomains
- When new domains/subdomains are found, also add them to the spider list and repeat
- Spiders to use: hakrawler and gospider
- Similar tool: subdomainizer, get subdomains from javascript, also cloud info, potentially leaked keys.
- Just for subdomains use subscraper. It supports recursion.
- Subdomain scraping:
- Using Google:
- First search for
site:twitch.tv
. Thensite:twitch.tv -www.twitch.tv
. Thensite:twitch.tv -www.twitch.tv -dev.twitch.tv
, iteratively adding the ones you've found
- First search for
- Using amass, subfinder, github-subdomains, :
amass enum -d twitch.tv
subfinder -d twitch.tv -v
- github-subdomains:
github-subdomains -d twitch.tv
(rate limited, 5 iterations with a sleep of 6 seconds, and then wait 10 seconds) - shosubgo:
shosubgo
:go run main.go -d twitch.tv -s
- Scan cloud ranges and check if certificates match your target (masscan, nmap) Some bash scripting required
- Using Google:
- Subdomain bruting
- It's important to use multiple DNS servers simultaneously
- massdns
- Also amass uses 8 dns servers by default and also allows to set extra ones using the -rf flag
amass enum -brute -d twitch.tv -src
(-src gets from where the subdomains are coming from)amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
- shuffledns is based on massdns and has similar usage
- Check all.txt from jhaddix
- Port scanning
- Do port scanning using masscan (just works with IPs, not domains) to detect open ports as it's really fast. Then, feed those ports into nmap to scan those open ports
masscan -p1-65535 -iL $ipfile --maxrate 1800 -oG output.txt
dnmasscan
has a similar use but it accepts domain names as targets
- Do port scanning using masscan (just works with IPs, not domains) to detect open ports as it's really fast. Then, feed those ports into nmap to scan those open ports
- Service scanning
- Use
brutespray
to bruteforce credentials taking as an input the -oG output of masscan
- Use
- Github dorking: https://gist.github.com/jhaddix/77253cea49bf4bd4bfd5d384a37ce7a4
- Screenshot taking: aquatone, HTTPScreenshot, Eyewitness
- Subdomain takeover: if a subdomain is pointing to another service's tool, like heroku or a aws s3 bucket, and they don't exist anymore, it would be possible to register them for the users to think it's the actual site while it's not. https://github.com/edoverflow/can-i-take-over-xyz
- Tools to help automation/Frameworks:
- Codingo's Interlace Glue tools together. Help add threading to tools don't have the functionality.
- What are their subdomains?
- What ports are open?
- Is this ip running a web server?
- Has this site changed?
- Is this a sensitive site?
- What urls are in their js?
- Which of these share analytics code?
- What domains do they own?
- Which certs are about to expire?
- What are all the links on this site?
- What are this customer's asns?
- What ips are in their asns?
- Which ips are running web servers?
- What stack is this site running?
- Which of these sites is running wordpress?
- Which of these sites is running drupal?
- Who works at this company?
- Do they have personal github accounts?
- Do those have sensitive content?
- Do those accounts have content related to work?
- Do they have any s3 buckets that are open?
- Are they serving databases?
- Are they open or bruteforceable?