MindMap Attack Surface Tools Resources v1.2

Rizwan Syed
April 21, 2024
Talk Title: MindMap Attack Surface Tools Resources v1.2
Author: Rizwan Syed
Date: Sun, 17 Mar 2024

Attack Surface Tools Mindmap
For Bug Bounty Hunters / Penetration Testers / Red Team Engagement
OSINT + RECON

Transcript

  1. Attack Surface Tools & Resources v1.2

    Recon
    - Organization Name
      - Footer: Trademark / Copyright
        intext: "© Copyright, XYZ1212 Company, 2020"
        intext: "© Copyright, XYZ1212 Company, 2020" -xyz1212.com
      - Contact Page
    - IP Space Range
      - ASN-Lookup: https://bgp.he.net, asnlookup.com
    - Acquisitions & Investments: https://www.crunchbase.com, https://aleph.occrp.org
    - Root Domains
      - Reverse Whois: https://www.whoxy.com/reverse-whois
      - cert-knock.sh: https://raw.githubusercontent.com/mr-rizwan-syed/chomtesh/main/core/cert-knock.sh
      - Certificate Transparency: crt.sh
        subfinder -d domain.com | tlsx -san
        cat subdomains.txt | tlsx -cn
        CloudRecon scrape
      - Google Dork: site: *.domain.com -www
    - Search Engine Dorking
      - Google Dorking: GooFuzz
      - Bing Dorking: https://www.lopseg.com.br/osint
    - Cloud
      - Cloud Assets: https://kaeferjaeger.gay/?dir=sni-ip-ranges
        cat *.txt | grep "\.domain\.com"
        CloudRecon scrape
      - Misconfigured Buckets: https://buckets.grayhatwarfare.com, S3Scanner
    - GIT Recon: https://grep.app
      - Tools: Gitleaks, Trufflehog
    - Technology Fingerprinting
      - Social Media: Job Posting, Employee Posts
      - Technologies: BuiltWith
      - Tech Relationship (Related Domains): Ads & Analytics code
      - Whatruns, Wappalyzer, WebAnalyze
        webanalyze -host https://target.com -crawl 2
      - HttpX Tech
    - Internet Wide Search Engines
      - https://shodan.io (Shosubgo for subdomains)
      - https://search.censys.io
      - https://leakix.net
      - https://hunter.how/
      - Karma_V2: karma_v2 -d domain.com --limit -1 -deep
      - Chomte.sh Shodan Module
      - ProjectDiscovery-Uncover
    - Breached Credentials: dehashed.com
    - Subdomain
      - Passive: Subfinder
        subfinder -d domain.com
        subfinder -dL subdomains.txt
      - Active: DNS Bruteforcing (AlterX & DNSx)
      - SSL Certificate: Subject Alternate Names
        cat subdomains.txt | tlsx -san | grep domain.com
    - Exposed URLs: exposed by Shortener services, https://shorteners.grayhatwarfare.com/
    - API
      - Postman: https://www.postman.com/search?q=uber, https://github.com/cosad3s/postleaks
      - Swagger: https://app.swaggerhub.com/search?query=uber, https://github.com/UndeadSec/SwaggerSpy
    - Breach Credentials: Dehashed.com, https://github.com/mr-rizwan-syed/Dehashed

    Enumeration
    - Subdomain Takeover
      - https://github.com/EdOverflow/can-i-take-over-xyz
      - Nuclei - subdomain takeover: nuclei -t ~/nuclei-templates/http/takeovers/
    - onedrive_user_enum
    - NTLM Endpoints: OWA servers, Skype for Business, Autodiscover servers / Lync servers, ADFS servers
    - Content Discovery
      - Based on tech (Assetnote-wordlists for Fuzzing)
        - IIS / MSF / Azure: httparchive_aspx_asp_cfm_svc_ashx_asmx_..txt
        - PHP + CGI: httparchive_php...txt, httparchive_cgi_pl_...txt
        - General API: httparchive_apiroutes...txt, swagger-wordlist.txt, SecLists/tree/master/Discovery/Web-Content/api/
        - Java: httparchive_jsp_jspa_do_action...txt
        - Generic: httparchive_directories_1m...txt, RAFT, Robots Disallowed, https://github.com/six2dez/OneListForAll, jhaddix/content_discovery_all.txt
      - Mobile Endpoints URL: APKLeaks, mobile-nuclei-templates
      - Historical: gau, wordlistgen, xnl-h4ck3r/waymore
      - Custom: Scavenger [Burp Ext]
      - Recursive: 401 Status Code
      - Spidering: Katana, Burp 1.7, GoSpider
      - Javascript: xnl-h4ck3r/xnlLinkFinder, GAP [Burp Extension]
      - Bypass 403: nomore403
    - Version Control System: SVN Exposure, GIT Exposure
    - Port Scanning: naabu, rustscan, Smap
    - HTTP Probing: projectdiscovery - httpx

    Finding CVE & MisConfig
    - Open Ports & Services: Default Creds on Services, Service level exploits, CVEMap
    - Web Hosting Software: Default Creds, Web Server Misconfigurations
    - Web Exploits: Active Scanning, Application Framework, Application: Custom Code or COTS, Application Libraries (Usually Javascript), Integrations
    - Template based scanning: Nuclei

    Application Analysis
    - Parameter Heatmap
    - Upload Functions
      - Integrations (from 3rd party): xss
      - Self Uploads
        - XML based (Docs / PDF): SSRF / XSS / XXE
        - Image: xss / shell (name, binary, header, metadata)
      - Where is data stored: S3 Permissions, Content Types
    - APIs
    - Account Section
    - Errors
    - Paths or URLs as values

    @_r12w4n  Github: mr-rizwan-syed