Recon, the gathering of information about your target, is becoming more and more important! π§
Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more faster and more effective than the others π
[1οΈβ£] DNS
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups π
Often, you have a huge list of IP addresses π
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! π
[2οΈβ£] Amass
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. πΈ
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! π
Let's find them! π
[3οΈβ£] @nmap
Nmap stands for "Network Mapper" and that's precisely what it does.
This 25-year-old tool is FAR from outdated!
Let's use Nmap to find out what's actually running on those endless machines you've enumerated so far! π
[4οΈβ£] VHostScan
This Python scanner by @codingo_ is an excellent tool for finding virtual hosts! π¨βπ»
What's that? Unlike subdomains, vhosts allow multiple applications to be hosted on a single server. π₯
This slightly esoteric feature means not many hunters are looking for this! π
[5οΈβ£] Httprobe
All this recon has given us many subdomains, but what now? π€·ββοΈ
This tool by @TomNomNom will help us find all the web servers running on these subdomains! π
[6οΈβ£] Waybackurls
Another tool by @TomNomNom can help us continue.
Instead of opting for active directory fuzzing, let's use the power of history to see what we can find on a target's website!
This tool uses the @waybackmachine to find new endpoints passively! π
[7οΈβ£] S3enum
This Go tool by @koenrh automates AWS S3 bucket enumeration.
Using this tool, you may be able to find the next big misconfiguration or overly permissive S3 bucket! π
[8οΈβ£] EyeWitness
If you're overwhelmed with endpoints, that's okay!
Let's bring some order to this madness using this tool by @FortyNorthSec πͺ
It allows you to organize endpoints depending on their return value quickly. Screenshots of the page are a bonus! πΌ
[9οΈβ£] Relative URL extractor
JavaScript files are recon goldmines! They sometimes reference very interesting relative URLs that you need to know about! π§
But manually going through 1000s of JS files, no! πͺ
Use this great tool by @jobertabma π
[1οΈβ£0οΈβ£] TruffleHog
If you're lucky, you may have found a git repository during your recon! π
Let's use this tool by @trufflesec to dig into it and uncover all secrets the repo has to hold! π
[1οΈβ£1οΈβ£] Arjun
Let's talk about enumerating GET parameters!
If you were thinking of brute-forcing thousands of them, then check out Arjun by @s0md3v π
It can check for thousands of GET params in under 50 requests! π€―
[1οΈβ£2οΈβ£] Wappalyzer
One last trick we'll give you is fingerprinting everything you find using @Wappalyzer π
This way, you know what you're dealing with and what exploit might or might not work! πͺ
𧡠And that's a wrap!
Note that there are alternatives to the tools we've showcased here, and looking around for something you like is highly recommended! π
Be sure to like this tweet and follow @intigriti if you want more of these threads! π
π΄LIVE MENTOR SESSION (starting now): @zseano
will answer your questions for the next 4 hours!
π¬ Comment with your question! π
@Devil79830787 wants to know: "How can a complete noob (non-techie) enter the world of bug bounty(or hacking) in 2021. Top resources techniques and where to start and how to start advices"
@zseano@waters_ro asked: "Whatβs the bug youβll never forget and why?"
π΄LIVE MENTOR SESSION: @Agarri_FR will answer your questions for the next 4 hours!
π¬ Comment with your question! π
Question from @aroly:
"What are the features you look at when searching for SSRF ? The places where you look first ?"
Question from @aroly:
"What do you try with external blind SSRF ? For example you can trigger a GET to the URL of the HTTP "Referer" header but that's it... What do you do in such situation ?"