Maik Ro
Oct 20, 21 tweets, 10 min read
Day 4⃣6⃣

Let us find some... no ALL the subdomains of our Bug Bounty Target:
Yesterday we learned how to perform Reconnaissance - if you have not seen the thread, look no further:

and today we define our methodology further - we go the next step:
Subdomain enumeration, as if our lives depend on it!
One more thing.

This might be a very big list in the end...
It is intimidating to see so many possible subdomains and hacking targets.

I am here with you, you just need to start.

Step by step we will get there.

LETZ GO.
From yesterday we have a list of domains

Now we have many possibilities to find subdomains - they can be separated into three categories:

1. manual search
2. automated search
3. Brute force

I would suggest doing it in this order

Why?!
This way you can always stop once you have 1, 2, 10... however many you feel comfortable hacking on!

OK 1. manual search - remember 2 days ago?

google dorking is the most important skill!

you can use this query:
site:target.com -www.target.com
Next you can check the TLS certificates (certificate transparency logs) with these search engines:

crt.sh/?q=mytarget.com
&
developers.facebook.com/tools/ct/

& also rapid7's DNS dataset (big!)
opendata.rapid7.com/sonar.fdns_v2/
and some more search engines for DNS aggregate data:

dnsdumpster.com
&
searchdns.netcraft.com
one hint: MAKE SURE to check the scope - sometimes the company provides a list of allowed subdomains

hint2: use github search, sometimes there is a list of subdomains already
2. Automated Subdomain enumeration

A lot of tools can be combined, but first we look at what we already have.

HTML + JavaScript.

API calls and other requests in the source often point at endpoints on subdomains - juicy targets.
Here are the 4 tools I use when searching for subdomains in source code:

1. github.com/hakluke/hakraw… by @hakluke
2. github.com/jaeles-project…
3. github.com/nsonaniya2010/…
4. github.com/m8sec/subscrap…
Make sure to also use waybackurls (github.com/tomnomnom/wayb…) from @TomNomNom

waybackurls mytarget.com | awk -F"[/:]" '{print $4}' | sort -u

this will neatly output unique subdomains

OR you use another tool
github.com/tomnomnom/unfu…
which makes this query:

waybackurls mytarget.com | unfurl -u domains

SHORT AND SWEET.
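The awk pipeline above works because splitting every scheme://host[:port]/path URL on "/" or ":" puts the hostname in field 4, so a port never leaks into the result. The script below is an added example (my code, not from the thread or from the waybackurls project): it does the same extraction on a saved URL list read from stdin and additionally drops hosts outside the target domain, so third-party CDNs and the like never reach later steps. The sample URLs are constructed, not real waybackurls output.

```shell
#!/bin/sh
# Added example: pull unique, in-scope hostnames out of a URL list, the same
# job the "waybackurls | awk" one-liner does, plus a scope filter.
# SAMPLE_URLS is constructed input, not real waybackurls output.

SAMPLE_URLS='https://dev.mytarget.com/login
http://api.mytarget.com:8443/v1/users
https://www.mytarget.com/
https://dev.mytarget.com/static/app.js
https://cdn.othersite.net/lib.js
http://staging.mytarget.com/'

# extract_hosts DOMAIN
# Splitting on "/" or ":" puts the host in field 4 for every
# scheme://host[:port]/path URL, so the port ends up in field 5 and is ignored.
extract_hosts() {
  awk -F'[/:]' -v dom="$1" '
    {
      host = $4
      if (host == "") next
      # keep the apex itself or anything that ends in ".<apex>"
      n = length(dom); h = length(host)
      if (host == dom || substr(host, h - n, n + 1) == "." dom) print host
    }' | sort -u
}

# count_hosts DOMAIN: number of unique in-scope hosts in the sample.
count_hosts() {
  printf '%s\n' "$SAMPLE_URLS" | extract_hosts "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: list the in-scope hosts found in the sample.
printf '%s\n' "$SAMPLE_URLS" | extract_hosts mytarget.com
```

On the sample this prints api, dev, staging and www under mytarget.com and silently drops cdn.othersite.net; replace the printf with `waybackurls mytarget.com | extract_hosts mytarget.com` to run it on live output.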

You can also use shodan to find subdomains using: github.com/incogbyte/shos…

OR
github.com/gwen001/github…

(better run this multiple times with delay as @Jhaddix suggests)
Also remember how a while ago I presented some cool technique on how Bug Hunters scrape cloud IP ranges to get more subdomains?

Now is the time to use it.

Here is the thread:
And last but not least the three classics:

subfinder & amass & sublist3r
github.com/OWASP/Amass
github.com/projectdiscove…
github.com/aboul3la/Subli…

They also integrate well with our last section:

3. brute forcing subdomains
One thing to note - brute forcing subdomains is not always a good idea.
You can be blocked and that is a pain in the behind, especially if you hack twitch

Some companies also have rate limits in their programs so make sure to properly read the program details BEFORE going brrrr
We start with amass:

amass enum -brute -d mytarget.com

Next up is shuffleDNS - a wrapper around massdns github.com/projectdiscove…

shuffledns -d mytarget.com -w wordlist.txt -r resolvers.txt

this needs a wordlist (see below) and a resolvers.txt, which you e.g. can find here: raw.githubusercontent.com/blechschmidt/m…
for the brute force wordlist you can use many many sources, two of my favorites are:

@Jhaddix all.txt - gist.github.com/jhaddix/86a06c…
&
wordlists.assetnote.io
The last thing you can try is permutation scanning - you take all the subdomains you found and mutate them.

e.g. dev.mytarget.com could also be dev-old.mytarget.com or dev01.mytarget.com

this can be achieved by using amass (AGAIN?!!!!)
OR!

github.com/infosec-au/alt…
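To make the permutation idea concrete, here is an added example of my own (not code from the thread, altdns or amass): it takes subdomains you already found and prints candidate names built from a small permutation list (dev -> dev-old, dev01, old-dev, old.dev, ...). It only generates names; resolving them is the separate brute-force step above, and the same list is handy for checking which guessable names exist in your own zone. KNOWN_SUBS and PERMS are constructed inputs.

```shell
#!/bin/sh
# Added example: generate permutation candidates from known subdomains.
# Only prints candidate names, does no DNS. Inputs below are constructed.

KNOWN_SUBS='dev.mytarget.com
api.mytarget.com'

# Small permutation list; a real run would use a longer one.
PERMS='old
01
staging'

# permute: reads hostnames on stdin, prints unique candidate names.
permute() {
  awk -v perms="$PERMS" '
    BEGIN { n = split(perms, p, "\n") }
    NF == 0 { next }
    {
      split($0, parts, ".")
      label = parts[1]                        # leftmost label, e.g. "dev"
      rest  = substr($0, length(label) + 2)   # everything after the first dot
      if (rest == "") next                    # no apex to keep, skip it
      for (i = 1; i <= n; i++) {
        print label "-" p[i] "." rest         # dev-old.mytarget.com
        print label p[i] "." rest             # devold / dev01.mytarget.com
        print p[i] "-" label "." rest         # old-dev.mytarget.com
        print p[i] "." $0                     # old.dev.mytarget.com
      }
    }' | sort -u
}

# count_candidates: number of unique candidates produced from the sample.
count_candidates() {
  printf '%s\n' "$KNOWN_SUBS" | permute | wc -l | tr -d ' '
}

# Stand-alone usage: print the candidates for the sample.
printf '%s\n' "$KNOWN_SUBS" | permute
```

Two known hosts times three permutations times four patterns gives 24 candidates here; feed the output to shuffledns or amass as the wordlist-free "resolve" input to find out which ones actually exist.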

Now you have a very very very long list of subdomains.

Tomorrow we automagically look at those and see what we can do with them.
If this tweet provided value to you feel free to click the follow button @maikroservice

every day I post a thread about cyber security topics

October - Bug Bounty
November - Blue Team
December - Job Hunting / Career advice


