Scribd Logo
Upload

Welcome to Scribd!

  • 2019 Recon Cheat Sheet

    Uploaded by

    vivek verma
    7 views2 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views2 pages

    2019 Recon Cheat Sheet

    Uploaded by

    vivek verma

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Reconnaissance Quick Reference Guide

    Digital Dumpster Diving

    GITHUB RECON EXAMPLES JAVASCRIPT FILE EXAMPLES

    • “company.com” “dev”
    • “dev.company.com”
    • “company.com” API_key
    • “company.com” password

    For Further Information Visit: • “api.company.com” authorization

    WWW.HACKERONE.COM | WWW.HACKER101.COM Tools


    • gitrob • git-secrets
    • git-all-secrets • repo-supervisor  Process
    • truffleHog • Do it manually? Look for:
    ADDITIONAL NOTES SECTION: • (hidden) • …and definitely
     endpoints more bugs
    • Leaked cloud
    instances
    and their
    secret_keys
    DIGITAL DUMPSTER DIVING EXAMPLES

    1 2

    • Looked up the “umbrella” company name

    • Combine “umbrella_company” + asset_name +


    “password”, and found below code:
    “server”: {
    “host”: “dedXXXX.PATTERN.PROVIDER.com”,
    “port”: 21,
    “user”: “some_username”,
    “password”: “definitely_ftp_passwords”
    }

    • Got access to umbrella_company’s FTP server →


    $10,000 Bounty

    NOTES SECTION: Recon Cheat Sheet


    A Reference Guide for Our Newest Hackers

    WWW.HACKERONE.COM
    Reconnaissance Quick Reference Guide

    Asset Discovery OSINT Vendor Services

    BRUTE FORCE Tools ACQUISITIONS AWS RECON PROCESS


    Different permutations, • sublist3r
    • Big programs (Facebook, Google, Verizon Media, etc.)
    Different environment, e.g. • enumall
    • Look for S3 buckets on Google (site:s3.
    dashboard.dev.site.com vs • massdns • Acquired assets usually in scope after 6 months amazonaws.com + inurl:company_name) |
    Find different dashboard-dev.site.com • altdns AWS instances (site:amazonaws.com -s3)
    Brute force Brute force • brutesubs
    environments (.dev,
    domain again • dns-parallel-prober • Repeat on Github!
    .corp, .stage, uat, etc.) WHOIS ← Automate
    Google Dork: site.com • dnscan
     your work
    +inurl:dev -cdn • knockpy
    • tko-subs • ARIN (Canada, United States, some Caribbean nations) |
    • HostileSubBruteforce RIPE NCC (Europe, Russia, Middle East, Central Asia) | Create aliases to cut down your work
    APNIC (Asia-Pacific region) | LACNIC (Latin America,
    CERTIFICATE TRANSPARENCY TOOLS some Caribbean nations) | AFRINIC (Africa) certspotter() { Automate the tasks you perform for each target
    curl - s https: //certspotter.com/api/v0/certs\?domain\=$1 | jq ‘.
    [].dns_names[]’ | sed ‘s/\”//g’ | sed ‘s/\*\.//g’ | sort -u | grep $1 >
    • Search Yahoo, or any other large program. Shodan helps here, too
    ~/$1/$1.txt
    Shodan Certspotter }
    Censys Crt.sh
    dirbruteforce() {
    cd / tools / dirsearch
    Look for SSL certificates:
    Example: 443.https.
    Search by hostname. Filter
    for: Ports: 8443, 8080, etc |
    Great API |
    Easy to automate | Make a
    Great API and web interface |
    Allows using a wild card | You
    Content Discovery cat~/$1/$1.txt |
    while read line;
    do python3 dirsearch.py - e. - u” https: //$line”; done
    tls.certificate. parsed. Title: “Dashboard [Jenkins]” bash alias → Automate → Win may get different results from
    }
    extensions.subject_alt_name. | Product:Tomcat Hostname: differents sources CONTENT DISCOVERY PROCESS screenshot() {
    somecorp.com | Org: evilcorp | python~/tools/webscreenshot / webscreenshot.py - o. / $1 / screenshots /
    dns_names:snapchat.com
    ssl: Google Tools }
    -i~/$1/$1.txt--timeout = 10 - m

    • dirbuster recon() {
    Look for interesting Always keep certspotter $1
    Screenshot open ports • gograbber
    Port scan • Files an archive of dirbruteforce $1
    (default: 80, 443)
    • Directories your report • gobuster screenshot $1
    CERTIFICATE TRANSPARENCY EXAMPLES • dirsearch
    }

    CONTENT DISCOVERY EXAMPLES AWS RECON EXAMPLES


    Vulnerabilities found with Shodan Vulnerabilities found with Censys
    1 2
    Search Query: hostname:host.com port:15672 AUGUST 22, 2017

    “Secure your jenkins • Nmap common ports (3868,3366,8443,8080,9443,


    • You see an open port on 8443
    instance or hackers 9091,3000,8000,5900,8081,6000,10000,8181,3306,
    Search Query: hostname:host.com • Directory brute force 5000,4000,8888,5432,15672,9999,161,4044,7077,
    will force you to!
    title:Dashboard [Jenkins] • /admin/ returns 403 4040,9000,8089,443,7447,7080,8880,8983,5673,7443)
    (Snapchat’s $5,000
    • You brute force for more files/dirs on /admin/ • Take screenshots (webscreenshot.py)
    vulnerability)”
    • /admin/users.php returns 200 • Directory/File brute force
    • Repeat on other domains, ports, folders, etc. • Robots.txt sometimes does this for you ¯\ _(ツ)_ /¯

    NOTES SECTION: NOTES SECTION: NOTES SECTION:

    You might also like