Cybersecurity

User Tools

Site Tools

Trace: 03_how_internet_works
tbhm:02_discovery

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
tbhm:02_discovery [2026/05/14 09:59] – integrate zseano methodology drewtbhm:02_discovery [2026/05/14 10:11] (current) – merge bbc ch5 recon techniques drew
Line 65: Line 65:
  
   * [[zseano:recon|Full Zseano Recon Guide]]   * [[zseano:recon|Full Zseano Recon Guide]]
 +
 +
 +====== BBC Ch 5: Recon -- Expanded Techniques ======
 +
 +//Merged from Bug Bounty Bootcamp Ch 5 by Vickie Li//
 +
 +===== Manually Walking the Application =====
 +
 +Before any tools, manually browse every feature:
 +  * Click every link, use every function (payments, uploads, events, admin)
 +  * Create accounts at every privilege level
 +  * Note all data entry points -- these are your attack surface
 +
 +===== Google Dorking =====
 +
 +| Operator | Example | Use |
 +|---|---|---|
 +| `site:` | `site:*.example.com` | All subdomains |
 +| `inurl:` | `inurl:app/kibana` | URL pattern |
 +| `intitle:` | `intitle:"index of"` | Directory listings |
 +| `filetype:` | `filetype:log` | File extension |
 +| `-` | `"how to hack" -php` | Exclude term |
 +
 +<code>
 +site:s3.amazonaws.com COMPANY_NAME
 +site:example.com ext:php
 +site:example.com ext:txt password
 +site:example.com inurl:app/kibana
 +</code>
 +
 +Check the **Google Hacking Database (GHDB)** at exploit-db.com/google-hacking-database for community-built dorks.
 +
 +===== WHOIS, IPs, and ASNs =====
 +
 +<code>
 +whois facebook.com                          # registrant info
 +nslookup facebook.com                       # domain to IP
 +whois 157.240.2.35                          # IP ownership + NetRange
 +whois -h whois.cymru.com 157.240.2.35       # IP to ASN
 +</code>
 +
 +If the org has a dedicated ASN (own IP block), all IPs in the range belong to them.
 +
 +**Reverse WHOIS:** search ViewDNS.info by org name/email to find all domains owned by the same entity.
 +
 +===== Certificate Parsing =====
 +
 +<code>
 +curl "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value'
 +</code>
 +
 +Returns all hostnames in the cert's Subject Alternative Name field -- reveals subdomains across all services.
 +
 +===== Subdomain Enumeration =====
 +
 +<code>
 +sublist3r -d example.com
 +gobuster dns -d example.com -w /path/to/wordlist.txt
 +amass enum -d example.com
 +sort -u wordlist1.txt wordlist2.txt > combined.txt
 +</code>
 +
 +Pattern-based: if you find `1.example.com` and `3.example.com`, try `2.example.com`. Use **Altdns** to generate permutations automatically. Run enumeration recursively on discovered subdomains.
 +
 +===== Service and Port Enumeration =====
 +
 +<code>
 +nmap example.com -sV               # open ports + version detection
 +</code>
 +
 +Passive alternatives: **Shodan**, **Censys**, **Project Sonar** -- query without touching the target.
 +
 +Non-standard ports (8080, 8443, 3000, 8888) often host admin panels, dev services, or debug interfaces.
 +
 +===== Directory Brute-Forcing =====
 +
 +<code>
 +./dirsearch.py -u example.com -e php
 +gobuster dir -u https://example.com -w wordlist.txt
 +</code>
 +
 +  * 200: accessible -- check the content
 +  * 403: exists but protected -- attempt bypass (HTTP method, path normalization, header injection)
 +  * 404: doesn't exist
 +
 +Screenshot all found pages with **EyeWitness** for fast visual triage.
 +
 +===== Spidering =====
 +
 +OWASP ZAP: Tools > Spider. Feed a starting URL; ZAP recursively visits all linked pages and builds a site map. Good for finding hidden endpoints not linked from the main nav.
 +
 +===== S3 Buckets =====
 +
 +<code>
 +aws s3 ls s3://BUCKET_NAME/
 +aws s3 cp s3://BUCKET_NAME/FILE /tmp/
 +
 +# Write test (clean up after):
 +aws s3 cp testfile s3://BUCKET_NAME/
 +aws s3 rm s3://BUCKET_NAME/testfile
 +</code>
 +
 +Tools: **lazys3**, **GrayhatWarfare** (buckets.grayhatwarfare.com), **Bucket Stream**
 +
 +Exposed buckets can contain credentials, source code, logs, user data. Write access = critical severity.
 +
 +===== GitHub Recon =====
 +
 +<code>
 +# Search code for secrets
 +# GitHub code search: org:COMPANY_NAME password
 +# or
 +trufflehog git https://github.com/COMPANY/REPO
 +gitrob analyze COMPANY_NAME
 +</code>
 +
 +Look at:
 +  * Issues and Commits sections for unresolved bugs and security patches
 +  * Config files for credentials, bucket URLs, internal endpoints
 +  * Outdated dependencies -- cross-reference with CVE database
 +  * Blame and History for recently removed secrets
 +
 +Validate credentials: **KeyHacks** (github.com/streaak/keyhacks)
 +
 +===== OSINT =====
 +
 +  * **Job listings** -- reveal tech stack; "Experience with Flask, EC2, RDS" tells you exactly what they run
 +  * **LinkedIn** -- employee skills = company tech; engineers' blogs and StackOverflow answers leak architecture details
 +  * **Pastebin** -- search the org name; engineers sometimes paste source code or server logs
 +  * **SlideShare** -- conference slides often reveal internal architecture
 +  * **Wayback Machine** + **waybackurls** -- extract all archived URLs; find old endpoints and forgotten subdomains
 +
 +===== Tech Stack Fingerprinting =====
 +
 +<code>
 +curl -I https://example.com
 +# Server: Apache/2.0.6 (Ubuntu)
 +# X-Powered-By: PHP/5.0.1
 +# X-Generator: Drupal 8
 +# Set-Cookie: PHPSESSID=...        <- PHP
 +# Set-Cookie: JSESSIONID=...       <- Java/Tomcat
 +</code>
 +
 +  * View source: search for "powered by", "built with", "running"
 +  * File extensions in URLs: `.php`, `.asp`, `.cfm`, `.jsp`
 +  * Directories: `/jinja2/` = Django, `/phpmyadmin/` = PHP+MySQL
 +  * Browser extension: **Wappalyzer** | Website: **BuiltWith.com** | **StackShare.io**
 +  * **Retire.js** for outdated JavaScript libraries
 +
 +Once you have the version, check CVE database (cve.mitre.org) for public exploits.
 +
 +===== Recon Bash Script =====
 +
 +<code bash>
 +#!/bin/bash
 +# ./recon.sh -m [nmap-only|dirsearch-only|crt-only] domain1 domain2
 +
 +PATH_TO_DIRSEARCH="/path/to/dirsearch"
 +
 +nmap_scan()      { nmap $DOMAIN > $DIRECTORY/nmap; }
 +dirsearch_scan() { $PATH_TO_DIRSEARCH/dirsearch.py -u $DOMAIN -e php --simple-report=$DIRECTORY/dirsearch; }
 +crt_scan()       { curl "https://crt.sh/?q=$DOMAIN&output=json" -o $DIRECTORY/crt; }
 +
 +while getopts "m:" OPTION; do
 +    case $OPTION in
 +        m) MODE=$OPTARG ;;
 +    esac
 +done
 +
 +for i in "${@:$OPTIND:$#}"; do
 +    DOMAIN=$i
 +    DIRECTORY=${DOMAIN}_recon
 +    mkdir -p $DIRECTORY
 +
 +    case $MODE in
 +        nmap-only)      nmap_scan ;;
 +        dirsearch-only) dirsearch_scan ;;
 +        crt-only)       crt_scan ;;
 +        *)              nmap_scan; dirsearch_scan; crt_scan ;;
 +    esac
 +
 +    TODAY=$(date)
 +    echo "Scan: $DOMAIN -- $TODAY" > $DIRECTORY/report
 +    [ -f $DIRECTORY/nmap ]      && grep -E "^\s*\S+\s+\S+\s+\S*$" $DIRECTORY/nmap >> $DIRECTORY/report
 +    [ -f $DIRECTORY/dirsearch ] && cat $DIRECTORY/dirsearch >> $DIRECTORY/report
 +    [ -f $DIRECTORY/crt ]       && jq -r '.[] | .name_value' $DIRECTORY/crt >> $DIRECTORY/report
 +done
 +</code>
  
tbhm/02_discovery.txt · Last modified: by drew
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki