Differences

This shows you the differences between two versions of the page.

--- tbhm:02_discovery [2026/05/14 09:18] – TBHM import drew
+++ tbhm:02_discovery [2026/05/14 10:11] (current) – merge bbc ch5 recon techniques drew
@@ Line 1: / Line 1: @@
-# Discovery
+====== Discovery ======
-## Find the road less traveled
+===== Find the road less traveled =====
-This means find the application (or parts of an application) less tested. In wide scoped projects the flagship application will most likely be heavily assessed.
+This means find the application (or parts of an application) less tested. In wide scoped projects the flagship application will most liekly be heavily assessed.
-- ^.acme.com scope is your friend
+  * ^.acme.com scope is your friend
-- Find domains via Google (and others!)
+  * Find domains via Google (and others!)
-  - Can be automated well via recon-ng and other tools.
+  * Can be automated well via recon-ng and other tools.
-- Port scan for obscure web servers or services (on all domains)
+  * Port scan for obscure web servers or services (on all domains)
-- Find acquisitions and the bounty acquisition rules
+  * Find acquisitions and the bounty acquisition rules
-  - Google has a 6 month rule
+  * Google has a 6 month rule
-- Functionality changes or re-designs
+  * Functionality changes or re-designs
-- Mobile websites
+  * Mobile websites
-- New mobile app versions
+  * New mobile app versions
-- Searching parent company by trademark or privacy policy
+  * Searching parent company by trademark or privacy policy
-## Tool: Recon-ng script (enumall.sh)
+===== Tool: Recon-ng script (enumall.sh) =====
 https://github.com/jhaddix/domain
-## LMGTFY: Let Me GOOGLE That For You
+===== LMGTFY: Let Me GOOGLE That For You =====
 site:paypal.com -www.paypal.com -www.sandbox
-## List of Mergers and Acquisitions:
+===== List of Mergers and Acquisitions: =====
 https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook
-## Port Scanning
+===== Port Scanning =====
 Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win:
-- separate webapps
+  * separate webapps
-- extraneous services
+  * extraneous services
-- Facebook had Jenkins Script console with no auth
+  * Facebook had Jenkins Script console with no auth
-- IIS.net had rdp open vulnerable to MS12_020
+  * IIS.net had rdp open vulnerable to MS12_020
-```
+''nmap -sS -A -PN -p- --script=http-title dontscanme.bro''
-nmap -sS -A -PN -p- --script=http-title dontscanme.bro
-```
 (syn scan, OS + service fingerprint, no ping, all ports, http titles)
+===== Zseano Recon Pipeline =====
+<code bash>
+# Full subdomain pipeline
+amass enum -brute -active -d target.com -o amass.txt
+subfinder -d target.com >> amass.txt
+cat amass.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
+cat amass.txt | dnsgen - | httprobe >> online.txt
+cat online.txt | aquatone
+# Historical URLs
+gau target.com | sort -u > gau.txt
+waybackurls target.com | sort -u >> gau.txt
+</code>
+**Google dorks:**
+<code>
+site:target.com inurl:& -movies
+site:target.com ext:php | ext:aspx | ext:jsp | ext:bak | ext:xml
+</code>
+**GitHub/Shodan:** search ''"target.com"'' + ''api_key'', ''password'', ''secret''
+**Subdomain keywords to prioritize:** ''dev'', ''qa'', ''staging'', ''admin'', ''internal'', ''api''
+  * [[zseano:recon|Full Zseano Recon Guide]]
+====== BBC Ch 5: Recon -- Expanded Techniques ======
+//Merged from Bug Bounty Bootcamp Ch 5 by Vickie Li//
+===== Manually Walking the Application =====
+Before any tools, manually browse every feature:
+  * Click every link, use every function (payments, uploads, events, admin)
+  * Create accounts at every privilege level
+  * Note all data entry points -- these are your attack surface
+===== Google Dorking =====
+| Operator | Example | Use |
+|---|---|---|
+| `site:` | `site:*.example.com` | All subdomains |
+| `inurl:` | `inurl:app/kibana` | URL pattern |
+| `intitle:` | `intitle:"index of"` | Directory listings |
+| `filetype:` | `filetype:log` | File extension |
+| `-` | `"how to hack" -php` | Exclude term |
+<code>
+site:s3.amazonaws.com COMPANY_NAME
+site:example.com ext:php
+site:example.com ext:txt password
+site:example.com inurl:app/kibana
+</code>
+Check the **Google Hacking Database (GHDB)** at exploit-db.com/google-hacking-database for community-built dorks.
+===== WHOIS, IPs, and ASNs =====
+<code>
+whois facebook.com                          # registrant info
+nslookup facebook.com                       # domain to IP
+whois 157.240.2.35                          # IP ownership + NetRange
+whois -h whois.cymru.com 157.240.2.35       # IP to ASN
+</code>
+If the org has a dedicated ASN (own IP block), all IPs in the range belong to them.
+**Reverse WHOIS:** search ViewDNS.info by org name/email to find all domains owned by the same entity.
+===== Certificate Parsing =====
+<code>
+curl "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value'
+</code>
+Returns all hostnames in the cert's Subject Alternative Name field -- reveals subdomains across all services.
+===== Subdomain Enumeration =====
+<code>
+sublist3r -d example.com
+gobuster dns -d example.com -w /path/to/wordlist.txt
+amass enum -d example.com
+sort -u wordlist1.txt wordlist2.txt > combined.txt
+</code>
+Pattern-based: if you find `1.example.com` and `3.example.com`, try `2.example.com`. Use **Altdns** to generate permutations automatically. Run enumeration recursively on discovered subdomains.
+===== Service and Port Enumeration =====
+<code>
+nmap example.com -sV               # open ports + version detection
+</code>
+Passive alternatives: **Shodan**, **Censys**, **Project Sonar** -- query without touching the target.
+Non-standard ports (8080, 8443, 3000, 8888) often host admin panels, dev services, or debug interfaces.
+===== Directory Brute-Forcing =====
+<code>
+./dirsearch.py -u example.com -e php
+gobuster dir -u https://example.com -w wordlist.txt
+</code>
+  * 200: accessible -- check the content
+  * 403: exists but protected -- attempt bypass (HTTP method, path normalization, header injection)
+  * 404: doesn't exist
+Screenshot all found pages with **EyeWitness** for fast visual triage.
+===== Spidering =====
+OWASP ZAP: Tools > Spider. Feed a starting URL; ZAP recursively visits all linked pages and builds a site map. Good for finding hidden endpoints not linked from the main nav.
+===== S3 Buckets =====
+<code>
+aws s3 ls s3://BUCKET_NAME/
+aws s3 cp s3://BUCKET_NAME/FILE /tmp/
+# Write test (clean up after):
+aws s3 cp testfile s3://BUCKET_NAME/
+aws s3 rm s3://BUCKET_NAME/testfile
+</code>
+Tools: **lazys3**, **GrayhatWarfare** (buckets.grayhatwarfare.com), **Bucket Stream**
+Exposed buckets can contain credentials, source code, logs, user data. Write access = critical severity.
+===== GitHub Recon =====
+<code>
+# Search code for secrets
+# GitHub code search: org:COMPANY_NAME password
+# or
+trufflehog git https://github.com/COMPANY/REPO
+gitrob analyze COMPANY_NAME
+</code>
+Look at:
+  * Issues and Commits sections for unresolved bugs and security patches
+  * Config files for credentials, bucket URLs, internal endpoints
+  * Outdated dependencies -- cross-reference with CVE database
+  * Blame and History for recently removed secrets
+Validate credentials: **KeyHacks** (github.com/streaak/keyhacks)
+===== OSINT =====
+  * **Job listings** -- reveal tech stack; "Experience with Flask, EC2, RDS" tells you exactly what they run
+  * **LinkedIn** -- employee skills = company tech; engineers' blogs and StackOverflow answers leak architecture details
+  * **Pastebin** -- search the org name; engineers sometimes paste source code or server logs
+  * **SlideShare** -- conference slides often reveal internal architecture
+  * **Wayback Machine** + **waybackurls** -- extract all archived URLs; find old endpoints and forgotten subdomains
+===== Tech Stack Fingerprinting =====
+<code>
+curl -I https://example.com
+# Server: Apache/2.0.6 (Ubuntu)
+# X-Powered-By: PHP/5.0.1
+# X-Generator: Drupal 8
+# Set-Cookie: PHPSESSID=...        <- PHP
+# Set-Cookie: JSESSIONID=...       <- Java/Tomcat
+</code>
+  * View source: search for "powered by", "built with", "running"
+  * File extensions in URLs: `.php`, `.asp`, `.cfm`, `.jsp`
+  * Directories: `/jinja2/` = Django, `/phpmyadmin/` = PHP+MySQL
+  * Browser extension: **Wappalyzer** | Website: **BuiltWith.com** | **StackShare.io**
+  * **Retire.js** for outdated JavaScript libraries
+Once you have the version, check CVE database (cve.mitre.org) for public exploits.
+===== Recon Bash Script =====
+<code bash>
+#!/bin/bash
+# ./recon.sh -m [nmap-only|dirsearch-only|crt-only] domain1 domain2
+PATH_TO_DIRSEARCH="/path/to/dirsearch"
+nmap_scan()      { nmap $DOMAIN > $DIRECTORY/nmap; }
+dirsearch_scan() { $PATH_TO_DIRSEARCH/dirsearch.py -u $DOMAIN -e php --simple-report=$DIRECTORY/dirsearch; }
+crt_scan()       { curl "https://crt.sh/?q=$DOMAIN&output=json" -o $DIRECTORY/crt; }
+while getopts "m:" OPTION; do
+    case $OPTION in
+        m) MODE=$OPTARG ;;
+    esac
+done
+for i in "${@:$OPTIND:$#}"; do
+    DOMAIN=$i
+    DIRECTORY=${DOMAIN}_recon
+    mkdir -p $DIRECTORY
+    case $MODE in
+        nmap-only)      nmap_scan ;;
+        dirsearch-only) dirsearch_scan ;;
+        crt-only)       crt_scan ;;
+        *)              nmap_scan; dirsearch_scan; crt_scan ;;
+    esac
+    TODAY=$(date)
+    echo "Scan: $DOMAIN -- $TODAY" > $DIRECTORY/report
+    [ -f $DIRECTORY/nmap ]      && grep -E "^\s*\S+\s+\S+\s+\S*$" $DIRECTORY/nmap >> $DIRECTORY/report
+    [ -f $DIRECTORY/dirsearch ] && cat $DIRECTORY/dirsearch >> $DIRECTORY/report
+    [ -f $DIRECTORY/crt ]       && jq -r '.[] | .name_value' $DIRECTORY/crt >> $DIRECTORY/report
+done
+</code>