tbhm:03_mapping
Table of Contents
Mapping
Mapping Tips:
- Google
Smart Directory Brute Forcing
- RAFT lists (included in Seclists)
- SVN Digger (included in Seclists)
- Git Digger
- Platform Identification:
- Wapplyzer (Chrome)
- Builtwith (Chrome)
- retire.js (cmd-line or Burp)
- Check CVE's
- Auxiliary
- WPScan
- CMSmap
Directory Bruteforce Workflow
After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control.
Example:
GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce here now]
Mapping/Vuln Discovery using OSINT
Find previous/existing problem:
- Xssed.com
- Reddit XSS - /r/xss
- Punkspider
- xss.cx
- xssposed.org
- twitter searching
Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass
New Project: Maps
New OSINT/Mapping project
- 250+ bounty programs
- Crawl
- DNS info + bruteforce
- Bounty metadata (links, rewards, scope)
- API → Intrigue
Using the Maps Project: Crawling
Using + Ruby + Anemone + JSON + Grep
$cat test_target_json.txt | grep redirect https://test_target/redirect/?url=http://twitter.com https://test_target/redirect/?url=http://facebook.com/... https://test_target/redirect/?url=http://pinterest.com/...
New Tool: Intrigue
OSINT framework, simple to integrate. Features like:
- DNS Subdomain Brute force
- Web Spider
- Nmap Scan
- etc
tbhm/03_mapping.txt · Last modified: by drew