Skip to content

Latest commit

 

History

History
88 lines (61 loc) · 3.55 KB

24. Web Application Enumeration - Revisited.md

File metadata and controls

88 lines (61 loc) · 3.55 KB

Web Application Enumeration, Revisited

Installing Go

To install Go. All we need to do is run pimpmykali with ./pimpmykali.sh, and select option 3.

Finding Subdomains with Assetfinder

  • Install Assetfinder: go install github.com/tomnomnom/assetfinder@latest
  • Find subdomains for a domain: assetfinder tesla.com
  • Save the output to a file: assetfinder tesla.com >> tesla-subs.txt
  • Check the number of subdomains found: cat tesla-subs.txt| wc -l gives 659
  • Find subdomains without the parent domain in the results: assetfinder --subs-only tesla.com

Automating the Filtering

  • Create a script file: gedit run.sh
  • Add the following script to run.sh:
#!/bin/bash

url=$1

if [ ! -d "$url" ];then
				mkdir $url
fi

if  [ ! -d "$url/recon" ];then
				mkdir $url/recon
fi

echo "[+] Harvesting subdomains with assetfinder...."
assetfinder $url >> $url/recon/assets.txt
cat $url/recon/assets.txt | grep $1 >> $url/recon/final.txt
rm $url/recon/assets.txt
  • Make the script executable: chmod +x run.sh
  • Run the script: ./run.sh tesla.com
  • Navigate to the results directory and view the final subdomain list: cd tesla.com/recon & nano final.txt

Finding Subdomains with Amass

Combining tools is a great way to ensure no subdomains are missed.

  • Install Amass: go install -v github.com/owasp-amass/amass/v4/...@master
  • Find subdomains for a domain: amass enum -d tesla.com (takes longer)
  • Update the run.sh script:
echo "[+] Harvesting subdomains with Amass...."
amass enum -d $url >> $url/recon/amass.txt
sort -u $url/recon/amass.txt >> $url/recon/final.txt
rm $url/recon/amass.txt

Finding Alive Domains with Httprobe

  • Install Httprobe: go install github.com/tomnomnom/httprobe@latest
  • Find alive subdomains for a domain: cat tesla.com/recon/final.txt | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443'
  • Update the run.sh script (see the final file):
echo "[+] Probing for alive domains...."
cat $url/recon/final.txt | sort -u | httprobe -s -p https:443  | sed 's/https\?:\/\///' | tr -d ':443' >> $url/recon/alive.txt
  • Run the script: ./run.sh tesla.com
  • Filter what interests you (e.g., dev, admin, test, stag): cat tesla.com/recon/alive.txt | grep dev

Screenshotting Websites with GoWitness

GoWitness is a tool that automates taking screenshots of websites. This is particularly useful as it saves you from manually copying the IP of every domain and pasting it into a browser to see what the site looks like.

  • Install GoWitness: go install github.com/sensepost/gowitness@latest
  • Take a simple screenshot: gowitness single https://www.google.com
  • Check the screenshot: cd screenshots, then ls. You should see a PNG screenshot of the website.

Automating the Enumeration Process

  • sumrecon: A tool designed to automate various aspects of recon.
  • TCM's Modified Script: This script enhances the automation process by adding functionality for subdomain takeover detection, open port scanning, and scraping wayback data for parameters and code files.

Additional Resources