Hacking programs
Tools
- Wordlists
- Spyhunt
- httpX
- feroxbuster
- Wappalyzer
- Snov.io
- ParamSpider
- Nuclei
Recon Methodology
Subdomain enumeration
python3 spyhunt.py -s DOMAIN --save subdomains.txt
Probe subdomains to find valid ones
python3 spyhunt.py -p subdomains.txt
Probe the live subdomains for status codes, web server / technology fingerprint and resolved IP
cat subdomains.txt | httpx -sc -td -ip
# look for hosts answering 200 or 302 (httpx -mc 200,302 keeps only those)
Start fuzzing subdomains that you find interesting
- Basics:
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -x 404,403,500,429,301,302
feroxbuster -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -C 404,403,429,400,401,405,302
feroxbuster -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -C 404,403,429,400,401,405,302
gobuster dir -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -b 403,404 -n
- For api endpoints:
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common-api-endpoints-mazen160.txt -x 404,403,500,429,301,302
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -x 404,403,500,429,301,302
- More info in dirsearch
- More info in Gobuster
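The two steps above (pick the 200/302 hosts out of the httpx output, then fuzz each one) are done by eye in the methodology. The script below is an added example, not part of the original page or of any of the listed tools: it parses the `httpx -sc -td -ip` line format into a triage list and turns that list into a feroxbuster queue. The httpx lines are a constructed sample, not real targets; run httpx with `-nc` (no colour) when you feed it into a parser like this so there are no ANSI escapes in the file.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): triage httpx output and
# build the fuzzing queue. Assumes httpx was run as
#   cat subdomains.txt | httpx -sc -td -ip -nc > probed.txt
# which prints lines of the form: URL [STATUS] [TECH,...] [IP]

set -euo pipefail

# Constructed sample of httpx -sc -td -ip output (not real hosts).
SAMPLE_PROBED='https://www.example.com [200] [Nginx,React] [93.184.216.34]
https://old.example.com [302] [Apache HTTP Server,PHP] [93.184.216.35]
https://dead.example.com [404] [Nginx] [93.184.216.36]
https://api.example.com [401] [Express] [93.184.216.37]
http://staging.example.com [200] [PHP,WordPress] [93.184.216.38]'

# triage_httpx: keep only hosts whose status code is in the wanted list
# (default 200,302 as in the methodology) and print "url status tech".
# The tech field is cut out of the whole line rather than taken as $3,
# because technology names such as "Apache HTTP Server" contain spaces.
triage_httpx() {
    local wanted="${1:-200,302}"
    awk -v wanted="$wanted" '
        BEGIN { n = split(wanted, w, ","); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        {
            code = $2; gsub(/[][]/, "", code)      # "[200]" -> "200"
            if (!(code in ok)) next
            tech = $0
            if (sub(/^[^ ]+ \[[0-9]+\] \[/, "", tech) == 0) {
                tech = "-"                          # no tech field printed
            } else {
                sub(/\].*$/, "", tech)              # drop "] [ip]" tail
            }
            print $1, code, tech
        }'
}

# fuzz_queue: one feroxbuster command per triaged host, so the
# "start fuzzing interesting subdomains" step can be scripted or
# reviewed before anything is sent. Wordlist path is an assumption.
fuzz_queue() {
    local wordlist="${1:-/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt}"
    while read -r url _code _tech; do
        printf 'feroxbuster -u %s -w %s -C 404,403,429,400,401,405,302\n' "$url" "$wordlist"
    done
}

# Example run on the constructed sample.
printf '%s\n' "$SAMPLE_PROBED" | triage_httpx
printf '%s\n' "$SAMPLE_PROBED" | triage_httpx | fuzz_queue
```

Pass a different code list as the first argument (`triage_httpx 401,403`) when you want the hosts that ask for auth instead; those are often the more interesting fuzzing targets than the ones that happily return 200.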
Use Nmap to find additional open ports on the host (full port range, version and default script scan; -Pn skips host discovery, -oN keeps a plain-text report)
nmap -sV -sC -p- --min-rate 5000 -T4 -Pn DOMAIN -oN scan.txt
# --min-rate 5000 / -T4 is fast but noisy; drop them when stealth matters
More commands in Nmap
Check web technologies with Wappalyzer and Snov.io
Open the target in the browser with the Wappalyzer extension to fingerprint the stack (server, frameworks, CMS), and use Snov.io for OSINT on the organisation (e-mail addresses and people)
Check the website for any user input (for injections)
paramspider -d DOMAIN
# Now run the saved URLs the program output through nuclei
nuclei -l /path/to/results/DOMAIN.txt -tags lfi,rfi,sqli
Extract Javascript files to find hidden endpoints
python3 spyhunt.py -j https://DOMAIN
Use The Wayback Machine and others to find old links that might be exposing endpoints
python3 spyhunt.py -w https://DOMAIN > old_endpoints.txt
For manual checks: more info in OSINT
Now you are able to check for basic vulnerabilities like information disclosure, any type of injections and more :D
Gather information with BurpSuite or ZAP
Search for anything interesting capturing requests
- More info on BurpSuite
- More info on ZAP