Enumerating an application plays an important role in penetration testing. In this step we gather more information about the target using various tools and methods. In this tutorial I will discuss some advanced tools that can help automate this task. All the tools mentioned in this article are open source and are available on GitHub.



1) Sublist3r

Let's start with enumerating sub-domains. Sub-domains can be enumerated using active and passive scans. Brute-forcing using a wordlist is a kind of active scanning, while enumerating using results from search engines and other online services is passive. Sublist3r is a passive scanning tool written in Python which uses open source intelligence (OSINT) to give us the results.

Sublist3r uses search engines like Google, Baidu and Yahoo, and also services like Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS to search for sub-domains. Sublist3r now ships with subbrute, an active scanner that enumerates sub-domains by brute-forcing.

Sublist3r currently supports Python versions 2 and 3. You have to install the required Python modules for it to work properly; check the GitHub repository for the setup instructions.

Clone Sublist3r using: git clone https://github.com/aboul3la/Sublist3r.git



2) GoBuster


GoBuster is a tool written in the Go programming language which can be used to brute-force directories, files and sub-domains. It uses a given wordlist to brute-force. Compared to other such brute-forcing tools, GoBuster is much faster.

In URI mode it will brute-force for files and directories, and in DNS mode it will brute-force for sub-domains.

Make sure you have Go installed!

A normal sample run goes like this:
 $ gobuster -m dns -w subdomains.txt -u samplesite.com  
 Gobuster v1.4.1       OJ Reeves (@TheColonial)  
 =====================================================  
 [+] Mode     : dns  
 [+] Url/Domain  : samplesite.com  
 [+] Threads   : 10  
 [+] Wordlist   : subdomains.txt  
 =====================================================  
 Found: m.samplesite.com  
 Found: admin.samplesite.com  
 Found: mobile.samplesite.com  
 Found: www.samplesite.com  
 Found: search.samplesite.com  
 Found: chrome.samplesite.com  
 Found: ns1.samplesite.com  
 Found: store.samplesite.com  
 Found: wap.samplesite.com  
 Found: support.samplesite.com  
 Found: directory.samplesite.com  
 Found: translate.samplesite.com  
 Found: news.samplesite.com  
 Found: music.samplesite.com  
 Found: mail.samplesite.com  
 Found: blog.samplesite.com  
 Found: cse.samplesite.com  
 Found: local.samplesite.com  
 =====================================================  

3) dirsearch

 

dirsearch is a command line tool made to brute-force directories and files. Compared to DirBuster from OWASP, dirsearch is faster and more feature-rich. The main features of dirsearch are:
  • Multithreaded
  • Keep alive connections
  • Support for multiple extensions (-e|--extensions asp,php)
  • Reporting (plain text, JSON)
  • Heuristically detects invalid web pages
  • Recursive brute forcing
  • HTTP proxy support
  • User agent randomization
  • Batch processing
  • Request delaying



4) webscreenshot

webscreenshot is a tool used to screenshot a list of websites. It is based on the url-to-image PhantomJS script. It is very useful when we have a big list of websites (say, the output of dirsearch and GoBuster) and we would otherwise have to visit each page to see what is behind the link. Given an input file containing all the links, webscreenshot will screenshot each of them and save the results as image files. This saves the effort of manually visiting every link: instead one can view the screenshots of all the given pages.

The easiest way to set up webscreenshot is with pip (the PyPI package is named webscreenshot):

pip install webscreenshot

 

5) Sn1per

Sn1per is a tool which combines the results from multiple open source information gathering tools to give us a complete recon report.

Features of Sn1per:
  • Collects basic recon (i.e. whois, ping, DNS, etc.)
  • Launches Google hacking queries against a target domain
  • Enumerates open ports via Nmap port scanning
  • Brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Checks for sub-domain hijacking
  • Runs targeted Nmap scripts against open ports
  • Runs targeted Metasploit scan and exploit modules
  • Scans all web applications for common vulnerabilities
  • Brute forces ALL open services
  • Tests for anonymous FTP access
  • Runs WPScan, Arachni and Nikto for all web services
  • Enumerates NFS shares
  • Tests for anonymous LDAP access
  • Enumerates SSL/TLS ciphers, protocols and vulnerabilities
  • Enumerates SNMP community strings, services and users
  • Lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  • Exploits vulnerable JBoss, Java RMI and Tomcat servers
  • Tests for open X11 servers
  • Auto-pwn added for Metasploitable, ShellShock, MS08-067, default Tomcat creds
  • Performs high level enumeration of multiple hosts and subnets
  • Integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Gathers screenshots of all web sites
  • Creates individual workspaces to store all scan output

6) aws_pwn & AWSBucketDump

aws_pwn and AWSBucketDump are tools used in Amazon S3 bucket penetration testing. These tools can be used to brute-force bucket names, and they also help in finding ACL configuration issues and thereby S3 bucket takeover.

The prerequisites of AWSBucketDump are:

Non-standard Python libraries:
  • xmltodict
  • requests
  • argparse

Usage:


 usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]  
 optional arguments:  
  -h, --help  show this help message and exit  
  -D      Download files. This requires significant diskspace  
  -d      If set to 1 or True, create directories for each host w/ results  
  -t THREADS  number of threads  
  -l HOSTLIST  
  -g GREPWORDS Provide a wordlist to grep for  
  -m MAXSIZE  Maximum file size to download.  
  python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1  

7) Aquatone

Aquatone is a set of tools which can enumerate sub-domains by different methods. After enumerating the list of sub-domains it will then scan the hosts for common web ports and HTTP headers.

Aquatone can perform both passive and active scans.
It can be installed with:

 $ gem install aquatone  

To enumerate the sub-domains of a given domain, you can fire up Aquatone with the command

 $ aquatone-discover --domain example.com  

where example.com is the website to be scanned.



8) 003Recon

003Recon is an easy-to-set-up tool which can be used to enumerate sub-domains of a given domain. After enumerating the sub-domains it will then scan for CRLF injection and CORS misconfiguration.
This tool can be used to automate scans for:

  1. Subdomain takeover vulnerabilities
  2. Open vulnerable ports
  3. CRLF injection
  4. Extraction of JavaScript files
  5. Whether the given website is a WordPress site, and if so, scanning it for vulnerabilities using WPScan
  6. Open redirects

9) git-all-secrets

git-all-secrets is a powerful tool which can be used to scan the Git repositories of an organization or a person for hidden passwords, access tokens etc. left in their code. Developers accidentally make such mistakes while uploading code to their repository, and many recent hacks were the result of such mistakes.

git-all-secrets is powered by two separate tools named truffleHog and RepoSupervisor.
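As an added illustration of the two techniques such scanners combine, here is a small scanner written for this article (not the code of git-all-secrets, truffleHog or RepoSupervisor): a regex rule for AWS access key ids, and a Shannon-entropy rule for long base64- or hex-looking strings. The source text is constructed (the key id is the placeholder from AWS documentation) and the 4.5/3.0 entropy thresholds are assumptions chosen for the demo; run something like this in a pre-commit hook to catch secrets before they ever reach the repository.

```python
import math
import re

# Constructed sample "source file": a leaked AWS access key id (the
# placeholder key from AWS documentation) and a high-entropy token, next to
# ordinary code that must not be flagged.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "k8Qf2ZpL9xVb4nRt7WcY1mHs6JdG3eUa0oBi5yNv"
DEFAULT_REGION = "eu-west-1"
def connect():
    return boto3.client("s3")
"""

# Pattern-based rule: AWS access key ids have a fixed prefix and length.
KEY_PATTERNS = {"aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b")}
# Entropy-based rule (the truffleHog idea): long base64/hex-looking strings
# whose Shannon entropy is close to the maximum for their alphabet.
B64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")
B64_THRESHOLD, HEX_THRESHOLD = 4.5, 3.0  # assumed thresholds for this demo

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    return -sum(
        (n / len(s)) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s))
    )

def scan_text(text):
    """Return (line_no, rule, match) for every candidate secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((line_no, rule, m.group(1)))
        for candidate in B64_RE.findall(line):
            if shannon_entropy(candidate) > B64_THRESHOLD:
                findings.append((line_no, "high-entropy-base64", candidate))
        for candidate in HEX_RE.findall(line):
            if shannon_entropy(candidate) > HEX_THRESHOLD:
                findings.append((line_no, "high-entropy-hex", candidate))
    return findings
```

The key id is caught by the pattern rule even though its entropy is below the base64 threshold, which is why real scanners run both kinds of rule.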


10) LinkFinder

LinkFinder is a tool which can be used to analyze JavaScript files. There are often many hidden links in JavaScript files. This tool will discover endpoints and their parameters from a given JavaScript file.

Usage:

 python linkfinder.py -i https://example.com/1.js -o results.html  
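The core of what LinkFinder does is a regex pass over the script text. The following is an added example written for this article (not LinkFinder's own code or its regex) that pulls quoted absolute URLs and relative paths out of a constructed JavaScript sample and splits each query string into its parameters, which is what you want when inventorying the endpoints your own front-end exposes.

```python
import re

# Constructed sample JavaScript with the kinds of strings LinkFinder reports:
# absolute URLs, root-relative and dot-relative paths, and query parameters.
SAMPLE_JS = """\
var API = "https://api.example.com/v1";
fetch(API + "/users/list?page=1&limit=50");
$.ajax({url: '/admin/export.php?format=csv', type: 'POST'});
img.src = "../static/img/logo.png";
var s = "not a path";
window.location = "//cdn.example.com/bundle.js";
"""

# A quoted string that is either a URL (absolute or protocol-relative) or a
# path starting with /, ./ or ../ is treated as a candidate endpoint.
ENDPOINT_RE = re.compile(r"""
  ["'`]
  (
      (?:https?:)?//[^"'`\s]+          # absolute or protocol-relative URL
    | \.{0,2}/[A-Za-z0-9_./?=&%-]+     # /path, ./path or ../path
  )
  ["'`]
""", re.VERBOSE)

def extract_endpoints(js):
    """Return a de-duplicated list of (path, {param: value}) in source order."""
    seen, results = set(), []
    for m in ENDPOINT_RE.finditer(js):
        endpoint = m.group(1)
        if endpoint in seen:
            continue
        seen.add(endpoint)
        path, _, query = endpoint.partition("?")
        params = dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&") if p)
        results.append((path, params))
    return results
```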
