whois
- whois
dns
- digging dns
dig <domain> <type>        (A, AAAA, MX, NS, TXT, SOA ...; add @<nameserver> to ask a specific server)
dig -x <ip>                (dig takes a name, not an ip; -x does the reverse PTR lookup)
- subdomain bruteforcing
- dnsenum
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
- dnsenum
- dns zone transfers
- zone transfer domain
dig axfr @nsztm1.digi.ninja zonetransfer.me
- zone transfer ip
dig axfr inlanefreight.htb @10.129.63.9
- ask the authoritative server (dig ns <domain>); most servers refuse AXFR and dig then prints "Transfer failed."
- zone transfer domain
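Added example (my own, not from these notes or the HTB module): run the AXFR, tell a refused transfer from a real one, and turn the A records straight into /etc/hosts lines. SAMPLE_AXFR is constructed to look like dig axfr output for the placeholder zone inlanefreight.htb; the nameserver and addresses are not real targets.

```sh
# Network required: zone_transfer <nameserver-ip-or-name> <domain>
# Find the authoritative servers first with: dig ns <domain> +short
zone_transfer() {
    dig axfr "$2" "@$1" +nocomments +noquestion +nostats
}

# A refused AXFR prints "Transfer failed." and no records; a successful one
# is bracketed by the zone's SOA record. Argument: the captured dig output.
axfr_succeeded() {
    case "$1" in *"Transfer failed"*) return 1 ;; esac
    printf '%s\n' "$1" | awk '$4 == "SOA" { n++ } END { exit (n > 0 ? 0 : 1) }'
}

# Reads AXFR output on stdin; prints "<ip> <hostname>" for every A record,
# trailing dot stripped, first address per hostname kept, ready for /etc/hosts.
axfr_to_hosts() {
    awk '$1 !~ /^;/ && $4 == "A" {
            h = $1; sub(/\.$/, "", h)
            if (!seen[h]++) print $5, h
         }' | sort -u
}

# Constructed sample (not real dig output): dev.inlanefreight.htb appears twice
# on purpose to show the dedup.
SAMPLE_AXFR='inlanefreight.htb.      3600  IN  SOA  ns1.inlanefreight.htb. admin.inlanefreight.htb. 1 3600 900 604800 86400
inlanefreight.htb.      3600  IN  NS   ns1.inlanefreight.htb.
inlanefreight.htb.      3600  IN  A    10.129.63.9
ns1.inlanefreight.htb.  3600  IN  A    10.129.63.9
dev.inlanefreight.htb.  3600  IN  A    10.129.63.9
mail.inlanefreight.htb. 3600  IN  A    10.129.63.10
dev.inlanefreight.htb.  3600  IN  A    10.129.63.9
inlanefreight.htb.      3600  IN  SOA  ns1.inlanefreight.htb. admin.inlanefreight.htb. 1 3600 900 604800 86400'

printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts

# Live usage (uncomment on a real engagement):
# out="$(zone_transfer 10.129.63.9 inlanefreight.htb)"
# axfr_succeeded "$out" && printf '%s\n' "$out" | axfr_to_hosts | sudo tee -a /etc/hosts
```

The sample prints four lines, one per unique hostname; check the output before appending it to /etc/hosts, since a zone can contain names that point at addresses outside scope.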
- virtual hosts
- multiple applications on the same ip (one server, picked by the Host header)
- vhost fuzzing or hosts file to discover non-public subdomains
- types of vhost include name-based (selected by the http Host header), ip-based, port-based
- tools include gobuster, feroxbuster, ffuf
- gobuster
sudo gobuster vhost -u http://inlanefreight.htb:55676/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 --append-domain
- every miss returns the default vhost's response; a hit shows up as a different status or size
- PLEASE add the IP into /etc/hosts first!
sudo nano /etc/hosts
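Added example (my own, not from these notes): name-based vhost fuzzing by hand with curl, and the baseline comparison that turns the raw results into findings. The target ip, port and domain are placeholders; SAMPLE_RESULTS is constructed probe output so the filter can run offline (the probe itself needs the target to be reachable).

```sh
TARGET_IP="10.129.63.9"      # assumed: the ip you would otherwise put in /etc/hosts
TARGET_PORT="55676"
DOMAIN="inlanefreight.htb"

# One request per wordlist entry with the Host header set to <word>.<domain>
# (what --append-domain does). Prints "<vhost> <status> <bytes>".
# Network required; not used by the offline check below.
vhost_probe() {
    while read -r word; do
        [ -n "$word" ] || continue
        vhost="$word.$DOMAIN"
        curl -s -o /dev/null -H "Host: $vhost" \
             -w "$vhost %{http_code} %{size_download}\n" \
             "http://$TARGET_IP:$TARGET_PORT/"
    done < "$1"
}

# The default vhost answers every unknown Host the same way, so the most
# common "<status> <bytes>" pair is the baseline; anything else is a real
# vhost (or a rate limit) and deserves a look. ffuf -fs and gobuster vhost
# make the same comparison; this just makes the logic visible.
vhost_outliers() {
    awk '{ key = $2 " " $3; count[key]++; line[NR] = $0; k[NR] = key }
         END {
             max = 0
             for (c in count) if (count[c] > max) { max = count[c]; best = c }
             for (i = 1; i <= NR; i++) if (k[i] != best) print line[i]
         }'
}

# Constructed sample probe output (not real responses).
SAMPLE_RESULTS='www.inlanefreight.htb 200 10918
dev.inlanefreight.htb 200 10918
admin.inlanefreight.htb 302 0
mail.inlanefreight.htb 200 10918
vpn.inlanefreight.htb 200 10918
test.inlanefreight.htb 200 4521'

printf '%s\n' "$SAMPLE_RESULTS" | vhost_outliers

# Live usage:
# vhost_probe /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | vhost_outliers
```

Only admin and test survive the filter. The caveat is built in: a vhost whose response happens to match the baseline byte for byte stays hidden, so compare on status, size and, if needed, a body hash.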
- ct logs
- ct logs
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
- ct logs
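Added example (my own, not from these notes): the same crt.sh lookup without a jq dependency, handling the two things that trip people up in that JSON: one name_value can hold several names joined by a literal "\n", and wildcard entries carry a "*." prefix. SAMPLE_JSON is constructed, not real crt.sh output; example.com is the placeholder domain from the note above.

```sh
# Network required: crt_query <apex-domain>
crt_query() {
    curl -s "https://crt.sh/?q=%25.$1&output=json"
}

# Reads crt.sh JSON on stdin, prints unique lowercase hostnames that are the
# apex or end in ".<apex>"; names from other domains are dropped.
crt_names() {
    awk -v apex="$1" '
    {
        s = $0
        while (match(s, /"name_value":"[^"]*"/)) {
            v = substr(s, RSTART + 14, RLENGTH - 15)   # strip "name_value":" and the closing quote
            s = substr(s, RSTART + RLENGTH)
            n = split(v, names, /\\n/)                  # several names per certificate
            for (i = 1; i <= n; i++) {
                h = tolower(names[i]); sub(/^\*\./, "", h)   # *.dev.example.com -> dev.example.com
                if (h == apex || h ~ ("\\." apex "$")) print h
            }
        }
    }' | sort -u
}

# Constructed sample: two names in one record, a wildcard, a case variant and
# an out-of-scope name that only looks related.
SAMPLE_JSON='[{"issuer_name":"Example CA","name_value":"www.example.com\nexample.com","id":1},{"issuer_name":"Example CA","name_value":"*.dev.example.com","id":2},{"issuer_name":"Example CA","name_value":"WWW.Example.com","id":3},{"issuer_name":"Example CA","name_value":"example.com.evil.net","id":4}]'

printf '%s\n' "$SAMPLE_JSON" | crt_names example.com

# Live usage: crt_query example.com | crt_names example.com
```

The sample yields dev.example.com, example.com and www.example.com. Feed the list into the dns section above: CT logs only prove a certificate was issued, not that the name still resolves.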
fingerprinting
- fingerprinting
- waf
pip3 install git+https://github.com/EnableSecurity/wafw00f
wafw00f inlanefreight.com
- nikto scanner
sudo apt update && sudo apt install -y perl
git clone https://github.com/sullo/nikto
cd nikto/program
chmod +x ./nikto.pl
- nikto usage
nikto -h inlanefreight.com -Tuning b      (-Tuning b = software identification only, keeps the scan quiet)
- PLEASE add the IP into /etc/hosts first! (including subdomains)
sudo nano /etc/hosts
- waf
crawling
- crawling
- robots.txt
- .well-known uris
- creepy crawlies
- scrapy
pip3 install scrapy
- scrapy spider ReconSpider
wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
unzip ReconSpider.zip
- usage (results land in results.json)
python3 ReconSpider.py http://inlanefreight.com
- scrapy
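Added example (my own, not from these notes) for the robots.txt and .well-known bullets above: turn the Disallow/Allow/Sitemap lines into concrete URLs to visit, and list the well-known URIs worth a request. SAMPLE_ROBOTS is constructed; the base URL is a placeholder, and the well-known names are the ones from the IANA registry I reach for first.

```sh
BASE_URL="http://inlanefreight.com"   # assumed target

# Well-known URIs that often leak contact, auth or app-link details.
WELL_KNOWN="security.txt openid-configuration change-password assetlinks.json apple-app-site-association"

well_known_urls() {
    for p in $WELL_KNOWN; do printf '%s/.well-known/%s\n' "$1" "$p"; done
}

# Reads robots.txt on stdin. Comments, empty rules and the bare "/" (which
# only says "everything") are dropped; Sitemap entries are printed as-is and
# paths are prefixed with the base URL. Wildcard rules such as /api/* come
# through verbatim; they are hints to review, not URLs to fetch.
robots_urls() {
    awk -v base="$1" '
    {
        line = $0
        sub(/^[ \t]*#.*$/, "", line); sub(/[ \t]+#.*$/, "", line)
        idx = index(line, ":"); if (idx == 0) next
        key = tolower(substr(line, 1, idx - 1)); val = substr(line, idx + 1)
        gsub(/^[ \t]+/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "sitemap") { print val; next }
        if (key != "disallow" && key != "allow") next
        if (val == "" || val == "/") next
        if (val ~ /^https?:\/\//) print val; else print base val
    }' | sort -u
}

# Constructed sample robots.txt (not fetched from anywhere).
SAMPLE_ROBOTS='# constructed sample
User-agent: *
Disallow: /
Disallow: /admin/
Disallow:   /backup/old.zip  # left behind
Allow: /public/
Disallow:
Sitemap: https://inlanefreight.com/sitemap.xml
User-agent: Googlebot
Disallow: /private/'

printf '%s\n' "$SAMPLE_ROBOTS" | robots_urls "$BASE_URL"
well_known_urls "$BASE_URL"

# Live usage: curl -s "$BASE_URL/robots.txt" | robots_urls "$BASE_URL"
```

The sample gives five URLs (admin, the forgotten zip, private, public and the sitemap). Disallow entries are the interesting ones: they are exactly what the owner did not want indexed.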
search engine discovery
- search engine discovery
web archives
- web archives
- wayback machine
automating recon
- automating recon
skills assessment
- test
sudo sh -c 'echo "94.237.61.84 inlanefreight.htb web1337.inlanefreight.htb" >> /etc/hosts'
- web1337.inlanefreight.htb is on the same line so the ffuf target below resolves
- fuzz
ffuf -u http://web1337.inlanefreight.htb:46881/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt:FUZZ -e .html -v