Checklist Madyyelf

Table of Contents

1 Recon

1.1 Passive (OSINT)

1.1.1 ASN

  1. Run a whois lookup on the domain, take the registrant organisation and check that it matches the target company.
  2. Search that registrant name in Hurricane Electric's BGP toolkit (bgp.he.net) or, for resources registered in Europe, in the RIPE database, to obtain the ASNs and the prefixes they announce.
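The two ASN steps as a shell script, added here as an example; it is not part of the original checklist. The parsing targets the ICANN whois field `Registrant Organization:` and the `route:`/`route6:` objects that RADb returns for an origin ASN; the organisation name, AS64496 and the prefixes in the samples are constructed documentation values so the script runs offline. `registrant_org`, `registrant_matches` and `asn_prefixes` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original checklist): the ASN step as a script.
# whois(1) supplies the data; the parsers below are run on constructed samples.
set -eu

# Pull the registrant organisation out of whois output read from stdin.
# Field name follows the ICANN thick-whois format ("Registrant Organization:").
registrant_org() {
  awk 'tolower($0) ~ /^[ \t]*registrant organization:/ {
         sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit }'
}

# Step 1 of the checklist: does the registrant match the target company?
# Case-insensitive literal match, so "example corp" matches "EXAMPLE CORP, INC."
registrant_matches() {     # usage: registrant_matches "Example Corp" < whois.txt
  registrant_org | grep -qiF -- "$1"
}

# Step 2: turn the route/route6 objects RADb returns for an origin ASN into a
# sorted, deduplicated prefix list (IPv4 and IPv6).
asn_prefixes() {
  awk '/^route6?:/ { print $2 }' | LC_ALL=C sort -u
}

# Live usage (network):
#   whois example.com | registrant_org
#   whois -h whois.radb.net -- '-i origin AS64496' | asn_prefixes
# bgp.he.net gives the same data in a browser: search the organisation name,
# open the ASN and read its prefixes; RIPE-registered resources are also in
# the RIPE database.

# Constructed sample output, in the shape whois returns (documentation values).
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrant Organization: Example Corp
Registrant Country: US'

SAMPLE_RADB='route:      192.0.2.0/24
descr:      EXAMPLE-NET
origin:     AS64496
route:      198.51.100.0/24
origin:     AS64496
route6:     2001:db8::/32
origin:     AS64496'

printf '%s\n' "$SAMPLE_WHOIS" | registrant_org
printf '%s\n' "$SAMPLE_RADB" | asn_prefixes
```

If the registrant is a privacy proxy the first step gives nothing useful; the ASN search then has to start from the company name or from the IP of the main site instead.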

1.1.2 Subdomains

[ ] Amass (OWASP)
./amass enum -d <domain> -o <domains.log> / Active - ./amass enum -v -src -ip -brute -min-for-recursive 2 -d <target>
[ ] Sublist3r
python sublist3r.py -d <target> / Active - python sublist3r.py -v -b -d <target> -o <domains.log>
[ ] Subdomain takeover
Vulnerability where a subdomain still points (typically via CNAME) at a resource that no longer exists at the provider, so anyone who registers that resource serves content under the target's name.
[ ] SubZY
Tool for finding takeover candidates. subzy --targets <domain_list.txt>
[ ] AssetFinder
assetfinder <domain>

1.1.3 Google

[ ] Google Alerts
Create an alert for each domain so that any new page or feature gets reported.
[ ] Google Dorks
Search Google with the usual dorks (site:, filetype:, link:, the * wildcard, ...) looking for potentially vulnerable pages.

1.2 Active

  • [ ] Nmap
  • [ ] GoBuster: directory and file fuzzer. gobuster dir -u http://192.168.1.46:8000 -w /usr/share/wordlists/dirb/common.txt -x .php,.txt,.sh,.js,.html -o ~/ClimbingOS_goBuster.log

2 Web Hunting

  • [ ] Httprobe: checks which domains answer over HTTP/HTTPS. cat <domains.log> | httprobe > <webs.log>
  • [ ] Hakrawler: web crawler. while read url;do hakrawler -url "$url" -depth 5 -plain -scope subs -insecure >> <urls.log>; done < <webs.log>
  • [ ] Aquatone: screenshots the web pages. cat <urls.log> | aquatone
  • [ ] edFinder: endpoint discovery. python3 edFinder.py -f <urls.log> -o <endPoints.log>
  • [ ] Arjun: HTTP parameter discovery. python3 arjun.py --urls <urls.log> --get --stable -o <hidden_params.json>

2.1 XSS

  • [ ] XSSreflection: find parameters whose value is reflected in the response. python3 XSSreflection.py -f <endPoints.log> -o <reflected.log> -r True
  • [ ] XSSfinder: fire payloads at the reflected parameters. python3 XSSfinder.py -f <reflected.log> -o <xss.log> -m patataman -p <payloads.lst>
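How the reflection check works, as an added example written in shell rather than the checklist's XSSreflection.py: one request per parameter, each carrying a canary unique to that parameter, then a literal search for that canary in the response body. The function names (`probe_urls`, `is_reflected`, `reflect_url`), the canary format and the sample URL and body are assumptions of this example; `reflect_url` uses curl and needs network access, everything else runs offline.

```shell
#!/bin/sh
# Added example (not the checklist's XSSreflection.py): reflected-parameter
# discovery with one canary per query parameter. probe_urls and is_reflected
# are pure text processing; only reflect_url touches the network (curl).
set -eu

# Canary for a parameter: letters and digits only, so neither URL encoding nor
# HTML entity encoding changes it, and unique per parameter name so the copy
# that comes back tells you which parameter was reflected. CANARY_TAG is an
# assumed tag; set it per run so the value cannot be guessed from the script.
CANARY_TAG=${CANARY_TAG:-7q3}
canary() { printf 'cnry%s%s' "$1" "$CANARY_TAG"; }

# Print "<name>\t<probe url>" for every query parameter of $1: each probe URL
# carries that parameter's canary and leaves the other parameters unchanged.
probe_urls() {
  url=$1
  case $url in *\?*) ;; *) return 0 ;; esac        # no query string: nothing to probe
  base=${url%%\?*}
  query=${url#*\?}
  printf '%s\n' "$query" | awk -F'&' -v base="$base" -v tag="$CANARY_TAG" '
    {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "") continue
        out = ""
        for (j = 1; j <= NF; j++) {
          p = $j
          if (j == i) p = kv[1] "=cnry" kv[1] tag   # same format as canary()
          out = out (j > 1 ? "&" : "") p
        }
        print kv[1] "\t" base "?" out
      }
    }'
}

# Read a response body from stdin; exit 0 if the canary for parameter $1
# appears verbatim. -F: the canary is a literal, not a regex.
is_reflected() { grep -qF "$(canary "$1")"; }

# Live check: fetch every probe and print the parameters whose canary comes
# back. -k because staging hosts often have broken certificates, -m bounds the
# per-request time, -sS stays quiet except on errors.
reflect_url() {            # usage: reflect_url 'http://host/page?a=1&b=2'
  probe_urls "$1" | while IFS="$(printf '\t')" read -r name probe; do
    if curl -sSk -m 10 "$probe" | is_reflected "$name"; then
      printf 'reflected\t%s\t%s\n' "$name" "$probe"
    fi
  done
}

# Offline demonstration on a constructed URL and a constructed response body.
probe_urls 'http://t.example/search?q=1&id=2'
printf '<input name="q" value="%s">\n' "$(canary q)" | is_reflected q && echo 'q is reflected'
```

A reflected canary only says the value reaches the body unchanged; whether it lands in HTML text, an attribute or a script block decides which payloads XSSfinder needs, so keep the probe URL next to the parameter name as `reflect_url` does.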

2.2 SQLi

2.3 URL Redirect

3 Automation

3.1 Interlace

Implementation of the checklist as an Interlace command file. Interlace replaces _target_ with each target, a _blocker_ line waits for every command above it to finish before the commands below start, and the commands between a pair of _block:name_ lines run sequentially as one unit. outscope.cfg holds one out-of-scope host per line; note that the filter below is a substring match, so an entry such as mail.example.com also removes webmail.example.com.

mkdir -p ./_target_
_blocker_
python3 ~/einesBH/recon/osint/Sublist3r/sublist3r.py -b -v -d _target_ -o ./_target_/sublist3r.log
amass enum -d _target_ -o ./_target_/amass.log
_blocker_
_block:domains_
cat ./_target_/sublist3r.log ./_target_/amass.log | sort -u > ./_target_/domains.log
while read sub;do grep -v -F -- "$sub" ./_target_/domains.log > ./_target_/domains.tmp && mv ./_target_/domains.tmp ./_target_/domains.log; done < outscope.cfg
_block:domains_
_blocker_
_block:WEB_
cat ./_target_/domains.log | httprobe > ./_target_/webs.log
while read url;do hakrawler -url "$url" -depth 5 -plain -scope subs -insecure >> ./_target_/urls.tmp; done < ./_target_/webs.log
while read sub;do grep -v -F -- "$sub" ./_target_/urls.tmp > ./_target_/urls.filtered && mv ./_target_/urls.filtered ./_target_/urls.tmp; done < outscope.cfg
sort -u ./_target_/urls.tmp > ./_target_/urls.log
rm -f ./_target_/urls.tmp
_block:WEB_
_blocker_
cat ./_target_/urls.log | ~/einesBH/recon/osint/Aquatone/aquatone
python3 ~/desenvolupament/XSSFinder/edFinder.py -f ./_target_/urls.log -o ./_target_/end_points.log
python3 ~/einesBH/recon/Arjun/arjun.py --urls ./_target_/urls.log --get --stable -o ./_target_/hiddenParameters.log.json
_blocker_
cd ./_target_ && cat ./end_points.log | ~/einesBH/recon/osint/Aquatone/aquatone
_blocker_
_block:XSS_
python3 ~/desenvolupament/XSSFinder/XSSreflection.py -f ./_target_/end_points.log -o ./_target_/reflected.tmp
sort -u ./_target_/reflected.tmp > ./_target_/reflected.log
_block:XSS_
_block:SQLi_
_block:SQLi_
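The merge and scope-filter steps of the Interlace file above (and the subdomain enumeration of section 1.1.2) as a stand-alone shell script, added here as an example rather than taken from the original checklist. It keeps the checklist's file names (sublist3r.log, amass.log, outscope.cfg, domains.log); the hostnames in `demo` are constructed. Unlike a `grep -v` loop it excludes out-of-scope entries by exact host or parent-domain match, so excluding mail.example.com does not also drop webmail.example.com, and it normalises the tool output (case, trailing dot, wildcard prefix) before deduplicating.

```shell
#!/bin/sh
# Added example (not from the original checklist): merge the subdomain lists
# from the enumeration tools, normalise them and drop out-of-scope hosts by
# exact host or suffix match instead of a substring grep. Sample data in
# demo() is constructed.
set -eu

# One hostname per line: lowercase, strip a scheme, a leading "*." wildcard,
# a trailing dot and trailing whitespace, then drop blank lines.
normalise_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -e 's#^[a-z]*://##' -e 's/^\*\.//' -e 's/\.$//' -e 's/[[:space:]]*$//' \
    | grep -v '^$'
}

# Keep a host unless it is listed in the exclusion file or is a subdomain of
# a listed entry. "mail.example.com" in outscope.cfg removes mail.example.com
# and x.mail.example.com but keeps webmail.example.com.
filter_scope() {           # usage: filter_scope outscope.cfg < hosts
  awk -v exfile="$1" '
    BEGIN { while ((getline line < exfile) > 0) if (line != "") ex[tolower(line)] = 1 }
    {
      host = $0; keep = 1
      for (e in ex)
        if (host == e || substr(host, length(host) - length(e)) == "." e) keep = 0
      if (keep) print host
    }'
}

# Combine any number of tool outputs into one deduplicated, in-scope list.
merge_subdomains() {       # usage: merge_subdomains outscope.cfg out.log in1.log in2.log ...
  exclude_file=$1; out=$2; shift 2
  cat -- "$@" | normalise_hosts | filter_scope "$exclude_file" | LC_ALL=C sort -u > "$out"
}

# Constructed sample data in a temporary directory, so the script runs offline.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'www.example.com' 'Mail.example.com.' 'dev.example.com' > "$d/sublist3r.log"
  printf '%s\n' '*.example.com' 'webmail.example.com' 'x.mail.example.com' 'www.example.com' > "$d/amass.log"
  printf '%s\n' 'mail.example.com' > "$d/outscope.cfg"
  merge_subdomains "$d/outscope.cfg" "$d/domains.log" "$d/sublist3r.log" "$d/amass.log"
  cat "$d/domains.log"
  rm -rf "$d"
}

demo
```

In the Interlace file the equivalent is a single line per block: `merge_subdomains outscope.cfg ./_target_/domains.log ./_target_/sublist3r.log ./_target_/amass.log` with the functions sourced from a helper script, and the same `filter_scope` applied to urls.tmp after hakrawler.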

Author: Raul Gimenez Herrada

Created: 2020-08-09 Sun. 10:57
