Written by Mostafa Tamam --> Red Team analyst || Bug Hunter
Connect with me:
Look at Program
- First, read the scope policy for this program
- Check site tools, versions, library, and what is website do, you should understand the service introduced by the website
- What CMS of the program (Version and Tools) It's important to note, however, CMS do much more than help manage the text and image content displayed on webpages.
Check CMS by :
- Finally in this step is learning tech you don't have, for example how to perform SQL injection without learning what is SQL query is, you should learn every service introduced by the website
Recon & Info Gathering
1. Perform Subdomain enumeration to your target, in my case gitlab.com is my target
This is a great tool to enumerate subdomains of websites using OSINT using many search engines such as Google, Yahoo, Bing, Baidu, and Ask.
$ python3 sublist3r.py -d gitlab.com -o /root/Desktop/subdomain
Subfinder also is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed.
$ subfinder -d gitlab.com -all -silent
DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line program coded purely in C with the ability to gather as much information as possible about a host.
$ dmitry -wnse gitlab.com -o /root/Desktop/dmitry
Also, you can check virustotal website to get more information about your target and get more subdomain details
nslookup is a web based DNS client that queries DNS records for a given domain name. It allows you to view all the DNS records for a website
$ nslookup gitlab.com
sslscan is a great tool to enumeration of server signature algorithms, scanSSLv2 and SSLv3 protocol
$ sslscan gitlab.com:80 > /root/Desktop/sslscan.txt $ sslscan gitlab.com:80:6061 > /root/Desktop/sslscan.txt $ sslscan gitlab.com:80:443 > /root/Desktop/sslscan.txt
4. Check open/closed/filtered ports & DNS record & OS version by
If you don't know about Nmap close this methodology and go to your bed
$ nmap -sC -sV -p- -A -oN /root/Desktop/nmap gitlab.com
This is an Internet-scale port scanner, It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
$ masscan 22.214.171.124 --ports 0-10000
RustScan is a modern take on the port scanner. Sleek & fast. All while providing extensive extendability to you.
$ rustscan -T 1500 -b 500 126.96.36.199 -A -sC
Nikto is a web server scanner to get some information that may be useful for you
$ nikto -h gitlab.com
5. Bruteforce directory to get more possible API endpoint don't forget to follow this rule more paths = more files, parameters -> more vulnerability
Gobuster is a tool used to brute-force: URIs (directories and files) in websites, DNS subdomains (with wildcard support), Virtual Host names on target web servers.
$ gobuster dir -u https://gitlab.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o /root/Desktop/endpoint -x php,txt,js
This tool is great, i usually use it to search paths,links
$ cat EndJS.txt|xargs -n2 [email protected] bash -c "echo -e '\n[URL]: @\n'; python3 linkfinder.py -i @ -o cli" >> Endpoint.txt
TheHarvester is a tool for gathering e-mail accounts and subdomain names from public sources
$ theharvester -d gitlab.com -l 500 -b google
same thing in gobuster
$ dirb https://gitlab.com -X php,js,txt
It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
6. Screenshotting for server IPs, DNS record, Error message
HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites. The goal is for it to be both thorough and fast which can sometimes oppose each other.
$ ./httpscreenshot.py -i \<gnmapFile\> -p -w 40 -a -vH
7. Using a recon-ng tool to enumerate and get more information about target
Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line, you enter a shell like environment where you can configure options, perform recon and output results to different report types.
- Check this article to know about this tool : https://hackertarget.com/recon-ng-tutorial/
I'm recommend this tool you can crawl useful Endpoints and we can also do BLH discovery.
$ python3 JSFinder.py -u https://gitlab.com -d -j -ou /root/Desktop/Endpoint
$ gau gitlab.com |grep -iE '\.js'|grep -ivE '\.json'|sort -u >> GitLabJS.txt
9. Check Google dorks and Github resource
This is a tool by using google dorks for advanced searching in google and other google applications to find security holes in the configuration and computer code that used in the websites
$ python3 do-search.py
Google Dork Hacking Databases --> Check the link below
10. Happy Hacking
URLs For Tools
- wappalyzer: https://www.wappalyzer.com
- what CMS: https://whatcms.org/
- Sublist3r: https://github.com/aboul3la/Sublist3r
- Subfinder: https://github.com/projectdiscovery/subfinder
- dmitry: https://github.com/jaygreig86/dmitry
- VirusTotal: https://www.virustotal.com/gui/home/search
- nslookup: --> apt install dnsutils
- sslscan: https://github.com/rbsec/sslscan
- nmap: https://github.com/nmap/nmap
- masscan: https://github.com/robertdavidgraham/masscan
- rustscan: https://github.com/RustScan/RustScan
- nikto: https://github.com/sullo/nikto
- Gobuster: https://github.com/OJ/gobuster
- LinkFinder: https://github.com/GerbenJavado/LinkFinder
- TheHarvester: https://github.com/laramies/theHarvester
- dirb: https://github.com/v0re/dirb
- Seclist: https://github.com/danielmiessler/SecLists
- HttpScreenShot: https://github.com/breenmachine/httpscreenshot
- recon-ng: https://github.com/lanmaster53/recon-ng
- gau: https://github.com/lc/gau
- GHDB: https://www.exploit-db.com/google-hacking-database
- https://www.triaxiomsecurity.com/our-external-penetration-testing-methodology/ External Penetration Testing Methodology
- https://www.triaxiomsecurity.com/our-internal-penetration-testing-methodology/ Internal Penetration Testing Methodology
- https://github.com/arch3rPro/PentestTools All Pentest tool
- https://github.com/swisskyrepo/PayloadsAllTheThings All Payload and Tech to find vulnerability