Reconnaissance Quick Reference Guide

Digital Dumpster Diving

GITHUB RECON EXAMPLES JAVASCRIPT FILE EXAMPLES

• “company.com” “dev”
• “dev.company.com”
• “company.com” API_key
• “company.com” password

For Further Information Visit: • “api.company.com” authorization

WWW.HACKERONE.COM | WWW.HACKER101.COM Tools

• gitrob • git-secrets
• git-all-secrets • repo-supervisor  Process
• truffleHog • Do it manually? Look for:
ADDITIONAL NOTES SECTION: • (hidden) • …and definitely
 endpoints more bugs
• Leaked cloud
instances
and their
secret_keys
DIGITAL DUMPSTER DIVING EXAMPLES

1 2

• Looked up the “umbrella” company name

• Combine “umbrella_company” + asset_name +

“password”, and found below code:
“server”: {
“host”: “dedXXXX.PATTERN.PROVIDER.com”,
“port”: 21,
“user”: “some_username”,
“password”: “definitely_ftp_passwords”
}

• Got access to umbrella_company’s FTP server →

$10,000 Bounty

NOTES SECTION: Recon Cheat Sheet

A Reference Guide for Our Newest Hackers

WWW.HACKERONE.COM
 Reconnaissance Quick Reference Guide

Asset Discovery OSINT Vendor Services

BRUTE FORCE Tools ACQUISITIONS AWS RECON PROCESS

Different permutations, • sublist3r
• Big programs (Facebook, Google, Verizon Media, etc.)
Different environment, e.g. • enumall
• Look for S3 buckets on Google (site:s3.
dashboard.dev.site.com vs • massdns • Acquired assets usually in scope after 6 months amazonaws.com + inurl:company_name) |
Find different dashboard-dev.site.com • altdns AWS instances (site:amazonaws.com -s3)
Brute force Brute force • brutesubs
environments (.dev,
domain again • dns-parallel-prober • Repeat on Github!
.corp, .stage, uat, etc.) WHOIS ← Automate
Google Dork: site.com • dnscan
 your work
+inurl:dev -cdn • knockpy
• tko-subs • ARIN (Canada, United States, some Caribbean nations) |
• HostileSubBruteforce RIPE NCC (Europe, Russia, Middle East, Central Asia) | Create aliases to cut down your work
APNIC (Asia-Pacific region) | LACNIC (Latin America,
CERTIFICATE TRANSPARENCY TOOLS some Caribbean nations) | AFRINIC (Africa) certspotter() { Automate the tasks you perform for each target
curl - s https: //certspotter.com/api/v0/certs\?domain\=$1 | jq ‘.
[].dns_names[]’ | sed ‘s/\”//g’ | sed ‘s/\*\.//g’ | sort -u | grep $1 >
• Search Yahoo, or any other large program. Shodan helps here, too
~/$1/$1.txt
Shodan Certspotter }
Censys Crt.sh
dirbruteforce() {
cd / tools / dirsearch
Look for SSL certificates:
Example: 443.https.
Search by hostname. Filter
for: Ports: 8443, 8080, etc |
Great API |
Easy to automate | Make a
Great API and web interface |
Allows using a wild card | You
Content Discovery cat~/$1/$1.txt |
while read line;
do python3 dirsearch.py - e. - u” https: //$line”; done
tls.certificate. parsed. Title: “Dashboard [Jenkins]” bash alias → Automate → Win may get different results from
}
extensions.subject_alt_name. | Product:Tomcat Hostname: differents sources CONTENT DISCOVERY PROCESS screenshot() {
somecorp.com | Org: evilcorp | python~/tools/webscreenshot / webscreenshot.py - o. / $1 / screenshots /
dns_names:snapchat.com
ssl: Google Tools }
-i~/$1/$1.txt--timeout = 10 - m

• dirbuster recon() {
Look for interesting Always keep certspotter $1
Screenshot open ports • gograbber
Port scan • Files an archive of dirbruteforce $1
(default: 80, 443)
• Directories your report • gobuster screenshot $1
CERTIFICATE TRANSPARENCY EXAMPLES • dirsearch
}

CONTENT DISCOVERY EXAMPLES AWS RECON EXAMPLES

Vulnerabilities found with Shodan Vulnerabilities found with Censys
1 2
Search Query: hostname:host.com port:15672 AUGUST 22, 2017

“Secure your jenkins • Nmap common ports (3868,3366,8443,8080,9443,

• You see an open port on 8443
instance or hackers 9091,3000,8000,5900,8081,6000,10000,8181,3306,
Search Query: hostname:host.com • Directory brute force 5000,4000,8888,5432,15672,9999,161,4044,7077,
will force you to!
title:Dashboard [Jenkins] • /admin/ returns 403 4040,9000,8089,443,7447,7080,8880,8983,5673,7443)
(Snapchat’s $5,000
• You brute force for more files/dirs on /admin/ • Take screenshots (webscreenshot.py)
vulnerability)”
• /admin/users.php returns 200 • Directory/File brute force
• Repeat on other domains, ports, folders, etc. • Robots.txt sometimes does this for you ¯\ _(ツ)_ /¯

NOTES SECTION: NOTES SECTION: NOTES SECTION: