I shouldn't have to say this, but if you need to hear it, read it: don't mess with websites and devices you don't own. Using any of this information against systems you aren't authorized to test could get you into serious trouble, including jail time. Be safe, play safe.
On this page we're going to look at information I've gathered to help myself, and hopefully others, find information about a target you're working on for a bounty. All of this is just simple notes from HackTheBox Academy's Bug Bounty path; I urge you to take the full course - it's worth the $$.
What's great about this is that it's also a good set of resources for seeing what your own, or your company's, footprint looks like out there. Here's what we'll cover:
HIGH LEVEL RECON
WHOIS - exactly what it says: this tells us about the company and their registration on the internet (registrar, contacts, name servers and, for an IP, the netblock owner).
DNS - we'll look at a few tools to enumerate DNS-specific data that builds on the whois results and outlines the full width of the company's online presence.
CERTIFICATES - certificate data is public by design (Certificate Transparency logs and the certificate each host serves), so let's use it!
AUTOMATION TOOLS - this is where we do some "script kiddie" stuff: using pre-built tools that gather a ton of information we can keep as attack-surface data.
DIGGING INTO INFRASTRUCTURE
SITE LEVEL EXAMINATION - various tools, from response headers to WhatWeb and Aquatone, to help us figure out what the site is running.
HIGH LEVEL RECON
WHOIS
whois facebook.com
Organization: Meta Platforms, Inc
Location: 1601 Willow Rd, Menlo Park CA 94025
Domain Email: domain@fb.com
Phone number: 1-650-543-4800
Registrar: RegistrarSafe, LLC
Other Domains: fb.com
DNSSEC: unsigned
Name Servers: A.NS.FACEBOOK.COM
              B.NS.FACEBOOK.COM
              C.NS.FACEBOOK.COM
              D.NS.FACEBOOK.COM
Once we have IP addresses from the DNS work below, we can come back to whois and check who actually owns the netblocks those IPs sit in. A whois on an IP queries the regional registry (ARIN here) and returns the allocation and the organization it is assigned to, which confirms whether the infrastructure really belongs to the target or to a CDN or cloud provider that is out of scope.
whois 157.240.18.35
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
NetRange: 157.240.0.0 - 157.240.255.255
CIDR: 157.240.0.0/16
NetName: THEFA-3
NetHandle: NET-157-240-0-0-1
Parent: NET157 (NET-157-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Facebook, Inc. (THEFA-3)
RegDate: 2015-05-14
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/157.240.0.0
OrgName: Facebook, Inc.
OrgId: THEFA-3
Address: 1601 Willow Rd.
City: Menlo Park
StateProv: CA
PostalCode: 94025
Country: US
RegDate: 2004-08-11
Updated: 2012-04-17
Ref: https://rdap.arin.net/registry/entity/THEFA-3
OrgTechHandle: OPERA82-ARIN
OrgTechName: Operations
OrgTechPhone: +1-650-543-4800
OrgTechEmail: noc@fb.com
OrgTechRef: https://rdap.arin.net/registry/entity/OPERA82-ARIN
OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName: Operations
OrgAbusePhone: +1-650-543-4800
OrgAbuseEmail: noc@fb.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/OPERA82-ARIN
DNS
NSLOOKUP and DIG
nslookup facebook.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: facebook.com
Address: 157.240.249.35
Name: facebook.com
Address: 2a03:2880:f175:81:face:b00c:0:25de
Specify a name server to query with @[name server/IP]:
dig facebook.com @1.1.1.1
; <<>> DiG 9.18.1-1-Debian <<>> facebook.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A
;; ANSWER SECTION:
facebook.com. 5 IN A 157.240.249.35
;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Aug 09 20:45:48 EDT 2022
;; MSG SIZE rcvd: 57
IN = the Internet class. Almost every record you see will be class IN.
Querying A records for a subdomain
nslookup -query=A www.facebook.com
Non-authoritative answer:
www.facebook.com canonical name = star-mini.c10r.facebook.com.
Name: star-mini.c10r.facebook.com
Address: 157.240.249.35
or using dig:
dig a www.facebook.com @1.1.1.1
Querying PTR Records for an IP
A PTR record maps an IP address back to a hostname. 'Reverse' zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) are the zones that hold PTR records. Reverse lookups are a cheap way to learn the target's naming conventions and to confirm which IPs in a range belong to them.
nslookup -query=PTR 157.240.249.35
Non-authoritative answer:
35.249.240.157.in-addr.arpa name = edge-star-mini-shv-01-ord5.facebook.com.
Authoritative answers can be found from:
or with dig, specifying the DNS server to query:
dig -x 157.240.249.35 @1.1.1.1
Query ANY existing records
This may not work: RFC 8482 lets DNS operators answer ANY queries with a minimal response (typically a single synthetic HINFO record) for performance and abuse-prevention reasons, so many large providers no longer return the full set.
The plus side when it does work is that one ANY query shows which record types exist (TXT, A, MX, CAA, ...) so you know what to fingerprint further.
dig any google.com @8.8.8.8
; <<>> DiG 9.18.1-1-Debian <<>> any google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10774
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN ANY
;; ANSWER SECTION:
google.com. 300 IN A 142.251.33.174
google.com. 300 IN AAAA 2607:f8b0:400b:80c::200e
google.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 21600 IN CAA 0 issue "pki.goog"
google.com. 21600 IN NS ns3.google.com.
google.com. 3600 IN TXT "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com. 3600 IN TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com. 21600 IN NS ns4.google.com.
google.com. 21600 IN NS ns2.google.com.
google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 466305570 900 900 1800 60
google.com. 3600 IN TXT "atlassian-domain-verification=5YjTmWmjI92ewqkx2oXmBaD60Td9zWon9r6eakvHX6B77zzkFQto8PQ9QsKnbf4I"
google.com. 3600 IN TXT "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com. 21600 IN NS ns1.google.com.
google.com. 3600 IN TXT "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com. 3600 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com. 3600 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 3600 IN TXT "webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
google.com. 3600 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com. 300 IN MX 10 smtp.google.com.
google.com. 21600 IN HTTPS 1 . alpn="h2,h3"
google.com. 3600 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (TCP)
;; WHEN: Wed Aug 10 06:17:47 EDT 2022
;; MSG SIZE rcvd: 1046
or with nslookup:
nslookup -query=ANY $TARGET
Querying TXT records
nslookup -query=TXT facebook.com
Non-authoritative answer:
facebook.com text = "google-site-verification=A2WZWCNQHrGV_TWwKh6KHY90tY0SHZo_RnyMJoDaG0s"
facebook.com text = "google-site-verification=wdH5DTJTc9AYNwVunSVFeK0hYDGUIEOGb-RReU6pJlY"
facebook.com text = "v=spf1 redirect=_spf.facebook.com"
facebook.com text = "google-site-verification=sK6uY9x7eaMoEMfn3OILqwTFYgaNp4llmguKI-C3_iA"
Authoritative answers can be found from:
or with dig:
dig txt facebook.com @1.1.1.1
Querying MX records
nslookup -query=MX $TARGET
dig mx facebook.com @1.1.1.1
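The TXT records above are worth more than a glance: every third-party domain-verification token tells you a SaaS provider the company has onboarded (and therefore an account that can be targeted or misconfigured), and the SPF include/redirect targets tell you who sends mail on their behalf. As an added example, not from HTB Academy or the original notes, the Python below parses a dig ANSWER SECTION (a constructed sample taken from the google.com output above) and maps the tokens to providers. The token-to-provider table is my own mapping of well-known verification prefixes, not an authoritative list.

```python
"""Fingerprint SaaS providers from a domain's TXT records.

Added example for this page (not HTB Academy's code). It parses the
ANSWER SECTION of a `dig` run and maps domain-verification tokens and
SPF include/redirect targets to the providers they imply.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed sample input: a subset of the `dig any google.com` output above.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
google.com. 300 IN A 142.251.33.174
google.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 3600 IN TXT "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com. 3600 IN TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com. 3600 IN TXT "atlassian-domain-verification=5YjTmWmjI92ewqkx2oXmBaD60Td9zWon9r6eakvHX6B77zzkFQto8PQ9QsKnbf4I"
google.com. 3600 IN TXT "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com. 3600 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com. 3600 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 3600 IN TXT "webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
google.com. 300 IN MX 10 smtp.google.com.
;; Query time: 36 msec
"""

# Well-known verification-token prefixes -> provider (my own mapping; extend it as you meet new ones).
VERIFICATION_TOKENS = {
    "google-site-verification=": "Google (Search Console / Workspace)",
    "MS=": "Microsoft 365 / Entra ID",
    "apple-domain-verification=": "Apple Business Manager",
    "atlassian-domain-verification=": "Atlassian Cloud",
    "facebook-domain-verification=": "Meta Business",
    "docusign=": "DocuSign",
    "webexdomainverification": "Cisco Webex",
    "globalsign-smime-dv=": "GlobalSign S/MIME",
}


def parse_dig_answers(text):
    """Return the Records in the ANSWER SECTION of dig's output."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";"):          # any other ';;' line ends the section
            in_answer = False
            continue
        if in_answer and line.strip():
            # dig prints: name ttl class type rdata (rdata may contain spaces)
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append(Record(name.rstrip("."), int(ttl), rtype, rdata))
    return records


def txt_value(rdata):
    """Join the quoted character-strings of a TXT rdata into one string."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata


def fingerprint_txt(records):
    """Map TXT records to SaaS providers and SPF mail senders."""
    providers, spf_targets, unknown = set(), [], []
    for rec in records:
        if rec.rtype != "TXT":
            continue
        txt = txt_value(rec.rdata)
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                term = term.lstrip("+-~?")          # strip SPF qualifiers
                if term.startswith("include:"):
                    spf_targets.append(term[len("include:"):])
                elif term.startswith("redirect="):
                    spf_targets.append(term[len("redirect="):])
            continue
        for prefix, provider in VERIFICATION_TOKENS.items():
            if txt.startswith(prefix):
                providers.add(provider)
                break
        else:
            unknown.append(txt)                     # unrecognized token: worth a look
    return {"providers": sorted(providers),
            "spf_targets": spf_targets,
            "unknown": unknown}


if __name__ == "__main__":
    import json
    print(json.dumps(fingerprint_txt(parse_dig_answers(SAMPLE_DIG_OUTPUT)), indent=2))
```

Run it as `dig txt target.com @1.1.1.1 | python3 fingerprint_txt.py` after swapping the sample for `sys.stdin.read()`; anything that lands in "unknown" is a token you haven't catalogued yet, and each SPF target is another domain to recurse into.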
Using VirusTotal for subdomains
Search for the domain at https://www.virustotal.com/gui/home/search, then click on Relations to see the subdomains VirusTotal has seen for it (historical data, so some may no longer resolve).
Project Sonar
By far the most in-depth data I've seen come back. When running it on facebook.com I was able to see the subdomains for everything: Instagram, Facebook, Oculus, WhatsApp, etc. You'll want to write the output to a file (curl -o) rather than to the terminal. Note that sonar.omnisint.io is a third-party front end to Rapid7's Project Sonar dataset, not a Rapid7 service, so treat its availability as best-effort.
https://sonar.omnisint.io/subdomains/{domain} - All subdomains
https://sonar.omnisint.io/tlds/{domain} - All tlds found
https://sonar.omnisint.io/all/{domain} - All results across all tlds
https://sonar.omnisint.io/reverse/{ip} - Reverse DNS lookup on IP
https://sonar.omnisint.io/reverse/{ip}/{mask} - Reverse DNS lookup of a CIDR range
Your best bet here is curl. The response is a JSON array of names, so filter it with jq like this:
curl -s https://sonar.omnisint.io/subdomains/$TARGET | jq -r '.[]' | sort -u
With this much data we can start to look at how they name their hosts (e.g. numerically: host01, host02, ...), other TLDs they own, and the IP ranges they sit in.
NetCraft
Netcraft's site report (sitereport.netcraft.com) shows hosting history, netblock owner and server technology for a hostname.
Wayback Machine
Archived snapshots of the site for as long as it has been on the internet. Old snapshots can reveal components that were there back in the day (say a WordPress add-on) and endpoints that were never cleaned up and may still be reachable today.
Wayback URLS
GitHub - tomnomnom/waybackurls: fetches all the URLs the Wayback Machine knows about for a domain, a quick way to harvest old paths and parameters to test.
Certificates
Looking up public certificate data gives us domain and subdomain information too: every name in a certificate's Subject Alternative Name (SAN) list is a host the organization wanted a certificate for, whether or not it is still in DNS.
Make it curl (crt.sh's name_value field packs several SANs into one newline-separated string, which is why the jq output is piped through sort -u):
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > "${TARGET}_crt.sh.txt"
Using OpenSSL against the live host (the -servername flag sends SNI so a shared host hands back the certificate for the name you asked for, not its default one; the sed/tr pipeline splits the SAN list one name per line):
openssl s_client -ign_eof -servername "${TARGET}" -connect "${TARGET}:${PORT}" 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' | openssl x509 -noout -text -in - | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
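Both the crt.sh and Project Sonar one-liners above hand back a raw list that needs cleaning before it is useful: crt.sh packs several SANs into one name_value, wildcard entries (*.example.com) are not hosts, and a loose search can pull in names that merely contain the target string. As an added example (mine, not HTB Academy's, crt.sh's or Rapid7's code), the Python below normalizes a crt.sh JSON response and a Sonar-style array (both constructed samples for a fictional example.com) into a deduplicated, in-scope host list. It keeps wildcards aside so you know which labels to brute-force, and flags names that only ever appeared on expired certificates, since those are good candidates for forgotten hosts and dangling DNS.

```python
"""Normalize certificate-transparency and Sonar output into an in-scope host list.

Added example for this page (not HTB Academy's, crt.sh's or Rapid7's code).
"""
import json
from datetime import datetime, timezone

# Constructed sample mimicking crt.sh's `output=json` shape for a fictional target.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com", "not_after": "2099-01-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com", "not_after": "2099-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "old-vpn.example.com",
     "name_value": "OLD-VPN.example.com", "not_after": "2019-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.attacker.test",
     "name_value": "example.com.attacker.test", "not_after": "2099-01-01T00:00:00"},
])

# Constructed sample in the shape of sonar.omnisint.io/subdomains/{domain} (a JSON array of names).
SAMPLE_SONAR_JSON = json.dumps(
    ["api.example.com", "www.example.com", "Dev01.example.com", "dev02.example.com"])


def in_scope(host, apex):
    """True if host is the apex itself or a subdomain of it (label-aware, not a substring match)."""
    return host == apex or host.endswith("." + apex)


def normalize(name):
    return name.strip().lower().rstrip(".")


def hosts_from_crtsh(json_text, apex, now=None):
    """Return (hosts, wildcards, expired_only) from a crt.sh JSON response.

    expired_only holds names that appear solely on certificates already past not_after.
    """
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    seen_valid, seen_expired, wildcards = set(), set(), set()
    for entry in json.loads(json_text):
        expired = datetime.fromisoformat(entry["not_after"]) < now
        names = entry["name_value"].split("\n") + [entry["common_name"]]
        for raw in names:
            name = normalize(raw)
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]            # the base of a wildcard is still a real zone
            if not in_scope(name, apex):
                continue                   # substring hits like example.com.attacker.test
            (seen_expired if expired else seen_valid).add(name)
    return seen_valid | seen_expired, wildcards, seen_expired - seen_valid


def hosts_from_sonar(json_text, apex):
    """Scope-filter and normalize a plain JSON array of hostnames."""
    return {normalize(n) for n in json.loads(json_text) if in_scope(normalize(n), apex)}


if __name__ == "__main__":
    hosts, wild, stale = hosts_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    hosts |= hosts_from_sonar(SAMPLE_SONAR_JSON, "example.com")
    for h in sorted(hosts):
        print(h, "(expired certs only)" if h in stale else "")
    print("wildcards to brute-force under:", sorted(wild))
```

Feed the saved output of the curl commands to these functions instead of the samples; the resulting list is what you hand to the DNS resolution and Aquatone steps below.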
AUTOMATION TOOLS
TheHarvester
(emails, names, subdomains, IP addresses and URLs, pulled from public sources such as search engines and certificate logs)
Sublist3r
(subdomains via OSINT sources and, with -b, brute force)
python sublist3r.py -v -b -d githubapp.com
DIGGING INTO INFRASTRUCTURE
Reading Response Headers
There are lots of tools for this (Burp Suite, ZAP or cURL), so use your favorite, but what we're looking to do here is send a GET (or HEAD) request to the domain and read the response headers. What we're hoping to capture is the type of server (Apache, Nginx, etc.) plus anything else that leaks the stack, such as X-Powered-By or framework-specific session cookie names. Most sites hide a lot of this information, but it's always worth a go.
WhatWeb
A nice tool, but read the help file: the aggression level (-a) controls how many extra requests it sends, and the higher levels are noisy enough to trip an IDS.
Here we can see:
Country [UNITED STATES]
Plugins [HTML5]
Meta-Refresh-Redirect [/?_fb_noscript=1]
Password Fields [pass]
Script Language Type [application/ld+json,text/javascript]
Strict-Transport-Security [HSTS: forces HTTPS; check max-age and includeSubDomains]
UncommonHeaders [list of non-standard headers, often the most revealing line]
X-Frame-Options [allows or denies framing of the site, a clickjacking control]
X-XSS-Protection [legacy browser XSS-auditor header; modern browsers ignore it, so it says more about the site's age than its security]
After the first entry, it shows the headers for the redirect target with the same information.
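What WhatWeb prints in the lines above can be reproduced by hand from a single raw response, which is useful when you want the check in a script rather than in a tool. As an added example (mine, not HTB Academy's or WhatWeb's code), the Python below parses a constructed HTTP response of the kind `curl -i` or Burp shows you, pulls the technology hints out of banner headers and session-cookie names, and audits the security headers the WhatWeb annotations call out (HSTS strength, framing, the legacy X-XSS-Protection header) plus a few more a reviewer expects. The checklist of expected headers is my own.

```python
"""Fingerprint a server and audit security headers from a raw HTTP response.

Added example for this page (not HTB Academy's or WhatWeb's code): it does by
hand what `curl -I` plus a read of the WhatWeb output does, over a constructed
sample response.
"""
import re

# Constructed sample response, as captured by `curl -i` / Burp (not a real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers a reviewer expects on a production HTTPS site (my checklist, not WhatWeb's).
EXPECTED_SECURITY_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
]

# Header and cookie names that leak the technology stack.
TECH_HINTS = {
    "server": "web server banner",
    "x-powered-by": "application runtime",
    "x-aspnet-version": "ASP.NET version",
    "x-generator": "CMS / framework",
}
COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet",
                "asp.net_sessionid": "ASP.NET", "csrftoken": "Django"}


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {lowercase header: [values]})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def fingerprint(headers):
    """Collect technology hints from banner headers and session-cookie names."""
    hints = {}
    for h, label in TECH_HINTS.items():
        if h in headers:
            hints[label] = headers[h][0]
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip().lower()
        if cname in COOKIE_HINTS:
            hints["session cookie"] = f"{cname} ({COOKIE_HINTS[cname]})"
    return hints


def audit(headers):
    """Return a list of findings about missing or weak security headers."""
    findings = [f"missing {h}" for h in EXPECTED_SECURITY_HEADERS if h not in headers]
    hsts = headers.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < 31536000:      # one year is the usual floor
        findings.append(f"weak HSTS max-age={m.group(1)}")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if "x-xss-protection" in headers:
        findings.append("X-XSS-Protection present (legacy; ignored by modern browsers)")
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    for k, v in fingerprint(hdrs).items():
        print(f"  {k}: {v}")
    for f in audit(hdrs):
        print(f"  ! {f}")
```

The header names are lowercased on parse because HTTP header names are case-insensitive and servers are not consistent; the same function works on the output of `curl -si https://target/` if you read it from stdin instead of the sample.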
Wappalyzer
This is a browser extension that does much of what WhatWeb does, passively, from the pages you are already browsing.
Wafw00f
Fingerprints web application firewalls by sending probe requests and matching the responses against known WAF signatures. Knowing which WAF is in front of the site tells you which payload encodings and evasions to try later.
sudo apt install wafw00f -y
Aquatone
Automated visual inspection of websites across many hosts: it scans a list of configurable ports, visits each website with a headless Chrome browser, and takes a screenshot.
sudo apt install golang chromium-driver
Download a release from github.com/michenriksen/aquatone
Install it in a directory on your PATH or run it standalone with ./aquatone
Pipe it the list of domains/subdomains you have gathered (it reads hosts on stdin) and it reports open ports, successful connections, the response headers it gathered, and screenshots in an HTML report.
Next steps: DNS zone transfers to enumerate subdomains.