diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md index c19f72eb..f530b8fb 100644 --- a/Methodology and Resources/Subdomains Enumeration.md +++ b/Methodology and Resources/Subdomains Enumeration.md @@ -8,11 +8,12 @@ * GoogleDorks * EyeWitness * Sublist3r - * Aquatone * Subfinder + * Aquatone (Ruby and Go versions) * AltDNS * MassDNS * Subdomain take over + * tko-subs * HostileSubBruteForcer * SubOver @@ -33,6 +34,17 @@ git clone https://github.com/danielmiessler/SecLists.git knockpy domain.com -w subdomains-top1mil-110000.txt ``` +Using EyeWitness and Nmap scans from the KnockPy and enumall scans + +```bash +git clone https://github.com/ChrisTruncer/EyeWitness.git +./setup/setup.sh +./EyeWitness.py -f filename -t optionaltimeout --open (Optional) +./EyeWitness -f urls.txt --web +./EyeWitness -x urls.xml -t 8 --headless +./EyeWitness -f rdp.txt --rdp +``` + ### Using Google Dorks and Google Transparency Report You need to include subdomains ;) @@ -47,17 +59,6 @@ site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf site:*.*.domain.com ``` -### EyeWitness and Nmap scans from the KnockPy and enumall scans - -```bash -git clone https://github.com/ChrisTruncer/EyeWitness.git -./setup/setup.sh -./EyeWitness.py -f filename -t optionaltimeout --open (Optional) -./EyeWitness -f urls.txt --web -./EyeWitness -x urls.xml -t 8 --headless -./EyeWitness -f rdp.txt --rdp -``` - ### Using Sublist3r ```bash 
@@ -73,7 +74,18 @@ python sublist3r.py -e google,yahoo,virustotal -d example.com python sublist3r.py -b -d example.com ``` -### Using Aquatone +### Using Subfinder + +```powershell +go get github.com/subfinder/subfinder +./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' +./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" +./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET" +./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' +./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt +``` + +### Using Aquatone - old version (Ruby) ```powershell gem install aquatone @@ -102,15 +114,16 @@ docker pull txt3rob/aquatone-docker docker run -it txt3rob/aquatone-docker aq example.com ``` -### Using Subfinder +### Using Aquatone - new version (Go) ```powershell -go get github.com/subfinder/subfinder -./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' -./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" -./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET" -./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' -./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt +# Subfinder version +./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1 +cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 + +# Amass version +./Amass/amass -active -brute -o /tmp/hosts.txt -d $1 +cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 ``` ### Using AltDNS 
@@ -135,6 +148,13 @@ cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/res Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. +### Using tko-subs + +```powershell +go get github.com/anshumanbh/tko-subs +./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv +``` + ### Using HostileSubBruteForcer ```bash diff --git a/Open redirect/README.md b/Open redirect/README.md index 056968d6..d2d6512b 100644 --- a/Open redirect/README.md +++ b/Open redirect/README.md 
@@ -1,6 +1,6 @@ # Open URL Redirection -Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. +> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. ## Fuzzing @@ -57,6 +57,12 @@ Using null byte "%00" to bypass blacklist filter //google%00.com ``` +Using parameter pollution + +```powershell +?next=whitelisted.com&next=google.com +``` + Using "@" character, browser will redirect to anything after the "@" ```powershell 
@@ -88,8 +94,39 @@ XSS from javascript:// wrapper http://www.example.com/redirect.php?url=javascript:prompt(1) ``` +## Common injection parameters + +```powershell +/{payload} +?next={payload} +?url={payload} +?target={payload} +?rurl={payload} +?dest={payload} +?destination={payload} +?redir={payload} +?redirect_uri={payload} +?redirect_url={payload} +?redirect={payload} +/redirect/{payload} +/cgi-bin/redirect.cgi?{payload} +/out/{payload} +/out?{payload} +?view={payload} +/login?to={payload} +?image_url={payload} +?go={payload} +?return={payload} +?returnTo={payload} +?return_to={payload} +?checkout_url={payload} +?continue={payload} +?return_path={payload} +``` + ## Thanks to * filedescriptor * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) +* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
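Review bot: in the `@@ -33,6 +34,17 @@` hunk of `Subdomains Enumeration.md`, the relocated EyeWitness block has lost its `###` heading ("Using EyeWitness and Nmap scans from the KnockPy and enumall scans" is now a bare paragraph while every sibling tool gets a "### Using ..." heading), and the `bash` fence still contains a non-runnable line, `./EyeWitness.py -f filename -t optionaltimeout --open (Optional)`, plus a mix of `./EyeWitness.py` and `./EyeWitness` invocations. Suggest restoring the heading, dropping the pseudo-command or rewriting it as a comment (`# -t <timeout> and --open are optional`), using one executable name consistently, and either showing the Nmap step the heading promises or removing "and Nmap scans" from it.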
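Review bot: in the `@@ -73,7 +74,18 @@` hunk, the new Subfinder section is fenced as `powershell` although the commands are Go/Unix shell (`go get ...`, `./Subfinder/subfinder ...`), and the other blocks in this file use `bash`; the path is also inconsistent with the install line, since `go get github.com/subfinder/subfinder` places the binary under `$GOPATH/bin`, not in `./Subfinder/`. Suggest tagging the fence `bash` and either referencing `$GOPATH/bin/subfinder` or adding a `git clone` line that produces the `./Subfinder` directory the later commands assume.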
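Review bot: in the `@@ -102,15 +114,16 @@` hunk, the "Using Aquatone - new version (Go)" block uses the positional parameter `$1` in five places (`-d $1`, `/tmp/subresult$1`, `/tmp/aquatone$1`) with no surrounding script or explanation, so a reader pasting it interactively gets an empty domain and writes to `/tmp/subresult`. Suggest a leading `DOMAIN=example.com` (or a `#!/bin/bash` header and a sentence saying the snippet is a script taking the domain as its argument), and tagging the fence `bash` rather than `powershell` to match the rest of the file.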
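Review bot: in the `@@ -135,6 +148,13 @@` hunk, the tko-subs example references `./lists/domains_tkos.txt` and `./lists/providers-data.csv` without saying where they come from or what they contain, and `./bin/tko-subs` does not match the `go get` line above it (which does not create a `./bin` directory in the current folder). Suggest one sentence stating that `providers-data.csv` ships with the tko-subs repository and that `domains_tkos.txt` is the user's own list of candidate subdomains (one per line, e.g. the MassDNS output from the previous section), plus the `bash` fence tag used elsewhere.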
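Review bot: in the `@@ -1,6 +1,6 @@` hunk of `Open redirect/README.md`, turning the definition into a `>` blockquote signals that it is quoted text, but the quote has no attribution; the wording is that of the OWASP "Unvalidated Redirects and Forwards Cheat Sheet" already linked under "Thanks to". Suggest closing the quote with a source line (e.g. `> -- OWASP - Unvalidated Redirects and Forwards Cheat Sheet` with the existing link) so readers can tell the quoted definition from the repository's own text.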
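Review bot: in the `@@ -57,6 +57,12 @@` hunk, "Using parameter pollution" is the only subsection in this list that gives no hint of why the payload works; the surrounding entries each state the mechanism ("Using null byte ... to bypass blacklist filter", "Using '@' character, browser will redirect to anything after the '@'"). Suggest one clause in the same style, e.g. that the check and the redirect may read different occurrences of the duplicated `next` parameter, which also tells a defender what to test: that validation and redirection resolve the same value.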
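Review bot: in the `@@ -88,8 +94,39 @@` hunk, the new "Common injection parameters" block never explains the `{payload}` placeholder, and it mixes query-string forms (`?next={payload}`) with path forms (`/redirect/{payload}`, `/cgi-bin/redirect.cgi?{payload}`) under a `powershell` fence that fits neither. Suggest a lead-in sentence saying `{payload}` stands for any of the redirect payloads listed above, and a plain `text` (or untagged) fence, since nothing in the block is a shell command; the added Pentester Land reference is a good match for this list and could be cited in that sentence.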