Last modified: 2023-02-13
Basic reconnaissance flows.
We need to find the other companies owned by the target company.
An autonomous system number (ASN) is a collection of connected IP routing prefixes under the control of network operators. It is assigned to an autonomous system (AS) by the Internet Assigned Numbers Authority (IANA).
Border Gateway Protocol (BGP) is used to advertise routing policy to other ASes and routers.
We can also find IP ranges belonging to the ASN.
whois is used to look up the registration details of a domain (registrant, registrar and contact information).
Archived Web Pages
The Wayback Machine is an online tool that archives snapshots of many websites.
If you only need host discovery, run a ping scan (skip the port scan) by adding the "-sP" option. Note that "-sP" is the legacy name of this option; current Nmap releases call it "-sn", and "-sP" is kept as an alias.
# /24 - 255.255.255.0
nmap -sP <target-ip>/24 -T2
# /16 - 255.255.0.0
nmap -sP <target-ip>/16 -T2
# /8 - 255.0.0.0
nmap -sP <target-ip>/8 -T2
See Port Scan for details.
See also Subdomain Discovery, DNS Pentesting.
For example, input “site:facebook.com” in the search form. We should see a list of subdomains of facebook.com.
For example, input “facebook.com” in the search form of the URL section. We should see a list of subdomains of facebook.com in the “RELATIONS” section.
It allows an adversary to claim and take control of the victim's subdomain.
Nuclei is a vulnerability scanner driven by templates written in a simple YAML-based DSL.
You can search for exploits published in Exploit-DB by using "searchsploit".
If you find exploits matching the target's vulnerabilities, copy them to the current directory.
searchsploit -m windows/remote/42031.py
# or
searchsploit -m 42031
Exploit-DB is a database of exploits.
Find the exploit and download it. For example:
wget https://www.exploit-db.com/raw/42966 -O exploit.py
Convert the exploit code to UNIX line endings (Windows CRLF line endings break the interpreter's shebang line and can corrupt string literals).
dos2unix exploit.py
# Manual conversion (strip carriage returns)
sed -i 's/\r//' exploit.py