Information Gathering&scanning for sensitive information[ Reloaded ]

Whois Lookup

whois target.tld
whois $domain | grep "Registrant Email" | egrep -ho "[[:graph:]]+@[[:graph:]]+"

Horizontal domain correlation/acquisitions

whois $domain | grep "Registrant Email" | egrep -ho "[[:graph:]]+@[[:graph:]]+"

Subdomain enumeration

Passive enumeration

agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36"
curl -s -A $agent "*.$domain&start=10" | grep -Po '((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+' | grep $domain | sort -u curl -s -A $agent "*.$domain&start=20" | grep -Po '((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+' | grep $domain | sort -u curl -s -A $agent "*.$domain&start=30" | grep -Po '((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+' | grep $domain | sort -u curl -s -A $agent "*.$domain&start=40" | grep -Po '((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+' | grep $domain | sort -u
shodan init your_api_key #set your api key on client 
shodan domain domain.tld
curl -s "" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
curl -s "" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
curl "" -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"
curl -s "" | jq .[].dns_names | tr -d '[]"\n ' | tr ',' '\n'
sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }' < <(openssl x509 -noout -text -in <(openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' \-connect ) ) | grep -Po '((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+'
wget Login into cloudflare "Add site" to your account Provide the target domain as a site you want to add# Wait for cloudflare to dig through DNS data and display the resultspython target.tld
go get -u #download the assetfinderassetfinder --subs-only domain.tld # enumerates the subdomain
download -d domain.tld --silent
download from [ ]  findomain -t target.tld -q

Active enumeration

cat passive-subs.txt perm.txt | sort -u | tee -a all-sub.txt
massdns -r resolvers.txt -t AAAA -w result.txt all-sub.txt
goaltdns -h -w all.txt | massdns -r resolvers.txt -t A -w results.txt -
nmap --script dns-brute --script-args,dns-brute.threads=6

ASN Lookup
whois -h

Target Visualize/Web-Screenshot

[download-eyewitness] ./EyeWitness -f subdomains.txt --web
[download-webscreenshot] pip3 install webscreenshot webscreenshot -i subdomains.txt

Crawling & Collecting Pagelinks

Javascript Files Crawling/Sensitive data extracting from js

gospider -s --js --quiet
echo | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
gau target.tld | grep "\\.js" | uniq | sort -u waybackurls targets.tld | grep "\\.js" | uniq | sort
cat subdomains | getJS --complete
[see-the-list] cat file.js | grep API_REGEX
cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u
cat file.js | ./extract.rb

Parameter discovery

[download-arjun] pip3 install arjun arjun -i subdomains.txt -m GET -oT param.txt #for multiple targetarjun -u -m GET -oT param.txt #for single target [-m ] parameter method 
[-oT] text format output # you can see more options on arjun -h

Subdomain Cname extraction

dig CNAME +short
cat subdomains.txt | xargs -P10 -n1 dig CNAME +short

Domain/Subdomain Version and technology detection

[install-wappalyzer] npm i -g wappalyzer 
wappalyzer #single domain
cat subdomain.txt | xargs -P1 -n1 wappalyzer | tee -a result

Sensitive information discovery

cat subdomains | xargs -P1 -n1 ffuf -w backup.txt -mc 200,403 -u 
site:target.tld ext:doc | ext:docx | ext:odt | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
site:target.tld intitle:index.of
site:target.tld ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:env html:"db_uname:" port:"80" http.status:200 # this will find us a asset of with db_uname: with it with staus response code 200http.html:/dana-na/"" # this will find us Pulse VPN with possible CVE-2019-11510html:"horde_login"""  # this will find us Horde Webamil with possible CVE 2018-19518We can Repet the second 2 process also with product filter Ex:product:"Pulse Secure"""http.html:"* The wp-config.php creation script uses this file" # this will find us open wp-config.php file with possible sensitive credential



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store