Active Information Gathering

Active Infrastructure Identification

Active Subdomain Enumeration

ZoneTransfers

Link.

1. Identifying Nameservers

nslookup -type=NS zonetransfer.me

Perform the Zone transfer using -type=any and -query=AXFR parameters

2. Testing for ANY and AXFR Zone Transfer

nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja

Gobuster

export TARGET="facebook.com"

export NS="d.ns.facebook.com"

export WORDLIST="numbers.txt"

gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com

Virtual Hosts

FFUF

ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

/opt/useful/SecLists/Discovery/DNS/namelist.txt

Crawling

ZAP

FFUF

We can use ffuf to discover files and folders that we cannot spot by simply browsing the website. All we need to do is launch ffuf with a list of folders names and instruct it to look recursively through them.

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

Sensitive Information Disclosure

Last updated 9 months ago