Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Domain & Subdomain Enumeration
  • Subdomain Takeover

Was this helpful?

  1. Tools

DNS

PreviousOSINTNextWEB

Last updated 2 years ago

Was this helpful?

Domain & Subdomain Enumeration

: Take a list of domains and probe for working http and https servers.

go get -u github.com/tomnomnom/httprobe

â–¶ cat recon/example/domains.txt
example.com
example.edu
example.net
â–¶ cat recon/example/domains.txt | httprobe
http://example.com
http://example.net
http://example.edu
https://example.com
https://example.edu
https://example.net

: A simple shell script to display or notify the user via email about domain status and expiry date.

domain-check-2 -d google.com
domain-check-2 -f domain-list.txt

Output:

Domain                              Registrar                                      Status   Expires     Days Left
----------------------------------- ---------------------------------------------- -------- ----------- ---------
nixcraft.com                        GoDaddy.com, LLC                               Valid    10-may-2023   2022 
google.org                          MarkMonitor Inc.                               Valid    20-oct-2018   359  
google.net                          MarkMonitor Inc.                               Valid    15-mar-2018   140  
google.info                         MarkMonitor Inc.                               Valid    31-jul-2018   278  
cyberciti.biz                       GoDaddy.com, Inc.                              Valid    30-jun-2024   2439 
google.in                           MarkMonitor Inc. (R84-AFIN)                    Valid    14-Feb-2018   111  
google.co.in                        MarkMonitor Inc. (R84-AFIN)                    Valid    23-Jun-2018   240  
google.us                           MarkMonitor, Inc.                              Valid    18-apr-2018   174  
google.uk                           Markmonitor Inc.                               Valid    11-Jun-2018   228  
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
PS C:\Users\IEUser\Desktop > cat .\ips.txt | .\aquatone.exe -chrome-path "C:\Users\IEUser\Desktop\chrome-win\chrome.exe" -out "C:\Users\IEUser\Desktop\output\"
amass enum -d domain.org
amass intel -active -addr 192.168.x.x -p 80,443,8080"

Importing Amass Results into Maltego:

amass viz -maltego

Import the CSV file with the correct Connectivity Table settings:

VHostScan -t example.com --ssl
echo -e 'a.example.com\b.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
cat bank.htb | VHostScan -t 10.10.10.29
ruby scan.rb --ip=127.0.0.1 --host=domain
gobuster dns -d google.com -w ~/wordlists/subdomains.txt
resolver.txt
8.8.8.8
8.8.4.4
1.1.1.1

sudo pip3 install aiodnsbrute
aiodnsbrute yahoo.com -w /tmp/11m_sub_wordlist.txt -o csv -t 100000 -r resolver.txt
./sudomy -d localhost -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe  -aI webanalyze -sS
./sudomy -d localhost --bruteforce

Subdomain Takeover

subjack -w ~/tmp/subdomains.txt -c fingerprints.json -t 100 -timeout 30 -o results.txt -ssl
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
go get github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt
go run subover.go -l ~/Downloads/subdomains -v
tko-subs -domains ~/Downloads/subdomains.txt
massdns -r lists/resolvers.txt -t MX /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_MX.txt
massdns -r lists/resolvers.txt -t CNAME /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_CNAME.txt

Options:
[A, AAAA, PTR, CNAME, MX]

NtHiM -t https://example.example.com
NtHiM -f hostnames.txt

Interact.sh - an alternative to burp collaborator ;)

: Enumerate and check domains for Azure tenants.

: Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns.

: Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.

: Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. To use it on Windows OS, you shoud download this version of . Once downloaded, aquatone must be executed with full paths to take the screenshots:

: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

: A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 ().

: This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address.

: Gobuster is a tool used to brute-force: URIs, DNS subdomains, Virtual Host names and Open AWS S3 buckets.

: A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously.

: A subdomain enumeration tool to collect subdomains and analyzing domains performing advanced automated reconnaissance (framework). This tool can also be used for OSINT (Open-source intelligence) activities.

: Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.

All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testers.

: A Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.

: Subover is a Hostile Subdomain Takeover tool originally written in python but rewritten from scratch in Golang.

: Takeover by CNAME entry.

MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

: A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible. Also checks if the domain that a subdomain points to is expired.

A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible. Also checks if the domain that a subdomain points to is expired.

: puredns is a bash and python application that uses massdns to accurately perform DNS bruteforcing and mass resolving.

: Now, the Host is Mine! - Super Fast Sub-domain Takeover Detection!

: Shredos 64 bit for all Intel 64 bit processors as well as processors from AMD and other vendors which make compatible 64 bit chips. ShredOS - Secure disk erasure.

httprobe
domain-check-2
letItGo
altdns
Sublist3r
aquatone
chromium
amass
VHostScan
slidedeck
virtual-host-discovery
gobuster
aiodnsbrute
Sudomy
Legion
red_hawk:
subjack
SubOver
tko-subs
massdns:
autoSubTakeover
autoSubTakeover:
puredns
NtHiM
shredos.x86_64
LogoGitHub - GoVanguard/legion: Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.GitHub
LogoGitHub - Tuhinshubhra/RED_HAWK: All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testersGitHub
Logohttps://interact.projectdiscovery.io/#/
LogoGitHub - PartialVolume/shredos.x86_64: Shredos Disk Eraser 64 bit for all Intel 64 bit processors as well as processors from AMD and other vendors which make compatible 64 bit chips. ShredOS - Secure disk erasure/wipeGitHub