
Web App Pentesting

Recon

Last updated 4 years ago

Discover IP Space

Finding ASNs

The screenshot shows the domains and their respective IP addresses hypothetically in scope.

whois

We can use the whois command against Team Cymru's IP-to-ASN service to find the ASN and the announced prefix (in CIDR notation) for tesla.com (the actual domain):

whois -h whois.cymru.com $(dig +short tesla.com)

The dig inside the command substitution resolves tesla.com to its address(es), and the whois query then maps each address to the ASN and BGP prefix it is announced from. Check the dig output first: +short can return several addresses, and for a CNAME it prints the alias target as well as the A records.

We need to be wary that the ASN belongs to whoever announces the prefix. For hosts on a VPS or cloud provider (DigitalOcean, AWS, etc.) we get the provider's ASN, not the target's, and that range is the provider's address space rather than the target's attack surface.

Finding subdomains in ASNs using amass

amass intel -org tesla

This command returns the ASN(s) registered to the organisation. We can then run intel again with the ASN specified, which returns the domain names amass can find in that address range (reverse DNS, certificates and so on), not necessarily every subdomain that exists:

amass intel -asn 394161
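To make the VPS/cloud caveat mechanical, here is an added example (not from the original page, amass or Team Cymru) that reads Team Cymru's bulk whois output and separates prefixes announced by the target's own ASN from those announced by hosting providers. The bulk query command in the comment is Team Cymru's documented netcat interface; the sample lines, the AWS row and the provider name list are constructed for the example, and only ASN 394161 comes from the page.

```shell
#!/usr/bin/env bash
# Added example: classify Team Cymru whois output so a provider's ASN
# (AWS, DigitalOcean, ...) is not mistaken for the target's own range.
# Live input would come from the bulk interface, e.g.:
#   { echo begin; echo verbose; dig +short tesla.com; echo end; } | nc whois.cymru.com 43
# The sample below is constructed for an offline run: ASN 394161 is the one
# named on this page; the AWS row, IPs and dates are assumed values.

# AS names that mean "not the target's own address space". This list is an
# assumption; extend it for your engagement.
HOSTING_RE='AMAZON|DIGITALOCEAN|GOOGLE|MICROSOFT|CLOUDFLARE|AKAMAI|FASTLY|LINODE|OVH|HETZNER'

# Read Cymru verbose lines on stdin:
#   AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
# Emit unique "ASN PREFIX OWN|HOSTING ASNAME" lines, sorted by ASN.
classify_cymru() {
  awk -F'|' -v re="$HOSTING_RE" '
    /^AS[ \t]*\|/ || /^Bulk mode/ || NF < 7 { next }   # skip header/banner
    {
      asn = $1; prefix = $3; name = $7
      gsub(/^[ \t]+|[ \t]+$/, "", asn)
      gsub(/^[ \t]+|[ \t]+$/, "", prefix)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (asn == "NA") next                            # unrouted / private address
      kind = (toupper(name) ~ re) ? "HOSTING" : "OWN"
      key = asn " " prefix
      if (!(key in seen)) { seen[key] = 1; print asn, prefix, kind, name }
    }' | sort -n
}

# Only the prefixes that plausibly belong to the target (non-hosting ASNs),
# ready to feed into masscan or amass intel -cidr.
own_prefixes() { classify_cymru | awk '$3 == "OWN" { print $2 }'; }

# Constructed sample of Cymru bulk output (two addresses in Tesla's range,
# one behind AWS, one private address that Cymru cannot map).
SAMPLE_CYMRU=$(cat <<'EOF'
Bulk mode; whois.cymru.com [2024-01-01 00:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
394161  | 199.66.9.47      | 199.66.8.0/22       | US | arin     | 2015-01-26 | TESLA, US
394161  | 199.66.9.48      | 199.66.8.0/22       | US | arin     | 2015-01-26 | TESLA, US
16509   | 52.94.236.248    | 52.94.236.0/22      | US | arin     | 2015-09-02 | AMAZON-02, US
NA      | 10.0.0.1         | NA                  | NA | NA       | NA         | NA
EOF
)

printf '%s\n' "$SAMPLE_CYMRU" | classify_cymru
```

The HOSTING rows are still useful (they tell you which services the target runs on whose cloud), but only the OWN prefixes are candidates for range-wide scanning.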

ARIN & RIPE

Shodan

Shodan may bring in some false positives since it will show every organization with "Tesla" in its name.

TLDs, Acquisitions & Relations

The diagram above (from BugCrowd University) shows how to find a company's other brands and top-level domains.

The first thing we can do is look for acquisitions, since they can carry attack surface that few other people have looked at. Keeping an eye on acquisitions is worthwhile, but on bug bounty programs they are usually not in scope until about six months after the deal, so check the program's scope rules before testing them.

After that we can look at related domains: domains can be linked through shared analytics IDs, WHOIS registrant details, Google dorks and similar signals.

Acquisitions

Wikipedia

We can search for Tesla, Inc. on Wikipedia and look at its subsidiaries.

Crunchbase

If the scope is open, all of these acquisitions are in play, which increases the attack surface significantly.

Owler

AcquiredBy

Related

ReverseWhois

We can perform a reverse whois with amass: -d specifies the domain we want to search for, and the -whois flag tells intel to do a reverse whois lookup.

amass intel -d tesla.com -whois

In the screenshot, the domains highlighted in green are the ones related to tesla.com.

BuiltWith

Google Dorks

This won't increase the attack surface, but it shows us other places that hold information about the company, including sources the company itself acknowledges.

Subdomain Enumeration

These tools return many of the same subdomains, so we need to merge and clean the results at the end.

Amass Enum

amass enum -d teslamotors.com

Findomain

./findomain-linux -t teslamotors.com

crtsh script

python3 crtsh_enum.py teslamotors.com

Assetfinder

./assetfinder --subs-only teslamotors.com

subbrute.py

HTTPROBE

Probe for live targets

httprobe -c 100 < results.txt > alive.txt

httprobe prints one http:// or https:// URL per host that answered, so alive.txt is a list of URLs rather than bare hostnames.
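An added example, not part of the original page, of that cleanup step: it normalizes the concatenated tool output and keeps only hosts under the apex domains you pass in, so look-alike domains pulled from certificate transparency never reach httprobe. The sample hostnames are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): merge the raw output of several
# subdomain tools into one clean, in-scope list for httprobe.
# Live usage would be:
#   cat amass.txt findomain.txt crtsh.txt assetfinder.txt \
#     | normalize_hosts | in_scope teslamotors.com tesla.com > results.txt
#   httprobe -c 100 < results.txt > alive.txt
# The sample below is constructed so the script runs offline.

# Lowercase, strip URL schemes/ports/paths, trailing dots and "*." wildcard
# labels, keep only syntactically valid hostnames (labels with underscores,
# e.g. _dmarc, are dropped), and dedupe.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -E 's#^[a-z]+://##; s#[/:].*$##; s/\.$//; s/^\*\.//' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | sort -u
}

# Keep only hosts equal to, or ending in ".", one of the apex domains given
# as arguments. Anchored so teslamotors.com.evil.example and
# evilteslamotors.com do not slip through.
in_scope() {
  [ $# -gt 0 ] || { echo "usage: in_scope apex [apex...]" >&2; return 2; }
  re=''
  for apex in "$@"; do
    esc=$(printf '%s' "$apex" | sed 's/\./\\./g')
    re="${re:+$re|}(^|\\.)$esc\$"
  done
  grep -E "$re"
}

# Constructed sample of concatenated tool output: overlaps, case differences,
# a wildcard, a URL, a trailing dot and two out-of-scope look-alikes.
SAMPLE_TOOL_OUTPUT=$(cat <<'EOF'
www.teslamotors.com
WWW.teslamotors.com
*.shop.teslamotors.com
https://www.teslamotors.com/
api.teslamotors.com.
teslamotors.com.evil.example
evilteslamotors.com
mail.tesla.com
EOF
)

printf '%s\n' "$SAMPLE_TOOL_OUTPUT" | normalize_hosts | in_scope teslamotors.com tesla.com
```

Run with only the apex domains the program lists as in scope; everything else is discarded before any packet is sent.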

Fingerprinting

Wappalyzer

whatweb

Masscan & Nmap

Find Ports

sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000

Scan those ports

sudo nmap -sV -p <ports from masscan> tesla.com

WayBack Enumeration

Content Discovery

Gobuster

otxurls

waybackurls

Links

https://bgp.he.net/
https://www.crunchbase.com/
BugCrowd University diagram
RIPE Network Coordination Centre: Webupdates
Whois-RWS (ARIN)
BuiltWith
AcquiredBy: Definitive list of bootstrapped acquisitions
https://www.owler.com/company/www.owler.com
Wayback Machine