recon from my perspective and combining different methodlogies of security reasearchers such as jason haddix , nahamsec and more
Access playlist here : Recon Playlist
POCs playlist : Proof of concepts playlist
New playlists: AWS pentesting playlist
Increasing the target region:
site: *.hackerone.com
site: ..hackerone.com
sublist3r -d domain-name
dnsrecon -d hackerone.com -D ~/wordlists/subdomains.txt -t brt
software for organizing the work: xmind
usefull wordlist if needed (wordlist are already in kali linux seclists but if you need more then checkout): USEFUL WORDLIST
git clone https://github.com/tomnomnom/httprobe
git clone https://github.com/ffuf/ffuf
most used ffuz command :
ffuf -p 0.1 -t 1 -w ~/wordlists/content.txt -u https://www.website.com
ffuz command vary for different request such as requests containing parameters and cookies so from my opinion just brute force directries and use burp suit for another stuff but if you don't know to use burp then see the documentation from above link and hack!!!.
Resources and References
https://securitytrails.com/blog/github-dorks GitROB https://michenriksen.com/blog/gitrob-now-in-go/ News https://nakedsecurity.sophos.com/2019/03/25/thousands-of-coders- are-leaving-their-crown-jewels-exposed-on-github/ Github Bug Bounty Hunting https://gist.github.com/EdOverflow/922549f610b258f459b219a32f 92d10b Assetnote https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access- zendesk-gcp/
see original repo here : GitDorker
see tutorial here : youtube_automated_github_recon_tutorial
google output sheet ably : reconSheetAbly
1 clone the repository
git clone https://github.com/obheda12/GitDorker.git
- move to GitDorker diretry
cd GitDorker
- installation steps
pip3 install -r requirements.txt
- use this command for more options
python3 GitDorker.py -h
-
generate personal access token githubAccount > settings > developer settings > personal access tokens
-
copy the tokens to a file say github_token_for_gitdoreker.txt
-
just run command
python3 GitDorker.py -q <give primary query here - say tesla.com> -tf github_token_for_gitdorker.txt -d dorks_file.txt -o output.csv
lazys3 (Nahamsec s3)
A Ruby script to bruteforce for AWS s3 buckets using different permutations. usage
ruby lazys3.rb <company>
full youtube video: https://youtu.be/zO06tfmnhZg
chrome extension (uDomainFlag) : https://chrome.google.com/webstore/detail/udomainflag/eklbfdpploakpkdakoielobggbhemlnm?hl=en
you can use technologies template to detect s3
for example using subfinder
subfinder -d target.com | httprobe -prefer-https | tee subdomain_1.txt
now use it in nuclei
nuclei -l subdomain_1.txt -t path-to-template -o output-file.txt
host target.com
s3 vulnerability: bucket listing ---> all public access
aws s3 ls s3://flaws.cloud --region us-west-2 --no-sign-request
---> access to aws users only aws should be configured command to set configuration:
aws configure
aws s3 ls s3://flaws.cloud --region us-west-2
tools for s3 crawl/enum : https://github.com/mxm0z/awesome-sec-s3
Bucket flaws: https://github.com/nikhil1232/Bucket-Flaws
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent