During an external penetration test or a bug bounty campaign it is important to complete search-based reconnaissance first.
- Use Wayback Machine with waybackurls and ParamSpider to find previously discovered endpoints and parameters.
- Use Google dorks to find the application's subdomains, such as `*.example.com` and `*.*.example.com`.
- Use Google dorks to find interesting parameters, based on the type of vulnerability you want to find. See the dork list at the end of this section.
- At this point you can try to fuzz URL paths using dictionaries. Don't forget to brute-force the directories listed in `robots.txt` first. If you see an IIS server, use ShortName-Scanner.
- Search for possible leakages in file share services: `site:pastebin.com | site:s3.amazonaws.com | site:drive.google.com | site:onedrive.live | site:dl.dropbox.com | site:digitaloceanspaces.com | site:trello.com` and `site:docs.google.com inurl:"/d/"`. Also check VK files. This can also be helpful in a phishing campaign.
- If you find an internal domain name, search GitHub for it to find possible credential leakage. Perform a subdomain brute-force to find more internal domains and IP addresses.
- Once you decide that you have found enough subdomains, it is worth looking for dangling CNAME records in order to try any takeovers.
- If a quick look at the subdomain list shows that too many hostnames point to a single IP address and it is not a wildcard domain, run an IP history service against this address. I bet you have just found a reverse proxy host.
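The two checks from the last two points, as an added example that is not part of the original post: flagging CNAME records whose target no longer resolves (takeover candidates to verify and clean up) and IP addresses shared by many hostnames (a likely reverse proxy or shared front end). Resolution is injected as a callable, and the records below are constructed sample data; plugging in a real DNS lookup is assumed to be done by the reader.

```python
from collections import defaultdict

# Constructed sample data: hostname -> (CNAME target or None, resolved IP or None).
# A CNAME with no resolvable address models an NXDOMAIN answer for the target.
SAMPLE_RECORDS = {
    "www.example.com":  (None, "203.0.113.10"),
    "api.example.com":  (None, "203.0.113.10"),
    "shop.example.com": (None, "203.0.113.10"),
    "blog.example.com": ("blog-example.ghost-hosting.invalid", None),  # target gone
    "cdn.example.com":  ("d1.cdn-provider.invalid", "198.51.100.5"),   # healthy CNAME
    "old.example.com":  ("retired-app.paas.invalid", None),            # target gone
}


def sample_resolver(host):
    """Offline stand-in for a DNS lookup; a real resolver would return the same shape."""
    return SAMPLE_RECORDS.get(host, (None, None))


def find_dangling_cnames(hosts, resolve):
    """Return (hostname, cname_target) pairs whose CNAME target yields no address.

    These are candidates only: a dangling record is a takeover risk when the target
    provider lets anyone claim that name, so each one should be verified and removed.
    """
    dangling = []
    for host in hosts:
        cname, ip = resolve(host)
        if cname is not None and ip is None:
            dangling.append((host, cname))
    return dangling


def find_shared_ips(hosts, resolve, threshold=3):
    """Group hostnames by resolved IP; return IPs that at least `threshold` hosts share."""
    by_ip = defaultdict(list)
    for host in hosts:
        _, ip = resolve(host)
        if ip is not None:
            by_ip[ip].append(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, target in find_dangling_cnames(SAMPLE_RECORDS, sample_resolver):
        print(f"dangling CNAME: {host} -> {target}")
    for ip, names in find_shared_ips(SAMPLE_RECORDS, sample_resolver).items():
        print(f"{ip} is shared by {len(names)} hostnames: {', '.join(names)}")
```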
Note: Google may ignore some operators if it decides the query asks for too much, so use 2-5 at a time.
Configuration, backup and log files:
ext:txt | ext:sql | ext:cnf | ext:config | ext:log | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:htpasswd | ext:htaccess
Directory listings:
intext:"Index of" & "Parent directory"
Parameters carrying a full URL:
inurl:"=http" | inurl:"%3dhttp" | inurl:"%3d%2f"
Redirect-style parameters:
inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:state= | inurl:dest= | inurl:callback= | inurl:open= | inurl:show= | inurl:view=
File and path parameters:
inurl:"include=" | inurl:"dir=" | inurl:"detail=" | inurl:"file=" | inurl:"folder=" | inurl:"inc=" | inurl:"page=" | inurl:"doc=" | inurl:"document=" | inurl:"path=" | inurl:"style="