During an external penetration test or a bug bounty campaign it is important to complete a search-based reconnaissance first.
- Use Wayback Machine with waybackurls and ParamSpider to find previously discovered endpoints and parameters.
- Use Google dorks to find application's subdomains, like
*.example.comand*.*.example.com. - Use Google dorks to find interesting parameters, based on the type of vulnerability you want to find. See the next paragraph.
- At this point, you can try to fuzz URL paths using dictionaries. Don't forget to brute those directories which are listed in
robots.txtfirst. If you see an IIS server, use ShortName-Scanner. - Search for possible leakages in file share services:
site:pastebin.com | site:s3.amazonaws.com | site:drive.google.com | site:onedrive.live | site:dl.dropbox.com | site:digitaloceanspaces.com | site:trello.comandsite:docs.google.com inurl:"/d/". Also check VK files. It also can be helpful in a fishing campaign. - If you found internal domain name, search for it in the GitHub to find possible credential leakage. Perform a subdomain bruteforce in order to find more internal domains and IP addresses.
- At the point when you decided that you found enough subdomains, worth trying to find dangling CNAME records in order to try any takeovers.
- If a quick view on the subdomains list shows you that too many hostnames point to a single IP address and it is not a wildcard domain, use IP history service against this address. I bet that you just have found a reverse proxy host.
-
Notice: Google can ignore several operators if he thinks that you need too much, so use 2-5 at once
ext:txt | ext:sql | ext:cnf | ext:config | ext:log | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:htpasswd | ext:htaccess
intext:"Index of" & "Parent directory"
inurl:"=http" | inurl:"%3dhttp" | inurl:"%3d%2f"
inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:state= | inurl:dest= | inurl:callback= | inurl:open= | inurl:show= | inurl:view=
inurl:"include="" | inurl:"dir=" | inurl:"detail=" | inurl:"file=" | inurl:"folder=" | inurl:"inc=" | inurl:"page=" | inurl:"doc=" | inurl:"document=" | inurl:"folder=" | inurl:"path=" | inurl:"style="