(OSINT) Passive Enumeration
export TARGET=
#Information Gathering by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json' | jq .
#Subdomain enumeration by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json'| jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | cut -d" " -f1,4;done
#Manual DNS enumeration
Intrusionz3r0X@htb[/htb]$ openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "facebook.com:443" | openssl x509 -noout -text | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
#Extract the host from dns
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*"); do host $i | grep "has address" | sort -u | cut -d " " -f1,4;done
#Grep for IPs
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*");do host $i | grep "has address" | cut -d" " -f4 >> ip-addresses.txt;done
#Initializating Shodan tool
Intrusionz3r0X@htb[/htb]$ shodan init <api-key>
# Scan using Shodan
Intrusionz3r0X@htb[/htb]$ for i in $(cat ip-addresses.txt);do shodan host $i;done
#Fetch all the URLs that the Wayback Machine knows about for a domain
Intrusionz3r0X@htb[/htb]$ waybackurls -dates https://facebook.com > waybackurls.txt
Automating Passive Subdomain Enumeration
Intrusionz3r0X@htb[/htb]$ cat sources.txt
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
Intrusionz3r0X@htb[/htb]$ export TARGET="compucloud.com.mx"
Intrusionz3r0X@htb[/htb]$ cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}_${TARGET}";done
Intrusionz3r0X@htb[/htb]$ cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"
Passive Enumeration Resources:
Netcraft | Leader in Phishing Detection, Cybercrime Disruption and Website Takedown
https://github.com/tomnomnom/waybackurls
Finding information about Cloud Providers
Google Search for AWS resources
Google Search for Azure
Target Website - Source Code
Domain DNS Record and WHOIS Information
Public Buckets by GrayhatWarfare
Finding information about the company
Use LinkedIn to find information about the technology, infrastructure, programming languages, or software the company is using.
Required Skills/Knowledge/Experience:
* 3-10+ years of experience on professional software development projects.
« An active US Government TS/SCI Security Clearance (current SSBI) or eligibility to obtain TS/SCI within nine months.
« Bachelor's degree in computer science/computer engineering with an engineering/math focus or another equivalent field of discipline.
« Experience with one or more object-oriented languages (e.g., Java, C#, C++).
« Experience with one or more scripting languages (e.g., Python, Ruby, PHP, Perl).
« Experience using SQL databases (e.g., PostgreSQL, MySQL, SQL Server, Oracle).
« Experience using ORM frameworks (e.g., SQLAIchemy, Hibernate, Entity Framework).
« Experience using Web frameworks (e.g., Flask, Django, Spring, ASP.NET MVC).
« Proficient with unit testing and test frameworks (e.g., pytest, JUnit, NUnit, xUnit).
« Service-Oriented Architecture (SOA)/microservices & RESTful API design/implementation.
« Familiar and comfortable with Agile Development Processes.
« Familiar and comfortable with Continuous Integration environments.
« Experience with version control systems (e.g., Git, SVN, Mercurial, Perforce).
Desired Skills/Knowledge/ Experience:
« CompTIA Security+ certification (or equivalent).
« Experience with Atlassian suite (Confluence, Jira, Bitbucket).
« Algorithm Development (e.g., Image Processing algorithms).
« Software security.
« Containerization and container orchestration (Docker, Kubernetes, etc.)
« Redis.
« NumPy.
Github