(OSINT) Passive Enumeration
export TARGET=
#Information gathering using crt.sh (certificate transparency logs)
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json' | jq .
#Subdomain enumeration using crt.sh (one SAN per line, wildcards and CN= fields dropped)
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json'| jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | cut -d" " -f1,4;done
#Manual enumeration via the TLS certificate: extract subdomains from its SAN list
Intrusionz3r0X@htb[/htb]$ openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "facebook.com:443" | openssl x509 -noout -text | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
#Resolve each host from the list to its IP address (wildcard entries skipped)
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*"); do host $i | grep "has address" | sort -u | cut -d " " -f1,4;done
#Collect the resolved IPs into a file
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*");do host $i | grep "has address" | cut -d" " -f4 >> ip-addresses.txt;done
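Added example (not part of the original notes): a Python parser for the JSON that crt.sh returns, doing what the grep/cut/awk chain and the `grep -v "*"` filter above do in one place. The sample response and `example.com` are constructed placeholders; to use it live, feed it the body of the `curl ... &output=json` call instead.

```python
# Parse crt.sh JSON into a deduplicated subdomain list.
# crt.sh puts every SAN of a certificate into "name_value", separated by
# newlines (escaped as \n in the JSON), which is why the one-liner needed
# the awk gsub step. json.loads turns those escapes into real newlines.
import json

# Constructed sample of a crt.sh response (a real one is far longer).
SAMPLE_CRTSH_JSON = r'''[
  {"issuer_name": "C=US, O=Example CA, CN=R3",
   "common_name": "www.example.com",
   "name_value": "example.com\nwww.example.com"},
  {"issuer_name": "C=US, O=Example CA, CN=R3",
   "common_name": "*.example.com",
   "name_value": "*.example.com\nmail.example.com"},
  {"issuer_name": "C=US, O=Example CA, CN=G2",
   "common_name": "api.example.com",
   "name_value": "API.example.com\nwww.example.com\nunrelated.test"}
]'''


def extract_subdomains(crtsh_json: str, domain: str,
                       include_wildcards: bool = False) -> list[str]:
    """Return sorted unique hostnames under `domain` found in crt.sh JSON.

    Wildcard names (*.domain) are dropped by default, mirroring the
    grep -v "*" step above, because `host` cannot resolve them.
    Names outside `domain` are dropped: CT results can carry unrelated SANs.
    """
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*.") and not include_wildcards:
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    # Redirect stdout to "subdomainlist" to feed the host loops above.
    for hostname in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(hostname)
```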
#Initialize the Shodan CLI with an API key
Intrusionz3r0X@htb[/htb]$ shodan init <api-key>
#Look up each collected IP in Shodan
Intrusionz3r0X@htb[/htb]$ for i in $(cat ip-addresses.txt);do shodan host $i;done
#Fetch all the URLs that the Wayback Machine knows about for a domain
Intrusionz3r0X@htb[/htb]$ waybackurls -dates https://facebook.com > waybackurls.txt
Automating Passive Subdomain Enumeration
Intrusionz3r0X@htb[/htb]$ cat sources.txt
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
Intrusionz3r0X@htb[/htb]$ export TARGET="compucloud.com.mx"
Intrusionz3r0X@htb[/htb]$ cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}_${TARGET}";done
Intrusionz3r0X@htb[/htb]$ cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"
Passive Enumeration Resources:
Finding information about Cloud Providers
Google Search for AWS resources
Google Search for Azure
Target Website - Source Code
Finding information about the company
Use LinkedIn to find information about the technology, infrastructure, programming languages, or software the company is using. A job posting found this way can reveal the stack directly, for example:
Required Skills/Knowledge/Experience:
* 3-10+ years of experience on professional software development projects.
* An active US Government TS/SCI Security Clearance (current SSBI) or eligibility to obtain TS/SCI within nine months.
* Bachelor's degree in computer science/computer engineering with an engineering/math focus or another equivalent field of discipline.
* Experience with one or more object-oriented languages (e.g., Java, C#, C++).
* Experience with one or more scripting languages (e.g., Python, Ruby, PHP, Perl).
* Experience using SQL databases (e.g., PostgreSQL, MySQL, SQL Server, Oracle).
* Experience using ORM frameworks (e.g., SQLAlchemy, Hibernate, Entity Framework).
* Experience using Web frameworks (e.g., Flask, Django, Spring, ASP.NET MVC).
* Proficient with unit testing and test frameworks (e.g., pytest, JUnit, NUnit, xUnit).
* Service-Oriented Architecture (SOA)/microservices & RESTful API design/implementation.
* Familiar and comfortable with Agile Development Processes.
* Familiar and comfortable with Continuous Integration environments.
* Experience with version control systems (e.g., Git, SVN, Mercurial, Perforce).
Desired Skills/Knowledge/Experience:
* CompTIA Security+ certification (or equivalent).
* Experience with Atlassian suite (Confluence, Jira, Bitbucket).
* Algorithm Development (e.g., Image Processing algorithms).
* Software security.
* Containerization and container orchestration (Docker, Kubernetes, etc.).
* Redis.
* NumPy.
Github