Enumeration

Should make a script that links all this output together.

censys.io

domain enumeration:

Find subdomains, then look at their CNAME records: the CNAME target (a cloudfront.net, elb.amazonaws.com or azurewebsites.net name, for example) tells you which cloud service is fronting the host.

subfinder - run with API keys configured (provider-config.yaml); many of its passive sources return little or nothing without them

dnsx - ProjectDiscovery DNS toolkit: resolves and brute-forces names from DNS wordlists and can print specific record types such as CNAME (-cname -resp)

puredns - fast DNS brute-forcer/resolver that filters out wildcard answers

amass

Cloud Service Provider Mapping

Many of the cloud service providers publish lists of their IP addresses, IP ranges and BGP ASNs. Matching a discovered IP against these lists tells you whether a host lives in a CSP, and often which service and region.

AWS IP address ranges (ip-ranges.json): http://l.adaptsec.com/39LEQAN

Azure uses a different URL (Service Tags download): https://l.adaptsec.com/3jkTKkK


Edge

Edge is a tool from Jason Ostrom found on GitHub (www.github.com/iknowjason/edge). Edge maps an IP address to a cloud service provider and can then tell you the following:

• Does the IP Address fall into one of the cloud service provider ranges?

• What CSP Service does this IP Address fall into?

• What geographic region or data center does this IP address belong to?
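The CNAME check from the domain-enumeration list and the IP-to-provider mapping that Edge does can both be scripted against the published range files. The block below is an added example, not code from the notes or from Edge: it parses text in the shape of AWS ip-ranges.json (the real file has "prefixes" entries with ip_prefix, region and service), but every prefix, region assignment and CNAME suffix in it is a constructed sample, not real provider data. Swap in the downloaded file and a fuller suffix table for real use.

```python
"""Added example (not from the notes or from Edge): map an IP or a CNAME target
to a cloud provider, service and region using provider-published ranges.

Assumptions, labelled: SAMPLE_AWS_RANGES mirrors the structure of AWS
ip-ranges.json but its values are made up; CNAME_SUFFIXES is a hand-picked
illustration, not an exhaustive list."""
import ipaddress
import json

# Constructed sample in the shape of AWS ip-ranges.json (values are NOT real).
SAMPLE_AWS_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/26", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "CLOUDFRONT"},
    ],
})

# Constructed CNAME-suffix table: suffix -> (provider, service). Assumed mapping.
CNAME_SUFFIXES = {
    ".cloudfront.net": ("AWS", "CLOUDFRONT"),
    ".elb.amazonaws.com": ("AWS", "ELB"),
    ".s3.amazonaws.com": ("AWS", "S3"),
    ".azurewebsites.net": ("Azure", "App Service"),
    ".blob.core.windows.net": ("Azure", "Blob Storage"),
    ".trafficmanager.net": ("Azure", "Traffic Manager"),
}


def load_aws_prefixes(raw_json):
    """Parse ip-ranges.json text into (network, service, region) tuples."""
    doc = json.loads(raw_json)
    return [
        (ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
        for p in doc.get("prefixes", [])
    ]


def lookup_ip(ip, prefixes):
    """Return (service, region, prefix) for the most specific matching range,
    or None. AWS lists address space under the catch-all AMAZON service and
    again under the concrete service (EC2, S3, ...), so prefer the concrete
    entry and, among those, the longest prefix."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, svc, reg) for net, svc, reg in prefixes if addr in net]
    if not matches:
        return None
    matches.sort(key=lambda m: (m[1] != "AMAZON", m[0].prefixlen), reverse=True)
    net, svc, reg = matches[0]
    return (svc, reg, str(net))


def lookup_cname(cname):
    """Return (provider, service) if the CNAME target ends in a known
    provider suffix, else None. Trailing dot and case are normalised."""
    name = cname.rstrip(".").lower()
    for suffix, hit in CNAME_SUFFIXES.items():
        if name.endswith(suffix):
            return hit
    return None


if __name__ == "__main__":
    prefixes = load_aws_prefixes(SAMPLE_AWS_RANGES)
    for ip in ("203.0.113.10", "203.0.113.130", "203.0.113.200", "192.0.2.1"):
        print(ip, "->", lookup_ip(ip, prefixes))
    print("d111111abcdef8.cloudfront.net ->", lookup_cname("d111111abcdef8.cloudfront.net."))
```

Feeding it real data is a matter of reading the downloaded ip-ranges.json into load_aws_prefixes and piping dnsx CNAME output through lookup_cname; the Azure Service Tags file has a different layout and needs its own loader.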



Masscan

Masscan was developed by Robert Graham and is found on GitHub (https://github.com/robertdavidgraham/masscan). It sends SYN packets asynchronously, like ZMap, unicornscan and scanrand. Its syntax resembles Nmap's, but there are several differences, including that it accepts IP addresses only (no hostnames).


Masscan by default requires an IP address and a port

masscan <ip/range> -p <port>

IP address formats can be a single IP (10.10.10.10), a range (10.10.10.10-20) or CIDR (10.10.10.0/24).

Ports can be a single port (-p 80), a port range (-p 80-81) or comma-separated (-p 80,81,443).

UDP ports are specified by adding U: in front of each port: -p U:53,U:443


Additional scan options

--banner: Grabs banners for supported protocols; the parser set includes HTTP and Microsoft SMB, among others

--rate: Controls the number of packets per second sent from the scanning host. On Linux the theoretical ceiling is in the millions (2.5M+) of packets per second, but anything above roughly 25,000 packets per second can overwhelm the source network and cause a denial of service locally

-c or --conf: Specify a configuration file

--resume: Same as -c, but continues where the scanner left off; masscan writes paused.conf when interrupted with Ctrl-C, so --resume paused.conf picks the scan back up


Follow up Masscan with Nmap for detail



Or use Scancannon to do both Masscan and Nmap

Johnny Xmas created a shell script called "ScanCannon" that uses both masscan and Nmap.

Found at: https://github.com/johnnyxmas/ScanCannon

scancannon.sh runs masscan against a list of subnets and creates a unique directory for every subnet it finds in the list, then hands the open ports to Nmap.

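Both "follow up Masscan with Nmap" and ScanCannon come down to the same step: group masscan's open ports per host and run a detailed Nmap scan on just those ports. The block below is an added example of that step done by hand, not code from the notes, masscan or ScanCannon. It parses masscan list output (-oL, whose data lines are `open <proto> <port> <ip> <timestamp>`); the sample output and the Nmap flag choices are constructed for illustration.

```python
"""Added example (not from the notes, masscan or ScanCannon): turn masscan
-oL output into one Nmap service scan per host and protocol.

Sample data below is constructed; the Nmap flags are one reasonable choice,
not anything the notes prescribe."""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample of masscan -oL output.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 80 10.10.10.5 1700000000
open tcp 443 10.10.10.5 1700000001
open tcp 22 10.10.10.7 1700000002
open udp 53 10.10.10.7 1700000003
open tcp 8080 10.10.10.5 1700000004
# end
"""


def parse_masscan_list(text):
    """Return {ip: {"tcp": [ports], "udp": [ports]}} from masscan -oL text.
    Comment lines start with '#'; only 'open' records are kept and ports are
    de-duplicated and sorted so the Nmap -p list is stable."""
    hosts = defaultdict(lambda: {"tcp": [], "udp": []})
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        state, proto, port, ip = fields[0], fields[1], fields[2], fields[3]
        if state != "open" or proto not in ("tcp", "udp") or not port.isdigit():
            continue
        hosts[ip][proto].append(int(port))
    return {ip: {p: sorted(set(v)) for p, v in d.items()} for ip, d in hosts.items()}


def nmap_commands(hosts):
    """One Nmap command per host and protocol. -Pn because masscan already
    proved the host answers, -p limited to the ports masscan found, -oA so the
    results land in files named after the host."""
    cmds = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for proto, ports in hosts[ip].items():
            if not ports:
                continue
            flags = "-sS -sV -sC" if proto == "tcp" else "-sU -sV"
            plist = ",".join(str(p) for p in ports)
            cmds.append(f"nmap -Pn {flags} -p {plist} -oA nmap_{ip}_{proto} {ip}")
    return cmds


if __name__ == "__main__":
    # Usage: masscan 10.10.10.0/24 -p 1-65535 --rate 1000 -oL scan.txt
    #        python3 masscan_to_nmap.py < scan.txt | sh
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MASSCAN_LIST
    for cmd in nmap_commands(parse_masscan_list(data)):
        print(cmd)
```

The SYN scan (-sS) needs root; drop it for -sT if you run this unprivileged. Piping the printed commands into sh runs them serially, which is usually what you want after a fast masscan sweep so the follow-up stays quiet.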


Naabu

Naabu is a port scanner, similar to Masscan and Nmap. So why would reNgine use it instead of something we have chosen? First, Naabu fits nicely into a very modular asset pipeline; it is designed to slot in with the other Project Discovery tools. Second, it is highly portable: reNgine is mainly made of stateless containers, and this single binary with very few build dependencies fits that model very well. Finally, Naabu differs from masscan and Nmap in that it outputs hostnames and ports rather than IP addresses and ports. This is helpful when pushing the output to other tools that work better with the hostname than with the IP.

DNS brute-force a hostname: www.target.com.

• Take the DNS name and pass it to Nmap.

• Or run the command chain: naabu -silent www.target.com | httpx -silent | nuclei -

• The command chain instead takes the output of naabu (www.target.com:80, www.target.com:443) and passes it to httpx; httpx tests whether each host:port responds over HTTP or HTTPS and sends the resulting URLs to nuclei (http://www.target.com:80, https://www.target.com:443).

• We can also use it to send the URLs to a screenshot tool. This is much handier for web servers that only respond to the right Host header, since the hostname is preserved all the way through.
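The value of naabu's host:port output is that the hostname survives into the URLs handed to the next tool. The block below is an added example, not code from the notes or from Project Discovery: it does the offline part of what httpx does, turning naabu lines into URL candidates for a screenshot tool so virtual hosts that only answer to a Host header are still reached. Which ports are treated as plain HTTP or HTTPS is an assumed convention; unknown ports get both schemes and the live prober weeds out the dead ones. The sample lines are constructed.

```python
"""Added example (not from the notes or Project Discovery): naabu host:port
lines -> URL candidates for httpx or gowitness, hostname preserved.

HTTP_PORTS / HTTPS_PORTS are assumed conventions, not anything naabu defines."""
import sys

# Constructed sample of naabu -silent output (includes a duplicate and a non-web port).
SAMPLE_NAABU = """www.target.com:80
www.target.com:443
www.target.com:8443
www.target.com:8080
www.target.com:22
www.target.com:443
"""

HTTP_PORTS = {80, 8000, 8080, 8888}   # assumed: plain HTTP on these
HTTPS_PORTS = {443, 8443}             # assumed: TLS on these
DEFAULT_PORT = {"http": 80, "https": 443}


def build_url(scheme, host, port):
    """Omit the port when it is the scheme default so URLs stay canonical."""
    if DEFAULT_PORT[scheme] == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def naabu_to_urls(text):
    """Return de-duplicated URLs in input order. Ports outside the two sets
    get both schemes; the live prober (httpx/gowitness) discards failures."""
    urls, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, _, port_s = line.rpartition(":")   # rpartition keeps [v6]:port intact
        if not port_s.isdigit():
            continue
        port = int(port_s)
        if port in HTTP_PORTS:
            schemes = ("http",)
        elif port in HTTPS_PORTS:
            schemes = ("https",)
        else:
            schemes = ("http", "https")
        for scheme in schemes:
            url = build_url(scheme, host, port)
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


if __name__ == "__main__":
    # Usage: naabu -silent -host www.target.com | python3 naabu_to_urls.py | gowitness file -f -
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAABU
    print("\n".join(naabu_to_urls(data)))
```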



Nuclei

Nuclei is another Project Discovery tool. It is a high-speed, Go-based, template-driven scanner originally designed to scan websites. It has many features that go beyond the original design and, in many ways, is competitive with commercial scanners. Many of Nuclei's subtler features only show up when you dig into the power of the toolchain.



Gowitness

SensePost released a web screenshot tool called Gowitness; you can find it on GitHub at https://github.com/sensepost/gowitness. Beyond taking screenshots, gowitness also supports delivering the results via a built-in web server backed by a centralized database of findings. You can view the results in Gallery view or Table view. Another way to search is to toggle "Enable Perception Sorting", which orders the output by perceptual hash so visually similar sites (the same default page, error page or login form repeated across hosts) cluster together.



reNgine

A UI that roughly pipelines the tools above; it doesn't show the raw results, though.

• There are a few open-source projects that have sprung up over the years to help close the commercial gap

• reNgine, created by Yogesh Ojha and found on GitHub: https://github.com/yogeshojha/rengine

• reNgine is a wrapper around many of the tools found in our asset collection pipeline

• PRO: Provides a UI for our toolsets

• CON: Doesn't provide us the raw results
