Enumerating Domains, Files, and Resources
In this section we'll try to make use of different kinds of recon technique to do domain enumeration. Finding subdomains of a website can land us in surprising places. I remember a talk by Israeli security researcher, Nir Goldshlager, in which he performed a subdomain enumeration scan on a Google service, out of the bunch of subdomains he found there was one which ran a web application with a publicly disclosed local file inclusion vulnerability. Nir then used this to gain a shell on Google's server. Nir's intention wasn't evil, he reported this vulnerability responsibly to Google's security team.
Let us now learn some information gathering techniques. We'll use both active and passive methods.
The following recon tools will be discussed:
- Fierce
- theHarvester
- SubBrute
- CeWL – Custom Word List Generator
- DirBuster
- WhatWeb
- Maltego
The following websites will be used for passive enumeration:
- Wolfram Alpha
- Shodan
- DNSdumpster
- Reverse...