Recon Experience with Trickest — Subdomain Recon Tale in a Workflow #1

Trickest
4 min read · Nov 15, 2021

Main goal

For now, our primary goal is to get as many web applications as we can. Scanning or Network-based stuff will be probably in future posts.

Techniques

In this series:

Phase 1.1

  • Getting the data from passive (third party) sources

Obstacles along the way:

  • Third-party APIs sometimes crash the app 😔

Later

Phase 1.2

Brute-forcing and more

Phase 2

Once we have the subdomains, we check which of them resolve to anything at all (an A, CNAME, or TXT record) and which of those are running web servers (on HTTP or HTTPS).

Phase 3

  • Get all of those results, and watch for the new ones
  • Permutate the new results on the subsequent execution

Abstraction

We will dive deeper into each segment of the workflow later. For now, let’s divide it into more general parts.

  • Passive + Brute-Force
  • Chaos (?!)
  • Permutations
  • Web Servers
  • Helpers (?!)

And before we start: this is just one idea of how recon on subdomains can be done, not something standardized. We want to hear from you, so help us take this research further; comment, share, or roast how bad we are and how this should be done the other way.

Passive + Brute-Force

It all starts with a string on the inputs tab.

Amass

Not much to talk about Amass as it is widely used. We will connect it to the domain parameter and activate the passive mode scan.

Compared to the other tools, Amass is not really great at resolving a wide range of subdomains, and it is a bit slow when faced with a wild beast of a wordlist.

/bin/amass enum -d uber.com -passive -o out/amass-1/output.txt

Subfinder

Subfinder is another tool that does passive, third-party subdomain discovery. Connecting the same input string to it was a piece of cake.

Haktrails

This one was tricky; cc Luke Stephens (@hakluke), and thanks for the quick fix!

Haktrails needs a file with a list of domains as a parameter.

Converting the string to a file is done with the string-to-file script (echo "string" | tee out/output.txt), and Haktrails then receives that file as its stdin input.

Inputs & Outputs — Files and Folders

Besides string, and boolean, files and folders can be used as inputs.

File&Folder Input behaviour:

  • Their content resides in the in/ folder (strings and booleans are the exception; they are passed through the command line)

File&Folder Output behaviour:

  • Their content resides in the out/ folder.
  • When connected to an input, their content is copied from the source node’s out/ folder to the destination node’s in/node_id/ folder.

Script Nodes

Script nodes are similar to tool nodes: the command becomes a bash script (only bash for now!), and messy greps become aliases.

Aight! Let’s merge them all together, since we have already learned how to use scripts and we have our passive sources. One of the best scripts for that is recursively-cat-all, which finds all the files in the in folder, cats them, and redirects the result to out/output.txt, a file output port.

find in -type f -exec cat {} + | tee out/output.txt
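Putting the in/ and out/ conventions, the recursively-cat-all merge, and Phase 3’s “watch for the new ones” together, here is an added script-node example. It is not from this post and not from Trickest’s own script library. It assumes the in/node_id/output.txt layout described above, constructed sample outputs for three passive-source nodes (the node ids are placeholders), a hypothetical in/previous-run/output.txt snapshot of the last execution, and example.com as the target. It goes a step beyond the plain cat: it normalises the names, drops anything outside the target’s scope (third-party sources occasionally return unrelated hosts, and those should not flow into the later web-server phase), de-duplicates, and lists the names that are new since the previous run.

```shell
#!/bin/sh
# Added example, not part of the post or of Trickest's script library.
# A script node that merges passive-source outputs, normalises them,
# keeps only in-scope hosts, and reports what is new since the last run.
# Assumed layout: in/<node_id>/output.txt per upstream node (as the post
# describes), plus a hypothetical in/previous-run/output.txt snapshot.
set -eu
export LC_ALL=C   # byte-order sorting so that sort -u and comm agree

# Constructed sample data standing in for what Trickest copies into in/.
setup_sample_inputs() {
  rm -rf in out
  mkdir -p in/amass-1 in/subfinder-1 in/haktrails-1 in/previous-run out
  printf '%s\n' 'www.example.com' 'API.example.com' 'mail.example.com' > in/amass-1/output.txt
  printf '%s\n' 'www.example.com' 'dev.example.com' 'notexample.com' > in/subfinder-1/output.txt
  printf '%s\n' 'api.example.com.' 'cdn.example.com' 'other.example.org' > in/haktrails-1/output.txt
  printf '%s\n' 'www.example.com' 'mail.example.com' > in/previous-run/output.txt
}

# Merge every file under in/ except the previous-run snapshot, lowercase,
# strip a trailing dot, keep only hosts under $1 (apex included), de-dup.
# The result goes to out/output.txt (a file output port) and to stdout.
merge_in_scope() {
  scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  find in -path in/previous-run -prune -o -type f -exec cat {} + \
    | tr '[:upper:]' '[:lower:]' \
    | sed 's/\.$//' \
    | grep -E "^([a-z0-9-]+\.)*${scope_re}\$" \
    | sort -u \
    | tee out/output.txt
}

# Hosts in out/output.txt that were absent from the previous run (Phase 3).
new_since_last_run() {
  sort -u in/previous-run/output.txt > out/previous.sorted
  comm -13 out/previous.sorted out/output.txt | tee out/new.txt
}

setup_sample_inputs
merge_in_scope example.com > /dev/null
echo "new since last run:"
new_since_last_run
```

On the constructed data the merge keeps five in-scope hosts (API.example.com and api.example.com. collapse into one, and notexample.com and other.example.org are filtered out), and three of them (api, cdn, dev) are new compared with the previous run, which is the set you would feed into the permutation step.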

Left: Connecting the workflow to a folder, and to file (respectively). Right: File and Folder structure

If you know all the tools and configurations needed (with parameters that are finally human-readable!), this workflow could be made in 79 seconds! (The gif below is sped up 5x, and you could hop on a demo if you don’t believe it!) 🚀

Time to build this workflow: 1 minute 19 seconds.

Let’s save the new version and execute it. Clicking on recursively-cat-all shows us our results!

Trickest

Enabling bug bounty hunters, penetration testers, and SecOps teams to build and automate workflows from start to finish.