Hardcore bug hunters will know that discovery is key. There are the top domains, the primary domains that are quick to find … and possibly more reward due to their standing online and their impact on users … I want to share the steps I take when doing recon to find interesting potential entry points.
Autonomous System Numbers (ASNs) …
An ASN identifies the IP prefixes a company announces to the internet under its own routing, so ASN = lots of IP addresses associated with that company.
If we look up a company's ASN we get a pretty accurate reflection of the online estate they host on their own network. The caveat: anything that lives on somebody else's network (CDN, cloud or SaaS-hosted assets) is announced under that provider's ASN and won't show up here, so treat the ASN list as a starting point rather than the whole picture.
I use bgp.he.net to find companies' ASNs …
Check out this nmap script:
nmap --script targets-asn --script-args targets-asn.asn=17012 > paypal.asn2ip.cleanme.txt
Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn:
| 17012
| 64.4.244.0/24
| 64.4.245.0/24
| 64.4.246.0/24
| 64.4.247.0/24
| 64.4.248.0/24
| 64.4.249.0/24
| 64.4.248.0/22
| 66.211.169.0/24
| 66.211.168.0/22
| 173.0.80.0/22
| 173.0.84.0/24
| 173.0.84.0/22
| 173.0.88.0/24
| 173.0.88.0/22
| 173.0.92.0/24
| 173.0.93.0/24
| 173.0.94.0/24
| 173.0.95.0/24
|_ 173.0.80.0/20
Wicked. Clean up the output (drop the Nmap banner, the script name and the bare ASN line, and strip the leading "| " and "|_ ") and save it under a meaningful name, e.g. a paypal.$date.target file. Notice that the list contains overlapping prefixes: 64.4.248.0/22 already covers 64.4.248.0/24 and 64.4.249.0/24, and 173.0.80.0/20 covers every 173.0.8x.0 range above it. Keep only the widest prefix in each group, otherwise nmap will scan the overlapped hosts more than once.
Back to nmap…
There are a few things you can try from here. If you want to go H.A.M. you might use the following:
nmap -p- -sV -iL paypal.target -oX paypal.allports.xml
This scans all 65535 TCP ports on every address in the paypal.target file you just prepared, fingerprints the services it finds (-sV) as well as it can, and saves the results to an XML file you can parse later. It will take a while; if you have an external box I'd recommend throwing it in a screen session and learning Mandarin while it scans. If you'd rather take the common-ports approach (instead of an absolute view of what IS open at the time of scanning) ditch the -p- flag and replace it with -p80,443,8080 plus whatever other ports you care about, for example:
nmap -p80,443,8443,8080,8088,8010 -sV -iL paypal.target -oX paypal.common.web.ports.xml --open
or whatever ports matter to you.
Because the scan works from IP addresses, this only tells you which ports are open on which IPs; you will have to use your geekbrain to figure out which domains sit on which IP addresses if that's important. For web ports it usually is: a server hit by bare IP often serves only its default virtual host, so the interesting applications live behind hostnames you still need to map back (reverse DNS, the names in the TLS certificate, and the subdomain lists you gathered elsewhere).
More Nmap discovery scripts: https://nmap.org/nsedoc/categories/discovery.html
Once we have the ASN we have a reasonably informed list of the $target's online landscape. Cool. Once you have listed all your open ports you can see what might be worth moving to the next layer of discovery, such as DirBuster/gobuster directory brute forcing and the other web layer phases, before you attHack.
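As an added example (my own code, not the author's tooling) here is a Python script that does the two fiddly bits of the procedure above by hand: it pulls the prefixes out of the targets-asn output, collapses the overlapping ones, writes the paypal.target file that nmap -iL expects, and then parses the -oX XML report to list each IP's open ports with the -sV service guess and the PTR name nmap resolved. The sample targets-asn output is trimmed from the listing above; the XML report, its 192.0.2.x addresses and its hostname are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the targets-asn pre-scan output shown above, trimmed to a
# handful of prefixes so the overlap is obvious.
NMAP_ASN_OUTPUT = """Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn:
| 17012
| 64.4.248.0/24
| 64.4.249.0/24
| 64.4.248.0/22
| 173.0.80.0/22
| 173.0.84.0/24
|_ 173.0.80.0/20
"""

# Constructed sample of nmap -oX output (not a real scan); 192.0.2.0/24 is the
# TEST-NET-1 documentation range and the hostname is made up.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p80,443,8443 -sV -iL paypal.target -oX out.xml --open">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web-10.example.net" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="nginx" tunnel="ssl"/></port>
<port protocol="tcp" portid="8443"><state state="filtered" reason="no-response"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
</ports></host>
</nmaprun>
"""

# Matches "| 64.4.244.0/24" and "|_ 173.0.80.0/20"; the banner, the script
# name line and the bare "| 17012" ASN line have no "/len" and are skipped.
PREFIX_RE = re.compile(r"^\|_?\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")


def extract_prefixes(text):
    """Pull the CIDR prefixes out of nmap's targets-asn pre-scan output."""
    nets = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def collapse(nets):
    """Drop prefixes already covered by a wider one (a /24 inside an announced
    /22) and merge adjacent ones, so every host ends up listed exactly once."""
    return sorted(ipaddress.collapse_addresses(nets))


def write_targets(nets, path):
    """Write one prefix per line, which is the format nmap -iL expects."""
    with open(path, "w") as f:
        for n in nets:
            f.write(f"{n}\n")


def open_ports(xml_text):
    """Map each IPv4 host in an nmap XML report to its open TCP ports (port,
    service name, -sV product string) plus the PTR name nmap resolved, if any.
    Hosts with nothing open are left out, as --open would do on the CLI."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ptr = host.find("hostnames/hostname")
        ports = []
        for p in host.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            ports.append((
                int(p.get("portid")),
                svc.get("name", "unknown") if svc is not None else "unknown",
                svc.get("product", "") if svc is not None else "",
            ))
        if ports:
            results[addr_el.get("addr")] = {
                "ptr": ptr.get("name") if ptr is not None else None,
                "ports": sorted(ports),
            }
    return results


if __name__ == "__main__":
    targets = collapse(extract_prefixes(NMAP_ASN_OUTPUT))
    write_targets(targets, "paypal.target")
    print("targets:", ", ".join(map(str, targets)))
    for ip, info in open_ports(NMAP_XML).items():
        print(ip, info["ptr"] or "(no PTR)", info["ports"])
```

On the sample input the six prefixes collapse to just 64.4.248.0/22 and 173.0.80.0/20, and only 192.0.2.10 survives the XML pass (ports 80 and 443). The PTR record is the one name nmap gives you for free; it is a single name per IP, so use it as a hint and still cross-check against the hostnames you found elsewhere before assuming you know what is served on that address.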
https://nmap.org/download.html
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
etc…