Recon

Aquatone is a very neat tool that I love to use during external penetration testing. It is very easy to install and use, but it requires Google Chrome or Chromium. As stated in the official GitHub repo:

Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

  • Check both HTTP and HTTPS

  • Use Chromium instead of Chrome

cat scope.txt | aquatone -out /home/amandine/Desktop/monClient-Aquatone --chrome-path /snap/bin/chromium

Note: Aquatone is not supported anymore.

Gowitness

Very nice tool that can be used to take screenshots of web applications and generate a report. Unlike Aquatone, gowitness supports CIDR notation, which can be very useful: we can specify a range of IP addresses and the tool will probe each host and take a screenshot if a website is found on port 80, 443, 8080 or 8443 (by default). By default, the tool puts the screenshots in the screenshots directory.

A Docker image exists for this tool.

Scripting language: Golang

# To Scan IP range
gowitness scan --cidr 192.168.0.0/24 --threads 20

# Generate Reports and serve on port 7171
gowitness report serve

# Generate Reports HTML files
gowitness report export -f <report_name> -P <screenshots_files>
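Aquatone reads one host per line from stdin and, unlike gowitness, does not expand CIDR blocks. The following is an added example (not code from either project) that normalises a scope file mixing CIDR blocks, single IPs, URLs and hostnames into a de-duplicated target list that can be piped into either tool. The scope contents are constructed and the hostnames are placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed scope file: the mix of forms that usually shows up in a
# client-provided scope document (all values are placeholders).
SCOPE_TEXT = """\
# example scope (constructed)
192.168.0.0/30
10.10.10.5
https://portal.example.com:8443/login
app.example.com
192.168.0.2
"""


def expand_scope(text):
    """Turn a scope file into a sorted, de-duplicated list of host[:port] targets."""
    targets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # URLs: keep the host and, if explicitly given, its port
        if "://" in line:
            parts = urlsplit(line)
            if parts.hostname is None:
                continue
            targets.add(f"{parts.hostname}:{parts.port}" if parts.port else parts.hostname)
            continue
        # IP addresses and CIDR blocks: expand to the usable host addresses
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            targets.add(line.lower())  # not an address: treat as a plain hostname
            continue
        if net.num_addresses == 1:
            targets.add(str(net.network_address))
        else:
            targets.update(str(h) for h in net.hosts())
    return sorted(targets)


if __name__ == "__main__":
    # Print one target per line, ready for: python3 expand_scope.py | aquatone ...
    print("\n".join(expand_scope(SCOPE_TEXT)))
```

Keeping the expansion in one place also makes it easy to diff the resulting list against the authorised scope before any scanner is pointed at it.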

Information in document metadata

FOCA is a great tool to find information in the metadata of a variety of document types. For example, we might check for the internal AD username pattern, or the type and version of software in use. Knowing the username pattern makes it possible to craft a list of potential usernames from information collected from other publicly known sources.

The biggest downside of FOCA is that it requires a specific version of Microsoft SQL Server to be installed on your computer for the tool to work. We can install a version of MSSQL quickly using this link.
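To show what FOCA actually reads, and to give the defending side a way to check documents before they are published, here is an added example (not FOCA's code) that extracts the authorship fields from the docProps/core.xml part of an OOXML document and flags values that look like login names (DOMAIN\user, first.last) rather than display names. The document is built in memory from constructed values, so it runs offline; the names and domain are placeholders.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by the core-properties part of an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# A value that looks like an account name rather than a display name: optional
# DOMAIN\ prefix, then a lowercase token with no spaces (constructed heuristic)
ACCOUNT_LIKE = re.compile(r"^(?:[A-Za-z0-9.-]+\\)?[a-z][a-z0-9._-]{2,}$")


def build_sample_docx(creator, last_modified_by):
    """Build a minimal OOXML package in memory with the given core properties (constructed test data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, last_modified_by)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full Word file
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return {field: value} for the authorship fields of an OOXML document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for tag, field in (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by")):
        node = root.find(tag, NS)
        if node is not None and node.text:
            props[field] = node.text.strip()
    return props


def find_account_leaks(props):
    """Return the metadata fields whose value looks like an internal login name."""
    return {field: value for field, value in props.items() if ACCOUNT_LIKE.match(value)}


if __name__ == "__main__":
    doc = build_sample_docx("Amandine Dupont", "CORP\\adupont")  # constructed values
    found = read_core_properties(doc)
    print("metadata:", found)
    print("account-like values:", find_account_leaks(found))
```

Running the same two functions over every document in a public web root, or as a pre-publication check, shows exactly what FOCA would harvest; stripping docProps/core.xml (or the "Inspect Document" feature in Office) removes it.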

gau

From the GitHub repo:

getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's waybackurls.

Shodan

Shodan is a very powerful search engine we can use to find externally exposed assets. It is worth paying for the $5 membership access.

We can search by subnet with the search term net:10.10.10.0/20. Here are listed some examples of Shodan queries.

Source: APISec University

Query Shodan for a list of IP addresses

while read -r ip; do shodan host "$ip"; done < ip-addresses.txt

TruffleHog

Tool to find leaked secrets in public GitHub repositories.

docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=target-name

AssetNotes Wordlist

Masscan

masscan -iL ip-list.txt --rate 1000 -p 1-65535 | tee masscan.output
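The masscan.output file captured above contains one "Discovered open port" line per finding. As an added example (not part of masscan or of the original notes), the following parses those lines into a per-host port table and compares it against an inventory of what the asset owner expects to be exposed, which is the check a defender wants from an external scan. The output lines, addresses and the expected-exposure inventory are all constructed.

```python
import re
from collections import defaultdict

# One line per open port, as masscan prints it to stdout
MASSCAN_LINE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")

# Constructed sample of a masscan.output file (documentation addresses)
SAMPLE_OUTPUT = """\
Starting masscan (constructed banner line)
Initiating SYN Stealth Scan
Scanning 3 hosts [65535 ports/host]
Discovered open port 443/tcp on 203.0.113.10
Discovered open port 22/tcp on 203.0.113.10
Discovered open port 80/tcp on 203.0.113.11
Discovered open port 3389/tcp on 203.0.113.12
Discovered open port 443/tcp on 203.0.113.10
"""

# Constructed inventory: what is believed to be intentionally exposed
EXPECTED = {
    "203.0.113.10": {(443, "tcp")},
    "203.0.113.11": {(80, "tcp"), (443, "tcp")},
}


def parse_masscan(text):
    """Map each host to the sorted list of (port, proto) pairs found open (duplicates collapsed)."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line)
        if m:
            port, proto, host = m.groups()
            hosts[host].add((int(port), proto))
    return {host: sorted(ports) for host, ports in hosts.items()}


def unexpected_exposure(found, expected):
    """Return {host: [(port, proto), ...]} for every open port missing from the inventory.

    Hosts absent from the inventory are reported in full, since an unknown
    externally reachable host is itself a finding.
    """
    findings = {}
    for host, ports in found.items():
        extra = [p for p in ports if p not in expected.get(host, set())]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    open_ports = parse_masscan(SAMPLE_OUTPUT)
    for host, ports in sorted(open_ports.items()):
        print(host, ", ".join(f"{port}/{proto}" for port, proto in ports))
    print("unexpected:", unexpected_exposure(open_ports, EXPECTED))
```

To use it on a real run, read masscan.output into parse_masscan and keep EXPECTED in version control next to the asset inventory, so each scan becomes a diff rather than a list to re-triage by hand.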
