Active Method
Infrastructure Identification
Subdomain Enumeration
Zone Transfers
A zone transfer is the method by which a secondary DNS server (in a master-slave setup) receives information from the primary DNS server in order to update its records.
Issues related to zone transfer
Type: DNS Zone Transfer Misconfiguration
Description: Attackers might exploit this to gain a copy of the DNS records and obtain information.
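Added example (not from the original page): a defender-side check for the misconfiguration above, which flags zone transfers requested by hosts that are not known secondaries. The log lines are constructed and modelled on BIND 9 transfer messages; the allow-list address, zone names and function name are assumptions.

```python
import re

# Assumption: the only hosts that should ever pull the zone (your secondaries).
ALLOWED_SECONDARIES = {"192.0.2.53"}

# Constructed sample lines, modelled on BIND 9 zone-transfer log messages.
SAMPLE_LOG = """\
12-Mar-2024 10:01:07.120 client @0x7f1c 192.0.2.53#40112 (example.test): transfer of 'example.test/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:04:31.554 client @0x7f2a 203.0.113.77#51844 (example.test): zone transfer 'example.test/AXFR/IN' denied
12-Mar-2024 10:04:33.019 client @0x7f2b 203.0.113.77#51850 (corp.example.test): transfer of 'corp.example.test/IN': AXFR started (serial 2024031105)
12-Mar-2024 10:05:00.000 client @0x7f2c 198.51.100.9#33001 (example.test): query: example.test IN A +E(0)
"""

# Matches either a transfer that was served or one that the ACL refused.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"(?:transfer of '(?P<ok_zone>[^/']+)/IN': (?:AXFR|IXFR) started"
    r"|zone transfer '(?P<bad_zone>[^/']+)/(?:AXFR|IXFR)/IN' denied)"
)


def audit_transfers(log_text, allowed):
    """Return (status, client_ip, zone) for transfer attempts from hosts outside `allowed`."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["ip"] in allowed:
            continue  # not a transfer message, or a legitimate secondary
        if m["ok_zone"]:
            # Zone data was handed to an unknown host: the transfer ACL is too open.
            findings.append(("SERVED", m["ip"], m["ok_zone"]))
        else:
            # The ACL held, but an unknown host is probing for transfers.
            findings.append(("DENIED", m["ip"], m["bad_zone"]))
    return findings


if __name__ == "__main__":
    for status, ip, zone in audit_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES):
        print(f"{status:<7} {ip:<15} {zone}")
```

A SERVED finding means the zone is transferable by hosts outside the allow-list and the server's transfer ACL should be restricted to the secondaries.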
Enumeration techniques
1. Hacker Target
Tool Type: Web based
URL: https://hackertarget.com/zone-transfer/
2. Nslookup
Tool Type: Local
Step 1: Identify Nameservers
nslookup -type=NS <target domain>
Step 2: Test for ANY and AXFR zone transfer
nslookup -type=any -query=AXFR <target domain> <nameserver>
3. Gobuster
Tool Type: Local
Complementary tool/scripts/libraries: SecLists
Tip: if there's a pattern on the domain, you may opt to use pattern matching
gobuster dns -q -r <DNS server> -d <target domain> -w <wordlist> -p <pattern file> -o <filename output>
Virtual Hosts
Types of Virtual Hosting
IP-based - A host can have multiple network interfaces, allowing servers or virtual servers running on the host to bind to one or more IP addresses.
Name-based - Uses the domain name to identify which service/application was requested.
Virtual Host Enumeration
Crawling
Web Crawling
Crawling a website is a systematic or automatic process of exploring it.
Crawling Tools