
How to find vulnerable sites / networks with Shodan or Google dorks?

Syngate (HDD-drive, User; registered 02.01.2024; messages: 44; reactions: 8)
Hello guys, I am a noob in pentesting. I was wondering how you guys find vulnerable sites for a specific CVE on Shodan or with Google dorks? Do you use a special script to auto-scan multiple sites and IPs, or do you manually test them one by one? Also, which CVE or vulnerability is the easiest to find and exploit for a beginner? Any tips greatly appreciated!
 
Well, the question is also a bit too general, honestly, but I'll still try to answer it as best I can without spoon-feeding you too much.
The thing is not so much how to find a vulnerable host, but how to find a certain vulnerability on a host.
If you use search engines like Shodan/Censys/ZoomEye, you will only find what others have already found, and if you are lucky you will find a virgin vulnerable host.
The most important factor, in my opinion, is having a very good workflow in the area of reconnaissance.
Because finding a CVE doesn't take much: there are vulnmon, exploitdb, vulners, etc.

However, to find vulnerable hosts there are plenty of methods, including:
- Using external search engines such as Shodan (not recommended).
- Using automated "skid" software (Osmedeus, ReconFTW and the like; again not recommended).
- Using vulnerability assessment software such as Nessus, OpenVAS, Qualys, etc.
- Using vulnerability research software such as Nuclei.

But nothing will ever beat a person who thinks and acts in context, i.e. you have to be willing to start browsing the various ASNs / IP ranges / subdomains (depending on what you want to achieve and how) and check, maybe by hand + automatically.
I say by hand because it takes very little for these scanners to generate false positives; just look at what they base their vulnerability identification on, unless they actually try to exploit it.
In addition to what has been said (one note: using masscan won't help you; at most it will help you analyze many hosts and see which ports are actually open, but it won't even tell you the service that is on them or a possible fingerprint).

For recon I recommend these:
- Amass
- HTTPX
- Subfinder
- Manual search on Shodan / Censys / ZoomEye and the like, and learning how to write your own dorks

And for analysis:
- Nessus / OpenVAS
- Nuclei
- Acunetix / Invicti / Burp Suite / ZAProxy (for the web side, but Burp is best for manual work)

In addition to all the advice you've been given, it's a matter of experience, trial and error, and failure.
With time, study and dedication you will come to find your "method" and your "way."
I would add that reading many writeups of other vulnerabilities will also help you, as you get to see how others find vulnerabilities, from recon to the vulnerability itself.

I hope I have been comprehensive, and I apologize for possible grammatical errors because I am using a translator.
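An added example to go with the answer above (it is not code from the thread or from any of the tools named). The reply makes two points that fit together: masscan only tells you which ports answered, so a fingerprinting step has to follow before any CVE matching, and even then a version match is only a candidate for manual verification, because scanners that match on banners produce false positives. The script below parses masscan list output (`-oL`), builds the `host:port` list you would feed to httpx, extracts product/version from a captured Server header, and compares it numerically against an affected range. The masscan lines, the HTTP banners, the product name "ExampleServer" and the affected range 2.4.0 to 2.4.50 are all constructed for the example and are not real data or a real advisory.

```python
"""Added example (not from the thread): turn raw masscan output into a
triaged target list.  masscan only says which ports answered, so the next
step is a service fingerprint (httpx does this at scale), and only then
a version check against the range an advisory names.  Even a version hit
is a *candidate* to verify by hand, not a confirmed vulnerability.
All sample data below is constructed; the affected range is hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample of masscan list output (`masscan ... -oL out.txt`).
SAMPLE_MASSCAN = """\
#masscan
open tcp 443 203.0.113.5 1705312345
open tcp 80 203.0.113.5 1705312346
open tcp 8080 203.0.113.9 1705312347
open tcp 22 203.0.113.9 1705312348
# end
"""

# Constructed HTTP response heads, as a fingerprinting step would collect them.
SAMPLE_BANNERS = {
    "203.0.113.5:443": "HTTP/1.1 200 OK\r\nServer: ExampleServer/2.4.41\r\nContent-Length: 0\r\n",
    "203.0.113.5:80": "HTTP/1.1 301 Moved Permanently\r\nServer: ExampleServer/2.4.57\r\n",
    "203.0.113.9:8080": "HTTP/1.1 200 OK\r\nServer: OtherThing\r\n",
}

# Hypothetical affected range: product -> (first affected, first fixed).
ASSUMED_AFFECTED = {"exampleserver": ("2.4.0", "2.4.50")}


def parse_masscan_list(text: str) -> dict[str, set[int]]:
    """Group open TCP ports per host; comment lines and non-open states are skipped."""
    hosts: dict[str, set[int]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open" or parts[1] != "tcp":
            continue
        hosts[parts[3]].add(int(parts[2]))
    return dict(hosts)


def httpx_targets(hosts: dict[str, set[int]]) -> list[str]:
    """host:port lines for `httpx -l targets.txt`, sorted so runs are reproducible."""
    return [f"{ip}:{port}" for ip in sorted(hosts) for port in sorted(hosts[ip])]


SERVER_RE = re.compile(r"^Server:[ \t]*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", re.M | re.I)


def fingerprint(raw_headers: str) -> tuple[str, str] | None:
    """Product and version from a Server header, or None when the banner hides them."""
    m = SERVER_RE.search(raw_headers)
    return (m.group(1).lower(), m.group(2)) if m else None


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed (numeric, not lexical, compare)."""
    return version_tuple(first_affected) <= version_tuple(version) < version_tuple(first_fixed)


def triage(raw_headers: str | None, affected=ASSUMED_AFFECTED) -> str:
    """Label one target; 'candidate' still needs a manual or exploit-based check."""
    if raw_headers is None:
        return "no-http-banner"
    fp = fingerprint(raw_headers)
    if fp is None:
        return "unknown-version"  # banner stripped: a scanner will guess, a human must look
    product, version = fp
    if product not in affected:
        return "other-product"
    lo, hi = affected[product]
    return "candidate" if in_range(version, lo, hi) else "outside-range"


def run(masscan_text: str, banners: dict[str, str]) -> dict[str, str]:
    """Full pipeline: ports -> targets -> fingerprint -> triage label per target."""
    return {t: triage(banners.get(t)) for t in httpx_targets(parse_masscan_list(masscan_text))}


if __name__ == "__main__":
    for target, verdict in run(SAMPLE_MASSCAN, SAMPLE_BANNERS).items():
        print(f"{target:<20} {verdict}")
```

In practice the banners would come from httpx or a similar fingerprinting tool rather than a dict, and the affected range from the advisory you are actually chasing. The point of the `candidate` label is the one the reply makes: a version string in a header is what most scanners key on, and it says nothing about patches or a backported fix, so the host goes on the list for a hands-on check, not into a report.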
 
Thanks!
Thank you for taking the time to explain, I appreciate it.
 

