From e4ede596930a1aa1dabf793b9faae2f8cc51c897 Mon Sep 17 00:00:00 2001 From: TheTechromancer Date: Thu, 9 Mar 2023 17:16:03 -0500 Subject: [PATCH 1/3] Added BBOT (https://github.com/blacklanternsecurity/bbot) to subdomain-enumeration.md --- .../subdomain-enumeration.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/content/information-gathering/subdomain-enumeration.md b/content/information-gathering/subdomain-enumeration.md index b455086..667f28b 100644 --- a/content/information-gathering/subdomain-enumeration.md +++ b/content/information-gathering/subdomain-enumeration.md @@ -39,6 +39,31 @@ of the same organization. ## Tools +#### BBOT [^bbot] + +- Includes DNS brute-forcing with massdns + smart mutations +- Automatic (recursive) PTR,A,AAAA,MX,TXT,NS,SOA,SRV,CNAME lookups +- Returns a summary of ASNs at the end of the scan + +```sh +# subdomains +bbot -t tesla.com -f subdomain-enum + +# subdomains (passive only) +bbot -t tesla.com -f subdomain-enum -rf passive + +# subdomains + port scan + web screenshots +bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o . +``` +{{
}} +- API keys go in ~/.config/bbot/secrets.yaml +- `-f subdomain-enum`: Enable subdomain enumeration +- `-rf passive`: Only enable passive modules +- `-m`: Enable individual modules +- `-n`: Name your scan (default: random name) +- `-o`: Choose your output directory +{{
}} + #### Amass [^amass] ```sh amass enum -passive -d {{< param "war.rdomain" >}} -o results.txt @@ -320,3 +345,4 @@ curl -I -s -L https://www.maxrodrigo.com | grep -iE 'Content-Security|CSP' [^dnsrecon]: darkoperator. “GitHub - Darkoperator/Dnsrecon: DNS Enumeration Script.” GitHub, https://github.com/darkoperator/dnsrecon. [^sublist3r]: aboul3la. “GitHub - Aboul3la/Sublist3r: Fast Subdomains Enumeration Tool for Penetration Testers.” GitHub, https://github.com/aboul3la/Sublist3r. [^amass]: “GitHub - OWASP/Amass: In-Depth Attack Surface Mapping and Asset Discovery.” GitHub, https://github.com/OWASP/Amass. +[^bbot]: “GitHub - blacklanternsecurity/bbot: OSINT automation for hackers.” GitHub, https://github.com/blacklanternsecurity/bbot. From 3ea6583f4017d04632b0655b35a2a73220536356 Mon Sep 17 00:00:00 2001 From: TheTechromancer Date: Thu, 9 Mar 2023 17:29:24 -0500 Subject: [PATCH 2/3] updated with custom massdns options --- .../subdomain-enumeration.md | 30 ++++++++++++------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/content/information-gathering/subdomain-enumeration.md b/content/information-gathering/subdomain-enumeration.md index 667f28b..394f2d8 100644 --- a/content/information-gathering/subdomain-enumeration.md +++ b/content/information-gathering/subdomain-enumeration.md @@ -40,11 +40,6 @@ of the same organization. ## Tools #### BBOT [^bbot] - -- Includes DNS brute-forcing with massdns + smart mutations -- Automatic (recursive) PTR,A,AAAA,MX,TXT,NS,SOA,SRV,CNAME lookups -- Returns a summary of ASNs at the end of the scan - ```sh # subdomains bbot -t tesla.com -f subdomain-enum @@ -56,12 +51,13 @@ bbot -t tesla.com -f subdomain-enum -rf passive bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o . ``` {{
}} -- API keys go in ~/.config/bbot/secrets.yaml -- `-f subdomain-enum`: Enable subdomain enumeration -- `-rf passive`: Only enable passive modules -- `-m`: Enable individual modules -- `-n`: Name your scan (default: random name) -- `-o`: Choose your output directory +- `-t`: Target domain(s). +- `-f`: Enable modules with these flags. +- `-rf passive`: Only enable passive modules. +- `-m`: Enable individual modules. +- `-n`: Name your scan (default: random name). +- `-o`: Choose your output directory. +- API keys go in ~/.config/bbot/secrets.yaml. {{
}} #### Amass [^amass] @@ -192,6 +188,18 @@ Useful Wordlists: - Daniel Miessler's [DNS Discovery](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS). - [Commonspeak2](https://github.com/assetnote/commonspeak2-wordlists) +#### BBOT [^bbot] +Note: BBOT's massdns module uses smart mutations based on previously found subdomains +```sh +bbot -t tesla.com -m massdns -c modules.massdns.wordlist=./all.txt modules.massdns.max_resolvers=1000 +``` +{{
}} +- `-t`: Target domain(s). +- `-f`: Enables modules with these flags. +- `-c modules.massdns.wordlist`: Massdns custom wordlist (can be either local file or URL) (default: `subdomains-top1million-5000.txt`) +- `-c modules.massdns.max_resolvers`: Massdns resolvers (default: 500) +{{
}} + #### Amass [^amass] ```sh amass enum -brute -w subdomains.txt -d {{< param "war.rdomain" >}} -o results.txt From c7b82f47e44497d348b0f36a7364d392daa7090c Mon Sep 17 00:00:00 2001 From: TheTechromancer Date: Fri, 10 Mar 2023 16:40:49 -0500 Subject: [PATCH 3/3] update BBOT massdns section --- content/information-gathering/subdomain-enumeration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/information-gathering/subdomain-enumeration.md b/content/information-gathering/subdomain-enumeration.md index 394f2d8..cb99afb 100644 --- a/content/information-gathering/subdomain-enumeration.md +++ b/content/information-gathering/subdomain-enumeration.md @@ -189,7 +189,7 @@ Useful Wordlists: - [Commonspeak2](https://github.com/assetnote/commonspeak2-wordlists) #### BBOT [^bbot] -Note: BBOT's massdns module uses smart mutations based on previously found subdomains +Note: BBOT's massdns module automatically pulls an [up-to-date list of the latest public resolvers](https://github.com/blacklanternsecurity/public-dns-servers). It also brute-forces recursively based on mutations from the subdomains it finds. Run with `-f subdomain-enum` for best results. ```sh bbot -t tesla.com -m massdns -c modules.massdns.wordlist=./all.txt modules.massdns.max_resolvers=1000 ```
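Review bot: In PATCH 1/3, hunk `@@ -39,6 +39,31 @@`, the three example commands hardcode `tesla.com` while the rest of the page takes the target from the site parameter, as in the neighbouring Amass line `amass enum -passive -d {{< param "war.rdomain" >}} -o results.txt`; use `bbot -t {{< param "war.rdomain" >}} -f subdomain-enum` so the examples stay consistent and readers are not pointed at a real third-party domain. The third command (`-m naabu gowitness`) also runs a port scan and takes web screenshots, which is active and outside subdomain enumeration; either drop it from this section or label it as active so it is not mistaken for part of the passive workflow. The `-t` option used by every command is missing from the option list that follows; that gap is closed in PATCH 2/3.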
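Review bot: In PATCH 1/3, hunk `@@ -320,3 +345,4 @@`, the new `[^bbot]` footnote omits the author prefix that the `[^dnsrecon]` and `[^sublist3r]` entries carry (`darkoperator.`, `aboul3la.`); consider `[^bbot]: blacklanternsecurity. “GitHub - blacklanternsecurity/bbot: OSINT automation for hackers.” GitHub, https://github.com/blacklanternsecurity/bbot.` for a consistent citation style (the existing `[^amass]` entry has the same gap, so fixing both would be reasonable).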
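Review bot: In PATCH 2/3, hunk `@@ -40,11 +40,6 @@`, deleting the three feature bullets loses the statement that BBOT performs recursive PTR/A/AAAA/MX/TXT/NS/SOA/SRV/CNAME lookups and prints an ASN summary at the end of the scan; only the massdns brute-forcing point resurfaces later in the series (hunk `@@ -192,6 +188,18 @@`). If the intent was to trim the section, keep a one-line summary so the reader knows what the `subdomain-enum` flag enables beyond passive sources.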
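Review bot: In PATCH 2/3, hunk `@@ -56,12 +51,13 @@`, the `-f` bullet now reads "Enable modules with these flags." but the value `subdomain-enum` was dropped, so the list no longer tells the reader that `subdomain-enum` is a flag name rather than a module name; suggest `- `-f subdomain-enum`: Enable every module tagged with the `subdomain-enum` flag.` to match the commands above it. The `~/.config/bbot/secrets.yaml` bullet would also be more useful if it named which passive modules need keys, since the reader cannot otherwise tell which sources an `-rf passive` run will cover without them.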
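Review bot: In PATCH 2/3, hunk `@@ -192,6 +188,18 @@`, the option list does not match the command: the command uses `-m massdns` and `-c`, yet the list documents `-f` ("Enables modules with these flags") and never explains `-m`; replace that bullet with `- `-m massdns`: Enable only the massdns module.` The wordlist path `./all.txt` is also undefined on the page: the Amass brute-force example in the same section uses `-w subdomains.txt` and the "Useful Wordlists" list directly above names SecLists DNS Discovery and Commonspeak2, so point the example at one of those (or at `subdomains.txt`). Finally, `modules.massdns.max_resolvers=1000` doubles the stated default of 500 without saying why; since a higher resolver count raises the query load placed on public resolvers, either justify the value or show the default.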
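Review bot: In PATCH 3/3, hunk `@@ -189,7 +189,7 @@`, the rewritten note says "Run with `-f subdomain-enum` for best results", but the command directly below it still uses `-m massdns` alone, so the recommended and the demonstrated invocations disagree; add `-f subdomain-enum` to the example command, or show both invocations. The note also packs three separate facts (resolver list fetched at scan time, recursive mutation-based brute-forcing, recommended flag) into a single line; splitting it into bullets like the rest of the section would read better, and the resolver fetch deserves its own bullet because the module depends on being able to download that list from GitHub when the scan starts.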