Web Scanners

Tips

  • query ASN via whois:
    • whois -H -h whois.cymru.com " -v $IP"
  • reverse IP to DNS lookup:
    • https://api.hackertarget.com/reverseiplookup/?q=$IP
  • List of OpenSource WebScanners

(Port) Scanner

  • nmap

    • Common ports of web applications, including non-standard ones:
      • 80,81,82,83,84,85,86,88,90,300,443,444,591,593,631,832,981,1010,1311,1935,2052,2053,2069,2078,2079,2080,2082,2083,2086,2087,2095,2222,2480,3000,3004,3128,3333,3434,4000,4100,4243,4431,4433,4443,4567,4711,4712,4993,5000,5104,5108,5280,5800,6543,7000,7001,7071,7080,7081,7394,7443,7474,7547,8000,8001,8008,8010,8014,8042,8069,8080,8081,8082,8084,8085,8087,8088,8089,8090,8091,8099,8118,8123,8172,8222,8243,8280,8281,8333,8383,8443,8500,8834,8880,8888,8983,9000,9001,9002,9003,9009,9043,9060,9080,9090,9091,9200,9443,9800,9981,9998,9999,10000,10125,10443,12443,16080,18091,18092,20000,20720,28017
  • httpx

    • https://github.com/projectdiscovery/httpx
      • Supports: URL, Title, Status Code, Content Length, TLS Certificate, CSP Header, Location Header, Web Server, Web Socket, Response Time
    • httpx -l $TARGETS -p $PORTS -o $OUTPUT
  • frogy

    • https://github.com/iamthefrogy/frogy/
    • Using a combination of different subdomain enumeration tools and logic, this script tries to identify more subdomains and root domains during recon.
  • OWASP Amass

Dir-Bruteforcing

  • dirb (slow, included with Kali)
    • dirb http://$IP/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o $OUTPUT
  • gobuster (fast, not included in Kali)
    • apt install gobuster
    • gobuster dir --url http://$IP/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o $OUTPUT
  • ffuf (fastest, not included in Kali)
    • apt install ffuf
    • ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -o $OUTPUT
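
The commands above are loud on the server side: every wordlist entry becomes a request, and most of them end in a 404. The following Python script is an added example (not part of the original page) that flags that pattern in Apache/nginx combined-format access logs by counting 404 responses per client IP inside a sliding time window. The log lines, the IPs, the user-agent strings and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format:
# client ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Return (ip, timestamp, path, status, user_agent), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    req = m.group("req").split(" ")
    path = req[1] if len(req) >= 2 else ""
    return m.group("ip"), ts, path, int(m.group("status")), m.group("ua")


def find_dir_bruteforce(lines, max_404=10, window_seconds=60):
    """Flag client IPs that accumulate more than max_404 responses with status 404
    inside any window_seconds-long sliding window (the signature of wordlist-driven
    directory brute-forcing).
    Returns {ip: (peak_404s_in_window, distinct_404_paths, user_agents)}.
    The thresholds are illustrative; tune them to the site's normal 404 rate."""
    window = defaultdict(deque)   # ip -> timestamps of recent 404s, oldest first
    paths = defaultdict(set)      # ip -> distinct paths that returned 404
    agents = defaultdict(set)     # ip -> user-agent strings seen on those requests
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed or truncated line: skip it, do not crash
        ip, ts, path, status, ua = parsed
        if status != 404:
            continue
        q = window[ip]
        q.append(ts)
        paths[ip].add(path)
        agents[ip].add(ua)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire 404s that fell out of the window
        if len(q) > max_404:
            peak = max(flagged.get(ip, (0,))[0], len(q))
            flagged[ip] = (peak, len(paths[ip]), sorted(agents[ip]))
    return flagged


def _entry(ip, second, path, status, ua):
    # Builds one constructed combined-format line for the demo (all values are made up)
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{ua}"')


# Constructed sample log: one wordlist scanner (203.0.113.5) and one ordinary visitor (198.51.100.7)
_WORDS = ["admin", "backup", "cgi-bin", "config", "db", "dev", "images", "js",
          "login", "old", "private", "tmp"]
SAMPLE_LOG = (
    [_entry("203.0.113.5", i, f"/{w}", 404, "gobuster/3.6") for i, w in enumerate(_WORDS)]
    + [_entry("203.0.113.5", 12, "/", 200, "gobuster/3.6")]
    + [_entry("198.51.100.7", 5, "/", 200, "Mozilla/5.0"),
       _entry("198.51.100.7", 20, "/favicon.ico", 404, "Mozilla/5.0"),
       _entry("198.51.100.7", 25, "/about", 200, "Mozilla/5.0"),
       _entry("198.51.100.7", 30, "/robots.txt", 404, "Mozilla/5.0"),
       "this line is corrupt and should be skipped"]
)

if __name__ == "__main__":
    for ip, (peak, n_paths, uas) in find_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} 404s within 60s across {n_paths} distinct paths, UA={uas}")
```

Counting distinct 404 paths alongside the rate matters: a broken link hammered by a single client produces many 404s for one path, whereas a wordlist run produces a different path on nearly every request. The user-agent is recorded only as supporting evidence, since all three tools above let the operator change it.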

host.io

Requires an account.

https://host.io/

curl https://host.io/api/full/facebook.com?token=$TOKEN

ipinfo.io

curl http://ipinfo.io/1.1.1.1

Shodan

https://shodan.io

Useful syntax

https://thedarksource.com/shodan-cheat-sheet/

Get available filter values grouped: https://www.shodan.io/search/facet?query=asn%3AAS15169&facet=screenshot.label

The vuln query is only allowed for academic and paying customers, but one can use the facet view to get the results (more or less) anyway:

  • https://www.shodan.io/search/facet?query=asn%3AAS15169&facet=vuln
  • https://www.shodan.io/search/facet?query=vuln%3Acve-2020-1927&facet=ip
  • TODO: a script that cross-joins these two result sets would give exact results

  • query by ASN: asn:AS123456
  • query by product: product:mysql
  • results only with screenshot: has_screenshot:"1"
  • domains with same favicon: http.favicon.hash:-1776962843 (favicons map)

Available filters (at least): asn, bitcoin.ip, bitcoin.ip_count, bitcoin.port, bitcoin.user_agent, bitcoin.version, city, cloud.provider, cloud.region, cloud.service, country, cpe, device, domain, has_screenshot, hash, http.component, http.component_category, http.favicon.hash, http.html_hash, http.robots_hash, http.status, http.title, http.waf, ip, isp, link, mongodb.database.name, ntp.ip, ntp.ip_count, ntp.more, ntp.port, org, os, port, postal, product, redis.key, region, rsync.module, screenshot.label, snmp.contact, snmp.location, snmp.name, ssh.cipher, ssh.fingerprint, ssh.hassh, ssh.mac, ssh.type, ssl.alpn, ssl.cert.alg, ssl.cert.expired, ssl.cert.extension, ssl.cert.fingerprint, ssl.cert.issuer.cn, ssl.cert.pubkey.bits, ssl.cert.pubkey.type, ssl.cert.serial, ssl.cert.subject.cn, ssl.chain_count, ssl.cipher.bits, ssl.cipher.name, ssl.cipher.version, ssl.ja3s, ssl.jarm, ssl.version, state, tag, telnet.do, telnet.dont, telnet.option, telnet.will, telnet.wont, uptime, version, vuln, vuln.verified

Dorks

Google Dorks

intext:"© 2018 Sony Electronics Inc. All rights reserved"

site:"sony.com.*"

site:.s3.amazonaws.com "Sony"

site:target.com intext:login intext:username intext:password

site:.com ext:ppt intext:password

site:.com filetype:xls inurl:"email.xls"

c:\Users site:.target.com filetype:pdf

c:\Users site:.target.com

allintext:username filetype:log

inurl:/proc/self/cwd

"index of" "database.sql.zip"

site:target.com inurl:admin "@gmail.com"

inurl:zoom.us/j and intext:scheduled for

allintitle: restricted filetype:doc site:gov

intitle:"Index of" wp-admin

inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software"

Shodan Dorks

Find open web-dir listing: http.title:"Index of /"

Citrix - Find Citrix Gateway. Example: title:"citrix gateway"

Wi-Fi Passwords - Helps find cleartext Wi-Fi passwords in Shodan. Example: html:"def_wirelesspassword"

Surveillance Cams - Devices with username admin and password. Example: NETSurveillance uc-httpd

Fuel Pumps connected to the internet - No auth required to access the CLI terminal. Example: "privileged command" GET

Windows RDP Password - But may contain secondary Windows auth. Example: "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

MongoDB servers - May give info about MongoDB servers and dashboards. Example: "MongoDB Server Information" port:27017 -authentication

FTP servers allowing anonymous access - Complete anonymous access. Example: "220" "230 Login successful." port:21

Jenkins - Jenkins unrestricted dashboard. Example: x-jenkins 200

Hacked routers - Routers which got compromised. Example: hacked-router-help-sos

Open ATM - May indicate accessible ATMs. Example: NCR Port:"161"

Telnet Access - No password required for telnet access. Example: port:23 console gateway

Misconfigured WordPress Sites - If wp-config.php is accessible, it can expose the database credentials. Example: http.html:"* The wp-config.php creation script uses this file"

Hiring - Find sites hiring. Example: "X-Recruiting:"

Android Debug Bridge - Find Android Debug Bridge (ADB) listeners on port 5555. Example: "Android Debug Bridge" "Device" port:5555

Ethereum Miners - Shows miners running ETH. Example: "ETH - Total speed"

Tesla Powerpack Charging Status - Helps find the charging status of Tesla Powerpacks. Example: http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

"authentication disabled" "RFB 003.008"

"in-tank inventory" port:10001

P372 "ANPR enabled"

mikrotik streetlight

"[2J[H Encartele Confidential"

Siemens Industrial Automation - Example: "Siemens, SIMATIC" port:161

Siemens HVAC Controllers - Example: "Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers - Example: "HID VertX" port:4070

Railroad Management - Example: "log off" "select the appropriate"

"Set-Cookie: mongo-express=" "200 OK"

"Citrix Applications:" port:1604

http.title:"- Polycom" "Server: lighttpd"

SMB (Samba) File Shares - Produces roughly 500,000 results; narrow down by adding "Documents", "Videos", etc. Example: "Authentication: disabled" port:445

Domain controllers specifically - Example: "Authentication: disabled" NETLOGON SYSVOL -unix port:445

Default network shares of QuickBooks files - Example: "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

"X-Plex-Protocol" "200 OK" port:32400

"Serial Number:" "Built:" "Server: HP HTTP"

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers - Apple TVs, HomePods, etc. Example: "\x08_airplay" port:5353

Chromecasts / Smart TVs - Example: "Chromecast:" port:8008

Crestron Smart Home Controllers - Example: "Model: PYNG-HUB"

OctoPrint 3D Printer Controllers - Example: title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

port:5901 authentication disabled