Skip to content

Instantly share code, notes, and snippets.

View ehsahil's full-sized avatar

Sahil Ahamad ehsahil

View GitHub Profile
### Keybase proof
I hereby claim:
* I am ehsahil on github.
* I am ehsahil (https://keybase.io/ehsahil) on keybase.
* I have a public key ASAX_QruRWe-ErPVC5AN0Mz185L-jxM8rZ1HBmpwFrCiOAo
To claim this, I am signing this object:
#Tools based on a resolver.rb by @melvinsh
#Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
require 'socket'
require 'colorize'
begin
domain = ARGV[0]
rescue
puts "Usage: ruby subdomain.rb domain"
exit
@ehsahil
ehsahil / recon.rb
Last active December 28, 2022 06:02
#Tool based on a resolver.rb by @melvinsh
#Original Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
require 'socket'
require 'colorize'
begin
file = File.open(ARGV[0], "r")
rescue
puts "Usage: ruby recon.rb wordlist"
#Finding subdomains via Nmap.
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub10000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub100000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst
require 'socket'
require 'colorize'
begin
file = File.open(ARGV[0], "r")
rescue
puts "Usage: ruby resolve.rb filename (where filename contains a list of domains)"
exit
end
1. Listing AWS bucket content. (Testing for list permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 ls s3://bucket
2. Writing on AWS Bucket. (Testing for write Permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 cp test.txt s3://bucket (Copying test.txt into the bucket with no public file read permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 mv test.txt s3://bucket (Moving test.txt into the bucket with no public file read permission)
Copy test.txt file into the aws s3 bucket with public file read permission.
Basics Filters:
1. City
Example City:New Delhi.
2. Country
Example: Country:INDIA
3. Port
Example:Ports: 8443, 8080, 8180 etc
“Hackme.tld” API_key
“Hackme.tld” secret_key
“Hackme.tld” aws_key
“Hackme.tld” Password 
“Hackme.tld” FTP
“Hackme.tld” login
“Hackme.tld” github_token
“Hackme.tld” http:// & https://  
“Hackme.tld” amazonaws
“Hackme.tld” digitaloceanspaces
-Commands
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:domain.com
“hackme.tld” + internal
“hackme.tld” + sandbox
“hackme.tld” + Staging
@ehsahil
ehsahil / recon-points.txt
Last active May 1, 2020 20:07
recon-points.txt
Tips from @jobertabma, co-founder of HackerOne -- https://twitter.com/jobertabma/status/998769037445230592
0x00: I visit the product and marketing pages and read up what the products do. I identify how the product it exposed to the end user. This will give me an idea what the initial attack surface looks like, what data they're protecting, how users interact with each other, and what the learning curve looks like. I sign up for any number of accounts that is required to test the features. This will give me insight into the individual features. I do some light fingerprinting of the frameworks they use.I've even talked to engineers, product managers, and executives before even looking at something.
0x01: I prioritize based on features and then weakness type. I generally set a goal for myself to go after particular information, e.g. for an email provider I might ask myself: "I want to get access to someone's emails." Because I know what their features do, I can make an educated guess which features process ema