notnci/recon.md Secret

## recon.md

      
    Raw
  

              recon.md
            
          
    1. prereqs


shodan cli with an account and api key instructions here
nrich
httpx for quick scanning of live webhosts
one of my lovely bash aliases: alias grip='grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"'
golang (dont forget sudo and your GOPATH)

2. finding your dork


shodan is our point for dorking in this example. google for some baseline shodan dorks, or find your own

some good tags include: http.favicon.hash, http.component, product, org, hostname, asn, hostname, cloud.region
use the ui to your advantage, shodan facets are a really useful tool


3. downloading and preparing your data


once you've found your desired dork, you can use the cli to download it to your machine for parsing and scanning

cloud.region:"us-east-1" 200 product:"Elastic"
shodan download $file_name 'query'

example: shodan download elastic_us_east 'cloud.region:"us-east-1" 200 product:"Elastic"' --limit 9999


now use shodan's builtin parsing to extract the important data fields

shodan parse --fields $field_1,$field_2 $file_name.json.gz | tee $file_name_parsed.out

example: shodan parse --fields ip_str,port elastic_us_east.json.gz | tee elastic_us_east_parsed.out


the data is not yet ready to be processed by httpx so let's do a bit of modification with awk
cat $file_name_parsed.out | awk '{print $1":"$2}'
this turns our data from "ip  port" to "ip:port" which can be passed directly into httpx or saved into a file
cat $file_name_parsed.out | awk '{print $1":"$2}' | httpx -silent -o $file_name_httpx.out
example: cat elastic_us_east_parsed.out | awk '{print $1":"$2}' | httpx -silent -o elastic_us_east_httpx.out


4. doing only legal things


disclaimer: i'm not suggesting you should, or even are legally allowed to scan an entire cloud space for vulns. you will face repercussions if you do.
with that out of the way, i think you can see we're building up to a lovely one liner

this part isn't mandatory as your recon is realistically done here. there are infinitely many ways you can proceed from here.

use httpx -td for tech detection, you can use aquatone to grab screenshots, you can nuclei -as to automatically scan with templates for detected fingerprints


for our case, we will hypothetically scan with nuclei

cat $file_name_httpx.out | nuclei -as -silent -o $file_name_nuclei.out

you can also filter out informational findings by appending grep -v info
example: cat elastic_us_east_httpx.out | nuclei -as -silent -o elastic_us_east_nuclei.out | grep -v info


some time has passed and you have your nuclei output in the format below

[1969-4-20] [1337] [lol] [info] https://127.0.0.1:420/69.html


for the next step of hypothetical attribution that you already knew about before scanning, we need to turn the IPs into their hostnames

we extract the vulnerable path (the last element) with cat $file_name_nuclei.out | awk -F " " '{print $6}' | tee $file_name_paths.out
next we use that alias from earlier to only grab the IPs cat $file_name_paths.out | grip | uniq -u | tee $file_name_vuln_ips.out
we can then use nrich cat $file_name_vuln_ips.out | nrich - | tee $file_name_nrich.out


5. what you've been waiting for


shodan download testing 'cloud.region:"us-east-1" 200 product:"Elastic" port:8001'; shodan parse --fields ip_str,port testing.json.gz | tee testing_parsed.out | awk '{print$1":"$2}' | httpx -silent -o testing_httpx.out | nuclei -as -silent -o testing_nuclei.out; cat testing_nuclei.out

cat testing_nuclei.out | awk -F " " '{print $6}' | grip | uniq -u | tee testing_vuln_ips.out | nrich - | tee testing_nrich.out


6. unlimited bashing power


shodan download testing 'cloud.region:"us-east-1" 200 product:"Elastic" port:8001'; shodan parse --fields ip_str,port testing.json.gz | tee testing_parsed.out | awk '{print$1":"$2}' | httpx -silent -o testing_httpx.out | nuclei -as -silent -o testing_nuclei.out; cat testing_nuclei.out | awk -F " " '{print $6}' | grip | uniq -u | tee testing_vuln_ips.out | nrich - | tee testing_nrich.out