跳至主要内容

Recon

/robots.txt
/404
/.well-known/security.txt
/images/
/admin
ffuf -u https://hackycorp.com/FUZZ -w /path/to/your/common.txt -c -v
- SecLists /Discovery/Web-Content/common.txt
- fuff README

-u URL，FUZZ 會被替換成要掃描的 path
-w Wordlist
-c Colorize output
-v Verbose output

curl -H "Host: non-exist-host" http://hackycorp.com
curl -H "Host: non-exist-host" https://hackycorp.com
openssl s_client -connect hackycorp.com:443 -servername hackycorp.com < /dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
ffuf -w /path/to/your/subdomains-top1million-5000.txt -u https://hackycorp.com -H "Host: FUZZ.hackycorp.com" -c -v -fs 107
- SecLists /Discovery/DNS/subdomains-top1million-5000.txt

-fs filter size (not equal to)

dig -t TXT key.z.hackycorp.com
dig -t SOA z.hackycorp.com
dig AXFR z.hackycorp.com @z.hackycorp.com
dig -t NS z.hackycorp.com
dig AXFR int @z.hackycorp.com
dig chaos txt VERSION.BIND @z.hackycorp.com
AWS S3
- brew install awscli
- aws configure
- "Security credentials > Create access key"
- aws s3 ls s3://assets.hackycorp.com
- aws s3 ls s3://assets.hackycorp.com/key2.txt
- aws s3 cp s3://assets.hackycorp.com/key2.txt key2.txt