General Enumeration stuff
Overview
OSINT
| Resource | Examples |
|---|---|
| ASN / IP registrars | IANA, ARIN for searching the Americas, RIPE for searching in Europe, BGP Toolkit |
| Domain Registrars & DNS | Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well-known DNS servers, such as 8.8.8.8 |
| Social Media | Searching LinkedIn, Twitter, Facebook, your region’s major social media sites, news articles, and any relevant info you can find about the organization |
| Public-Facing Company Websites | Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the “About Us” and “Contact Us” pages can also be gold mines |
| Cloud & Dev Storage Spaces | GitHub, AWS S3 buckets & Azure Blob storage containers, Google searches using “Dorks” |
| Breach Data Sources | HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, 0365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication |
AD Enumeration
- Kerbrute
root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txtkerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_userskerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txtkerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 users2.txt Welcome1
- BloodHound
- AD ACL Enumeration
- Enumerating AD DNS RECORDS TOOL
adidnsdump -u DOMAIN\\user ldap://DC-IP- flag
-rresuelve registros desconocidos
- flag
Detailed User Enumeration
- LinkedIn to username
- Any script that combines the firstname and lastname
- firstname.lastname
- firstnamelastname
- lastname.firstname
- lastnamefirstname
- lastname
- firstname
- initialFirstName.lastname
- etc
- Script One
- Script two
Cloud services
DNS
vhost enum
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://domain:port/ -H 'Host: FUZZ.domain' -fs 986
http POST fuzzing
ffuf -w /ust/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://domain:PORT/something.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx