- Get ASN of target
- Get the IP ranges the ASN announces, and check them against the programme scope before scanning
- Masscan all the ranges (common web ports)
- Double-check which hosts actually answer HTTP(S) (httprobe)
- Generate the URL list (aquatone)
- Brute-force paths on every live URL with a login/admin-panel wordlist (dirsearch)
- Take a ☕ and wait for juicy results
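# Step 1: look up the target organisation's ASN(s) and the prefixes they announce.
# Replace "Organization" with the registry name of the target (the original example used Yahoo).
# Save the ranges it returns as ips.txt for the masscan step below — and check them against the
# programme's scope first: an ASN lookup returns everything the org announces, which is usually
# broader than what you are authorised to scan.
# (The original had this note as a "//" comment, which is not shell comment syntax and would be
# executed as a command; "#" is the shell comment marker.)
python asnlookup.py -o Organization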
# Step 2: SYN-scan every range in ips.txt for the usual web ports and keep only open ones.
# -oX writes one XML <host> line per open port into results.txt; the extraction step below
# parses that file, so the port list here must stay in sync with the ports it extracts.
# Notes for whoever reruns this:
#   - masscan needs raw sockets, hence sudo.
#   - no --rate is given, so masscan's (low) default packet rate applies; raise it only within
#     what the programme's rules of engagement allow.
#   - --banners: masscan uses its own user-space TCP stack, so the kernel tends to RST the
#     connections it did not open and banners come back empty unless masscan is given a spare
#     source address or the source port is firewalled — see the masscan README on banner grabbing.
sudo masscan -iL ips.txt --ports 80,443,8080,8081,8089,8443 --open --banners -oX results.txt
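# Step 3: turn masscan's XML results into an httprobe-verified list of live web services.
#
# results.txt is masscan -oX output, one <host> element per line, roughly:
#   <host endtime="…"><address addr="10.0.0.1" addrtype="ipv4"/><ports><port protocol="tcp" portid="8089">…</port></ports></host>
# The previous version of this step grepped for '"80"' and friends, which matches any attribute
# whose value happens to be that number (e.g. a reason_ttl="80"), and it never extracted 8080
# even though the masscan step scans it, so those hosts silently never reached alive.txt.
# Anchoring on portid= and looping over the same port list as the scan fixes both.

# masscan_addrs PORT [FILE]
#   Print, one per line and de-duplicated, every address that masscan reported with PORT open
#   in FILE (default results.txt). Only portid="PORT" is matched, so another attribute holding
#   the same number is not picked up.
masscan_addrs() {
  local port=$1
  local file=${2:-results.txt}
  grep -F -e "portid=\"${port}\"" -- "$file" \
    | grep -oE 'addr="[^"]+"' \
    | cut -d'"' -f2 \
    | sort -u
}

if [[ -s results.txt ]]; then
  # Same port list as the masscan step. As before, hosts with 80/443 open are handed to httprobe
  # bare (those are its default probe ports); the others get an explicit :port suffix.
  for port in 80 443 8080 8081 8089 8443; do
    if [[ "$port" == 80 || "$port" == 443 ]]; then
      masscan_addrs "$port" results.txt | httprobe >> alive.txt
    else
      masscan_addrs "$port" results.txt | sed "s/\$/:${port}/" | httprobe >> alive.txt
    fi
  done
  # The same URL can be reached from more than one of the lists above (httprobe probes both
  # schemes for a bare host), so collapse duplicates before aquatone sees them.
  sort -u -o alive.txt alive.txt
else
  printf 'no masscan results in results.txt - run the masscan step first\n' >&2
fi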
# Step 4: feed the live URLs to aquatone on stdin; the next step reads the aquatone_urls.txt it
# writes. (Redirect instead of cat — same input, one fewer process.)
aquatone < alive.txt
# Step 5: run dirsearch against every URL aquatone kept, one target at a time (the original used
# xargs -P1, i.e. no parallelism across targets; raise that only if the programme's rate limits
# allow — each target already gets 40 threads via -t).
# Wordlist: SecLists' Logins.fuzz.txt (login/admin panel names), with .html appended (-e), recursing
# into directories it finds (-r), 3 s request timeout. -b's meaning depends on the dirsearch
# version this was written for (request-by-hostname in older releases) — check --help before reuse.
while IFS= read -r url || [[ -n "$url" ]]; do
  python3 ~/tools/dirsearch/dirsearch.py -r -b \
    -w ~/tools/SecLists/Discovery/Web-Content/Logins.fuzz.txt \
    -t 40 -e html --timeout=3 -u "$url"
done < aquatone_urls.txt
- asnlookup
- masscan
- httprobe
- aquatone
- dirsearch