DNS

Domain Name System

Quick

dig axfr the-domain.tld @<ip>   # try a zone transfer (AXFR) against the name server at <ip>; a misconfigured server returns every record in the zone

Homoglyph & Homograph attack

When doing a phishing campaign, it can be useful to have a domain name that closely resembles the target's. By encoding your domain name with look-alike characters/symbols, you can create a very similar-looking domain name and maybe even bypass spam/phishing filters. Most importantly, it will look something like this (first line is what the user sees, second line is the Punycode form DNS actually stores):

facebooκ.com VS f4ceb00k.xyz
xn--faceboo-9nf.com VS f4ceb00k.xyz

As a hyperlink displayed in the browser it looks very similar, but once clicked you can tell that the hyperlink actually leads to a weird address (the Punycode form), which is the real address.

An internationalized domain name (IDN) is an Internet domain name that contains at least one label that is displayed in software applications, in whole or in part, in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Devanagari, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as French. These writing systems are encoded by computers in multibyte Unicode. Internationalized domain names are stored in the Domain Name System (DNS) as ASCII strings using Punycode transcription.

https://en.wikipedia.org/wiki/IDN_homograph_attack#:~:text=The%20internationalized%20domain%20name%20(IDN,the%20attack%2C%20although%20technically%20homoglyph <-- Extra info
https://www.irongeek.com/homoglyph-attack-generator.php <-- Manual homoglyph attack
https://github.com/elceef/dnstwist <-- DNS homoglyph generator
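Added example (not from the original page): a small Python checker for the defender's side of this, showing how a displayed IDN maps to the Punycode form that DNS resolves and flagging labels that mix scripts or that collapse onto a brand you protect. The CONFUSABLES table is a constructed subset of the Unicode confusables data, an assumption for the demo.

```python
import unicodedata

# Constructed subset of letters visually confusable with Latin letters
# (Greek and Cyrillic examples). A real deployment should load the full
# Unicode confusables.txt; this table is an assumption for the demo.
CONFUSABLES = {
    "\u03ba": "k",  # GREEK SMALL LETTER KAPPA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that DNS actually stores and resolves."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, taken from the Unicode name
    (e.g. 'LATIN SMALL LETTER F' -> 'LATIN'). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Map confusable letters onto their Latin look-alike so that a homoglyph
    domain and the brand it imitates compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def analyse(domain: str, protected: list) -> dict:
    """Flag a displayed domain that is an IDN, mixes scripts inside a label,
    or whose skeleton matches one of the protected brand domains."""
    ascii_form = to_punycode(domain)
    is_idn = any(lbl.startswith("xn--") for lbl in ascii_form.split("."))
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in domain.split("."))
    skel = skeleton(domain)
    impersonates = [p for p in protected if skel == p and domain.lower() != p]
    return {"ascii": ascii_form, "idn": is_idn,
            "mixed_script": mixed, "impersonates": impersonates}


if __name__ == "__main__":
    # The page's own example: Greek kappa in place of Latin k.
    print(analyse("facebooκ.com", ["facebook.com"]))
```

Note that a pure ASCII typosquat such as f4ceb00k.xyz is not a homoglyph and is not flagged by this check; tools like dnstwist cover those permutations.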

Subdomains

Bruteforcing subdomains

You can use many tools for this; mostly it comes down to brute-force attacks, to be honest. I personally use ffuf and sublist3r, but you can use wfuzz, dirbuster, gobuster, dirb, Burp, or any tool that can help you fuzz a URL.

I personally like to use ffuf (Fuzz faster you f*ck*), which comes included with Kali. wfuzz is also a pretty good tool. For a generic brute force of any subdomain on a domain I usually use sublist3r because it is fast to set up:

$ sublist3r -d DOMAIN.com -b -p 80 -t 16 -o subdomains.txt   # -b enable brute force, -p ports to probe on found hosts, -t threads, -o output file

Bruteforcing Virtual Hosts

What I like about ffuf/wfuzz is the flexibility they give you: you can set custom HTTP headers, which you need in order to find virtual hosts. If you are not familiar with vhosts, it is just a way for web servers to publish multiple websites on one IP. The web server reads the Host header (this can be configured otherwise, though) and then routes the request to the appropriate web app/webroot. The following command takes a list of common subdomain names (replace it with any list you want) and sets the Host header to each candidate in turn, while the request itself goes to the machine's IP. On the first run every name comes back with the same default site, so they are all false positives; filter on the response size of one of those false positives and then you are good to go.

$ ffuf -w /usr/share/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.domain.com" -u http://MACHINE_IP -fs {size}   # -fs drops responses whose size matches the false positive
$ wfuzz -u http://target.com -w ./dnslist.txt -H "Host: FUZZ.target.com" --hh {size}   # FUZZ must be uppercase; --hh hides responses with that many chars

OSINT - Certificates

If the target uses SSL/TLS certificates, you can always look them up on https://crt.sh, which indexes Certificate Transparency (CT) logs. Whenever a CA issues a certificate, it is recorded in public, append-only CT logs, so a search for a domain returns every logged certificate for it (subject names and SANs included), which often reveals subdomains. CT also helps against malicious actors trying to obtain fraudulent certs for a domain, since mis-issued certificates become publicly visible.