Bug Bounty Recon — Horizontal Enumeration

HORIZONTAL ENUMERATION
  1. Discovering the IP space:
ASN FOR APPLE INC
whois -h whois.radb.net  -- '-i origin AS714' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq
# On Go 1.17+ install with "go install ...@latest" ("go get" no longer builds binaries on Go 1.18+)
go install -v github.com/projectdiscovery/mapcidr/cmd/mapcidr@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
echo 17.0.0.0/8 | mapcidr -silent | dnsx -ptr -resp-only -o output.txt

Breakdown:

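When an IP range is given to mapcidr through stdin (standard input), it expands the range and prints each IP address on its own line: 17.0.0.1, 17.0.0.2, 17.0.0.3, 17.0.0.4, and so on. dnsx then performs a reverse (PTR) lookup for each address (-ptr), prints only the returned hostname (-resp-only) and writes the results to output.txt (-o).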

dnsX demo
whois -h whois.radb.net  -- '-i origin AS714' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq | mapcidr -silent | dnsx -ptr -resp-only

4) Favicon Hashing:

What is a favicon?

The image/icon shown on the left-hand side of a browser tab is called the favicon (favicon.ico). This icon is generally fetched from a different source or CDN, so the favicon link can be found in the source code of the website.

Generating the MurmurHash value:

To generate the MurmurHash value, which is unique to each favicon, we will use a tool called MurMurHash.

1. git clone https://github.com/Viralmaniar/MurMurHash.git
2. cd MurMurHash/
3. pip3 install -r requirements.txt

Running:

  • Upon running the tool, it will ask you to enter the URL for the hash.
  • After you enter the favicon link, it will provide you with a unique hash value (-2057558656).
python3 MurMurHash.py

Weaponizing through Shodan:

Now we query Shodan (https://www.shodan.io/) with the filter http.favicon.hash:<hash>, using that favicon hash.
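
How the value used with http.favicon.hash can be computed, as an added example that is not the MurMurHash tool's own code. It assumes the commonly documented convention of MurmurHash3 (32-bit, seed 0) over the newline-wrapped base64 text of the icon, and uses constructed sample bytes and hypothetical hostnames to check which hosts in an asset inventory you own serve the same icon.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 (x86, 32-bit), returned as a signed 32-bit integer."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x: int, r: int) -> int:
        return ((x << r) | (x >> (32 - r))) & mask

    def mix(k: int) -> int:
        return (rotl((k * c1) & mask, 15) * c2) & mask

    h = seed & mask
    body_len = len(data) - len(data) % 4
    for i in range(0, body_len, 4):          # full 4-byte little-endian blocks
        h ^= mix(int.from_bytes(data[i:i + 4], "little"))
        h = (rotl(h, 13) * 5 + 0xE6546B64) & mask
    if data[body_len:]:                      # 1 to 3 trailing bytes
        h ^= mix(int.from_bytes(data[body_len:], "little"))
    h ^= len(data) & mask                    # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    """Hash the base64 text of the icon; encodebytes keeps the 76-column newlines."""
    return murmur3_32(base64.encodebytes(icon))

def hosts_serving(reference_icon: bytes, observed: dict) -> list:
    """Hosts from an inventory whose favicon hashes to the reference value."""
    want = favicon_hash(reference_icon)
    return sorted(h for h, icon in observed.items() if favicon_hash(icon) == want)

if __name__ == "__main__":
    # Constructed sample bytes standing in for downloaded favicon.ico files.
    brand = b"\x00\x00\x01\x00" + b"constructed-brand-icon" * 8
    inventory = {                            # hypothetical hostnames
        "www.example.test": brand,
        "staging.example.test": brand,
        "blog.example.test": b"\x00\x00\x01\x00" + b"default-cms-icon" * 8,
    }
    print("http.favicon.hash:%d" % favicon_hash(brand))
    print(hosts_serving(brand, inventory))
```

Hashing the raw icon bytes, or base64 without the line breaks, gives a different number, which is a common reason a locally computed value does not match.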

apex
