InfoSec Notes
Recon - Hostnames discovery

DNS

If a DNS service is accessible on the targeted server, multiple techniques can be used to retrieve hostnames that may be linked to a web application: DNS brute forcing, DNS zone transfer, etc. If a hostname of an Internet-facing web application is known, subdomain names may also be found in public resources and proprietary databases.

For more information on these techniques, refer to the [L7] DNS - Methodology note.

SSL/TLS certificate

If an HTTPS service is exposed, the SSL / TLS certificate presented by the service may disclose one or multiple hostnames in its Subject and Subject Alternative Name fields. The ports and services scanning tool nmap automatically extracts this information. The certificate can also be reviewed manually, using a web browser to retrieve and inspect it.

Virtual Hosts brute force

The term Virtual Host, or VHOST, refers to the practice of running more than one web application on a single server. Virtual hosts can be "IP-based" or "name-based".

When a web server receives an HTTP request, routed to it by the destination IP address of the packet, it uses the hostname specified in the HTTP Host header to determine which name-based virtual host is being queried.

When name-based virtual hosts are used over SSL / TLS, i.e. in an HTTPS configuration, the HTTP request, headers included, cannot be read until the SSL / TLS session is established. To provide a practical solution and present the SSL / TLS certificate associated with the requested hostname, an extension to the SSL / TLS protocol called Server Name Indication (SNI) was defined. SNI allows the client to include the requested hostname in the first message of the SSL / TLS handshake, during the session setup.

The virtual-host-discovery Ruby script and the VHostScan Python script can be used to brute force VHOSTs (over plain HTTP or through an SSL / TLS session).

Note that whenever a wordlist is specified, both tools replace %s by the specified hostname. A wordlist used for DNS brute forcing should therefore be adapted first:

awk '{print $0 ".%s"}' <ORIGINAL_WORDLIST> > <WORDLIST>

ruby scan.rb --ip=<IP> --host=<DOMAIN>
ruby scan.rb --ssl=on --wordlist=<WORDLIST> --ignore-http-codes=<HTTP_ERROR_CODE, [...]> --ip=<IP> --host=<DOMAIN>

VHostScan -t <IP> -b <DOMAIN>
VHostScan -t <IP> --ssl -w <WORDLIST> -b <DOMAIN> --ignore-http-codes <HTTP_ERROR_CODE, [...]>
Last updated 3 years ago