Sahil Ahamad ehsahil
### Keybase proof
I hereby claim:
* I am ehsahil on github.
* I am ehsahil (https://keybase.io/ehsahil) on keybase.
* I have a public key ASAX_QruRWe-ErPVC5AN0Mz185L-jxM8rZ1HBmpwFrCiOAo
To claim this, I am signing this object:
#Tools based on a resolver.rb by @melvinsh
#Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
require 'socket'
require 'colorize'
# Reading ARGV[0] never raises, so a begin/rescue around it can't catch a
# missing argument; check for nil explicitly instead.
domain = ARGV[0]
if domain.nil?
  puts "Usage: ruby subdomain.rb domain"
  exit
end
ehsahil / recon.rb
Last active December 28, 2022 06:02
#Tool based on a resolver.rb by @melvinsh
#Original Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
require 'socket'
require 'colorize'
# File.open raises (TypeError for a nil argument, Errno::ENOENT for a missing
# file), so the rescue branch prints the usage text and exits.
begin
  file = File.open(ARGV[0], "r")
rescue
  puts "Usage: ruby recon.rb wordlist"
  exit
end
#Finding subdomains via Nmap.
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub10000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub100000.lst
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst
require 'socket'
require 'colorize'
begin
file = File.open(ARGV[0], "r")
rescue
puts "Usage: ruby resolve.rb filename (where filename contains a list of domains)"
exit
end
1. Listing AWS bucket content. (Testing for list permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 ls s3://bucket
2. Writing on AWS Bucket. (Testing for write Permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 cp test.txt s3://bucket (Copying test.txt into the bucket with no public file read permission)
Sahils-MacBook-Pro:~ sahil$ aws s3 mv test.txt s3://bucket (Moving test.txt into the bucket with no public file read permission)
Copy test.txt file into the aws s3 bucket with public file read permission.
Basic Filters:
1. City
Example: City:New Delhi
2. Country
Example: Country:INDIA
3. Port
Example: Ports: 8443, 8080, 8180 etc.
“Hackme.tld” API_key
“Hackme.tld” secret_key
“Hackme.tld” aws_key
“Hackme.tld” Password 
“Hackme.tld” FTP
“Hackme.tld” login
“Hackme.tld” github_token
“Hackme.tld” http:// & https://  
“Hackme.tld” amazonaws
“Hackme.tld” digitaloceanspaces
-Commands
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:domain.com
“hackme.tld” + internal
“hackme.tld” + sandbox
“hackme.tld” + Staging
ehsahil / recon-points.txt
Last active May 1, 2020 20:07
Tips from @jobertabma, co-founder of HackerOne -- https://twitter.com/jobertabma/status/998769037445230592
0x00: I visit the product and marketing pages and read up on what the products do. I identify how the product is exposed to the end user. This will give me an idea what the initial attack surface looks like, what data they're protecting, how users interact with each other, and what the learning curve looks like. I sign up for any number of accounts that is required to test the features. This will give me insight into the individual features. I do some light fingerprinting of the frameworks they use. I've even talked to engineers, product managers, and executives before even looking at something.
0x01: I prioritize based on features and then weakness type. I generally set a goal for myself to go after particular information, e.g. for an email provider I might ask myself: "I want to get access to someone's emails." Because I know what their features do, I can make an educated guess which features process ema