Posted: 2022-11-06 07:04:20. RSS feed digest for 2022-11-06 07:00 (4 items)
| Category | Site | Article title / trending word | Link URL | Frequent words / summary / search volume | Registered |
|---|---|---|---|---|---|
| Overseas TECH | DEV Community | Certificate Parsing with `domain-recon` | https://dev.to/ervin_szilagyi/certificate-parsing-with-domain-recon-1eo9 | Certificate Parsing with domain-recon. What is Certificate Parsing? Certificate parsing is a way of conducting web hacking reconnaissance when an attacker is targeting an organization. The goal is to gather information about the organization and widen the attack space by enumerating every possible domain and subdomain owned by an organization. One methodology of enumerating domains and subdomains is to take advantage of the SSL certificates used by the organization. There are several online databases, like crt.sh and SSLMate, which can be used to enumerate certificates issued for domains owned by an organization. Moreover, if we take a look at the Subject Alternative Name of a certificate, we might be able to enumerate other hostnames for which the certificate is applied. What is domain-recon? domain-recon is an open-source command-line tool written in Rust which automates certificate parsing. It uses the crt.sh database to fetch information about certificates issued for a domain and all of its subdomains. It extracts all the hostnames from the Common Name and Matching Identities fields, the result of which will be a list of domains requiring further filtering. We can distinguish the following types of domains in the list: registered domains that can be resolved as IPv4 or IPv6 IP addresses; unregistered domains; wildcard domains (domain names which contain a wildcard character, for example *.example.com; wildcards are used to secure multiple subdomain names/hosts pertaining to the same base domain). domain-recon filters out wildcard domains from the list and tries to do a domain resolution for each non-wildcard domain. It drops all the domain names which are not registered, and it displays a list only with the valid domain names. In the case of the wildcard domains, it will try to guess possible subdomains. This is accomplished by taking a wordlist as input and replacing the wildcards with entries from the list. To detect which domain names are registered, it tries to do a domain resolution for each new entry and displays a new list with the successful queries. Example of Usage: The source code for the domain-recon tool can be found on GitHub. Executables are built and released for all Linux, Mac and Windows operating systems and can be downloaded from the releases. List all the domains and subdomains for dev.to: `domain-recon -d dev.to -f words.txt`. The output of which will be something like this: Fetching certificates... Extracting domains... sni.cloudflaressl.com (A), dev.to (A), sni.cloudflaressl.com (A), www.jobs.dev.to (A), jobs.dev.to (A), t.shared.global.fastly.net (A), dev.to (A), storybook.dev.to (A), shop.dev.to (A), status.dev.to (A), docs.dev.to (A), customer.service.status.ovhcloud.com (A), status.beta.sailpoint.com (A), itstatus.stmonicatrust.co.uk (A). Expanding wildcards... admin.forem.com (A), docs.forem.com (A), demo.forem.com (A), www.forem.com (A), www.dev.to (A). We can omit expanding wildcards by not specifying a wordlist: `domain-recon -d dev.to`. Output: Fetching certificates... Extracting domains... jobs.dev.to (A), sni.cloudflaressl.com (A), dev.to (A), www.jobs.dev.to (A), shop.dev.to (A), sni.cloudflaressl.com (A), storybook.dev.to (A), docs.dev.to (A), customer.service.status.ovhcloud.com (A), status.beta.sailpoint.com (A), t.shared.global.fastly.net (A), dev.to (A), status.dev.to (A), itstatus.stmonicatrust.co.uk (A). We can use the `--plain` flag to suppress displaying IP addresses. This can be useful if we want a list with domain names only, which can be provided as input for tools such as httpx. Example: `domain-recon -d dev.to -f words.txt --plain \| httpx -probe -sc -title -ip` (httpx banner: projectdiscovery.io. Use with caution. You are responsible for your actions. Developers assume no liability and are not responsible for any misuse or damage.) [SUCCESS] [SUCCESS] [SUCCESS] [SUCCESS] Fastly error: unknown domain: t.shared.global.fastly.net [SUCCESS] [SUCCESS] DEV Community [SUCCESS] [SUCCESS] Hello from Forem Admin Docs, Forem Admin Docs [SUCCESS] [SUCCESS] thank you [SUCCESS] Webpack App [SUCCESS] Forem Shop [SUCCESS] [SUCCESS] Forem Community for Everyone [SUCCESS] DEV Status [SUCCESS] Customer Service Status [SUCCESS] [SUCCESS] St Monica Trust IT Status [SUCCESS] [SUCCESS] Dunder Mifflin Community. Limitations: domain-recon can discover domain names that have public SSL certificates. Currently it scans only valid certificates; this can be easily changed to include invalid ones as well, but according to my experience this is not as useful. Nowadays most websites have SSL certificates, including development and testing environments as well. It can be helpful for a pen tester to scan for these environments. Obviously, it cannot find environments without registered SSL certificates. domain-recon currently uses the Google, Cloudflare and Quad9 domain resolvers. By default it is set to use Google only, which we can override with the `--dns-resolver` argument. We can also set it to use multiple resolvers at the same time (`--dns-resolver` with google, cloudflare and quad9). According to my experience, having only one resolver might invoke rate limiting if we are scanning a huge number of domains at the same time. Unfortunately, there are slowdowns with multiple resolvers as well. It relies on the async-std-resolver crate for DNS resolution. A future improvement would be to optimize the usage of async-std-resolver to achieve better performance. Since it relies on async calls, we can run into errors related to having too many opened connections. This is somewhat mitigated by limiting the DNS calls to a lower number, but I'm sure there are better ways to deal with it. Further Reading: The domain-recon tool was inspired by the book Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities by Vickie Li. It is a great resource for anyone interested in web hacking and penetration testing. Source Code and Contributing: As mentioned above, the source code for domain-recon can be found on GitHub. It is written entirely in Rust. Any contribution is welcomed. | 2022-11-05 21:46:45 |
| Apple | AppleInsider - Frontpage News | Twelve South HiRise 3 review: Great design but not MFi-approved | https://appleinsider.com/articles/22/11/05/twelve-south-hirise-3-review-great-design-but-not-mfi-approved?utm_medium=rss | Twelve South HiRise 3 review: Great design but not MFi-approved. The Twelve South HiRise 3 is a three-device charger that solves a specific problem with most MagSafe chargers, but doesn't bear Apple's MFi approval. Twelve South HiRise 3. When we were first introduced to the third-generation HiRise from Twelve South, we didn't expect to like it. The HiRise family has a proud legacy, and we weren't sure this latest incarnation would hold up. Read more | 2022-11-05 21:42:16 |
| News | BBC News - Home | Aaron Carter: Singer, rapper and brother of Backstreet Boys' Nick dies aged 34 | https://www.bbc.co.uk/news/entertainment-arts-63527899?at_medium=RSS&at_campaign=KARANGA | carter | 2022-11-05 21:23:38 |
| Business | Toyo Keizai Online (東洋経済オンライン) | Will the "leading role" in next-generation rail vehicles be hydrogen or hybrid? For now, "ready-to-use" bi-mode vehicles may lead the way \| Overseas \| Toyo Keizai Online | https://toyokeizai.net/articles/-/630492?utm_source=rss&utm_medium=http&utm_campaign=link_back | Toyo Keizai Online (東洋経済オンライン) | 2022-11-06 06:30:00 |