<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Discovery on defektive</title><link>https://defektive.github.io/docs/pentest-handbook/discovery/</link><description>Recent content in Discovery on defektive</description><generator>Hugo</generator><language>en</language><atom:link href="https://defektive.github.io/docs/pentest-handbook/discovery/index.xml" rel="self" type="application/rss+xml"/><item><title>Subdomain Enumeration</title><link>https://defektive.github.io/docs/pentest-handbook/discovery/subdomain-enumeration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/discovery/subdomain-enumeration/</guid><description>&lt;p&gt;For each in-scope root domain you want every subdomain you can find. There are
three techniques and they don&amp;rsquo;t fully overlap — I run all three, because each
one finds names the others miss.&lt;/p&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Technique&lt;/th&gt;
 &lt;th&gt;Source&lt;/th&gt;
 &lt;th&gt;Finds&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Passive&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;OSINT APIs, search engines, cert logs&lt;/td&gt;
 &lt;td&gt;Known/indexed names, zero target traffic&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Active&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;DNS queries against the target&amp;rsquo;s resolvers&lt;/td&gt;
 &lt;td&gt;Names that resolve but aren&amp;rsquo;t indexed&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Brute force&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Wordlist against a resolver&lt;/td&gt;
 &lt;td&gt;Predictable names (&lt;code&gt;dev&lt;/code&gt;, &lt;code&gt;vpn&lt;/code&gt;, &lt;code&gt;staging&lt;/code&gt;)&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;

&lt;h2 id="passive-subfinder--amass"&gt;Passive: subfinder + amass&lt;/h2&gt;&lt;p&gt;I usually start with &lt;code&gt;subfinder&lt;/code&gt; (ProjectDiscovery) for passive enum — it&amp;rsquo;s
fast. &lt;code&gt;amass&lt;/code&gt; pulls from a different (overlapping) set of sources, so I run both
and merge the results.&lt;/p&gt;</description></item><item><title>DNS Resolution</title><link>https://defektive.github.io/docs/pentest-handbook/discovery/dns-resolution/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/discovery/dns-resolution/</guid><description>&lt;p&gt;Enumeration gives you a list of &lt;em&gt;candidate&lt;/em&gt; names. Most engagements need to know
which ones actually resolve, what they resolve to, and which IPs that adds to
scope. It&amp;rsquo;s a mass-resolution problem — you can easily end up with tens of
thousands of candidate names.&lt;/p&gt;

&lt;h2 id="mass-resolution-with-dnsx"&gt;Mass resolution with dnsx&lt;/h2&gt;&lt;p&gt;Arsenic originally used &lt;code&gt;fast-resolv&lt;/code&gt; for this. These days I use
&lt;a href="https://github.com/projectdiscovery/dnsx"&gt;&lt;code&gt;dnsx&lt;/code&gt;&lt;/a&gt; (ProjectDiscovery) — it
resolves huge lists quickly against a pool of resolvers and it&amp;rsquo;s actively
maintained.&lt;/p&gt;</description></item><item><title>Certificate &amp; SSL Harvesting</title><link>https://defektive.github.io/docs/pentest-handbook/discovery/cert-and-ssl-harvesting/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/discovery/cert-and-ssl-harvesting/</guid><description>&lt;p&gt;TLS certificates are full of hostnames. A cert&amp;rsquo;s &lt;strong&gt;Common Name (CN)&lt;/strong&gt; and
&lt;strong&gt;Subject Alternative Names (SANs)&lt;/strong&gt; list every name the operator put on it —
including internal names, dev hosts, and sibling domains that never show up in
DNS enumeration or OSINT.&lt;/p&gt;
&lt;p&gt;There are two angles: passively reading &lt;strong&gt;certificate transparency logs&lt;/strong&gt;
(covered on the &lt;a href="https://defektive.github.io/docs/pentest-handbook/discovery/subdomain-enumeration/#certificate-transparency-crtsh"&gt;Subdomain Enumeration&lt;/a&gt;
page) and actively &lt;strong&gt;grabbing certs off live hosts&lt;/strong&gt;. This page is the active
side. It&amp;rsquo;s worth doing because it catches certs that were never logged to CT and
certs served directly on IPs with no DNS name at all.&lt;/p&gt;</description></item><item><title>Host Discovery</title><link>https://defektive.github.io/docs/pentest-handbook/discovery/host-discovery/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/discovery/host-discovery/</guid><description>&lt;p&gt;You may have hundreds or thousands of IPs in scope, especially after expanding
CIDRs. Full port scanning all of them is wasteful — most won&amp;rsquo;t be up. Host
discovery is a fast first pass to find the live ones, so the expensive
&lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/"&gt;recon&lt;/a&gt; phase only targets hosts that exist.&lt;/p&gt;

&lt;h2 id="expand-cidrs-to-addresses"&gt;Expand CIDRs to addresses&lt;/h2&gt;&lt;p&gt;First, turn any CIDR ranges into individual addresses so you can scan and track
them per-host. &lt;code&gt;nmap -sL&lt;/code&gt; (&amp;ldquo;list scan&amp;rdquo;) expands ranges without sending a single
packet:&lt;/p&gt;</description></item></channel></rss>