<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Vulnerability Hunting on defektive</title><link>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/</link><description>Recent content in Vulnerability Hunting on defektive</description><generator>Hugo</generator><language>en</language><atom:link href="https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/index.xml" rel="self" type="application/rss+xml"/><item><title>Automated Scanning with Nuclei</title><link>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/nuclei/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/nuclei/</guid><description>&lt;p&gt;&lt;a href="https://github.com/projectdiscovery/nuclei"&gt;&lt;code&gt;nuclei&lt;/code&gt;&lt;/a&gt; does most of the heavy
lifting in the hunting phase. It runs a big community library of YAML
&lt;em&gt;templates&lt;/em&gt; — each one a precise check for a specific CVE, misconfiguration,
default credential, or information exposure — against your targets. It&amp;rsquo;s fast,
the false-positive rate is low (each template encodes a real matcher), and the
template set gets updated constantly.&lt;/p&gt;

&lt;h2 id="setup"&gt;Setup&lt;a class="td-heading-self-link" href="#setup" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;nuclei -update &lt;span class="c1"&gt;# update the binary&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;nuclei -update-templates &lt;span class="c1"&gt;# pull the latest template library&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h2 id="run-against-your-live-urls"&gt;Run against your live URLs&lt;a class="td-heading-self-link" href="#run-against-your-live-urls" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Feed nuclei the live URL list from &lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/http-probing-and-screenshots/"&gt;HTTP probing&lt;/a&gt;.
Use a project file so re-runs don&amp;rsquo;t repeat work:&lt;/p&gt;</description></item><item><title>Known Exploits with SearchSploit</title><link>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/known-exploits/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/known-exploits/</guid><description>&lt;p&gt;Your &lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/service-enumeration/"&gt;service enumeration&lt;/a&gt; produced versioned
services — &lt;code&gt;vsftpd 2.3.4&lt;/code&gt;, &lt;code&gt;Apache Tomcat 8.5.32&lt;/code&gt;, &lt;code&gt;OpenSSH 7.2&lt;/code&gt;. SearchSploit
checks those versions against the offline &lt;a href="https://www.exploit-db.com/"&gt;Exploit-DB&lt;/a&gt;
archive, so you can find public exploits without leaving your terminal.&lt;/p&gt;

&lt;h2 id="setup"&gt;Setup&lt;a class="td-heading-self-link" href="#setup" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;code&gt;searchsploit&lt;/code&gt; ships with the &lt;code&gt;exploitdb&lt;/code&gt; package. Keep the database current:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;sudo apt install exploitdb &lt;span class="c1"&gt;# or: git clone exploitdb to /opt and symlink&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;searchsploit -u &lt;span class="c1"&gt;# update the local exploit database&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h2 id="feed-it-your-nmap-results-directly"&gt;Feed it your nmap results directly&lt;a class="td-heading-self-link" href="#feed-it-your-nmap-results-directly" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The part I like: searchsploit reads nmap XML and looks up every detected service
automatically. Point it at the &lt;strong&gt;version/service&lt;/strong&gt; scans (not the quick port
sweeps). This is what Arsenic&amp;rsquo;s &lt;code&gt;as-searchsploit&lt;/code&gt; does:&lt;/p&gt;</description></item><item><title>Subdomain Takeover</title><link>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/subdomain-takeover/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/vulnerability-hunting/subdomain-takeover/</guid><description>&lt;p&gt;A subdomain takeover happens when a DNS record (usually a CNAME) points at a
third-party service — S3, GitHub Pages, Heroku, Azure, a SaaS app — that&amp;rsquo;s since
been deleted or never claimed. Anyone who registers that resource controls
content served on the client&amp;rsquo;s subdomain. It&amp;rsquo;s high-impact and often overlooked,
and your &lt;a href="https://defektive.github.io/docs/pentest-handbook/discovery/"&gt;discovery&lt;/a&gt; phase already handed you the full subdomain
list to check.&lt;/p&gt;

&lt;h2 id="how-to-spot-one"&gt;How to spot one&lt;a class="td-heading-self-link" href="#how-to-spot-one" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The signature is a CNAME pointing to an external service that returns a
service-specific &amp;ldquo;not found / no such bucket / unclaimed&amp;rdquo; error. For example,
&lt;code&gt;assets.example.com&lt;/code&gt; CNAME&amp;rsquo;d to a non-existent S3 bucket returns &lt;code&gt;NoSuchBucket&lt;/code&gt;.&lt;/p&gt;</description></item></channel></rss>