xer0dayz Blog
Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.
Highlights:
0:00 – Basic stealth mode single domain recon with Sn1per Professional v8.0
5:00 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
6:15 – Using InjectX fuzzer to fuzz dynamic URL’s (unreleased)
8:04 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
9:00 – More stealth mode single target recon with split panel/search/host jump features
11:20 – Manual scan analysis of discovered URL’s
16:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
17:35 – Use of Sn1per Professional’s host table filter
17:45 – Use of Sn1per Professional’s quick links to view websites in browser
18:52 – Use of Sn1per Professional’s built-in Google Dorks links to discover hidden content
19:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
22:22 – Using Burpsuite Professional JSLinkFinder plugin to analyze Javascript files
24:20 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
25:54 – Discovering hidden/cached content via URLScan.io
29:55 – Use of Sn1per Professional’s built-in Notepad add-on to keep notes on workspace
30:37 – Use of Fofa to conduct recon on target domain
35:31 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories with extensions (unreleased)
36:26 – Using Google dorks to discover content and URL’s
43:17 – Manual Javascript analysis from the command line
44:42 – Discovering pre-production and internal domains in Javascript files
53:18 – Digging deeper into hidden/discovered content on a target
57:14 – Discovering PayPal github repos in Javascript source
57:42 – Conducting basic github recon on PayPal developers for sensitive data
Highlights:
0:35 – Basic single domain recon with Sn1per Professional v8.0 + Command Execution Add-on
3:27 – Analyzing scan results via split screen Sn1per Professional host reports
5:45 – Discovering hidden content via Sn1per Professional Fuzzer add-on (unreleased)
7:23 – Sn1per Professional workspace navigator search/filter
7:31 – Sn1per Professionla ‘recon’ mode to discover sub-domains
9:00 – Sn1per ‘flyover’ mode of discovered domains from the command line
13:50 – Sn1per Professional ‘web’ mode visual recon
15:00 – Sn1per Professional ‘web’ mode scan
17:30 – Analyzing scan results and browsing discovered URL’s
20:00 – Using Sn1per Professional’s recon links to perform recon on TLD
32:30 – Sn1per Professional workspace report filtering for live web hosts
33:45 – Utilizing Sn1per Professional’s quick links to view websites
38:18 – Digging deeper manually into interesting hosts
40:00 – Leveraging Burpsuite Professional with Collaborator to catch emails and analyze HTTP requests
42:26 – Running URL Fuzzer Add-on to fuzz dynamic URL’s for open redirects and CRLF vulnerabilities (unreleased)
43:56 – Using Sn1per Professional’s built-in Notepad to keep/store notes in workspace
46:55 – Discovering hidden content via Sn1per Professional Fuzzer add-on (unreleased)
48:14 – Setting up Burpsuite Professional certificate authority to intercept HTTPS traffic
49:32 – Installing and using Burpsuite CO2 plugin to scan for SQL injection
50:38 – Manually fuzzing dynamic URL’s via Burpsuite Intruder
56:24 – Manually analyzing fuzzer results to discover hidden content
1:01:00 – Brute forcing basic authentication with Sn1per Professional’s Brute Force add-on (unreleased)
1:06:36 – Manually fuzzing dynamic URL’s via Burpsuite Intruder
1:14:22 – Using Sn1per Professional’s CSV export to view host table