Web Enumeration

2026-03-13 #web #enumeration #gobuster #ffuf #dns #fuzzing #recon

Fingerprinting

Browser extensions: Wappalyzer and WhatRuns to identify the technologies in use.

Files to check systematically:

  • /robots.txt
  • /sitemap.xml

DNS Enumeration

Command-line tools

host example.com
dig example.com
dig any example.com   # all records

Subdomains

SSL certificates (passive)

  • crt.sh: search the Certificate Transparency logs
  • censys.io: same

Bruteforce

gobuster dns -d example.com -w /path/to/wordlist
ffuf -w /path/to/wordlist -u https://example.com -H 'Host: FUZZ.example.com'
sublist3r -d example.com -o subdomains.txt

Virtual Hosts (vhost)

gobuster vhost -u https://example.com -w /path/to/wordlist
gobuster vhost -u https://example.com -w /path/to/wordlist --exclude-length 1542
ffuf -w /path/to/wordlist -u https://example.com -H 'Host: FUZZ.example.com'
ffuf -w /path/to/wordlist -u http://example.com -H 'Host: FUZZ.example.com' -fs 4242
# -fs: filters responses by size (e.g. the default page)

Directory & Files Enumeration

gobuster dir -u http://example.com -w /path/to/wordlist.txt
gobuster dir -u https://example.com -w /path/to/wordlist.txt -x php,html,asp
ffuf -u http://target.com/FUZZ -w /path/to/wordlist
feroxbuster -u <url> -w /path/to/wordlist
dirb http://example.com /path/to/wordlist
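
What the vhost and directory scans above look like from the server side, as an added detection example that is not part of the original notes. The log layout (request Host header as the first field), the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log layout: <Host header> <client IP> - - [time] "<request line>" <status> <size>
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)

def _line(host, ip, path, status, size):
    """Build one constructed log line in the assumed layout."""
    return f'{host} {ip} - - [13/Mar/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} {size}'

# Constructed sample: a wordlist scan, a Host-header sweep, and one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("example.com", "203.0.113.7", f"/{w}", 404, 153)
     for w in ("admin", "backup", "old", "test", "dev", ".git")]
    + [_line(f"{w}.example.com", "198.51.100.9", "/", 200, 4242)
       for w in ("dev", "staging", "mail", "vpn", "test")]
    + [_line("example.com", "192.0.2.50", p, 200, 812)
       for p in ("/", "/robots.txt", "/sitemap.xml")]
    + [_line("example.com", "192.0.2.50", "/favicon.ico", 404, 153)]
)

def detect_enumeration(log_text, min_404_paths=5, min_hosts=5):
    """Return {client_ip: [reasons]} for clients that look like they are enumerating."""
    paths_404 = defaultdict(set)   # distinct not-found paths per client
    hosts = defaultdict(set)       # distinct Host header values per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that do not fit the assumed layout
        ip = m["ip"]
        hosts[ip].add(m["host"].lower())
        if m["status"] == "404":
            paths_404[ip].add(m["path"].split("?", 1)[0])
    findings = {}
    for ip in set(hosts) | set(paths_404):
        reasons = []
        if len(paths_404[ip]) >= min_404_paths:
            reasons.append("dir-bruteforce")   # many distinct misses: wordlist-driven paths
        if len(hosts[ip]) >= min_hosts:
            reasons.append("vhost-fuzzing")    # one client cycling through Host values
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The thresholds are deliberately low to fit the small sample; on real traffic they would be tuned per time window.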

Fuzzing

Pages

ffuf -u https://example.com/FUZZ -w /path/to/wordlist.txt

GET parameters

ffuf -u "https://example.com/page.php?param=FUZZ" -w /path/to/wordlist.txt

POST parameters

ffuf -u "https://example.com/login.php" \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w /usr/share/wordlists/rockyou.txt \
  -H "Content-Type: application/x-www-form-urlencoded"

Subdomains

ffuf -u https://FUZZ.example.com -w /path/to/wordlist.txt -H "Host: FUZZ.example.com"

OSINT

theHarvester: collects emails, subdomains, IPs, etc.

theHarvester -d example.com -b google,bing,linkedin