Simplifying Shodan with Shodanish
From Sam (CoffeeJunkie) and Rajesh Ranjan. Recon can be very fruitful if assets can be found with interesting software running in the backend. In this case Shodanish by Aziz Hakim. This tool will help us out to simplify shodan dorks by giving the domain name of the company. This will be helpful in order to filter exact results in shodan in order to get results just from the company that you want to test.
Once the hash is given, these are the results well filtered for the target.
As you can see, once the results are filtered, ther are
622 total results. Look closely in this case when the results are NOT filtered.
As you can see, when the results are not filtered, there are
1313 total results. Therefore Shodanish will save us time by looking to the hosts that we want to search.
Expanding while simplifying Github Recon with GitHound
Companies all over the world have data exposed in Github. Attackers nowadays, can easily find AWS, secret keys, secret tokens, usernames, passwords and so on. There is a tool that automate the process of GitHub Recon such as GitHound by Tillson Galloway. Depending on the tester, some people prefer to do this manually, or automatically, some prefer to mix them.
As an example of things that are possible to find in GitHub, there is a file that contains recent copy pasted strings encoded in base64, the filename is
vim_settings.xml. There is a great way to exploit this file where we are able to find the entire copy-paste history. Clone the repository and run the following code in python:
from pydriller import RepositoryMining import re import base64 foundSet = set() for commit in RepositoryMining('./').traverse_commits(): for mod in commit.modifications: if mod.source_code_before != None: regex = re.findall(r"<text encoding=\"base64\">[^>]+</text>", mod.source_code_before) for result in regex: based = str(base64.b64decode(result[len("<text encoding='base64'>"):-len("</text>")])) if based not in foundSet: print(based) foundSet.add(based + "\n")
Improving Recon with GitHub
By the usage of GitHub Dorks, there is a great way to find more results by providing the subdomains of the target. As a curious fact, there is a good chance to find configuration files from second-level subdomains.
Recon is a key base in any pentesting assestment. Depending wether is for web application or network testing. Recon will open new doors and possibilities in the attacker path.