Now that we have a list of subdomains which we know are alive, we are going to want to investigate them more closely. We have several things we can do to these domains but we want to start by getting a good overview of what each domain might have to offer and then we move on to a more manual approach which will resemble a penester like approach (Numbered sections) In the other learning path (Lettered sections) we will be learning a more automated approach to vulnerability scanning. Both have to be done to be complete and one can not go withouth the other. We will miss a lot with automation but we can cover so much more ground than when we manually walk the application.
What is it?
When we execute subdomain flyover, we are trying to get an overview of what targets we have. We need to see what this list actually contains and i mean the world ‘See’ literally, we are going to take screenshots.
In subdomain flyover we are trying to take a screenshot of all of the alive domain we gathered in our previous steps 1 & 2. We have several tools we can use to do this, i personally use aquatone but i notice i am getting old and may not be as up to date as i was so i encourage you to do your own research a bit as well into which tools runs faster. They all basically do the same thing anyway. The endgame is the screenshots and maybe the HTML file but we can grab that by navigating to the page.
- Install Google Chrome or Chromium browser — Note: Google Chrome is currently giving unreliable results when running in headless mode, so it is recommended to install Chromium for the best results.
- Download the latest release of Aquatone for your operating system.
- Uncompress the zip file and move the
aquatonebinary to your desired location. You probably want to move it to a location in your
$PATHfor easier use.
- You can also add the binary to your
- export $PATH=’$PATH:/location/of/bin’
We want to use the chromium browser because what aquatone will do is it will open a…