Map Application Architecture

Check List

Generate a map of the application at hand based on the research conducted.

Methodology

Application Components

Perform a stealth TCP scan on common web ports to detect server software and versions, extracting server headers to identify technologies like Apache or Nginx for vulnerability mapping

Use a web fingerprinting tool to analyze the target, identifying server-side technologies, CMS, or frameworks, and cross-referencing with known exploits

Fetch HTTP headers to extract server details, such as software version or custom headers, to confirm the web server stack and assess misconfigurations

Scan web ports with enumeration scripts to identify PaaS-specific headers or patterns, detecting platforms like Heroku or Google App Engine

Conduct passive subdomain enumeration to uncover PaaS-hosted subdomains, revealing cloud-based infrastructure tied to the target

Query DNS records with a wordlist to identify subdomains potentially hosted on PaaS platforms, expanding the attack surface

Search for PaaS-specific terms in HTTP response bodies to confirm the presence of cloud platforms like Azure or Heroku, prioritizing tests for platform-specific misconfigurations

Scan web ports with scripts to detect serverless indicators, such as Lambda or Cloud Functions, by analyzing response headers, titles, or body content

Query response bodies for serverless-related terms to identify functions hosted on platforms like AWS Lambda or Azure Functions, assessing exposure risks

Use fingerprinting tools to confirm serverless environments, checking for unique response patterns or API gateway references

Perform port scanning with enumeration scripts to identify microservices-related endpoints, such as Kubernetes or Docker, by analyzing headers and titles

Run a Kubernetes-specific scanning tool on suspected cluster IPs to detect exposed nodes, services, or APIs, identifying misconfigured microservices

Use a web vulnerability scanner to enumerate paths and detect microservices frameworks, checking for common configuration files or API endpoints

Search response bodies for microservices-related terms like Kubernetes or service mesh to confirm the architecture and prioritize testing for orchestration vulnerabilities

Scan web ports with scripts to identify static storage endpoints, such as S3 buckets or Google Cloud Storage, by analyzing response headers or body content

Execute a bucket enumeration tool to brute-force cloud storage names associated with the target, identifying publicly accessible or misconfigured buckets

Run a cloud-specific scanning tool to detect exposed storage services across AWS, Google Cloud, or Azure, checking for sensitive data exposure

Query response bodies for cloud storage signatures to confirm the presence of S3, GCS, or Azure Blob Storage, assessing risks like public read access

Extract IPv4 ranges for major cloud providers (Google, AWS, Azure) by querying their public IP range APIs, identifying potential cloud-hosted assets

Filter cloud IP ranges for a specific region (e.g., us-east-1) to narrow reconnaissance to the target’s likely infrastructure, reducing irrelevant results

Perform high-speed port scanning on identified cloud IP ranges, focusing on web ports to discover live hosts and services

Extract IPs with open TLS ports from scan results, prioritizing them for certificate analysis to uncover associated domains or subdomains

Analyze TLS certificates for extracted IPs to retrieve subject details, linking IPs to target domains or identifying wildcard certificates

Parse TLS scan results to extract subject common names (CN) and map them to IPs, confirming ownership and identifying related assets

Scan common database ports (e.g., 3306 for MySQL, 5432 for PostgreSQL) with scripts to identify database services, versions, and configurations

Connect to database ports to retrieve banners or version information, confirming the presence of MySQL, PostgreSQL, or MSSQL instances

Use a fingerprinting tool to detect database-related technologies in the web stack, cross-referencing with port scan findings

Run automated database scanners to enumerate version details for MySQL or PostgreSQL, identifying vulnerabilities like outdated versions or weak authentication

Query a network intelligence platform for database services (e.g., MySQL, MSSQL) to confirm exposed instances and assess access risks

Scan web ports with authentication-specific scripts to detect login pages or authentication endpoints, identifying potential targets for credential testing

Perform SSH port scanning to enumerate supported authentication methods, checking for weak or unsupported methods like password-based login

Use a fingerprinting tool to identify authentication-related technologies or frameworks, confirming the presence of login interfaces

Query response headers for WWW-Authenticate or SSH banners to detect authentication mechanisms, prioritizing tests for misconfigured access controls

Scan web ports with enumeration scripts to identify third-party services or APIs, analyzing headers and titles for integration clues

Use a fingerprinting tool to detect third-party SDKs, CDNs, or APIs embedded in the website, noting their versions for vulnerability research

Fetch the website’s content and search for API, CDN, or SDK references in the response body, identifying external service dependencies

Enumerate paths with a directory scanner, targeting extensions like .api, .json, or .xml to uncover API endpoints or webhook configurations

Query DNS records to identify third-party service domains, such as CDNs or cloud APIs, linked to the target

Perform subdomain enumeration to discover third-party-hosted subdomains, expanding reconnaissance to external integrations

Search response bodies for terms like “api” or “webhook” to confirm third-party service integrations, assessing risks like exposed API keys or misconfigured webhooks

Network Components

Perform a stealth TCP scan on common web ports to identify server headers and reverse proxy indicators, extracting software details like Nginx or Apache to confirm proxy presence

Use a web fingerprinting tool to analyze the target, detecting reverse proxy technologies or configurations through response patterns or headers

Fetch HTTP headers to inspect server or proxy-specific headers, identifying signatures of reverse proxies like HAProxy or Nginx

Query DNS records to map the target’s infrastructure, checking for CNAMEs or IPs that suggest proxying through external services

Run a WAF detection tool to identify if a reverse proxy is paired with a web application firewall, noting its type for potential bypass testing

Search a network intelligence platform for headers indicating reverse proxy software, confirming the use of Nginx, Apache, or HAProxy in the target’s stack

Scan web ports with scripts to detect load balancer signatures, analyzing server headers for indicators like F5 or AWS ELB

Use a fingerprinting tool to identify load balancer technologies, checking for patterns in responses that suggest traffic distribution

Send multiple HTTP header requests to the target, observing variations in server headers or response times to detect load balancer presence across multiple backend servers

Query a network intelligence platform for headers associated with load balancers like Nginx, HAProxy, or AWS ELB, confirming their role in the infrastructure

Perform a stealth TCP scan with scripts to trace HTTP responses, identifying CDN-specific headers or behaviors from providers like Cloudflare or Akamai

Use a fingerprinting tool to detect CDN usage, analyzing response headers or content delivery patterns for CDN-specific signatures

Fetch HTTP headers to identify CDN providers through server headers or custom headers like CF-Ray for Cloudflare or X-Akamai for Akamai

Query DNS records to check for CNAMEs pointing to CDN providers, confirming the use of services like Amazon CloudFront or Fastly

Search a network intelligence platform for headers indicating CDN presence, verifying providers like Cloudflare, Akamai, or Fastly in the target’s infrastructure

Document all findings, including header details, DNS records, and detected components, to create a comprehensive proof-of-concept for responsible disclosure

Assess the impact of identified components, such as misconfigured proxies, load balancers, or CDNs, to prioritize reporting based on potential vulnerabilities like header manipulation or cache poisoning

Security Components

Perform a stealth TCP scan with firewall bypass scripts to identify software-based firewalls, testing evasion techniques and analyzing responses for firewall signatures

Use a web fingerprinting tool to detect firewall technologies through response patterns, headers, or blocked requests that indicate filtering

Query a network intelligence platform for services on web ports with firewall-related server headers, confirming the presence of network-level filtering

Execute a targeted port scan on web ports with WAF fingerprinting scripts to detect WAF technologies, analyzing blocking responses or custom error pages

Run a cloud lookup module to identify cloud-based WAF services like Cloudflare, AWS WAF, or Akamai, mapping the target's WAF infrastructure

Use a fingerprinting tool to detect WAF presence through behavioral analysis of HTTP responses and error patterns

Fetch HTTP headers to inspect server or WAF-specific headers, identifying providers like ModSecurity, Cloudflare, or Imperva

Deploy a specialized WAF detection tool to confirm WAF type and version, testing various payloads to trigger blocking responses and fingerprint the protection layer

Search a network intelligence platform for WAF-specific server headers, verifying the presence of ModSecurity, Cloudflare, Imperva, or AWS WAF in the target's stack

Document all WAF findings, including detection method, WAF type, and blocking behavior, to create a comprehensive proof-of-concept for responsible disclosure

Assess WAF bypass potential by testing various payloads, encodings, or request patterns to identify weaknesses or evasion opportunities for further testing

Evaluate the impact of identified security components, such as misconfigured firewalls or bypassable WAFs, to prioritize reporting based on potential exploitation severity

Cheat Sheet

Application Components

Web Server

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: "*")

Platform-as-a-Service

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,http-enum $WEBSITE

Amass

amass enum -passive -d $WEBSITE

DNSEnum

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

Censys

services.http.response.body: {"cloud", "platform", "app engine", "heroku", "azurewebsites"}

Serverless

Nmap

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

Censys

services.http.response.body: {"lambda", "cloud functions", "azure functions", "serverless"}

Microservices

Nmap

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

Kube-Hunter

kube-hunter --remote $CLUSTER

Nikto

nikto -h $WEBSITE

Curl

curl -I $WEBSITE

Censys

services.http.response.body: {"microservices", "kubernetes", "docker", "service mesh"}

Static Storage

Nmap

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

GCPBucketBrute

gcpbucketbrute -k $USER -u

CloudHunter

cloudhunter $WEBSITE

Censys

services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}

Enum Clouds

Extract Cloud IPv4 Ranges

Google

wget -qO- https://www.gstatic.com/ipranges/cloud.json | \
jq '.prefixes[] | .ipv4Prefix' -r

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | \
jq '.prefixes[] | .ip_prefix' -r

Azure

jq < /path_file/ServiceTags_Public_*.json '.values | .[] | .properties.addressPrefixes | .[]' -r

Scanning Large Ranges

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | \
jq '.prefixes[] | if .region=="us-east-1" then .ip_prefix else empty end' -r | \
sort -u > /tmp/range-ip-output.txt

Msscan

masscan -iL /tmp/range-ip-output.txt -oL /tmp/range-ip-output.masscan -p 80,443 --rate 10000000 && head -25 /tmp/range-ip-output.masscan

awk

awk '/open/ {print $4}' /tmp/range-ip-output.masscan > /tmp/range-ip-output.tlsopen && head -25 /tmp/range-ip-output.tlsopen

Attributing Hosts

Extract TLS IP

head -1 /tmp/range-ip-output.tlsopen && export IP=$(head -1 /tmp/range-ip-output.tlsopen)

OpenSSL

openssl s_client -connect $IP:443 2>/dev/null | \
openssl x509 -text | \
grep Subject:

TLS Scan

TLS Test

echo $IP | \
tls-scan --port=443 --cacert=ca-bundle.crt -o /tmp/range-ip-output-tlsinfo.json

Interpreting TLS Scan Results

Extract Subject

cat /tmp/range-ip-output-tlsinfo.json | \
jq '[.ip, .certificateChain[].subjectCN] | join(",")' -r > /tmp/range-ip-output-tlsinfo.csv | \
head -2 /tmp/range-ip-output-tlsinfo.csv

Database

Nmap

nmap -p 3306,5432,1433,1521 \
     -sS -sV --mtu 5000 \
     --script db2-das-info,mysql-info,ms-sql-info,mongodb-info,oracle-tns-version $WEBSITE

Netcat

nc $WEBSITE 3306

Whatweb

whatweb $WEBSITE

Metasploit

msfconsole -qx "
    use auxiliary/scanner/mysql/mysql_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

msfconsole -qx "
    use auxiliary/scanner/postgres/postgres_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

Censys

services.service_name: {MYSQL, POSTGRES, MSSQL}

Authentication

Nmap

Identifying Authentication Services Using Related Scripts

nmap -sS -sV --mtu 5000 --script http-auth-finder $WEBSITE

Nmap

Checking SSH-Based Authentication

nmap -p 22 -sS -sV --mtu 5000 --script ssh-auth-methods $WEBSITE

Whatweb

whatweb $WEBSITE

Censys

services: (http.response.headers: (key: "WWW-Authenticate" and value.headers: *)) and services.port: 80 or services: (service_name: SSH and banner: * and port: 22)

Third Party Services and APIs

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-enum $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

wget -qO- $WEBSITE | grep -E "api|cdn|sdk"

Dirsearch

dirsearch -u $WEBSITE -e api,php,json,xml

Dig

dig $WEBSITE

Amass

amass enum -d $WEBSITE

Censys

services.http.response.body: {"api", "third-party", "integration", "webhook"}

Network Components

Reverse Proxy

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,reverse-index $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

DNSRecon

dnsrecon -d $WEBSITE

wafw00f

wafw00f $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "Apache", "HAProxy"})

Load Balancer

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

for i in {1..10}; do curl -I $WEBSITE; done

Censys

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "HAProxy", "F5", "AWS ELB"})

Content Delivery Network

Nmap

nmap -p 80,443 
     -sS -sV --mtu 5000 
     --script http-trace --script-args=http-trace.host=$WEBSITE $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

Dig

dig $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: {"Cloudflare", "Akamai", "Fastly", "Amazon CloudFront"})

Security Components

Network Firewall

Nmap

Identifying Software-Based Firewalls

nmap -sS -sV --mtu 5000 --script firewall-bypass $WEBSITE

Whatweb

whatweb $WEBSITE

Censys

services: (port: {80, 443} and http.response.headers: (key: "Server" and value.headers: "*Firewall*"))

Web Application Firewall

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-waf-fingerprint $WEBSITE

Metasploit

Identifying Cloud Based WAFs

msfconsole -qx "use auxiliary/gather/cloud_lookup;set HOSTNAME $WEBSITE;run;exit"

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

Wafw00f

wafw00f $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: {"ModSecurity", "Cloudflare", "Imperva", "AWS WAF"})

PreviousFingerprint Web Application Framework NextOpen Source Intelligence

Last updated 1 month ago