Map Application Architecture

PreviousFingerprint Web Application Framework NextOpen Source Intelligence

Last updated 2 months ago

Was this helpful?

Map Application Architecture

Check List

Generate a map of the application at hand based on the research conducted.

Cheat Sheet

Application Components

Web Server

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

whatweb $WEBSITE

curl -I $WEBSITE

services.http.response.headers: (key: "Server" and value.headers: "*")

Platform-as-a-Service

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,http-enum $WEBSITE

amass enum -passive -d $WEBSITE

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

services.http.response.body: {"cloud", "platform", "app engine", "heroku", "azurewebsites"}

Serverless

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

services.http.response.body: {"lambda", "cloud functions", "azure functions", "serverless"}

Microservices

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

kube-hunter --remote $CLUSTER

nikto -h $WEBSITE

curl -I $WEBSITE

services.http.response.body: {"microservices", "kubernetes", "docker", "service mesh"}

Static Storage

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

gcpbucketbrute -k $USER -u

cloudhunter $WEBSITE

services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}

Enum Clouds

Extract Cloud IPv4 Ranges

Google

wget -qO- https://www.gstatic.com/ipranges/cloud.json | \
jq '.prefixes[] | .ipv4Prefix' -r

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | \
jq '.prefixes[] | .ip_prefix' -r

Azure

jq < /path_file/ServiceTags_Public_*.json '.values | .[] | .properties.addressPrefixes | .[]' -r

Scanning Large Ranges

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | \
jq '.prefixes[] | if .region=="us-east-1" then .ip_prefix else empty end' -r | \
sort -u > /tmp/range-ip-output.txt

masscan -iL /tmp/range-ip-output.txt -oL /tmp/range-ip-output.masscan -p 80,443 --rate 10000000 && head -25 /tmp/range-ip-output.masscan

awk '/open/ {print $4}' /tmp/range-ip-output.masscan > /tmp/range-ip-output.tlsopen && head -25 /tmp/range-ip-output.tlsopen

Attributing Hosts

Extract TLS IP

head -1 /tmp/range-ip-output.tlsopen && export IP=$(head -1 /tmp/range-ip-output.tlsopen)

OpenSSL

openssl s_client -connect $IP:443 2>/dev/null | \
openssl x509 -text | \
grep Subject:

TLS Scan

TLS Test

echo $IP | \
tls-scan --port=443 --cacert=ca-bundle.crt -o /tmp/range-ip-output-tlsinfo.json

Interpreting TLS Scan Results

Extract Subject

cat /tmp/range-ip-output-tlsinfo.json | \
jq '[.ip, .certificateChain[].subjectCN] | join(",")' -r > /tmp/range-ip-output-tlsinfo.csv | \
head -2 /tmp/range-ip-output-tlsinfo.csv

Database

nmap -p 3306,5432,1433,1521 \
     -sS -sV --mtu 5000 \
     --script db2-das-info,mysql-info,ms-sql-info,mongodb-info,oracle-tns-version $WEBSITE

nc $WEBSITE 3306

whatweb $WEBSITE

msfconsole -qx "
    use auxiliary/scanner/mysql/mysql_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

msfconsole -qx "
    use auxiliary/scanner/postgres/postgres_version;
    set RHOSTS $WEBSITE;
    run;
    exit"

services.service_name: {MYSQL, POSTGRES, MSSQL}

Authentication

Identifying Authentication Services Using Related Scripts

nmap -sS -sV --mtu 5000 --script http-auth-finder $WEBSITE

Checking SSH-Based Authentication

nmap -p 22 -sS -sV --mtu 5000 --script ssh-auth-methods $WEBSITE

whatweb $WEBSITE

services: (http.response.headers: (key: "WWW-Authenticate" and value.headers: *)) and services.port: 80 or services: (service_name: SSH and banner: * and port: 22)

Third Party Services and APIs

nmap -p 80,443 -sS -sV --mtu 5000 --script http-enum $WEBSITE

whatweb $WEBSITE

wget -qO- $WEBSITE | grep -E "api|cdn|sdk"

dirsearch -u $WEBSITE -e api,php,json,xml

Dig

dig $WEBSITE

amass enum -d $WEBSITE

services.http.response.body: {"api", "third-party", "integration", "webhook"}

Network Components

Reverse Proxy

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,reverse-index $WEBSITE

whatweb $WEBSITE

curl -I $WEBSITE

dnsrecon -d $WEBSITE

wafw00f $WEBSITE

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "Apache", "HAProxy"})

Load Balancer

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

whatweb $WEBSITE

for i in {1..10}; do curl -I $WEBSITE; done

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "HAProxy", "F5", "AWS ELB"})

Content Delivery Network

nmap -p 80,443 
     -sS -sV --mtu 5000 
     --script http-trace --script-args=http-trace.host=$WEBSITE $WEBSITE

whatweb $WEBSITE

curl -I $WEBSITE

Dig

dig $WEBSITE

services.http.response.headers: (key: "Server" and value.headers: {"Cloudflare", "Akamai", "Fastly", "Amazon CloudFront"})

Security Components

Network Firewall

Identifying Software-Based Firewalls

nmap -sS -sV --mtu 5000 --script firewall-bypass $WEBSITE

whatweb $WEBSITE

services: (port: {80, 443} and http.response.headers: (key: "Server" and value.headers: "*Firewall*"))

Web Application Firewall

nmap -p 80,443 -sS -sV --mtu 5000 --script http-waf-fingerprint $WEBSITE

Identifying Cloud Based WAFs

msfconsole -qx "use auxiliary/gather/cloud_lookup;set HOSTNAME $WEBSITE;run;exit"

whatweb $WEBSITE

curl -I $WEBSITE

wafw00f $WEBSITE

services.http.response.headers: (key: "Server" and value.headers: {"ModSecurity", "Cloudflare", "Imperva", "AWS WAF"})

PreviousFingerprint Web Application Framework NextOpen Source Intelligence

Last updated 2 months ago

Was this helpful?