Map Application Architecture

Check List

Cheat Sheet

Application Components

Web Server

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: "*")

Platform-as-a-Service

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,http-enum $WEBSITE

Amass

amass enum -passive -d $WEBSITE

DNSEnum

dnsenum $WEBSITE -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

Censys 

services.http.response.body: {"cloud", "platform", "app engine", "heroku", "azurewebsites"}

Serverless

Nmap 

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

Censys 

services.http.response.body: {"lambda", "cloud functions", "azure functions", "serverless"}

Microservices

Nmap

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

Kube-Hunter

kube-hunter --remote $CLUSTER

Nikto

nikto -h $WEBSITE

Curl

curl -I $WEBSITE

Censys

services.http.response.body: {"microservices", "kubernetes", "docker", "service mesh"}

Static Storage

Nmap

nmap -sS -sV --mtu 5000 --script http-enum,http-title,http-headers $WEBSITE

GCPBucketBrute

gcpbucketbrute -k test -u

CloudHunter

python3 cloudhunter.py $WEBSITE

Censys 

services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}

Enum Clouds

Extract Cloud IPv4 Ranges

Google

wget -qO- https://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[] | .ipv4Prefix' -r

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | jq '.prefixes[] | .ip_prefix' -r

Azure

jq < /path_file/ServiceTags_Public_*.json '.values | .[] | .properties.addressPrefixes | .[]' -r

Scanning Large Ranges

Amazon

wget -qO- https://ip-ranges.amazonaws.com/ip-ranges.json | jq '.prefixes[] | if .region=="us-east-1" then .ip_prefix else empty end' -r | sort -u > range-ip-output.txt && cat range-ip-output.txt

Msscan

sudo masscan -iL range-ip-output.txt -oL range-ip-output.masscan -p 443 --rate 10000000 && head -25 range-ip-output.masscan

awk

awk '/open/ {print $4}' range-ip-output.masscan > range-ip-output.tlsopen && head -25 range-ip-output.tlsopen

Attributing Hosts

Extract TLS IP

head -1 range-ip-output.tlsopen && export IP=$(head -1 range-ip-output.tlsopen)

OpenSSL

openssl s_client -connect $IP:443 2>/dev/null | openssl x509 -text | grep Subject:

TLS Scan

TLS Test

echo $IP | tls-scan --port=443 --cacert=ca-bundle.crt -o range-ip-output-tlsinfo.json

Interpreting TLS Scan Results

Extract Subject

cat range-ip-output-tlsinfo.json | jq '[.ip, .certificateChain[].subjectCN] | join(",")' -r > range-ip-output-tlsinfo.csv | head -2 range-ip-output-tlsinfo.csv

Database

Nmap 

nmap -p 3306,5432,1433,1521 -sS -sV --mtu 5000 --script db2-das-info,mysql-info,ms-sql-info,mongodb-info,oracle-tns-version $WEBSITE

Netcat 

nc $WEBSITE 3306

Whatweb

whatweb $WEBSITE

Metasploit

msfconsole -qx "use auxiliary/scanner/mysql/mysql_version;set RHOSTS $WEBSITE;run;exit"
msfconsole -qx "use auxiliary/scanner/postgres/postgres_version;set RHOSTS $WEBSITE;run;exit"

Censys 

services.service_name: {MYSQL, POSTGRES, MSSQL}

Authentication

Nmap

Identifying Authentication Services Using Related Scripts

nmap -sS -sV --mtu 5000 --script http-auth-finder $WEBSITE

Nmap

Checking SSH-Based Authentication

nmap -p 22 -sS -sV --mtu 5000 --script ssh-auth-methods $WEBSITE

Whatweb

whatweb $WEBSITE

Censys 

services: (http.response.headers: (key: "WWW-Authenticate" and value.headers: *)) and services.port: 80 or services: (service_name: SSH and banner: * and port: 22)

Third Party Services and APIs

Nmap 

nmap -p 80,443 -sS -sV --mtu 5000 --script http-enum $WEBSITE

Whatweb 

whatweb $WEBSITE

Curl 

wget -qO- $WEBSITE | grep -E "api|cdn|sdk"

Dirsearch

dirsearch -u $WEBSITE -e api,php,json,xml

Dig

dig $WEBSITE

Amass

amass enum -d $WEBSITE

Censys 

services.http.response.body: {"api", "third-party", "integration", "webhook"}

Network Components

Reverse Proxy

Nmap 

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header,reverse-index $WEBSITE

Whatweb

whatweb $WEBSITE

Curl 

curl -I $WEBSITE

DNSRecon

dnsrecon -d $WEBSITE

wafw00f

wafw00f $WEBSITE

Censys 

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "Apache", "HAProxy"})

Load Balancer

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-server-header $WEBSITE

Whatweb 

whatweb $WEBSITE

Curl 

for i in {1..10}; do curl -I $WEBSITE; done

Censys 

services.http.response.headers: (key: "Server" and value.headers: {"nginx", "HAProxy", "F5", "AWS ELB"})

Content Delivery Network

Nmap

nmap -p 80,443 -sS -sV --mtu 5000 --script http-trace --script-args=http-trace.host=$WEBSITE $WEBSITE

Whatweb

whatweb $WEBSITE

Curl

curl -I $WEBSITE

Dig 

dig $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: {"Cloudflare", "Akamai", "Fastly", "Amazon CloudFront"})

Security Components

Network Firewall

Nmap

Identifying Software-Based Firewalls

nmap -sS -sV --mtu 5000 --script firewall-bypass $WEBSITE

Whatweb 

whatweb $WEBSITE

Censys

services: (port: {80, 443} and http.response.headers: (key: "Server" and value.headers: "*Firewall*"))

Web Application Firewall

Nmap 

nmap -p 80,443 -sS -sV --mtu 5000 --script http-waf-fingerprint $WEBSITE

Metasploit

Identifying Cloud Based WAFs

msfconsole -qx "use auxiliary/gather/cloud_lookup;set HOSTNAME $WEBSITE;run;exit"

Whatweb 

whatweb $WEBSITE

Curl 

curl -I $WEBSITE

Wafw00f

wafw00f $WEBSITE

Censys

services.http.response.headers: (key: "Server" and value.headers: {"ModSecurity", "Cloudflare", "Imperva", "AWS WAF"})
PreviousFingerprint Web Application FrameworkNextOpen Source Intelligence

Last updated

Was this helpful?