
Building Practices

How to perform LinkedInt recon automation?

Trickest provides the community crosslinked tool, which works much like LinkedInt but has more features and is actively maintained.

How to extract root domains?

Trickest provides the community unfurl tool. To extract root domains, set its format input to %r.%t as a custom input value. Note that this is an unfurl format string, not a regex: %r is the registrable part of the domain and %t is its public suffix, so api.dev.example.com becomes example.com and mail.example.co.uk becomes example.co.uk.
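The reduction that unfurl's %r.%t format performs, written out as a small POSIX shell script so you can see what it does to a list of hostnames (for example the output of a subdomain enumerator or of cero). This is an added example, not Trickest's or unfurl's own code. unfurl consults the full Public Suffix List; the MULTI_LABEL_SUFFIXES list below is an assumed stand-in that only covers a few common two-label suffixes, and the SAMPLE hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: collapse hostnames to their root (registrable) domains, the same
# reduction unfurl's "%r.%t" format performs. Not Trickest's or unfurl's code.
set -eu

# Assumed stand-in for the Public Suffix List: two-label suffixes that need one
# more label before they form a registrable domain. The real list is far longer.
MULTI_LABEL_SUFFIXES="co.uk org.uk ac.uk gov.uk com.au net.au org.au co.jp co.nz co.za com.br"

# root_domain HOST: print the registrable domain (lower-cased, trailing dot removed).
# Fails for a bare label such as "localhost" or a bare public suffix such as "co.uk".
root_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf '%s\n' "$host" | awk -v sfx="$MULTI_LABEL_SUFFIXES" '
        BEGIN { n = split(sfx, a, " "); for (i = 1; i <= n; i++) multi[a[i]] = 1 }
        {
            k = split($0, lab, ".")
            if (k < 2) exit 1
            two = lab[k-1] "." lab[k]
            if (two in multi) {
                # a two-label public suffix needs a third label to be a root domain
                if (k < 3) exit 1
                print lab[k-2] "." two
            } else {
                print two
            }
        }'
}

# root_domains: read hostnames on stdin (one per line, blank lines ignored) and
# print the unique root domains, sorted bytewise so the output is deterministic.
# This is the list you would feed back into subdomain enumeration.
root_domains() {
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        root_domain "$h" || true   # unparseable entries are simply skipped
    done | LC_ALL=C sort -u
}

# Constructed sample input, in the shape cero or a subdomain enumerator would emit.
SAMPLE='api.dev.example.com
WWW.Example.com.
mail.example.co.uk
cdn.target.co.uk
localhost
static.example.com'

# Usage: printf '%s\n' "$SAMPLE" | root_domains
```

Feeding real cero output through root_domains gives you the deduplicated root-domain list to send back into subdomain enumeration; for anything beyond a quick look, prefer unfurl itself, since its Public Suffix List handling is complete where this stand-in list is not.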

How to pull the IPs from the machines that are spun up?

Add a custom-script node to your workflow with a command like curl icanhazip.com | tee out/output.txt so the public IP is logged before anything else starts running, then refer back to this node's output whenever you need it. This assumes the workflow runs on a single machine. If it uses more, add one of these nodes per machine and run them in parallel so each machine logs its own IP.
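A slightly more defensive version of that custom-script node, as an added example rather than Trickest's own code. It validates the answer before writing it, so a captive-portal page, an HTML error body or an empty response is never recorded as the machine's IP, falls back to a second lookup service, and timestamps each entry so parallel nodes can be correlated later. The two lookup hosts are real services but assumed here; the out/output.txt path follows the convention in the answer above.

```shell
#!/bin/sh
# Added example (not Trickest's own script): log the runner's public IP to
# out/output.txt, refusing to record anything that is not a well-formed IPv4 address.
set -eu

# is_ipv4 STRING: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# fetch_public_ip: query the lookup services in turn (assumed hosts; both are
# real public services) and print the first valid IPv4 answer. Fails if none
# returns a usable address within the timeout.
fetch_public_ip() {
    for url in https://icanhazip.com https://api.ipify.org; do
        ip=$(curl -fsS --max-time 10 "$url" 2>/dev/null | tr -d '[:space:]') || continue
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# record_ip IP PATH: append "UTC-timestamp IP" to PATH (creating its directory)
# and echo the same line so it also shows up in the node's log.
record_ip() {
    mkdir -p "$(dirname "$2")"
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $1"
    printf '%s\n' "$line" | tee -a "$2"
}

main() {
    if ip=$(fetch_public_ip); then
        record_ip "$ip" out/output.txt
    else
        echo "public IP lookup failed; out/output.txt left untouched" >&2
        return 1
    fi
}

# Entry point: a failed lookup is reported on stderr but does not abort the shell.
main || true
```

Because the node writes to out/output.txt, later nodes in the workflow can consume it as a file input in the usual way; with several machines, each node's file holds its own timestamped line.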

How to perform horizontal (domains, ASNs, IPs) enumeration discovery?

A few ideas you can try here:

For initial ASN and IP range discovery, try bgp.he.net. It's a manual process, but it doesn't take long, and it's worth double-checking that the ASNs you're about to scan actually belong to your target and not to another company with a similar name.

Then try discovering other domains by using:

After you have an extensive list of root domains, try to enumerate subdomains in every possible way: search the Trickest library for "subdomain" and you'll find lots of different tools. A few recommended ones are amass, subfinder, puredns, github-subdomains, gotator, theHarvester, assetfinder, vita, jldc-subdomain, and findomain. Don't forget to configure these tools with any API keys you have so they query more sources, and use good wordlists and resolvers.

Once you have a list of IP ranges and subdomains, pass everything to cero to pull domain names out of the TLS certificates those hosts serve. Any new root domains found here (extract them quickly with unfurl, as described above) go through the same subdomain enumeration process.

Also, if the company has any public code on GitHub, try to enumerate its repositories and those of its employees using a combination of crosslinked and enumerepo (check out the Insiders project and workflow). Then look through these repositories for any domains and subdomains.

After all these sources have been exhausted, resolve everything with dnsx, then pass the resolved IP addresses to hakrevdns (or run dnsx again to fetch PTR records). Keep in mind that PTR records for shared cloud IPs usually name the hosting provider rather than your target, so check root domains that surface only through reverse lookups before adding them to scope. As before, any new root domains start the process from the beginning.

Repeat this methodology for each acquisition of your target company (depending on the scope of the test); acquisitions can be discovered using crunchbase.com.

How to execute intel command with amass?

Trickest provides the community amass-intel tool, in addition to the general amass tool, for this purpose.

To get the most out of amass-intel, use it together with cero (to extract domains from TLS certificates) and dnsx / hakrevdns (to resolve the domains and then reverse-look up the resulting IPs). Combined with amass-intel's own reverse whois functionality, this gives you the widest coverage.

How to change tool to take in a single domain instead of a file including domain(s)?

Trickest provides the string-to-file tool for tools that have no string input for a domain. In the Builder's left sidebar, Library tab, search for string-to-file, add it to the canvas just before your tool, and connect the two through the file input. Pass the single domain value to string-to-file's input.
