Waymore: A Gold Mine for Passive Reconnaissance
Waymore is a powerful tool for passive reconnaissance, collecting URLs from various sources to help identify potential attack surfaces. Below are the commands and techniques to maximize its utility:
```bash
# Basic Waymore command to collect URLs
waymore -i domain[.]com -mode U -oU waymore_urls.txt

# Filtering and sorting the collected URLs
cat waymore_urls.txt | grep "tld:" | grep -v ":80" | grep -v ":443" | sort -u | uro > juicy.txt
```
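The `grep -v ":80" | grep -v ":443" | sort -u | uro` stage above is what turns a raw Waymore dump into a usable endpoint inventory, but note that a plain substring match on `:80` also discards `:8080` and `:8000` entries. The following added example (my own code, not part of Waymore or uro) does the same job in Python with a proper URL parse: it drops only the scheme's default port, lowercases the host, strips fragments, and collapses URLs that differ only in parameter values, keeping the parameter names so each distinct endpoint survives once. The input lines are constructed for the example.

```python
"""Post-process a Waymore-style URL list into a deduplicated endpoint inventory.

Added example (not Waymore's or uro's code). The sample lines below are
constructed to mimic what Waymore writes out; they are not real data.
"""
from typing import List, Optional, Set
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample input: mixed explicit default ports, case, fragments
# and parameter values that should all collapse to a handful of endpoints.
SAMPLE_LINES = """\
http://example.com:80/index.php?id=1
http://example.com/index.php?id=2
https://example.com:443/login
https://example.com/login#top
https://EXAMPLE.com/static/app.js
https://example.com/static/app.js
https://api.example.com:8443/v1/users?page=3
https://api.example.com:8443/v1/users?page=4&sort=asc
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise(url: str) -> Optional[str]:
    """Return a canonical form of url, or None if it is not a parseable http(s) URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # None when absent; ValueError when malformed
    except ValueError:
        return None
    host = parts.hostname.lower()
    # Keep a port only when it is not the scheme's default, so :80/:443
    # variants merge with their bare counterparts but :8443 is preserved.
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    # Keep parameter names, drop their values: ?id=1 and ?id=2 are the
    # same endpoint. Sorting makes the order of parameters irrelevant.
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}=" for k in names)
    path = parts.path or "/"
    # Fragment is client-side only, so it is dropped.
    return urlunsplit((parts.scheme, host, path, query, ""))


def dedupe_urls(text: str) -> List[str]:
    """Normalise every non-empty line and return the sorted set of unique endpoints."""
    seen: Set[str] = set()
    result: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        canon = normalise(line)
        if canon and canon not in seen:
            seen.add(canon)
            result.append(canon)
    return sorted(result)


if __name__ == "__main__":
    # Typical use: python3 this_script.py < waymore_urls.txt > juicy.txt
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    print("\n".join(dedupe_urls(data)))
```

Run against the constructed sample, the eight input lines reduce to five endpoints, with `:8443` retained and `:80`/`:443` removed. Reviewing that short list by hand is far more tractable than a raw dump, which is the point of the filtering stage.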
Sources Waymore Utilizes:
- Wayback Machine (web.archive.org)
- Common Crawl (index.commoncrawl.org)
- Alien Vault OTX (otx.alienvault.com)
- URLScan (urlscan.io)
- Virus Total (virustotal.com)
Next Steps After URL Collection:
- Perform a full TCP+UDP port scan (slow and stealthy mode).
- Search on Shodan, Fofa, and Censys for more endpoints.
- Vhost fuzzing to discover hidden virtual hosts.
- Active crawling using Katana for deeper exploration.
- Use Wappalyzer to identify the tech stack and tailor your wordlists.
- Nuclei CVE scanning (with rate limiting to avoid detection).
- Perform recursive subdomain fuzzing using a large wordlist.
- Fuzz 404 pages, as they can sometimes reveal hidden resources.
- Monitor daily for changes manually to stay updated.
- Perform manual JavaScript analysis, as automated tools may miss critical details.
Handling 403 Forbidden Responses:
- 403 Bypassing Techniques: Try various methods to bypass 403 errors, such as header manipulation or using different HTTP methods.
- Response Manipulation: Analyze and manipulate server responses to uncover hidden endpoints.
What Undercode Say:
Passive reconnaissance is a critical phase in the threat actor’s mindset, allowing for the identification of potential vulnerabilities without alerting the target. Tools like Waymore streamline this process by aggregating data from multiple sources, providing a comprehensive view of the attack surface.
To further enhance your reconnaissance efforts, consider integrating the following commands and techniques:
```bash
# Full TCP port scan with Nmap
nmap -sS -p- -T4 -oA full_tcp_scan domain[.]com

# UDP port scan with Nmap
nmap -sU -p- -T4 -oA full_udp_scan domain[.]com

# Vhost fuzzing with ffuf
ffuf -w /path/to/wordlist.txt -u http://domain[.]com -H "Host: FUZZ.domain[.]com" -mc 200

# Active crawling with Katana
katana -u http://domain[.]com -o katana_output.txt

# Nuclei CVE scanning with rate limiting
nuclei -u http://domain[.]com -rate-limit 100 -t /path/to/cve-templates

# Recursive subdomain fuzzing with ffuf
ffuf -w /path/to/wordlist.txt -u http://FUZZ.domain[.]com -recursion -o subdomains.txt

# Manual JavaScript analysis
# Use browser developer tools or tools like JSBeautifier to analyze JavaScript files.
```
For those looking to deepen their understanding of passive reconnaissance and related techniques, consider exploring the following resources:
- Waymore Documentation: Waymore GitHub
- Nmap Official Guide: Nmap Documentation
- FFUF Usage Guide: FFUF GitHub
- Nuclei Templates: Nuclei Templates
By combining these tools and techniques, you can build a robust reconnaissance framework that will serve as the foundation for successful penetration testing and vulnerability assessment. Always remember to stay within legal boundaries and obtain proper authorization before conducting any form of security testing.
References:
Hackers Feeds, Undercode AI