JSubFinder is a tool written in Go to search web pages and JavaScript for hidden subdomains and secrets in the given URL. Developed with bug bounty hunters in mind, JSubFinder takes advantage of Go's performance, allowing it to work through large data sets and be easily chained with other tools.
Installation
Install the application and download the signatures needed to find secrets
Using Go:
go get github.com/ThreatUnkown/jsubfinder
wget https://raw.githubusercontent.com/ThreatUnkown/jsubfinder/master/.jsf_signatures.yaml && mv .jsf_signatures.yaml ~/.jsf_signatures.yaml
or
Basic Usage
Search
Search the given URLs for subdomains and secrets
$ jsubfinder search -h
Execute the command specified
Usage:
JSubFinder search [flags]
Flags:
-c, --crawl Enable crawling
-g, --greedy Check all files for URLs, not just JavaScript
-h, --help help for search
-f, --inputFile string File containing domains
-t, --threads int Amount of threads to be used (default 5)
-u, --url strings URL to check
Global Flags:
-d, --debug Enable debug mode. Logs are stored in log.info
-K, --nossl Skip SSL cert verification (default true)
-o, --outputFile string name/location to store the file
-s, --secrets Check results for secrets, e.g. API keys
--sig string Location of signatures for finding secrets
-S, --silent Disable printing to the console
Examples (results are the same in this case):
$ jsubfinder search -u www.google.com
$ jsubfinder search -f file.txt
$ echo www.google.com | jsubfinder search
$ echo www.google.com | httpx --silent | jsubfinder search
apis.google.com
ogs.google.com
store.google.com
mail.google.com
accounts.google.com
www.google.com
policies.google.com
support.google.com
adservice.google.com
play.google.com
With Secrets Enabled
Note: --secrets="" will save the secret results in a secrets.txt file
$ echo www.youtube.com | jsubfinder search --secrets=""
www.youtube.com
youtubei.youtube.com
payments.youtube.com
2Fwww.youtube.com
252Fwww.youtube.com
m.youtube.com
tv.youtube.com
music.youtube.com
creatoracademy.youtube.com
artists.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Google Cloud API Key <redacted> found in content of https://www.youtube.com
Advanced examples
$ echo www.google.com | jsubfinder search -crawl -s "google_secrets.txt" -S -o jsf_google.txt -t 10 -g
-crawl: use the default crawler to crawl pages for other URLs to analyze
-s: enables JSubFinder to search for secrets
-S: silence output to the console
-o <file>: save output to the specified file
-t 10: use 10 threads
-g: search every URL for JS, even ones we do not think have any
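As an added example of the two checks the search command performs on a fetched body (code written for this page, not JSubFinder's own source): extract subdomains of a root domain from JavaScript, percent-decoding the text first so that encoded slashes do not produce entries like the "2Fwww.youtube.com" and "252Fwww.youtube.com" lines in the output above, then run a small signature set over the same body. The sample JavaScript, the key-shaped string, the signature name and pattern, and the names sampleJS, signatures, findSubdomains and findSecrets are constructed assumptions, not the contents of .jsf_signatures.yaml.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample JavaScript: plain, %2F-encoded and %252F double-encoded links plus a fake key-shaped string.
const sampleJS = `var api = "https://apis.example.com/v1"; deep = "https%253A%252F%252Fm.example.com";
next = "https%3A%2F%2Fwww.example.com%2F"; cfg = {key: "AIzaSyA1234567890abcdefghijklmnopqrstuv"};`

// Stand-in for the signature file: an assumed name/pattern pair, not the contents of .jsf_signatures.yaml.
var signatures = map[string]*regexp.Regexp{
	"Google Cloud API Key": regexp.MustCompile(`AIza[0-9A-Za-z_-]{35}`),
}

// findSubdomains returns the sorted, unique subdomains of root referenced in body.
func findSubdomains(body, root string) []string {
	// Decode until stable (%252F -> %2F -> /) so an encoded slash never yields a "2Fwww." artefact.
	for next, err := url.PathUnescape(body); err == nil && next != body; next, err = url.PathUnescape(body) {
		body = next
	}
	re := regexp.MustCompile(`(?i)\b((?:[a-z0-9-]+\.)+` + regexp.QuoteMeta(root) + `)\b`)
	seen, out := map[string]bool{}, []string{}
	for _, m := range re.FindAllStringSubmatch(body, -1) {
		if s := strings.ToLower(m[1]); !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// findSecrets returns "<signature name>: <match>" for every signature hit in body.
func findSecrets(body string) (hits []string) {
	for name, re := range signatures {
		for _, m := range re.FindAllString(body, -1) {
			hits = append(hits, name+": "+m)
		}
	}
	return hits
}

func main() {
	fmt.Println(findSubdomains(sampleJS, "example.com"), findSecrets(sampleJS))
}
```

A body with a malformed percent sequence is scanned undecoded, so such pages can still show encoded artefacts; a real signature set would carry many more patterns than the single one here.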
Proxy
Enables an upstream HTTP proxy with TLS MITM support. This allows you to:
- Browse sites in real time and have JSubFinder search for subdomains and secrets as you go.
- If needed, run jsubfinder on another server to offload the workload
$ JSubFinder proxy -h
Execute the command specified
Usage:
JSubFinder proxy [flags]
Flags:
-h, --help help for proxy
-p, --port int Port for the proxy to listen on (default 8444)
--scope strings URLs in scope, separated by commas, e.g. www.google.com,www.netflix.com
-u, --upstream-proxy string Address of the upstream proxy, e.g. http://127.0.0.1:8888 (default "http://127.0.0.1:8888")
Global Flags:
-d, --debug Enable debug mode. Logs are stored in log.info
-K, --nossl Skip SSL cert verification (default true)
-o, --outputFile string name/location to store the file
-s, --secrets Check results for secrets, e.g. API keys
--sig string Location of signatures for finding secrets
-S, --silent Disable printing to the console
$ jsubfinder proxy
Proxy started on :8444
Subdomain: out.reddit.com
Subdomain: www.reddit.com
Subdomain: 2Fwww.reddit.com
Subdomain: alb.reddit.com
Subdomain: about.reddit.com
With Burp Suite
- Configure Burp Suite to forward traffic to an upstream proxy (User Options > Connections > Upstream Proxy Servers > Add)
- Run JSubFinder in proxy mode
Burp Suite will now forward all traffic proxied through it to JSubFinder. JSubFinder retrieves the response, returns it to Burp and, in another thread, searches it for subdomains and secrets.
With Proxify
- Launch Proxify and dump traffic to a folder
proxify -output logs
- Configure Burp Suite, a browser or another tool to forward traffic to Proxify (see the instructions on its GitHub page)
- Launch JSubFinder in proxy mode and set the upstream proxy to Proxify
jsubfinder proxy -u http://127.0.0.1:8443
- Use Proxify's replay utility to replay the dumped traffic to jsubfinder
replay -output logs -burp-addr http://127.0.0.1:8444
Run on another server
Simple: run JSubFinder in proxy mode on another server, e.g. 192.168.1.2. Follow the proxy steps above but set your application's upstream proxy to 192.168.1.2:8443
Advanced Examples
$ jsubfinder proxy --scope www.reddit.com -p 8081 -S -o jsf_reddit.txt
--scope: limits JSubFinder to only analyze responses from www.reddit.com
-p: port JSubFinder's proxy server is running on
-S: silence output to the console/stdout
-o <file>: write results to this file