Analyze your gau results with the Gau-Expose tool

Tamim Hasan
Published in InfoSec Write-ups
3 min read · Mar 29, 2022


Assalamu Alaikum
peace be upon you

Hello hackers. I hope you are well. I am Tamim Hasan, a security researcher and bug bounty hunter from Bangladesh 🇧🇩.

Today we learn how to analyze our gau URL results with the Gau-Expose tool. The idea for this tool came from Sm9l, so thank you, mate.

So what is gau?

It fetches known URLs for a domain from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl, so you get historical endpoints without crawling the live site yourself.

Let’s come to the point.

So what does the Gau-Expose tool do?

Answer: it makes your work a bit easier while analyzing gau results, and it also gathers other information such as:

[] Gather subdomains

It extracts the hostnames from the gau URLs. Because these come from historical crawls and archives rather than DNS, you may find domains here that normal subdomain enumeration tools do not find.

[] Gather panel stuff

Like login, register, etc. This is helpful because you may find an old panel whose authentication is easy to bypass, a panel that still accepts default credentials, or an admin/staff panel that still has registration enabled.

[] Gather third-party assets

Like: Grafana, Jira, Jenkins, etc.

If you find any, open that URL (if it still exists), identify the version it runs, and then look for a known exploit for that version. Confirm the asset is in scope before testing it.

[] Gather robots.txt

I added this to the tool because robots.txt sometimes lists paths that reveal sensitive information. Such paths may not be in your wordlist, but they are right there in the domain’s robots.txt file, so check them manually.

[] Gather emails/usernames

It gathers emails and usernames if they exist in the gau results. This can help you log in to a special login panel: if you find the email or username of a specific author or admin, you can try brute-forcing that account (keep an eye on lockout policies and rate limits so you do not lock out a real user).

[] Gather sensitive file

It gathers URLs that point to potentially sensitive files such as .bak, .zip, .xls, etc. You still have to check these manually, because a simple extension match often catches unnecessary things.

[] Gather error

As we know, error pages sometimes expose useful information (stack traces, internal paths, framework versions) that can help in further attacks or be chained with other vulnerabilities. The chances are low, but there is no harm in taking a look.

[] Gather paths for directory brute-force

This is very useful because the paths you collect from the gau results are specific to the target. Combining this target-specific wordlist with a common wordlist works well for target-based directory brute-forcing.

Note: for faster results, you can use the gauplus tool instead of gau.

++ Before starting, you have to:

  1. Install the gauplus and uro tools
  • Gauplus:
go install github.com/bp0lr/gauplus@latest
  • If that does not work, install gauplus manually:
git clone https://github.com/bp0lr/gauplus.git
cd gauplus
go build
mv gauplus /usr/local/bin/
  • Uro:
pip3 install uro

++ Run gauplus on your live target domains

cat live-domains.txt | gauplus -t 30 > gau-urls.txt

++ Now just run the Gau-Expose tool

bash gau-expose.sh

Then enter the path to your gau-urls.txt when prompted. That’s it.
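To make the categories listed above concrete, here is an added example of the kind of filtering an analyzer like this applies to a gau/gauplus URL list. This is my own minimal script, not the Gau-Expose script and not code from the author: the script name gau_expose_lite.sh, the keyword lists in each filter, and the sample URLs are all assumptions chosen for illustration. It reads a file such as the gau-urls.txt produced by the gauplus step above, or runs on its built-in (constructed) sample when given no argument.

```shell
#!/usr/bin/env bash
# Added example, not the Gau-Expose script: a minimal analyzer for a gau/gauplus URL list.
# Each filter reads URLs on stdin and prints sorted, de-duplicated hits. The keyword
# lists are assumptions chosen for illustration; extend them for your target.
set -eu
export LC_ALL=C   # deterministic sort order regardless of the user's locale

# Constructed sample of gau output (not real target data), including a duplicate line.
SAMPLE_URLS='https://www.example.com/
https://dev.example.com/login
https://dev.example.com/login
https://admin.example.com/admin/register
http://old.example.com/jenkins/login
https://example.com/robots.txt
https://example.com/backup/site.bak
https://example.com/export/report.xls?dl=1
https://example.com/api/v1/users?id=1
https://cdn.example.com/assets/app.js
https://example.com/contact?email=admin@example.com
https://example.com/error?msg=Fatal%20error
https://grafana.example.com/dashboard/db/main'

# Hostnames only: strip the scheme, then everything after the host (port, path, query).
hosts()      { sed -E 's|^[a-z]+://([^/?:]+).*|\1|' | sort -u; }
# Login/register/admin panels: the keyword must be a whole path segment, so a hostname
# like admin.example.com or an e-mail address in a query string does not count.
panels()     { grep -Ei '://[^?]*/(login|signin|register|signup|admin|dashboard)([/?]|$)' | sort -u; }
# Third-party software worth fingerprinting for its version.
thirdparty() { grep -Ei '(grafana|jira|jenkins|gitlab|kibana|phpmyadmin)' | sort -u; }
# robots.txt URLs, with or without a query string.
robots()     { grep -Ei '/robots\.txt($|\?)' | sort -u; }
# E-mail addresses anywhere in the URL (often in query strings); -o prints only the match.
emails()     { grep -Eoi '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' | sort -u; }
# Backup/export file extensions, anchored so that .bak.txt or .zipper do not match.
sensitive()  { grep -Ei '\.(bak|old|zip|tar\.gz|sql|log|xls|xlsx)($|\?)' | sort -u; }
# URLs that look like error pages or carry error text in their parameters.
errors()     { grep -Ei '(error|exception|stack ?trace|warning|traceback)' | sort -u; }
# Target-specific wordlist: path segments with host and query removed, one per line.
paths()      { sed -E 's|^[a-z]+://[^/]+||; s|[?#].*||' | tr '/' '\n' | grep -Ev '^$' | sort -u; }

# Run every filter over the same input and print a labelled section for each.
report() {
  urls="$(cat)"   # read stdin once so each filter can re-read the same list
  for section in hosts panels thirdparty robots emails sensitive errors paths; do
    printf '\n== %s ==\n' "$section"
    printf '%s\n' "$urls" | "$section"
  done
}

# Usage: bash gau_expose_lite.sh gau-urls.txt   (no argument: run on the built-in sample)
if [ -n "${1:-}" ]; then
  report < "$1"
else
  printf '%s\n' "$SAMPLE_URLS" | report
fi
```

The panels filter deliberately anchors its keywords to a path segment; a plain grep for "admin" would also flag the admin.example.com hostname and the e-mail in the contact URL, which is exactly the "greps unnecessary things" noise the author warns about. The paths section is the target-specific wordlist: concatenate it with a common wordlist and de-duplicate (for example with sort -u) before feeding it to your directory brute-forcer.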

That’s all for today, guys. If I made any mistakes, please pardon me, and if you have any suggestions or questions, let me know. Have a nice day :)

You can follow me on Youtube | Github | Twitter | Linkedin | Facebook
