Hack secret keys, emails, subdomains, DNS of any company website

There are many tools which are used in gathering information. These tools gather information but are not able to gather some secret information of target. There are various way to exploit any target. But there are some vital information which comes really helpful while exploiting target, explain ethical hacking investigators. So today we will show you a tool called photon.

According to ethical hacking researcher of International Institute of Cyber Security says that photon is useful in initial phase of pentesting.

Photon is a tool used in information gathering. This tool crawls on the target very fastly. Photon grabs information secret keys, emails, subdomains, DNS and many other information which can be used to exploit. For showing you we have tested this tool on Kali Linux 2018.4

  • Type git clone https://github.com/s0md3v/Photon.git
  • Type cd Photon
  • Type python photon.py
root@kali:/home/iicybersecurity/Downloads/Photon# python photon.py
_ _ _ / _ \/ / / /_
/ /
/ / _ \/ _ \/ / \/ _ \ / / / / / // / // // / / / / // // //_/__/____// // v1.1.5

usage: photon.py [-h] [-u root] [-c cook] [-r regex] [-e export] [-o output]
[-l level] [-t threads] [-d delay] [-v]
[-s seeds [seeds …]] [--stdout std]
[--user-agent user_agent] [--exclude exclude]
[--timeout timeout] [--headers] [--dns] [--ninja] [--keys]
[--update] [--only-urls] [--wayback]

optional arguments:
-h, --help show this help message and exit
-u root, --url root root url
-c cook, --cookie cook
cookie
-r regex, --regex regex
regex pattern
-e export, --export export
export format
-o output, --output output
output directory
-l level, --level level
levels to crawl
-t threads, --threads threads
number of threads
-d delay, --delay delay
delay between requests
-v, --verbose verbose output
-s seeds [seeds …], --seeds seeds [seeds …]
additional seed urls
--stdout std send variables to stdout
--user-agent user_agent
custom user agent(s)
--exclude exclude exclude urls matching this regex
--timeout timeout http request timeout
--headers add headers
--dns enumerate subdomains and dns data
--ninja ninja mode
--keys find secret keys
--update update photon
--only-urls only extract urls
--wayback fetch urls from archive.org as seeds
  • The above options are used while gathering information about the target.
  • Type python photon.py -u hack.me
  • -u is used to enter url.
root@kali:/home/iicybersecurity/Downloads/Photon# python photon.py -u hack.me
_ _ _ / _ \/ / / /_
/ /
/ / _ \/ _ \/ / \/ _ \ / / / / / // / // // / / / / // // //_/__/____// // v1.1.5

[~] Level 1: 1 URLs
[!] Progress: 1/1
[~] Level 2: 6 URLs
[!] Progress: 6/6
[~] Crawling 20 JavaScript files

[!] Progress: 20/20

[+] Internal: 8
[+] Scripts: 20

[+] External: 12

[!] Total requests made: 27
[!] Total time taken: 0 minutes 34 seconds
[!] Requests per second: 0
[+] Results saved in hack.me directory
  • After finishing, scanned results will save in local directory. The result will save as the name of the target.
  • Type ls
  • Type cd hack.me
  • Type ls
root@kali:/home/iicybersecurity/Downloads/Photon# cd hack.me
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# ls
external.txt internal.txt scripts.txt
  • Above are the data which have been extract by photon. The above information can be used in other hacking activities.
  • For viewing any file type cat scripts.txt
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# cat scripts.txt
https://hack.me/assets/plugins/jquery-migrate-1.2.1.min.js
https://hack.me/assets/plugins/bootstrap-modal/js/bootstrap-modal.js
https://hack.me/assets/plugins/bootstrap-modal/js/bootstrap-modalmanager.js
https://hack.me/js/cfg.js
https://hack.me/assets/plugins/data-tables/DT_bootstrap.js
https://hack.me/js/core.js
https://hack.me/assets/plugins/jquery-1.10.2.min.js
https://hack.me/js/errors.js
https://hack.me/assets/scripts/signup.js
https://hack.me/assets/scripts/html5-search.js
https://hack.me/assets/plugins/back-to-top.js
https://hack.me/assets/plugins/hover-dropdown.js
https://hack.me/assets/plugins/jquery-slimscroll/jquery.slimscroll.min.js
https://hack.me/assets/plugins/select2/select2.min.js
https://hack.me/assets/plugins/bootstrap/js/bootstrap.min.js
https://hack.me/assets/scripts/app.js
https://hack.me/assets/plugins/respond.min.js
https://hack.me/assets/scripts/trends.js
https://hack.me/assets/plugins/data-tables/jquery.dataTables.js
https://hack.me/assets/plugins/messages/messages.js
  • The above information shows that target is using what kind javascript plugins. These plugins information can be used to create exploits which can attack the target.
  • Type cat external.txt
  • Type cat internal.txt
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# cat external.txt
https://hack.dev/101163/mutillidae-23101.html
https://www.elearnsecurity.com
https://www.eLearnSecurity.com
https://twitter.com/eLearnSecurity
https://www.facebook.com/hackmeproject
https://me.hack.me/developer.php
https://me.hack.me/signup
https://twitter.com/hackmeproject
https://www.elearnsecurity.com/course/?sp_source=Hackme&sp_term=SidebarBanner
https://me.hack.me/login
https://hackmeproject.uservoice.com/
https://twitter.com/Giutro
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# cat internal.txt
https://hack.me
https://hack.me/trends/
https://hack.me/
https://hack.me/explore/
https://hack.me/s/
https://hack.me/faq
https://hack.me/about
https://hack.me/hackmeterms.txt
  • The above shows the internal and external links which can be used in other hacking activities.
  • Type python photon.py -u hack.me -t 5 –keys
  • -u is used to enter url.
  • -t is used to enter no. of threads.
  • –keys will find APIs.
root@kali:/home/iicybersecurity/Downloads/Photon# python photon.py -u hack.me -t 5 --keys
_ _ _ / _ \/ / / /_
/ /
/ / _ \/ _ \/ / \/ _ \ / / / / / // / // // / / / / // // //_/__/____// // v1.1.5

[~] Level 1: 1 URLs
[!] Progress: 1/1
[~] Level 2: 6 URLs
[!] Progress: 6/6
[~] Crawling 20 JavaScript files

[!] Progress: 20/20

[+] Internal: 8
[+] Scripts: 20
[+] External: 12

[+] Keys: 7

[!] Total requests made: 27
[!] Total time taken: 0 minutes 21 seconds
[!] Requests per second: 1
[+] Results saved in hack.me directory
  • After finishing, scanned results will save in local directory.
  • The result will save as the name of the target.
  • Type ls
  • Type cd hack.me
  • Type ls
  • Type cat keys.txt
root@kali:/home/iicybersecurity/Downloads/Photon# cd hack.me/
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# ls
external.txt internal.txt keys.txt scripts.txt
root@kali:/home/iicybersecurity/Downloads/Photon/hack.me# cat keys.txt
https://hack.me/about: 8fLx6iJ7CUYx5Vn7Ib8mxg
https://hack.me/: 8fLx6iJ7CUYx5Vn7Ib8mxg
https://hack.me: 8fLx6iJ7CUYx5Vn7Ib8mxg
https://hack.me/s/: hackmesSearchPaginationBody
https://hack.me/faq: 8fLx6iJ7CUYx5Vn7Ib8mxg
https://hack.me/explore/: 8fLx6iJ7CUYx5Vn7Ib8mxg
https://hack.me/s/: 8fLx6iJ7CUYx5Vn7Ib8mxg
  • The above shows the api keys which are used by the target. The above information can be used in other hacking activities.
  • Type python photon.py -u 192.168.1.10 -t 10 –dns
  • -u is used to enter url.
  • -t is used to enter no. of threads.
  • –dns will find subdomains.
root@kali:/home/iicybersecurity/Downloads/Photon# python photon.py -u 192.168.1.10 -t 10 --dns
_ _ _ / _ \/ / / /_
/ /
/ / _ \/ _ \/ / \/ _ \ / / / / / // / // // / / / / // // //_/__/____// // v1.1.5


[~] Level 1: 1 URLs
[!] Progress: 1/1
[~] Level 2: 39 URLs

[!] Progress: 39/39
[~] Crawling 38 JavaScript files
[!] Progress: 38/38
[+] Files: 2
[+] Intel: 10
[+] Internal: 251
[+] Scripts: 38
[+] External: 111
[+] Fuzzable: 139
[!] Total requests made: 78
[!] Total time taken: 0 minutes 26 seconds
[!] Requests per second: 2
[~] Enumerating subdomains
[!] 0 subdomains found
[~] Generating DNS map
[+] Results saved in 192.168.1.10 directory
  • After finishing, scanned results will save in local directory. The result will save as the name of the target.
  • Type ls
  • Type cd 192.168.1.10
  • Type ls
  • Type intel.txt
root@kali:/home/iicybersecurity/Downloads/Photon# cd 192.168.1.10/
root@kali:/home/iicybersecurity/Downloads/Photon/192.168.1.10# ls
external.txt files.txt fuzzable.txt intel.txt internal.txt scripts.txt
root@kali:/home/iicybersecurity/Downloads/Photon/192.168.1.10# cat intel.txt
admin@metacorp.com
bob@ateliergraphique.com
jack@metacorp.com
test@thebodgeitstore.com
cycloneuser-3@cyclonetransfers.com
admin@owaspbwa.org
psiinon@gmail.com
vicnum@ciphertechs.com
contact@wackopicko.com
michael.coates@owasp.org
  • The above query shows the extracted emails which can be used in other hacking activities.
  • Type cat files.txt
root@kali:/home/iicybersecurity/Downloads/Photon/192.168.1.10# cat files.txt
./documentation/mutillidae-installation-on-xampp-win7.pdf
images/lolhax.jpg
  • The above query shows the files that have been extracted from the target. This information can be used in other hacking activities.
  • python photon.py -u hack-yourself-first.com -t 10 –ninja
  • -u is used to enter url.
  • -t is used to enter no. of threads.
  • –ninja is used to make depth scan.
root@kali:/home/iicybersecurity/Downloads/Photon# python photon.py -u hack-yourself-first.com -t 10 --ninja
_ _ _ / _ \/ / / /_
/ /
/ / _ \/ _ \/ / \/ _ \ / / / / / // / // // / / / / // // //_/__/____// // v1.1.5

[+] URLs retrieved from robots.txt: 4
[~] Level 1: 5 URLs
[!] Progress: 5/5
[~] Level 2: 14 URLs
[!] Progress: 14/14
[~] Crawling 5 JavaScript files

[!] Progress: 5/5

[+] Robots: 4
[+] Internal: 30
[+] Scripts: 5
[+] External: 6

[+] Fuzzable: 11

[!] Total requests made: 24
[!] Total time taken: 0 minutes 30 seconds
[!] Requests per second: 0
[~] Enumerating subdomains
[!] 0 subdomains found
[~] Generating DNS map
[+] Results saved in hack-yourself-first.com directory
  • After finishing, scanned results will save in local directory. The result will save as the name of the target.
  • Type ls
  • Type cd 192.168.1.10
  • Type ls
  • Type intel.txt
root@kali:/home/iicybersecurity/Downloads/Photon/hack-yourself-first.com# cat intel.txt
pauldiresta@f1.com
troyhunt@hotmail.com
lewishamilton@f1.com
felipemassa@f1.com
jean-ericvergne@f1.com
valtteribottas@f1.com
charlespic@f1.com
pastormaldonado@f1.com
fdasdf@gmail.com
markwebber@f1.com
coderNirmal@gmail.com
exileytacc@gmail.com
abc@f1.com
sergioperez@f1.com
adriansutil@f1.com
jensonbutton@f1.com
julesbianchi@f1.com
estebangutierrez@f1.com
root@linux.org
kimiraikkonen@f1.com
danielricciardo@f1.com
fernandoalonso@f1.com
nicorosberg@f1.com
a@a.com
romaingrosjean@f1.com
crazypand03@yourmomgey.com
abc@gmail.com
maxchilton@f1.com
giedovandergarde@f1.com
nicohulkenberg@f1.com
sebastianvettel@f1.com
  • The above query shows the extracted mail ids which can be used in other hacking activities.
  • This will also help to do social engineering attacks on target.