My Recon

Note: As said earlier, everyone's recon methodology may differ. Here you can find mine; some of the tools or methods may be outdated, others current. Feel free to add new ones to your own methodology. I split my recon methodology into two approaches: 1) Recon in a web application security assessment 2) Recon in an infrastructure security assessment

Recon in Web Application security assessment

Note: There are plenty of tools and techniques available on the internet and I don't want to dump them all on you. Here you can find some of my commonly used tools, with tutorials on installing and using them.

1) Collect information from the internet about the target
Tools:
- Shodan - Search engine used to discover devices connected to the internet. Installation in Kali Linux: pip install shodan. Working - Tuts 1 & Tuts 2
- Archive (Wayback Machine) - Used to browse past and present snapshots of the target. Installation in Kali Linux: collections of archive tools. Working - Tuts
- Amass - Used to perform network mapping and discover external assets using OSINT.
- Censys.io - Used to retrieve an organisation's assets from the internet. Working - Tuts. Search example: "example.com" internal
- Pentest-Tools & many more.

2) Collect information about the technologies and services used
Tools:
- Wappalyzer - Browser add-on for both Chrome and Firefox that identifies the technologies, framework, server, programming language, etc. used by the visited website.
- Netcraft - Used to find the technologies and infrastructure behind a site.
- EyeWitness - Takes screenshots of given sites, servers and services. Working - Tuts

3) Crawl endpoints
Tools:
- Burp Suite Spider - A default feature of Burp Suite, used to crawl the endpoints of the targeted site (in Burp Suite 2.x the Spider has been folded into the scanner's crawl).
- Hakrawler - Discovers endpoints and assets on a site. Installation in Kali Linux: go get github.com/hakluke/hakrawler (on Go 1.17 and later use go install github.com/hakluke/hakrawler@latest). Working - Tuts
- Photon - Extracts a lot of information from the crawled endpoints and saves it in an organised manner. Working - Tuts
- URLExtractor - Another tool used to crawl endpoints and extract additional information from them.

4) DNS discovery & port scanning
Tools:
- Nmap - The master tool for pentesters, used to scan ports and services. Working - Tuts; more about enumeration: Click Here
- DNSDumpster - Online site used to retrieve host records and all DNS information related to the target.
- DNScan - Wordlist-based DNS subdomain scanner. Working - Tuts
- Masscan - One of the fastest internet-scale port scanners. Working - Tuts

5) Collect sensitive and interesting information
Tools:
- Trust me, sometimes /robots.txt reveals interesting paths.
- Dirb, DirBuster, Dirsearch & DirHunt - Web content scanners that brute-force paths and turn up sensitive endpoints. Working - Tuts
Below are some of my Google dorks which lead to sensitive information disclosure:
site:example.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
site:example.com ext:log | ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:sql | ext:dbf | ext:mdb | ext:perf

6) Subdomain scanning and takeovers
Tools:
- Domained - A wrapper around 8+ subdomain scanners that enumerates many subdomains, including subdomains of subdomains.
- SubJack - Identifies subdomains that can be hijacked, i.e. CNAMEs pointing at third-party services where the upstream resource no longer exists. Installation in Kali Linux: go get github.com/haccer/subjack
- SubOver - Detects and reports potential subdomain takeovers.
A match from either tool is only a candidate: confirm the service really lets you claim the dangling name before reporting it.

7) Tools to recon application frameworks
Tools:
- WPScan - WordPress scanner and vulnerability database.
- WPHunter - WordPress vulnerability scanner.
- JoomScan - Joomla vulnerability scanner.
- CMSeeK - CMS detection and exploitation suite.
- JoomlaScan - Joomla CMS scanner.
- CMSScan - Scans WordPress, Joomla, Drupal and vBulletin sites for vulnerabilities.
- Droopescan - A plugin-based CMS scanner (Drupal, SilverStripe, WordPress and others).
- Drupwn - Drupal recon and exploitation tool.

8) Always check the source code and JS files and understand how each mechanism works.
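To show what the takeover step (6) actually decides on once the subdomains are enumerated, here is an added example in Python; it is not code from this page's author, nor from SubJack or SubOver. It assumes you have already collected, per subdomain, the CNAME target, whether that target resolves, and a snippet of the HTTP response body; the fingerprint table and the sample records are constructed for the example.

```python
"""Offline triage of enumerated subdomains for takeover candidates.

Added example, not code from the page's author nor from SubJack/SubOver.
Assumes a prior DNS + HTTP pass produced, per subdomain: CNAME target,
whether that target is NXDOMAIN, and a snippet of the response body.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative subset of takeover-prone services:
#   CNAME suffix -> (service, body marker served when the upstream resource
#   is unclaimed, or None when NXDOMAIN is the usual signal).
# Assumption for this example; a real run uses a maintained list.
FINGERPRINTS = {
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "herokuapp.com": ("Heroku", "No such app"),
    "azurewebsites.net": ("Azure App Service", None),
}

# (subdomain, cname_target, nxdomain, body_snippet) -- constructed sample data.
Record = Tuple[str, str, bool, str]
SAMPLE_RECORDS: List[Record] = [
    ("assets.example.com", "example-assets.s3.amazonaws.com.", False, "<Code>NoSuchBucket</Code>"),
    ("docs.example.com", "example.github.io.", False, "There isn't a GitHub Pages site here."),
    ("old.example.com", "old-app.herokuapp.com.", True, ""),
    ("www.example.com", "www.example.com.cdn.cloudflare.net.", False, "<html>ok</html>"),
    ("api.example.com", "", False, "<html>ok</html>"),
    ("blog.example.com", "example-blog.azurewebsites.net.", False, "<html>Welcome</html>"),
]


@dataclass
class Candidate:
    subdomain: str
    cname: str
    service: str
    status: str  # "fingerprint" (strongest) > "dangling" > "review"


def match_service(cname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return the fingerprint entry whose suffix matches the CNAME target."""
    host = cname.rstrip(".").lower()
    for suffix, info in FINGERPRINTS.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return None


def triage(records) -> List[Candidate]:
    """Rank subdomains by how strongly they look takeover-able."""
    found: List[Candidate] = []
    for sub, cname, nxdomain, body in records:
        if not cname:
            continue  # A/AAAA record only: not a CNAME takeover case
        info = match_service(cname)
        if info is None:
            continue  # target is not a known takeover-prone service
        service, marker = info
        if marker and marker in body:
            status = "fingerprint"  # provider's "unclaimed" page served
        elif nxdomain:
            status = "dangling"     # target gone; claimable if provider allows
        else:
            status = "review"       # third-party target, verify by hand
        found.append(Candidate(sub, cname, service, status))
    return found


if __name__ == "__main__":
    for c in triage(SAMPLE_RECORDS):
        print(f"{c.status:<11} {c.subdomain:<20} -> {c.cname} ({c.service})")
```

Even a "fingerprint" hit is a candidate, not a finding: some providers now verify domain ownership before letting you bind a name, so confirm the claim is possible (within scope and with authorisation) before reporting a takeover.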

Recon in Infrastructure security assessment

1) Scan the whole network
Tools:
- Nmap - Detects ports, services and their versions across the network. Working - Tuts, Tuts 1
- Zenmap, Advanced IP Scanner, Advanced Port Scanner - for a better GUI.

2) If PowerShell allows Full Language mode, go for PowerShell scripts: PowerView, PowerUp and other scripts. Check the mode first with $ExecutionContext.SessionState.LanguageMode; under ConstrainedLanguage most of these scripts will not run.

3) Look for internal applications and portals. Always check for default credentials and commonly used credentials.
Sites: always check the official documentation, and check GitHub repos too; RouterPasswords, CIRT, Open-Sez, Default Password, DataRecovery.

4) Check for local admin privilege escalation.

5) Check the network VLANs.

6) Understand the network architecture.
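Steps 1 and 3 above chain together naturally: scan, then pick out the services that deserve a default-credential check. The following is an added example in Python that parses Nmap's -oX output and flags those services; it is not code from this page's author or from the Nmap project. The sample XML, the web-port list and the default-credential service list are constructed assumptions for the example.

```python
"""Pull open services out of `nmap -sV -oX` output and flag the ones worth a
default-credential check. Added example; not code from the page's author or
from Nmap. SAMPLE_XML below is constructed (XML declaration omitted).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/28">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="9.0.31"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames><hostname name="db01.corp.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
<port protocol="tcp" portid="5900"><state state="filtered"/><service name="vnc"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.10" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumptions for the example: ports that usually front a web/admin portal,
# and services that commonly ship with vendor default credentials.
WEB_PORTS = {80, 443, 8000, 8080, 8443, 8888}
DEFAULT_CRED_SERVICES = {"ftp", "telnet", "vnc", "mysql", "ms-sql-s", "snmp", "redis"}


@dataclass
class Service:
    host: str
    hostname: str
    port: int
    proto: str
    name: str
    product: str
    version: str


@dataclass
class Finding:
    host: str
    port: int
    reason: str


def parse_nmap_xml(xml_text: str) -> List[Service]:
    """Return one Service per open port on each host that is up."""
    root = ET.fromstring(xml_text)
    services: List[Service] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        hn_el = host.find("hostnames/hostname")
        hostname = hn_el.get("name", "") if hn_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            get = (lambda k: svc.get(k, "") or "") if svc is not None else (lambda k: "")
            services.append(Service(addr, hostname, int(port.get("portid")),
                                    port.get("protocol", ""), get("name"),
                                    get("product"), get("version")))
    return services


def triage_services(services: List[Service]) -> List[Finding]:
    """Flag web portals and default-credential-prone services for manual checks."""
    findings: List[Finding] = []
    for s in services:
        if s.name in ("http", "https", "http-proxy") or s.port in WEB_PORTS:
            findings.append(Finding(s.host, s.port,
                                    f"web portal ({s.product or s.name}): try default/common creds"))
        elif s.name in DEFAULT_CRED_SERVICES:
            findings.append(Finding(s.host, s.port,
                                    f"{s.name} service: check vendor default creds"))
    return findings


if __name__ == "__main__":
    for f in triage_services(parse_nmap_xml(SAMPLE_XML)):
        print(f"{f.host}:{f.port:<6} {f.reason}")
```

Feed it a real scan with `parse_nmap_xml(open("scan.xml").read())`; the product/version strings it carries through are what you take to the vendor documentation and the default-password sites listed in step 3.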
