My Recon

Note: As said earlier, everyone's Recon methodology may differ. Here you can find mine in which some tools or methods may be outdated or the latest one. feel free to add the new one to your methodology. Here I gonna differentiate my recon methodology into two different approaches. 1) Recon in Web Application security assessment 2) Recon in Infrastructure security assessment

⭐ Recon in Web Application security assessment ⭐ Note: There are plenty of tools, techniques available on the internet and I don't want to dump it all in you. So here you can find some of my commonly used tools and tutorials to install and use it. 1) Collect Information from the Internet about Target Tools: Shodan - Search engine used to discover devices connected to the internet. Installation in Kali Linux - pip install shodan Working - Tuts 1 & Tuts 2 Archive - Way back machine used to crawl the past and present histories of our target. Installation in kali Linux - Collections of Archive tools Working - Tuts Amass - Used to perform network mapping and discover the external assets using OSINT. Censys.io - Used to retrieve organization assets from the internet. Working - Tuts Commands: “example.com” internal Pentest Tools & Many. 2) Collect Information like Technologies and services used Tools: Wappalyzer - Cool Addon available for both chrome and firefox browsers used to find technologies, the framework, server, programming language and etc, used in that visited website. Netcraft - Used to find technologies and infrastructure used in that site. Eyewitness - Used to take screenshots of given sites, servers, and services. Working: Tuts 3) Crawling Endpoints Tools: Burpsuite Spider - A Default feature available in the Burpsuite tool. Used to crawl endpoints of the targeted site. Hakrawler - Tool used to discover endpoints and assets in that site. Installation in kali Linux - go get github.com/hakluke/hakrawler Working - Tuts Photon - This awesome tool is used to extract much information from the endpoints and save it in an organized manner. Working - Tuts URLExtrator - Another cool tool used for crawl endpoints and additional information from it. 4) DNS Discovery & Port Scanning Tools: Nmap - A master tool for pentesters used to scan ports and services. Working - Tuts more about enumeration -> Click Here DNSDumpster - Online site used to retrieve Host records and all information related to that target. DNScan - Used to enumerate DNS Subdomain scanner. Working - Tuts Masscan - One of the fastest Internet port scanner. Working - Tuts 5) Collect Sensitive and Interesting information Tools: Trust me sometimes /robots.txt reveals some interesting paths. Dirb, Dirbuster, Dirsearch & DirHunt - These are some awesome Web Content scanners that retrieve some cool sensitive endpoints. Working - Tuts Below are some of my nice Google Dorks which lead to Sensitive Information Disclosure site:example.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()" site:example.com ext:log | ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:sql | ext:dbf | ext:mdb | ext:perf 6) Subdomain Scanner and Takeovers Tools: Domained - It is a collection of 8+ Subdomain scanners tool which will enumerate many subdomains and subdomains of subdomains too. SubJack - Tool used to takeover subdomains by identifying which one can be hijacked. Installation in Kali Linux: go get github.com/haccer/subjack SubOver - Tool that can easily detect and report potential subdomain takeovers that exist. 7) Tools to recon application frameworks: Tools: Wpscan - WordPress scanner and vulnerability database. WpHunter - WordPress vulnerability scanner Joomscan - Joomla Vulnerability Scanner CMSeek - CMS Detection and Exploitation suite JoomlaScan - Joomla CMS Scanner CMSScan - Scans for WordPress, Joomla, Drupal, vBulletin Sites for vulnerabilities. DroopeScan - A Plugin based scanner. Drupwn - Drupal Recon and Exploitation tool. 8) Always check Source Code, JS Files and understand how each mechanisms works.

⭐ Recon in Infrastructure security assessment ⭐ 1) Scan the whole network: Tools: Nmap - Detects ports, services, and it's version in the network - Tuts, Tuts 1 Zenmap, Advanced IP Scanner, Advanced Port Scanner for better GUI. 2) If Powershell allows full language go for PS scripts. Powerview, Powerup, and other Scripts. 3) Look for internal applications and portals Always Check for default credentials and commonly used credentials Sites: Always check the official documentation check Github repos too Routerpassword Cirt Open-Sez Default password Datarecovery 4) Check for local admin privilege escalation 5) Check network VLAN's 6) Understand the network architecture