My Recon

Note: As said earlier, everyone's recon methodology differs. Here you can find mine; some of the tools or methods may be outdated, others current. Feel free to add new ones to your own methodology. I split my recon methodology into two approaches: 1) Recon in a web application security assessment, 2) Recon in an infrastructure security assessment.

Recon in Web Application security assessment

Note: There are plenty of tools and techniques available on the internet and I don't want to dump them all on you, so here you can find some of my commonly used tools, with notes on how to install and use them.

1) Collect information from the internet about the target
Tools:
- Shodan - Search engine used to discover devices connected to the internet. Installation in Kali Linux - pip install shodan. Working - Tuts 1 & Tuts 2.
- Archive - The Wayback Machine, used to crawl the past and present history of our target. Installation in Kali Linux - collections of archive tools. Working - Tuts.
- Amass - Performs network mapping and discovers external assets using OSINT.
- Censys.io - Retrieves an organisation's assets from the internet. Working - Tuts. Query: “example.com” internal.
- Pentest Tools & many more.

2) Collect information about the technologies and services used
Tools:
- Wappalyzer - Add-on available for both Chrome and Firefox; identifies the technologies, framework, server, programming language, etc. used by the visited website.
- Netcraft - Identifies the technologies and infrastructure used by the site.
- EyeWitness - Takes screenshots of the given sites, servers and services. Working - Tuts.

3) Crawling endpoints
Tools:
- Burp Suite Spider - A default feature of Burp Suite, used to crawl the endpoints of the target site. In current Burp Suite versions the Spider has been replaced by the crawler built into Burp Scanner.
- Hakrawler - Discovers endpoints and assets on the site. Installation in Kali Linux - go get github.com/hakluke/hakrawler (with Go 1.17 and later, use go install github.com/hakluke/hakrawler@latest instead). Working - Tuts.
- Photon - Extracts a lot of information from the crawled endpoints and saves it in an organised manner. Working - Tuts.
- URLextractor - Another tool that crawls endpoints and pulls additional information from them.

4) DNS discovery and port scanning
Tools:
- Nmap - The master tool for pentesters, used to scan ports and services. Working - Tuts. More about enumeration -> Click Here.
- DNSDumpster - Online service that retrieves host records and all information related to the target.
- dnscan - Wordlist-based DNS subdomain scanner. Working - Tuts.
- Masscan - One of the fastest internet-scale port scanners. Working - Tuts.

5) Collect sensitive and interesting information
Tools:
- Trust me, sometimes /robots.txt reveals interesting paths.
- Dirb, DirBuster, Dirsearch & Dirhunt - Web content scanners that turn up sensitive endpoints. Working - Tuts.
- Below are some of my Google dorks that lead to sensitive information disclosure (error messages, then stray config and data files):
  site:example.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
  site:example.com ext:log | ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:sql | ext:dbf | ext:mdb | ext:perf

6) Subdomain scanners and takeovers
Tools:
- Domained - A wrapper around 8+ subdomain scanners that enumerates many subdomains, including subdomains of subdomains.
- SubJack - Identifies which subdomains can be hijacked. Installation in Kali Linux - go get github.com/haccer/subjack (go install github.com/haccer/subjack@latest on Go 1.17 and later).
- SubOver - Detects and reports potential subdomain takeovers.
- A dangling CNAME is only a takeover if the third-party service still lets you claim that name; verify by hand before reporting.

7) Tools to recon application frameworks
Tools:
- WPScan - WordPress scanner and vulnerability database.
- WPHunter - WordPress vulnerability scanner.
- JoomScan - Joomla vulnerability scanner.
- CMSeeK - CMS detection and exploitation suite.
- JoomlaScan - Joomla CMS scanner.
- CMSScan - Scans WordPress, Joomla, Drupal and vBulletin sites for vulnerabilities.
- Droopescan - A plugin-based CMS scanner.
- Drupwn - Drupal recon and exploitation tool.

8) Always check the source code and JS files, and understand how each mechanism works.
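The robots.txt check (item 5) and the JS-file review (item 8) can be scripted so that the interesting paths fall out of the noise. The script below is an added example for this page, not one of the tools listed above: the robots.txt and app.js contents are constructed for the demo, and the keyword list in `interesting` is my own assumption that should be tuned per target. In a real engagement you would feed it the files fetched with curl or the JS files a crawler such as hakrawler found.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: offline triage of two
# recon sources, /robots.txt and JavaScript bundles. All inputs below are
# constructed; nothing is fetched from the network.

# Print the paths a site asks crawlers to stay out of, one per line,
# de-duplicated. Wildcard rules and a bare "/" carry no usable path.
robots_paths() {
    awk '{ line = $0; sub(/\r$/, "", line) }
         tolower(line) ~ /^[ \t]*disallow[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, "", line)   # drop the "Disallow:" prefix
             sub(/[ \t#].*$/, "", line)        # drop trailing comments
             if (line != "" && line != "/" && line !~ /\*/) print line
         }' "$1" | LC_ALL=C sort -u
}

# Pull quoted absolute URLs and root-relative paths out of a JS file.
# Same idea as LinkFinder reduced to one regex: it misses paths built by
# string concatenation, so still read the source by hand.
js_endpoints() {
    grep -oE "[\"'](https?://[^\"' ]+|/[A-Za-z0-9_./?=&-]+)[\"']" "$1" \
        | sed "s/^[\"']//; s/[\"']\$//" | LC_ALL=C sort -u
}

# Heuristic filter for what to look at first. The keyword list is an
# assumption for the demo; extend it per target.
interesting() {
    grep -iE '/(api|admin|internal|debug|backup|upload)|\.(json|sql|bak|zip)$'
}

# Constructed sample files; prints the directory that holds them.
make_samples() {
    local d
    d=$(mktemp -d)
    cat > "$d/robots.txt" <<'EOF'
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql   # leftover from a migration
Disallow: /*.php$
Disallow: /
Allow: /public/
DISALLOW: /internal-api/v1/
Disallow: /admin/
EOF
    cat > "$d/app.js" <<'EOF'
const API = "/api/v2/users";
fetch('/api/v2/users/export?format=json');
const cdn = "https://cdn.example.com/static/app.js";
const debugUrl = '/debug/heapdump';
var img = "/images/logo.png";
EOF
    echo "$d"
}

# Usage: run the triage over the constructed samples.
dir=$(make_samples)
echo "== robots.txt disallowed paths"; robots_paths "$dir/robots.txt"
echo "== interesting robots.txt paths"; robots_paths "$dir/robots.txt" | interesting
echo "== JS endpoints"; js_endpoints "$dir/app.js"
echo "== interesting JS endpoints"; js_endpoints "$dir/app.js" | interesting
rm -rf "$dir"
```

Replace the sample files with `curl -s https://target/robots.txt` output and the JS files the crawler collected; `LC_ALL=C` keeps the sort order stable across locales so the lists diff cleanly between runs.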

Recon in Infrastructure security assessment

1) Scan the whole network
Tools:
- Nmap - Detects ports, services and their versions across the network. Working - Tuts, Tuts 1.
- Zenmap, Advanced IP Scanner and Advanced Port Scanner for a better GUI.

2) If PowerShell allows Full Language mode, go for PS scripts: PowerView, PowerUp and other scripts. Check with $ExecutionContext.SessionState.LanguageMode first; under Constrained Language mode most of these scripts will not run.

3) Look for internal applications and portals. Always check for default credentials and commonly used credentials.
Sites: always check the official documentation, and check GitHub repos too. Default-password lists: RouterPasswords, CIRT, Open-Sez, Default Password, DataRecovery.

4) Check for local admin privilege escalation.

5) Check the network VLANs.

6) Understand the network architecture.
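For step 1, the practical pattern is to let Masscan sweep the whole range quickly and then point Nmap's service detection only at the ports Masscan found open, rather than re-scanning everything with Nmap. The script below is an added example for this page, not part of the original methodology: the scan output is a constructed sample in Masscan's list (-oL) format and no host was scanned; the Nmap commands are printed, not executed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: masscan -> nmap hand-off.
# Input is a file in masscan list format (masscan -p1-65535 10.0.0.0/24 --rate 1000 -oL scan.txt),
# i.e. lines of the form: open tcp <port> <ip> <timestamp>

# Collapse the list into "ip port,port,..." per host, ports ascending.
# Retransmits can repeat a line, so (ip,port) pairs are de-duplicated.
hosts_and_ports() {
    awk '$1 == "open" && $2 == "tcp" && !seen[$4,$3]++ { ports[$4] = ports[$4] " " $3 }
         END {
             for (ip in ports) {
                 n = split(ports[ip], p, " ")
                 # insertion sort: asort() is gawk-only, this stays portable
                 for (i = 2; i <= n; i++) {
                     v = p[i]; j = i - 1
                     while (j > 0 && p[j] + 0 > v + 0) { p[j+1] = p[j]; j-- }
                     p[j+1] = v
                 }
                 s = p[1]; for (i = 2; i <= n; i++) s = s "," p[i]
                 print ip, s
             }
         }' "$1" | LC_ALL=C sort
}

# One nmap service-detection command per host, restricted to its open ports.
# Printed rather than run so the list can be reviewed before it goes off.
nmap_commands() {
    hosts_and_ports "$1" | while read -r ip ports; do
        echo "nmap -sV -sC -Pn -p $ports -oA nmap_$ip $ip"
    done
}

# How many hosts expose each port: the most common ports are where a
# default-credential sweep (step 3) pays off first.
port_frequency() {
    awk '$1 == "open" && $2 == "tcp" && !seen[$4,$3]++ { c[$3]++ }
         END { for (p in c) print c[p], p }' "$1" | sort -k1,1nr -k2,2n
}

# Constructed sample scan in masscan -oL format; prints the file name.
make_sample_scan() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000000
open tcp 445 10.0.0.9 1700000001
open tcp 22 10.0.0.9 1700000001
open tcp 22 10.0.0.9 1700000002
open tcp 8080 10.0.0.12 1700000003
open tcp 22 10.0.0.12 1700000003
open tcp 443 10.0.0.5 1700000004
# end
EOF
    echo "$f"
}

# Usage: summarise the sample scan and print the follow-up nmap commands.
scan=$(make_sample_scan)
echo "== open ports per host"; hosts_and_ports "$scan"
echo "== port frequency"; port_frequency "$scan"
echo "== nmap follow-up"; nmap_commands "$scan"
rm -f "$scan"
```

On a real range, replace `make_sample_scan` with the `-oL` file Masscan wrote, review the printed commands, then pipe them to `sh` or run them one host at a time; keep the Masscan rate sane on internal networks, since a fast SYN sweep can trip IDS sensors and overwhelm embedded devices.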
