Welcome to the 2nd Episode of Cool Recon Techniques. We are back with some more cool recon techniques which we think hackers out there usually miss out on! If you haven’t read the first Episode here’s the link!
So here we go!!
Technique 9: Effective Google Dorking
Most of us use Google dorking to find sensitive material a search engine has indexed. Here is a way to cut down the manual work: the Google Hacking tool from Pentest-Tools.com generates the dorks for you.
Provide the target domain, pick the category of material you are after (exposed documents, configuration or backup files, login pages and so on), and it builds the queries.
You can then tweak the generated dorks into something more specific. For example, site:target.com ext:txt (no space after the colon) turned up internal emails of the organization for us.
That tool only covers 18 dorks, so for broader coverage use pagodo (Passive Google Dork), which pulls in the Google Hacking Database and also accepts a list of your own custom dorks:
Tip: try the same dorks on other search engines such as Bing. Their indexes differ, and some queries, for example site:firebaseio.com, return more useful output on Bing than on Google.
Technique 10: Virtual Host Scanning
A virtual host is one server, one IP address, serving more than one website. The server decides which site answers from the hostname the client sends (the HTTP Host header and, for TLS, the SNI field), not from the IP. Think of a bank whose single IP address 200.12.45.34 hosts both subdomain1.bank.com and subdomain2.bank.com: the name you ask for selects the site you get.
Names that are routed this way but never show up in DNS or certificate transparency (staging, internal and admin sites) are easy to miss, so enumerating them widens the attack surface and surfaces hidden endpoints. vhosts-sieve automates it: it takes your subdomain list, resolves it, and tries the names that do not resolve as Host headers against the IP addresses of the ones that do.
The steps are as follows:
Step 1: Gather subdomains with your usual tools (for example subfinder) into subdomain.txt.
Step 2: Run vhosts-sieve over that list:
python3 vhosts-sieve.py -d subdomain.txt -o vhosts.txt
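To make clear what the tool is doing under the hood, here is the core check written out as an added example (not code from the original post or from vhosts-sieve): request the same IP with a random, non-existent Host to learn the catch-all response, then send each candidate name and report the ones the server answers differently. The server here is a constructed in-process table (the hostnames, IP and response sizes are made up) so the logic runs offline; the `send` parameter is where a real HTTP client would be plugged in.

```python
"""Virtual host discovery by comparing responses across Host headers.

Added example, not code from the original post or from vhosts-sieve. The
"server" is a constructed in-process table so the logic runs offline; the
`send` parameter is where a real HTTP client would go.
"""
import random
import string
from typing import Callable, Dict, List, Tuple

# A response is reduced to (status code, body length): the two cheapest
# signals for telling one virtual host from another.
Response = Tuple[int, int]

# Constructed fake server on one IP. Anything not listed falls through to the
# catch-all (default) site, which here happens to be the www site.
FAKE_VHOSTS: Dict[str, Response] = {
    "www.bank.com": (200, 5120),
    "intranet.bank.com": (401, 310),
    "staging.bank.com": (200, 2210),
}
DEFAULT_RESPONSE: Response = (200, 5120)


def fake_send(ip: str, host: str) -> Response:
    """Stand-in for `GET / HTTP/1.1` sent to `ip` with `Host: <host>`."""
    return FAKE_VHOSTS.get(host.lower(), DEFAULT_RESPONSE)


def random_host(domain: str) -> str:
    """A name that is certainly not configured, used to learn the baseline."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return f"{label}.{domain}"


def find_vhosts(ip: str, domain: str, candidates: List[str],
                send: Callable[[str, str], Response] = fake_send,
                tolerance: int = 50) -> List[str]:
    """Return the candidates the server routes somewhere other than the
    catch-all site.

    The baseline is the response to a random, non-existent Host. A candidate
    counts as a hit when its status differs from the baseline or its body
    length differs by more than `tolerance` bytes (real pages jitter a little
    because of nonces, timestamps and similar).
    """
    base_status, base_len = send(ip, random_host(domain))
    hits: List[str] = []
    for host in candidates:
        status, length = send(ip, host)
        if status != base_status or abs(length - base_len) > tolerance:
            hits.append(host)
    return hits


if __name__ == "__main__":
    wordlist = ["www.bank.com", "intranet.bank.com", "staging.bank.com",
                "vpn.bank.com"]
    for h in find_vhosts("200.12.45.34", "bank.com", wordlist):
        print("vhost:", h)
```

Note that www.bank.com is not reported: it is the catch-all, so it looks identical to the baseline, which is fine because you already know about it. Against a real HTTPS target the TLS SNI has to carry the candidate name as well as the Host header (for a one-off check, `curl --resolve host:443:IP https://host/` does both).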
Technique 11: Effective JavaScript Analysis
Much of a modern web application's client-side logic lives in JavaScript, and those files routinely reference API endpoints, parameters, internal hostnames and sometimes credentials that are never linked from the UI. Careful JavaScript analysis surfaces that hidden content. Plenty of tools do this, and you can also write your own regex patterns and grep them out of the JS files yourself.
First collect the JavaScript files. subjs reads URLs from stdin, fetches each page and prints the script sources it references, so you can feed it archived URLs from gau or waybackurls (both read domains, one per line, from stdin):
cat urls.txt | gau | subjs
cat urls.txt | waybackurls | subjs
Once you have the list, run LinkFinder over it to pull out endpoints and parameters.
JS Miner, a Burp Suite extension, does the same kind of analysis passively while you browse, flagging endpoints, secrets and other interesting strings in the JavaScript that passes through the proxy.
TruffleHog's Chrome extension is another option: it scans each page you visit and the JavaScript it loads for API keys, credentials and other secrets, and alerts you when it finds something.
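As an added example of the "write your own regex" approach mentioned above (this is not code from the post, LinkFinder or JS Miner), the script below pulls endpoints and a few well-known secret formats out of a JavaScript file. The sample bundle, the hostnames in it and the credentials are constructed for the demo; the AWS key is Amazon's documented example key and the GitHub token is a made-up string of the right shape.

```python
"""Extract endpoints and secret-looking strings from JavaScript with regexes.

Added example, not the post's code nor LinkFinder's. SAMPLE_JS is a
constructed bundle; real input would be the files collected with subjs.
"""
import re
from typing import Dict, List

# Constructed sample: an API base, a few relative paths and two hardcoded
# credentials, squeezed together the way a minifier would leave them.
SAMPLE_JS = r"""
const API="https://api.target.com/v2";
fetch(API+"/users/me",{headers:{"X-Api-Key":"AKIAIOSFODNN7EXAMPLE"}});
axios.post("/internal/admin/export?format=csv");
var cfg={firebase:"https://demo-app-1234.firebaseio.com",ghToken:"ghp_abcdefghijklmnopqrstuvwxyz0123456789"};
$.get('/api/v1/debug/flags');
"""

# LinkFinder-style endpoint grabber: a quoted absolute URL, or a quoted
# relative path that starts with '/' (two or more path characters).
ENDPOINT_RE = re.compile(
    r'''["'`]((?:https?://[^\s"'`]+)|(?:/[A-Za-z0-9_./?=&%-]{2,}))["'`]'''
)

# A few secret formats worth grepping for; extend to taste.
SECRET_RES: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "firebase_db": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}


def extract_endpoints(js: str) -> List[str]:
    """Unique endpoints in order of first appearance."""
    seen, out = set(), []
    for m in ENDPOINT_RE.finditer(js):
        url = m.group(1)
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def extract_secrets(js: str) -> Dict[str, List[str]]:
    """Secret type -> sorted unique matches, only for types that hit."""
    return {name: sorted(set(rx.findall(js)))
            for name, rx in SECRET_RES.items() if rx.search(js)}


if __name__ == "__main__":
    for url in extract_endpoints(SAMPLE_JS):
        print("endpoint:", url)
    for kind, values in extract_secrets(SAMPLE_JS).items():
        print(f"{kind}: {values}")
```

Relative paths like /internal/admin/export are the interesting part: they rarely appear in crawler output and need to be joined to the right API base, which the absolute matches often reveal. Treat every secret hit as a lead to verify, not a confirmed finding.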
Technique 12: Effective Cloud Checkers
Almost every company uses some cloud service, either internally (intranet) or for public-facing systems, and the goal here is to find the storage and application endpoints that belong to them. cloud_enum does exactly that: it takes keywords, mutates them into likely resource names (S3 buckets, Azure blob containers and app services, GCP buckets and so on) and checks, unauthenticated, whether each name exists and whether it is publicly readable.
The command is:
python3 cloud_enum.py -k uber.com
You can supply several keywords by repeating the -k flag (for example -k uber -k uber.com), which increases the chances of hitting more resources.
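The two halves of that process, generating candidate names from a keyword and reading the answer an unauthenticated probe gives back, are shown below as an added example (this is not cloud_enum's code or the post's). The mutation list is a short constructed one, cloud_enum's real fuzz.txt is far longer, and the S3 probe is replaced by a constructed result table with made-up bucket names so it runs offline; only the S3 status-code semantics are real.

```python
"""Keyword mutation and unauthenticated bucket probing, cloud_enum style.

Added example, not the original post's code and not cloud_enum itself.
MUTATIONS is a short constructed list and FAKE_S3 a constructed probe
table so the example runs offline.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple

MUTATIONS = ["backup", "dev", "prod", "logs", "uploads"]   # constructed
SEPARATORS = ["", "-", "."]   # S3 names allow '-' and '.', not '_'


def bucket_candidates(keywords: Iterable[str],
                      mutations: Iterable[str] = MUTATIONS) -> List[str]:
    """Turn 'uber.com' into uber, ubercom, uber-backup, backup.uber, ...

    Each keyword yields a few bases (as given, dots removed, first label
    only); every base is then combined with every mutation on both sides.
    """
    names: List[str] = []

    def add(name: str) -> None:
        if 3 <= len(name) <= 63 and name not in names:   # S3 length rule
            names.append(name)

    for kw in keywords:
        kw = kw.lower()
        for base in sorted({kw, kw.replace(".", ""), kw.split(".")[0]}):
            add(base)
            for mut, sep in product(mutations, SEPARATORS):
                add(f"{base}{sep}{mut}")
                add(f"{mut}{sep}{base}")
    return names


def classify_s3(status: int, body: str = "") -> str:
    """Interpret an unauthenticated GET on http://<name>.s3.amazonaws.com/."""
    if status == 404 and "NoSuchBucket" in body:
        return "absent"
    if status == 403:
        return "exists-private"        # AccessDenied: exists, listing denied
    if status == 200:
        return "exists-public"         # ListBucketResult: world-listable
    if status == 301:
        return "exists-other-region"   # PermanentRedirect to the right region
    return "unknown"


# Constructed probe results; anything not listed is a NoSuchBucket 404.
FAKE_S3: Dict[str, Tuple[int, str]] = {
    "uber-backup": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "uber-logs": (200, "<ListBucketResult><Name>uber-logs</Name></ListBucketResult>"),
}


def fake_probe(name: str) -> Tuple[int, str]:
    """Stand-in for the HTTP request a real scanner would send."""
    return FAKE_S3.get(name, (404, "<Error><Code>NoSuchBucket</Code></Error>"))


def enumerate_buckets(keywords: Iterable[str],
                      probe: Callable[[str], Tuple[int, str]] = fake_probe
                      ) -> Dict[str, str]:
    """Map every candidate that exists to its exposure level."""
    found: Dict[str, str] = {}
    for name in bucket_candidates(keywords):
        verdict = classify_s3(*probe(name))
        if verdict != "absent":
            found[name] = verdict
    return found


if __name__ == "__main__":
    for name, verdict in enumerate_buckets(["uber.com"]).items():
        print(f"{name}: {verdict}")
```

A private bucket is still a finding: the name confirms the organization uses that provider, and listing being denied says nothing about whether uploads are. Azure storage accounts follow different naming rules (3 to 24 lowercase letters and digits, no dots or dashes), which is why a tool like cloud_enum keeps a separate mutation and validation path per provider.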
Technique 13: Finding Admin Panels using URLHunter
Ever imagined how much simpler life would be if you got all of the admin panels at once? That is what urlhunter is for. It searches the URLTeam archives of links that were exposed through URL shortener services for the keywords you give it, which is a source most crawlers never see. The trick is to pair your target with a keyword like admin and let urlhunter return the admin dashboards it finds.
The command would be:
urlhunter -keywords uber.com,admin -date latest -o output.txt
Technique 14: Finding Uncommon Subdomains using AnalyticsRelationships
We found a rather uncommon subdomain enumeration technique in a tool called AnalyticsRelationships. Given a URL, it extracts the Google Analytics tracking ID from the page and looks up other domains and subdomains that carry the same ID via third-party services. A tracking ID identifies one Google Analytics property, and organizations often reuse the same property across all of their sites, which is what makes it a useful pivot.
The command is simple:
python3 analyticsrelationships.py -u https://www.domain.com
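The pivot itself, extracting tracking IDs from pages and grouping domains that share one, is shown below as an added example (this is not the AnalyticsRelationships tool's code, which additionally queries external services for the sites using an ID). The pages, domains and IDs are constructed for the demo so it runs offline; the ID formats (UA-, G- and GTM-) are the real ones.

```python
"""Relate domains through shared Google Analytics / Tag Manager IDs.

Added example, not the AnalyticsRelationships tool. PAGES is a constructed
set of (domain -> HTML snippet) pairs standing in for fetched pages.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Universal Analytics property UA-<account>-<profile>, GA4 stream G-XXXX,
# Tag Manager container GTM-XXXX. The UA profile suffix varies per site, so
# grouping is done on the account part.
GA_RE = re.compile(
    r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,9})\b"
)

PAGES: Dict[str, str] = {   # constructed
    "www.domain.com": "<script>ga('create','UA-123456-1','auto');</script>",
    "shop.domain.com": "gtag('config','UA-123456-2'); gtag('config','G-ABCD1234EF');",
    "acme-partner.net": ("<script src='https://www.googletagmanager.com/gtm.js?id=GTM-WXYZ12'>"
                         "</script> ga('create','UA-123456-7')"),
    "unrelated.org": "ga('create','UA-999999-1')",
}


def normalize(tag: str) -> str:
    """UA-123456-7 -> UA-123456; other ID types are already site-agnostic."""
    if tag.startswith("UA-"):
        return "-".join(tag.split("-")[:2])
    return tag


def extract_ids(html: str) -> List[str]:
    """Sorted unique, normalized tracking IDs found in one page."""
    return sorted({normalize(t) for t in GA_RE.findall(html)})


def relationships(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Inverted index ID -> domains, keeping only IDs seen on 2+ domains."""
    index: Dict[str, List[str]] = defaultdict(list)
    for domain, html in pages.items():
        for tag in extract_ids(html):
            index[tag].append(domain)
    return {tag: sorted(doms) for tag, doms in index.items() if len(doms) > 1}


if __name__ == "__main__":
    for tag, domains in relationships(PAGES).items():
        print(f"{tag}: {', '.join(domains)}")
```

In the constructed data the UA account ties acme-partner.net to the target's sites even though nothing in DNS links them, which is the kind of out-of-scope-looking asset worth a second look. The data source is the limiting factor: a real run needs either your own crawl of candidate pages or a service that indexes tracking IDs across the web.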
We hope that these recon techniques might help you to add and update your methodology. Do share your recon methodology in the comments section.
Happy Hunting!