Hey there, fellow bug hunters and curious minds! Are you ready to dive into the fascinating world of reconnaissance?
In this blog post, we’re going to embark on an exciting journey into the realm of reconnaissance. Whether you’re an aspiring ethical hacker, a bug bounty hunter, or simply someone eager to learn about the art of gathering information, this article will equip you with the essential tools and techniques to become a true recon ninja.
Definition:
Imagine you’re planning an adventure or a mission to a new place. Before you embark on your journey, wouldn’t it be helpful to gather as much information as possible about the destination?
That’s where reconnaissance comes into play. In the world of offensive security, reconnaissance is like conducting thorough research and scouting before launching an attack or defending against one.
Reconnaissance involves gathering information about a target, such as a website, network, or organization. It’s like playing the role of a detective, seeking clues and understanding the terrain before making a move. Its techniques can include searching for publicly available data, analyzing website structures, scanning for open ports, or even observing social media accounts.
By performing reconnaissance, experts can gain insights into potential vulnerabilities, weaknesses, or valuable information that may help them protect systems or identify potential threats. It’s an essential step in the pentesting process, providing a foundation for planning and making informed decisions.
Objective:
1. Information Gathering:
- Collecting crucial data
- Identifying target details
- Understanding the landscape
2. Vulnerability Assessment:
- Analyzing weaknesses
- Discovering entry points
- Assessing security gaps
3. Target Profiling:
- Creating a profile
- Understanding behavior
- Mapping interconnectedness
4. Strategic Planning:
- Formulating attack strategies
- Developing countermeasures
- Making informed decisions
Here, I will provide a list of Recon tools to start with:
1. Domain Name Information Lookup:
- whois or https://whois.arin.net — gives the target’s IP range.
- ViewDNS.info — obtain detailed information about a target domain, including DNS records, WHOIS data and IP geolocation.
- nslookup — gather information about a target domain, such as IP addresses, DNS records, and other details that aid in understanding the target’s infrastructure.
- YouGetSignal — get other sites on the same domain.
- DNSdumpster — web-based service for users to search and analyze historical DNS records, providing insights into subdomains, DNS changes, and potential security issues.
- Search DNS — online tool for users to search and retrieve DNS information, such as DNS records, IP addresses, and domain registration details, for a specific domain or hostname.
2. Service enumeration:
- nmap — discover hosts, open ports, and gather information about systems, providing insights into network security.
3. Sub-domain enumeration (and sub-domain of sub-domains):
- gobuster — https://github.com/OJ/gobuster
- sublist3r — https://github.com/aboul3la/Sublist3r
- Amass — https://github.com/owasp-amass/amass/
- dnsrecon — https://github.com/darkoperator/dnsrecon
- Knockpy — https://github.com/guelfoweb/knock
- SubBrute — https://github.com/TheRook/subbrute
- altdns — https://github.com/infosec-au/altdns
- EyeWitness — https://github.com/ChrisTruncer/EyeWitness
4. Check certificates:
- crt.sh — information about SSL/TLS certificates associated with a target domain.
- testssl.sh — checks a server’s service on any port for the support of TLS/SSL ciphers.
- SSLyze — analyze the SSL/TLS configuration of a server by connecting to it to ensure that it uses strong encryption settings.
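An added example (not from the post or from crt.sh itself) of turning crt.sh’s certificate records into a list of hostnames: crt.sh can return its results as JSON (the query form https://crt.sh/?q=%25.example.com&output=json), and the sample below is a constructed record set in that shape, with invented values.

```python
import json
import re

# Constructed sample in the shape of crt.sh's JSON output; every value is made up.
# name_value carries the certificate's SAN entries separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2024-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2024-06-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Staging.Example.com",
     "name_value": "Staging.Example.com\nold-api.example.com",
     "not_after": "2021-03-01T00:00:00"},
])

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")

def subdomains_from_crtsh(raw_json, apex):
    """Return sorted unique hostnames under `apex` seen in crt.sh records.

    Wildcard entries are recorded with the leading '*.' stripped, names are
    lower-cased because CT logs keep whatever case the CSR used, and names
    outside the apex (other SANs on a shared certificate) are ignored.
    """
    seen = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue  # skip empty lines and non-hostname SANs (e-mail etc.)
            if name == apex or name.endswith("." + apex):
                seen.add(name)
    return sorted(seen)

if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

CT logs keep every certificate ever issued, so a name seen only on an expired certificate (old-api in the sample) may no longer resolve; resolve each hostname before treating it as a live asset.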
5. Check malicious IP reputation:
- AbuseIPDB — an online platform that allows users to report and check IP addresses for malicious activity.
- Cisco Talos Intelligence — Lookup reputation for IP, domain, or network owner for real-time threat data.
- VirusTotal — online service that analyzes files and URLs, checking them against multiple antivirus engines and other scanning tools, providing insights on potential malware infections.
6. OSINT (Open Source Intelligence):
- Wayback Machine — An internet archive that allows you to view historical versions of websites, helping you uncover past information, changes, and potentially sensitive data. This can be automated by using these GitHub gists — waybackurls.py and waybackrobots.py.
- Google Dorks — Customized search queries that leverage advanced search operators to uncover hidden or vulnerable information on the web.
- Recon-ng — automates the collection and analysis of data from various sources, including search engines, social networks, and public databases.
- Shodan — discover open ports, vulnerable systems, and other information about devices on the internet.
- theHarvester — gathers email addresses, subdomains, and other information from public sources like search engines, social media platforms.
- IntelTechniques — website and resource hub created by OSINT expert Michael Bazzell, providing information, tools, and techniques for conducting OSINT investigations.
7. Github search automation tools:
- Gitrob — https://github.com/michenriksen/gitrob
- Git-all-secrets — https://github.com/anshumanbh/git-all-secrets
- truffleHog — https://github.com/dxa4481/truffleHog.git
- Git-secrets — https://github.com/awslabs/git-secrets
- Repo-supervisor — https://github.com/auth0/repo-supervisor
8. Amazon S3 bucket finder:
- S3 bucket finder — identify and enumerate misconfigured Amazon S3 buckets, aiding in the discovery of potentially exposed data or sensitive information.
- Google Dork
- Burp-Suite
9. Technology lookup:
- Netcraft — https://sitereport.netcraft.com/
- BuiltWith — https://builtwith.com/
- Wappalyzer — https://www.wappalyzer.com/
- Rescan — https://rescan.io/
- PageXRay — https://pagexray.com/
- WhatRuns — https://www.whatruns.com/
10. Get URLs:
- GAU (Get All Urls) — https://github.com/lc/gau
- Crawley — https://github.com/s0rg/crawley
- GoSpider — https://github.com/jaeles-project/gospider
- Zscanner — https://github.com/zseano/InputScanner
11. Endpoints:
- Burp-Suite — https://portswigger.net/burp
- Katana — https://github.com/projectdiscovery/katana
12. Find JS files:
- JSScanner — https://github.com/tampe125/jscanner
- JS-Scan — https://github.com/zseano/JS-Scan
- hakrawler — https://github.com/hakluke/hakrawler
- gf — https://github.com/tomnomnom/gf
- LinkFinder — https://github.com/GerbenJavado/LinkFinder
Burp and Katana can also be used to identify the JS files.
We can further combine the use of Burp-suite, JSScanner, and ZScanner to find endpoints from the JS files. Automated scanners often overlook these endpoints, which can actually be more vulnerable than the ones mentioned on web pages.
1. Run the spider tool on the target site in Burp Suite.
2. Once the spider is finished, right-click on the target and select the “Copy URLs in this host” option from the menu.
3. Create a text file and name it urlList.txt (or whatever you wish).
4. Paste the copied URLs from Burp Suite into this text file.
5. Place urlList.txt in the root of ZScanner, e.g. c/xampp/htdocs/zscanner/urlList.txt
6. Open ZScanner in the browser.
7. Click on “Begin Scanner”.
8. Four output files will be generated in the /outputs/ folder: JS-output.txt, GET-output.txt, POSTHost-output.txt and POSTData-output.txt.
9. Copy the JS-output.txt file and paste it in the root of the JS-Scan folder, e.g. c/xampp/js-scan/JS-output.txt
10. Open JS-Scan in the browser.
11. Click on “Run Scanner”.
12. You can see a screen similar to the screenshots provided in this page.
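An added example, not from the post or from ZScanner/JS-Scan, that does offline in plain Python what the two tools do in the steps above: split the Burp URL list into JS files and other URLs, then pull endpoint string literals out of a JS file. The URL list and the JS body are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for urlList.txt (Burp's "Copy URLs in this host").
URL_LIST = """\
https://app.example.com/
https://app.example.com/login?next=/dashboard
https://app.example.com/static/js/app.bundle.js
https://app.example.com/static/js/vendor.min.js?v=3
https://app.example.com/static/css/site.css
"""

# Constructed stand-in for the body of app.bundle.js, showing the kinds of
# string literals a bundle leaks: an API prefix, paths, a legacy host.
SAMPLE_JS = r"""
const API = "/api/v2";
fetch(API + "/users/me", {credentials: "include"});
axios.post("/api/v2/orders/export", {format: "csv"});
var legacy = 'https://legacy-api.example.com/v1/accounts';
$.get('/internal/feature-flags?env=prod');
"""

# Quoted absolute URLs or root-relative paths (the same idea JS-Scan/LinkFinder use).
ENDPOINT_RE = re.compile(r"""["'](https?://[^"'\s]+|/[a-zA-Z0-9_./?=&-]+)["']""")

def split_url_list(url_list):
    """Separate the crawled URLs into JS files (input for JS-Scan) and the rest."""
    js_files, others = [], []
    for line in url_list.splitlines():
        line = line.strip()
        if not line:
            continue
        target = js_files if urlparse(line).path.endswith(".js") else others
        target.append(line)
    return js_files, others

def extract_endpoints(js_text):
    """Return unique (host, path) endpoints found as string literals in JS.

    Absolute URLs keep their host so legacy or third-party hosts stand out;
    root-relative paths get host None and lose their query string.
    """
    found = set()
    for literal in ENDPOINT_RE.findall(js_text):
        if literal.startswith("http"):
            parsed = urlparse(literal)
            found.add((parsed.netloc, parsed.path))
        else:
            found.add((None, literal.split("?")[0]))
    return sorted(found, key=lambda hit: (hit[0] or "", hit[1]))
```

Note that "/api/v2" and "/users/me" come out as two separate hits because the bundle builds the URL by concatenation; string-literal grepping cannot join them, so fragments like these need a manual look.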
13. Directory Structure:
- Dirb — https://github.com/seifreed/dirb
- WFuzz — https://github.com/xmendez/wfuzz
- FFuf — https://github.com/ffuf/ffuf
- Gobuster — https://github.com/OJ/gobuster
- Dirbuster — https://github.com/KajanM/DirBuster
- Dirsearch — https://github.com/maurosoria/dirsearch
With all the above tools and online resources, we now have access to:
- old archived information of the target
- host information and open ports
- DNS information
- Whois information
- IP range of the target
- other sites on the same domain
- complete list of sub-domains
- SSL/TLS information of the target
- target’s reputation
- open-source information on the target
- FTP credentials, hard-coded secret keys, API endpoints, domain patterns (if anything is available on GitHub)
- S3 bucket info (if available)
- Endpoints and directory structure
- JS files and hidden endpoints
- Technology stack of the target
Thank you for reading the post :)
As a bug hunting beginner, I’ve shared all the valuable information I’ve gathered while testing my target sites in this article. I hope you found it insightful and informative! If you enjoyed this read and want to support my other posts, I’d greatly appreciate it.
Feel free to leave a comment below with your thoughts, suggestions, or any insights I may have missed. Together, let’s continue learning and exploring the exciting world of bug hunting!