WHAT IS RECONNAISSANCE?

Reconnaissance (Recon) is one of the most important aspects of penetration testing. Recon helps you enlarge the attack surface you can examine and may let you find more vulnerabilities, but the ultimate goal is to dig deep into the target.

Recon = Increase in attack surface = More vulnerabilities
Recon = Finding untouched endpoints = Fewer duplicates
Recon = Sharpening your axe before the attack
SUBDOMAIN ENUMERATION

Subdomain enumeration is the process of finding subdomains for one or more domains.

Tools used:

Visual recon (web interfaces):
VirusTotal
subdomainfinder.c99.nl
https://crt.sh/?q=%25.target.com
https://securitytrails.com/list/apex_domain/target.com
https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22

Command-line tools:
Amass
Dnsx
Subfinder
Chaos
AssetFinder
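The crt.sh link above returns certificate-transparency results; with `&output=json` appended, crt.sh returns them as a JSON list whose `name_value` field may hold several names separated by newlines, including wildcard entries. The parser below is an added example (not part of the original deck or of crt.sh) that turns a saved crt.sh response into a clean, de-duplicated hostname list, discarding wildcard prefixes, mixed case, trailing dots and look-alike names outside the apex domain. The JSON sample is constructed; only `name_value` and `output=json` are taken from crt.sh's real format.

```python
import json
import re

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.target.com&output=json (a JSON list of certificate entries).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=R3",
     "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Example CA, CN=R3",
     "common_name": "*.dev.target.com",
     "name_value": "*.dev.target.com\napi.dev.target.com"},
    {"issuer_name": "C=US, O=Example CA, CN=R3",
     "common_name": "Mail.Target.com",
     "name_value": "MAIL.TARGET.COM."},
    # Look-alike that merely contains the apex as a substring: must be excluded.
    {"issuer_name": "C=US, O=Example CA, CN=R3",
     "common_name": "target.com.evil.example",
     "name_value": "target.com.evil.example"},
])

# Conservative DNS hostname syntax: labels of 1-63 chars, letters/digits/hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def names_from_crtsh(raw_json: str, apex: str) -> list[str]:
    """Return sorted unique hostnames under `apex` found in a crt.sh JSON response."""
    apex = apex.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: keep the zone it was issued for
            # Suffix check on ".apex" (not a substring check) rejects look-alikes.
            if name != apex and not name.endswith("." + apex):
                continue
            if HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(names_from_crtsh(SAMPLE_CRTSH_JSON, "target.com")))
```

Feed the output into a resolver such as dnsx: certificate transparency lists names that were issued certificates at some point, not names that resolve today, so the list is a candidate set rather than a confirmed inventory.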
SUBDOMAIN OF SUBDOMAIN ENUMERATION

One of the rarer things people search for: subdomains nested under the subdomains you have already found.

Tools used:
Subbrute: https://github.com/TheRook/subbrute
altdns: https://github.com/infosec-au/altdns

Usage:
./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt
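altdns works by permuting the names you already know with a wordlist and then resolving the candidates (the `-r` flag above). The function below is an added example written for this page, not altdns's own code: it shows the permutation step in a simplified form (inserting a word as a new label at every depth, and gluing it onto each existing label with or without a hyphen) so that the size and shape of the candidate set is visible before any DNS query is sent. The seed names and wordlist are constructed; the apex-domain check is an assumption added so that hosts outside scope are skipped rather than permuted.

```python
# Constructed inputs: subdomains already discovered and a small permutation wordlist.
SEED_SUBDOMAINS = ["api.target.com", "staging.api.target.com", "cdn.other.example"]
WORDS = ["dev", "admin"]


def permute_names(subdomains: list[str], words: list[str], apex: str) -> list[str]:
    """Generate altdns-style candidate hostnames under `apex` (unresolved)."""
    apex_labels = apex.lower().split(".")
    candidates = set()
    for host in subdomains:
        labels = host.lower().split(".")
        if labels[-len(apex_labels):] != apex_labels:
            continue  # not under the apex we are allowed to look at: skip it
        prefix = labels[:-len(apex_labels)]
        if not prefix:
            continue  # the apex itself has nothing to permute
        for word in words:
            word = word.lower()
            # 1. Insert the word as a new label at every depth:
            #    dev.api.target.com, api.dev.target.com
            for i in range(len(prefix) + 1):
                new = prefix[:i] + [word] + prefix[i:]
                candidates.add(".".join(new + apex_labels))
            # 2. Glue the word onto each existing label, on either side,
            #    with and without a hyphen: dev-api, api-dev, devapi, apidev
            for i, label in enumerate(prefix):
                for glued in (f"{word}-{label}", f"{label}-{word}",
                              f"{word}{label}", f"{label}{word}"):
                    new = prefix[:i] + [glued] + prefix[i + 1:]
                    candidates.add(".".join(new + apex_labels))
    # Never re-emit names we already had.
    candidates.difference_update(h.lower() for h in subdomains)
    return sorted(candidates)


if __name__ == "__main__":
    for name in permute_names(SEED_SUBDOMAINS, WORDS, "target.com"):
        print(name)
```

The candidate count grows roughly as subdomains × words × (depth × 5), so a targeted wordlist matters more than a long one; every candidate still has to be resolved before it counts as an asset, and a wildcard DNS record on the zone will make all of them "resolve", which is the first thing to check.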
BROADENING YOUR SCOPE

More targets lead to more options, which ultimately lead to more opportunities. Sources for related assets (acquisitions, ASN/BGP data, WHOIS records):

Crunchbase
bgp.he.net
tools.whoisxmlapi.com
https://whois.arin.net
TIPS AND TRICKS
By Aditya_Shende

After collecting URLs, curl the responses of the URLs and grep them for the following patterns (links to shared Google Drive/Docs content):
drive.google
docs.google
/spreadsheets/d/
/document/d/

cat domains.txt | katana -silent | while read -r url; do
  # escape the dots so "drive.google" is not matched as "drive<anything>google"
  cu=$(curl -s "$url" | grep -E '(drive\.google|docs\.google|/spreadsheets/d/|/document/d/)')
  [ -n "$cu" ] && printf '==> %s\n%s\n' "$url" "$cu"
done
FUZZING FOR SENSITIVE FILES & DIRECTORIES

ffuf: https://github.com/ffuf/ffuf
Writeup: FFUF-ing RECON (a writeup on ffuf)

while read -r i; do
  ffuf -u "$i/FUZZ" -w wordlist.txt -mc 200,302,401 -se
done < host.txt

Tip: Fuzz for "/wp-content/debug.log". Sometimes it contains SQL errors, which can be chained with other findings.
JAVASCRIPT [JS] FILES RECON

Collect all ".js" files: grep all URLs from wayback or gau, then filter for JavaScript responses:
httpx -content-type | grep 'application/javascript'
Perform a Nuclei scan on them:
nuclei -t /root/nuclei-templates/exposures/

JS recon tip:
Collect all endpoints from the JS files and create a wordlist from them. Craft a POST request with any parameter and use that request to fuzz for sensitive directories.

Tools: JSFSCAN, JSMiner {Burp extension}, Trufflehog
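Both of the last two tips come down to the same operation: pull strings of a particular shape out of fetched response bodies. The script below is an added example (not from the deck, and not the code of JSFScan, JSMiner or Trufflehog) covering the Google Docs/Drive grep and the JS endpoint-to-wordlist step together: one function extracts shared-document links from an HTML body, another extracts absolute paths from a JavaScript bundle while dropping static assets, and a third splits those paths into the segment wordlist the tip describes. The HTML and JS samples are constructed; the same functions are equally useful for auditing your own deployed pages and bundles for accidentally linked documents and forgotten internal paths.

```python
import re

# Constructed sample response body: an HTML page that links shared documents.
SAMPLE_HTML = """
<a href="https://docs.google.com/spreadsheets/d/1AbC_dEfG/edit#gid=0">Q3 budget</a>
<a href="https://drive.google.com/file/d/1XyZ/view?usp=sharing">export</a>
<a href="https://example.com/page">unrelated</a>
"""

# Constructed sample JavaScript bundle with hard-coded API paths.
SAMPLE_JS = """
const base = "/api/v1";
fetch(base + "/users/me");
axios.post("/api/v1/admin/export", payload);
const legacy = '/internal/debug/config.json';
var img = "/static/img/logo.png";
"""

# Links to Google Docs/Drive, ending at whitespace or a quote/angle bracket.
DOC_LINK_RE = re.compile(r"https?://(?:docs|drive)\.google\.com/[^\s\"'<>]+")
# A quoted string that looks like an absolute path: one or more /segment parts.
PATH_RE = re.compile(r'["\']((?:/[A-Za-z0-9_.\-{}:]+)+/?)["\']')
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css",
              ".woff", ".woff2", ".ico", ".map")


def extract_doc_links(body: str) -> list[str]:
    """Shared Google Docs/Drive links referenced by a page body."""
    return sorted(set(DOC_LINK_RE.findall(body)))


def extract_js_endpoints(js: str) -> list[str]:
    """Absolute paths hard-coded in a JS bundle, minus obvious static assets."""
    found = set()
    for path in PATH_RE.findall(js):
        if path.lower().endswith(STATIC_EXT):
            continue
        found.add(path)
    return sorted(found)


def wordlist_from_endpoints(endpoints: list[str]) -> list[str]:
    """Split endpoints into unique path segments: one word per line for ffuf."""
    words = set()
    for endpoint in endpoints:
        for segment in endpoint.strip("/").split("/"):
            if segment:
                words.add(segment)
    return sorted(words)


if __name__ == "__main__":
    print("doc links:", extract_doc_links(SAMPLE_HTML))
    endpoints = extract_js_endpoints(SAMPLE_JS)
    print("endpoints:", endpoints)
    print("wordlist:", wordlist_from_endpoints(endpoints))
```

Paths assembled at runtime (`base + "/users/me"` above) surface only as their fragments, so the segment wordlist is the more robust output: it recombines under ffuf's FUZZ even when the full path never appears as a single literal.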
Some data is exposed intentionally; there is no bug there. Verify the data before reporting.
Don't get angry; you may lose your bond with a good program. Reported > Invalid.
Your crafting and exploits are gold. Make the impact as high as you can.
Yes, they do accept third-party findings.
Money isn't going anywhere. Don't message the team constantly.
Be humble with the program.