In the world of ethical hacking and bug bounty hunting, it’s crucial to gather information effectively. Reconnaissance, or “recon,” is a vital step in understanding a target and finding potential weaknesses. In this blog, we’ll explore various easy-to-use techniques and tools for efficient reconnaissance.
Finding Seeds/Roots
Scope Domains
Start by defining your scope. Bugcrowd and HackerOne are good places to identify target domains.
Acquisitions
Check Crunchbase for information on the target’s business acquisitions.
ASN Enumeration
Use tools like bgp.he.net, asnlookup (cmdline), and Amass to understand the target’s Autonomous System (AS).
Reverse WHOIS
Find related domains with services like whoxy.com and DOMLink.
Ad/Analytics Relationships
Identify advertising and analytics relationships using builtwith.com and getrelationship.py.
Google-Fu
Use Google searches to find copyright text, terms of service, and privacy policy information.
Shodan
Check Shodan for information about the target’s internet-connected devices.
Subdomain Enumeration
Linked and JS Discovery
Use Burp Suite Pro for active discovery of linked and JavaScript-related subdomains. Turn off passive scanning, set forms auto-submit, and use advanced control for scope definition.
Other tools like GoSpider, Hakrawler, SubDomainizer, and subscraper can help in finding subdomains.
Subdomain Scraping
Use tools like Google (site), Amass, Subfinder v2, github-subdomains.py, shosubgo, and Cloud Ranges for subdomain scraping.
Subdomain Bruteforce
Amass can be used for brute-force subdomain enumeration. Use amass enum -brute commands with custom resolvers or wordlists for effective scanning.
Explore wordlists from various DNS enumeration tools and repositories like assetnote/wordlists.
Use tools like infosec-au/altdns for altering subdomains and bypassing Web Application Firewalls (WAF).
Other Techniques
Favicon Analysis
Explore Favicon Analysis using tools like devanshbatham/FavFreak to gather insights from a target’s website icons.
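The favicon technique works by hashing the icon the same way Shodan does, so that every host serving the same icon collapses onto one fingerprint. The following is an added example, not code from the post or from FavFreak: it carries a pure-Python MurmurHash3 (so no mmh3 install is needed), applies the Shodan/FavFreak convention of hashing the MIME base64 encoding as a signed 32-bit integer, and then clusters an inventory by that hash so a defender can spot forgotten hosts that still serve a known application's icon. The host names and icon bytes are constructed samples.

```python
import codecs
from collections import defaultdict


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32 (unsigned result), no mmh3 dependency."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h = seed & mask
    n = len(data)
    nblocks = n // 4
    # Body: mix each little-endian 4-byte block into the running hash.
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    # Tail: the 0-3 bytes that did not fill a whole block.
    tail = data[4 * nblocks:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    # Finalisation: fold in the length, then the avalanche steps.
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def favicon_hash(icon_bytes: bytes) -> int:
    """Shodan-style favicon hash: MurmurHash3 over the MIME base64 encoding
    (76-column lines plus trailing newline, which codecs.encode produces),
    returned as a signed 32-bit integer like mmh3.hash() would give."""
    encoded = codecs.encode(icon_bytes, "base64")
    h = murmur3_32(encoded)
    return h - (1 << 32) if h >= (1 << 31) else h


def cluster_by_favicon(inventory: dict) -> dict:
    """Group hosts by favicon hash. Hosts sharing a hash very likely run the
    same application, which is how a defender finds forgotten copies of it."""
    clusters = defaultdict(list)
    for host, icon in inventory.items():
        clusters[favicon_hash(icon)].append(host)
    return dict(clusters)


# Constructed sample favicons (not real icon files, hostnames are placeholders):
# two hosts serve the same icon, a third serves a different one.
SAMPLE_ICONS = {
    "www.example.test": b"\x00\x00\x01\x00" + b"app-icon" * 8,
    "legacy.example.test": b"\x00\x00\x01\x00" + b"app-icon" * 8,
    "status.example.test": b"\x00\x00\x01\x00" + b"other-ico" * 7,
}

if __name__ == "__main__":
    for h, hosts in cluster_by_favicon(SAMPLE_ICONS).items():
        print(h, hosts)
```

In practice the inventory would be filled from each host's /favicon.ico response body; the hash of your own production icon is then the value to search for across your own external inventory (or in Shodan) to find hosts nobody remembered to decommission.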
Port Analysis
Use masscan for port analysis with a simple command such as masscan -p1-65535 -iL $ipFile --max-rate 1800 -oG $outPutFile.log. Also, try rastating/dnmasscan for DNS-related mass scanning.
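The -oG flag above writes masscan's grepable format, one line per open port, which is easy to post-process. As an added example (not code from the post or from the masscan project), the block below parses that format into a per-host set of open ports and then compares it with the ports each host is meant to expose, so that a defender running the same scan against their own ranges gets a list of unexpected exposures rather than a raw port dump. The scan output and the expected-services baseline are constructed samples; the field layout (Timestamp, Host, Ports with slash-separated port/state/proto fields) follows masscan's grepable output.

```python
import re
from collections import defaultdict

# Constructed masscan -oG output (not from a real scan). masscan writes one
# result line per open port, so a host appears once per port.
SAMPLE_OG = """\
# Masscan 1.3.2 scan initiated Mon Jan  1 00:00:00 2024
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1704067200\tHost: 203.0.113.10 ()\tPorts: 443/open/tcp////
Timestamp: 1704067201\tHost: 203.0.113.10 ()\tPorts: 22/open/tcp////
Timestamp: 1704067202\tHost: 203.0.113.11 ()\tPorts: 80/open/tcp////
Timestamp: 1704067203\tHost: 203.0.113.11 ()\tPorts: 3389/open/tcp////
Timestamp: 1704067204\tHost: 203.0.113.12 ()\tPorts: 6379/open/tcp////
# Masscan done at Mon Jan  1 00:05:00 2024
"""

HOST_RE = re.compile(r"Host:\s*(\S+)")
PORTS_RE = re.compile(r"Ports:\s*(.+)$")


def parse_masscan_grepable(text: str) -> dict:
    """Return {ip: {(port, proto), ...}} for every port reported as open."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#") or "Host:" not in line:
            continue  # banner/comment lines carry no results
        host_m = HOST_RE.search(line)
        ports_m = PORTS_RE.search(line)
        if not host_m or not ports_m:
            continue
        ip = host_m.group(1)
        # Entries are comma-separated; each is port/state/proto/owner/service/rpc/version
        # with the unused trailing fields left empty.
        for entry in ports_m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or fields[1] != "open":
                continue
            open_ports[ip].add((int(fields[0]), fields[2]))
    return dict(open_ports)


def unexpected_exposure(open_ports: dict, allowed: dict) -> dict:
    """Diff observed open ports against the ports each host is expected to expose.
    Hosts missing from the baseline have no allowed ports, so everything is flagged."""
    findings = {}
    for ip, ports in open_ports.items():
        extra = {p for p in ports if p not in allowed.get(ip, set())}
        if extra:
            findings[ip] = sorted(extra)
    return findings


# Assumed baseline of intended exposure per host (constructed for the example).
EXPECTED = {
    "203.0.113.10": {(443, "tcp"), (22, "tcp")},
    "203.0.113.11": {(80, "tcp")},
}

if __name__ == "__main__":
    observed = parse_masscan_grepable(SAMPLE_OG)
    for ip, ports in unexpected_exposure(observed, EXPECTED).items():
        print(f"{ip}: unexpected open ports {ports}")
```

Feeding the real $outPutFile.log into parse_masscan_grepable and keeping the baseline in version control turns a one-off scan into a repeatable exposure check; any newly flagged port is a change in the attack surface worth a ticket.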
Service Scanning
For service scanning, x90skysn3k/brutespray automates brute-force attacks on services.
Github Dorking
Enhance your reconnaissance with effective Github Dorking using resources like shhgit and gwen001/github-search.
Screenshotting
Capture screenshots of discovered subdomains using tools like EyeWitness, Aquatone, and httpscreenshot for visual analysis.
Subdomain Takeover
Identify potential subdomain takeover opportunities with tools like EdOverflow/can-i-take-over-xyz, SubOver, and nuclei.
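The precondition behind most subdomain takeovers is a CNAME in your own zone that still points at a third-party hostname the provider has since released. The block below is an added example, not code from the post or from the tools it names: it reads CNAME records out of a BIND-style zone export and flags any whose target no longer resolves, which is the check a defender should run over their own zones before someone else finds the gap. The zone content, hostnames and provider names are constructed placeholders; the resolver is injectable so the check can run offline.

```python
import socket
from dataclasses import dataclass

# Constructed zone export (placeholder names, not a real zone):
# "name TTL IN TYPE rdata" per line.
SAMPLE_ZONE = """\
www.example.test.      300 IN CNAME app-prod.cloud-host.example.
blog.example.test.     300 IN CNAME blog-pages.static-host.example.
old-shop.example.test. 300 IN CNAME old-shop-bucket.object-store.example.
mail.example.test.     300 IN A     203.0.113.25
"""


@dataclass(frozen=True)
class CnameRecord:
    name: str
    target: str


def parse_cnames(zone_text: str) -> list:
    """Pull CNAME records out of a BIND-style zone export; the TTL column is
    optional and other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        upper = [p.upper() for p in parts]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx + 1 >= len(parts):
            continue
        records.append(CnameRecord(parts[0].rstrip("."), parts[idx + 1].rstrip(".")))
    return records


def target_resolves(hostname: str) -> bool:
    """Default resolver (network call): does the CNAME target still resolve?"""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: list, resolves=target_resolves) -> list:
    """Return CNAMEs whose target no longer resolves: our zone still delegates
    the name, but nothing is behind it. `resolves` is a callable so the check
    can be run against a fake resolver offline."""
    return [r for r in records if not resolves(r.target)]


if __name__ == "__main__":
    for r in find_dangling(parse_cnames(SAMPLE_ZONE)):
        print(f"DANGLING: {r.name} -> {r.target}")
```

A target that still resolves is not automatically safe: several providers answer for unclaimed names with a fingerprint page instead of NXDOMAIN, which is exactly what the can-i-take-over-xyz list documents per service, so this check covers the NXDOMAIN case and the fingerprint list covers the rest. Removing or re-pointing the stale CNAME is the fix in either case.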
Automation++
Extending Tools
Enhance existing tools with frameworks like codingo/Interlace and utilities from tomnomnom.
Honorable Mention
Nuclei deserves recognition for its contribution to automating security scanning.
In conclusion, effective reconnaissance is vital for security assessment. By using simple tools and techniques, security professionals can thoroughly understand the target and find potential vulnerabilities. Happy hacking!