
Recon:

Google Dorking:

site:x = shows results from the domain x only (e.g. site:example.com)

inurl:"x" = shows pages whose URL contains the string x (no space after the colon)
intitle:"x" = shows pages whose title contains the string x
link:"x" = was meant to show pages that link to x; Google retired this operator, so it no longer returns reliable results
filetype:x = shows pages with the file extension x (e.g. filetype:pdf, filetype:xlsx)

Quotes ("") = force an exact match, in exact order

Minus (-x) = excludes results containing x (works on operators too, e.g. -site:www.example.com to drop the main site and surface other subdomains)

WHOIS and Reverse WHOIS:

Installed in C:\WHOIS ... run it from the terminal

When a domain is registered, contact info must be given to identify the registrant (name, organization, e-mail, address). Many registrars now redact this behind a privacy service, so the record may only show the registrar, creation/expiry dates and name servers.

Reverse WHOIS can find all domains registered to an individual, company name or e-mail address
Browser bookmark for this

Running WHOIS on an IP address does not return subdomains; it returns the owner of the netblock (IP range) and its ASN, which helps find other hosts and ranges the target owns

IP Addresses:

Use nslookup (website bookmarked) to find the IP of a website (nslookup x.com). Check whether the IP belongs to the target or to a CDN/WAF provider (Cloudflare, Akamai, etc.), since in that case the origin server is hidden behind it.

Certificate Searches:

Use crt.sh (bookmarked) to search Certificate Transparency logs. A certificate issued for the target lists every hostname it covers in its Subject Alternative Name field, so querying %.x.com returns alternate names and subdomains (often internal or forgotten ones) that wordlist brute-forcing would miss.
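The crt.sh site also exposes the same search as JSON (https://crt.sh/?q=%25.x.com&output=json), which is easier to feed into the rest of the recon than the HTML table. The script below is an added example, not part of the original notes or of crt.sh itself: it parses that JSON, splits the newline-joined name_value field, normalises wildcards and case, and keeps only names in scope for the apex domain. The SAMPLE_CRTSH_JSON response is constructed for the example (the field names are crt.sh's, the values are invented), so it runs offline; fetch_crtsh shows the live request but is not called.

```python
import json
import re
import urllib.request

# Live endpoint (needs network). %25 is a URL-encoded "%", the SQL wildcard crt.sh uses.
CRTSH_URL = "https://crt.sh/?q=%25.{apex}&output=json"

# Constructed sample of what the crt.sh JSON endpoint returns: one object per
# logged certificate, with every SAN joined by newlines in name_value. The
# field names are crt.sh's; the values are made up for this example.
SAMPLE_CRTSH_JSON = """[
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com", "name_value": "www.example.com\\nexample.com",
   "id": 1001, "entry_timestamp": "2023-01-01T00:00:00", "not_before": "2023-01-01T00:00:00",
   "not_after": "2023-04-01T00:00:00", "serial_number": "01"},
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.dev.example.com", "name_value": "*.dev.example.com\\nAPI.dev.example.com",
   "id": 1002, "entry_timestamp": "2023-02-01T00:00:00", "not_before": "2023-02-01T00:00:00",
   "not_after": "2023-05-01T00:00:00", "serial_number": "02"},
  {"issuer_ca_id": 2, "issuer_name": "C=US, O=DigiCert Inc",
   "common_name": "mail.example.com", "name_value": "mail.example.com\\nmail.example.com\\nexample.com.evil.net",
   "id": 1003, "entry_timestamp": "2023-03-01T00:00:00", "not_before": "2023-03-01T00:00:00",
   "not_after": "2024-03-01T00:00:00", "serial_number": "03"}
]"""

# Plain DNS hostname: labels of letters, digits and hyphens separated by dots.
# Anything else in a SAN (e-mail addresses, IPs with junk) is dropped by this check.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def fetch_crtsh(apex, timeout=30):
    """Download the crt.sh JSON for %.apex (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(CRTSH_URL.format(apex=apex), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_names(crtsh_json, apex):
    """Return the sorted, de-duplicated hostnames under apex found in a crt.sh JSON response."""
    apex = apex.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        # name_value carries every SAN of the certificate, newline separated
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: record the parent name it covers
            if not name or not HOSTNAME_RE.match(name):
                continue
            # scope check: the apex itself or a name ending in ".apex"; this is what
            # rejects look-alikes such as example.com.evil.net
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_crtsh("example.com") for a live run.
    for host in extract_names(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The output is a clean list to feed into the subdomain enumeration step; note that names in CT logs may no longer resolve, so resolve each one before spending time on it.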

Subdomain Enumeration:

After finding the target's domains, enumerate each one with sublist3r to find subdomains

Use gobuster in dns mode for wordlist-based subdomain brute-forcing (or amass):

gobuster dns -d x.com -w <wordlist>

If the target's DNS answers every name (wildcard DNS), every wordlist entry looks valid; gobuster dns detects this and stops unless run with --wildcard, so filter such results by the IP they resolve to.

Service Enumeration:

Use Nmap (on desktop) to find open ports and the services running on them.

Directory Brute-forcing:

Use gobuster in dir mode for directory brute-forcing (add -x php,txt,bak to also try file extensions):

gobuster dir -u https://x.com -w <wordlist>

Web crawling:

Actually opening each URL on a page, then each URL found on each of those pages, and so on, to map the whole site.
Use the crawler in Burp Suite (Burp Pro's scanner, run as a crawl-only scan)

Github Recon:

Oftentimes, companies will accidentally commit sensitive data or hints to vulnerabilities in public repositories

PAY SPECIAL ATTENTION TO ISSUES AND COMMITS:

These are full of potential for unsolved issues and unpatched bugs.
Look at the protection mechanisms implemented and see if there is a bypass.

Once you have found a file of interest, check the Blame and History sections to see how it was developed (a secret that was removed in a later commit is still present in the history)

Look for hardcoded secrets like API keys, encryption keys, and database passwords

See if any source code deals with sensitive functionality such as authentication, password reset, state-changing actions, or reads of private info

Pay special attention to code that deals with user input, such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file uploads, etc.

Check for outdated dependencies (lock files such as package-lock.json, requirements.txt or Gemfile.lock pin exact versions; look up known exploits for those versions)
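The "look for hardcoded secrets" step is usually done by grepping a checkout for patterns rather than reading every file. The script below is an added example (not code from the notes or from any tool they mention) of that approach: a handful of regexes for fixed-format secrets (AWS access key IDs, PEM private-key headers, database connection strings with embedded passwords) plus a deliberately looser rule for generic KEY = "value" assignments. SAMPLE_REPO is a constructed set of files; the AKIA key is AWS's published example key and nothing here is a real credential. Dedicated tools such as gitleaks or trufflehog do the same with far more rules and git-history walking.

```python
import re

# Patterns a reviewer would grep a repository for. The AWS access key ID format
# (AKIA + 16 upper-case alphanumerics) and the PEM header are fixed formats; the
# generic assignment rule is a heuristic and will raise false positives.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "db_connection_string": re.compile(
        r"(?i)\b(postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s]+:[^@\s]+@"),
}

# Constructed sample repository (path -> file contents). Nothing here is a real secret;
# AKIAIOSFODNN7EXAMPLE is the example key from AWS's own documentation.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DATABASE_URL = 'postgres://app:Sup3rS3cret@db.internal:5432/app'\n"
        "API_KEY = \"sk_live_abcdefghijklmnop\"\n"
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    # a function parameter named password is not a secret: the generic rule needs "= '...'"
    "src/auth.py": "def check_password(user, password):\n    return user.verify(password)\n",
    # a short placeholder value is skipped by the 8-character minimum
    "tests/fixtures.py": "PASSWORD = 'x'\n",
}


def scan_text(path, text):
    """Return (path, line number, rule name) for every line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, rule))
    return hits


def scan_repo(files):
    """Scan a {path: contents} mapping in path order so the report is stable."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


if __name__ == "__main__":
    for path, lineno, rule in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {rule}")
```

Run the same scan over every commit (git log -p, or one checkout per commit) rather than only the current tree, since the History section of a file is where removed secrets survive.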

Fingerprinting:

Run Nmap with the -sV flag to enable version detection of services (nmap -sV x.com)

In Burp, send a request to the server and check the response's HTTP headers. A server might leak useful info:

- HTTP headers like Server or X-Powered-By indicate the technologies in use

- Server often reveals the web server software and its version (e.g. Apache/2.4.29)

- X-Powered-By reveals the application framework or scripting language (e.g. PHP/7.2, ASP.NET, Express)

Treat these banners as hints, not proof: admins can change or strip them, so confirm a version another way before relying on it for exploit selection.
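A small parser makes this repeatable across many hosts instead of reading each Burp response by eye. The code below is an added example and not from the original notes: it splits a raw HTTP response into headers, pulls product/version tokens such as Apache/2.4.29 out of Server and X-Powered-By, and, going one step beyond the notes, also infers the framework from well-known session-cookie names (PHPSESSID, JSESSIONID, ...), which survive even when the banners have been stripped. Both sample responses are constructed for the example.

```python
import re

# Constructed raw HTTP response, as it would appear in Burp's response pane.
# The banner values are made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed response from a server configured not to advertise versions.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# product/version tokens such as "Apache/2.4.29" or "PHP/7.2.24"
PRODUCT_VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.+-]*)/(\d+(?:\.\d+)+)")

# Session-cookie names that betray the framework even when banners are stripped.
# Heuristic mapping maintained for this example; cookie names can be renamed by the admin.
COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
    "connect.sid": "Express/Node.js",
    "laravel_session": "Laravel",
    "csrftoken": "Django",
}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercase name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip rather than crash mid-scan
        name, value = line.split(":", 1)
        # a header may repeat (Set-Cookie in particular), so keep a list per name
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def fingerprint(raw):
    """Collect the technology hints a recon note would record for one response."""
    _status, headers = parse_headers(raw)
    result = {
        "server": headers.get("server", [None])[0],
        "x_powered_by": headers.get("x-powered-by", [None])[0],
        "products": {},
        "cookie_hints": [],
    }
    for header in ("server", "x-powered-by", "via"):
        for value in headers.get(header, []):
            for product, version in PRODUCT_VERSION_RE.findall(value):
                result["products"][product] = version
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().lower()
        hint = COOKIE_HINTS.get(cookie_name)
        if hint and hint not in result["cookie_hints"]:
            result["cookie_hints"].append(hint)
    return result


if __name__ == "__main__":
    for label, raw in (("chatty", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, fingerprint(raw))
```

The hardened response yields no versions at all, which is the point of the caveat above: an empty products dict means "go confirm with nmap -sV or a known-path probe", not "nothing is running".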
