Recon Techniques 1715701265
Introduction to the Course:

* Recon [IP, web, subdomain]
* JavaScript [directories, keys, functions]
* Enumeration [URLs, functions, API]
* Tools to use
* What to do with the data
* Where do we go from here

Tools: gau, httprobe, subfinder, BuiltWith, amass, assetfinder, anew, hakrawler, gf, gf-patterns, ffuf

python update: pip install --upgrade python

Think like a hacker:

* What do sensitive files look like
* What services should I try to exploit first
* Sensitive directories
* OSINT
* Code review
* API
* Error messages
* Following JS endpoints

Commands:
amass enum -d <domain> | tee subs.txt
amass intel -d <link> -whois
subfinder -d <link> -o subs.txt
subfinder -dL <domain list file> -o sub.txt
cat <domain file> | assetfinder -subs-only | tee subs.txt
cat subs.txt | anew subs1.txt
cat sub.txt | httprobe | tee alive.txt
cat alive.txt | httpx -mc 403,300 | tee httpx.txt
cat httpx.txt | gau -blacklist png,jpg,jpeg,woff1,woff2,woff3,eot,css,mp4,mp3,img | tee subs.txt
cat alive.txt | hakrawler -u -d 5 -t 1 | tee crawled.txt
cat crawled.txt | grep -i "\.js$" | tee js.txt

Other info: whois, Shodan, Censys, BuiltWith

Think like a hacker:

* What do sensitive files look like
* What services should I try to exploit first:
  FTP (20, 21)
  SSH (22)
  SMB (137, 139, 445)
  DNS (53)
  HTTP/HTTPS (80, 443, 8080, 8443)
  Telnet (23)
* Sensitive directories
* OSINT
* Code review
* API hacking: https://pentestbook.six2dez.com/enumeration/webservices/apis

# Tools
https://github.com/Fuzzapi/fuzzapi
https://github.com/Fuzzapi/API-fuzzer
https://github.com/flipkart-incubator/Astra
https://github.com/BBVA/apicheck/
https://github.com/ngalongc/openapi_security_scanner
https://github.com/assetnote/kiterunner
https://github.com/s0md3v/dump/tree/master/json2paths
https://github.com/API-Security/APIKit
# Wordlists
https://github.com/chrislockard/api_wordlist
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-apiendpoints-mazen160.txt
https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api
https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/common-methods/commonmethods.txt

# API keys guesser : https://api-guesser.netlify.app/
# Swagger to Burp : https://rhinosecuritylabs.github.io/Swagger-EZ/
# List swagger routes : https://github.com/amalmurali47/swagroutes
# Checklist : https://gitlab.com/pentest-tools/API-Security-Checklist/-/blob/master/README.md
# Best mindmap : https://dsopas.github.io/MindAPI/play/
# GUID guesser : https://gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18

Subdomain recon:
subfinder -d example.com
amass enum -d example.com
assetfinder --subs-only example.com
findomain -t example.com
sublist3r -d example.com

sort file1.txt file2.txt > sorted_output.txt
cat 1stfile.txt 2nd.file.txt > subdomain.txt
sort subdomain.txt | uniq > root-domain.txt

Run the tools one after another (not piped into each other, since each writes its own file), then merge:
sudo subfinder -d tesla.com -o 1.txt
sudo sublist3r -d tesla.com -o 2.txt
sudo assetfinder --subs-only tesla.com > 3.txt
sudo findomain -t tesla.com --output
cat * > full.txt
sort full.txt | uniq > final.txt
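The merge step above is where inventories usually go wrong: the tools disagree on case, emit wildcard entries and trailing dots, and pull in hosts that are not under the root you are responsible for. As an added example (not from these notes), here is a POSIX shell function that consolidates several tool output files into one clean, deduplicated in-scope list; the input files are constructed sample data, not live tool output, and the file names and layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumes plain-text inputs with one hostname per line, as written by
# subfinder -o, sublist3r -o, assetfinder > file, or findomain --output.

# merge_subdomains ROOT FILE... : print unique, normalised hostnames that
# are ROOT itself or a subdomain of ROOT. Everything else is dropped so the
# inventory only contains assets in scope.
merge_subdomains() {
  root="$1"; shift
  # escape dots so the root is matched literally in the grep pattern
  root_re=$(printf '%s' "$root" | sed 's/\./\\./g')
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "(^|\.)${root_re}$" \
    | sort -u
}

# Constructed sample files (stand-ins for 1.txt, 2.txt, 3.txt from the tools).
tmp=$(mktemp -d)
printf 'api.example.com\nwww.example.com\nAPI.Example.com\n' > "$tmp/1.txt"
printf 'www.example.com.\n*.dev.example.com\nexample.com\n' > "$tmp/2.txt"
printf 'notexample.com\nmail.other.org\n  cdn.example.com  \n' > "$tmp/3.txt"

merge_subdomains example.com "$tmp/1.txt" "$tmp/2.txt" "$tmp/3.txt" \
  | tee "$tmp/final.txt"
echo "unique in-scope hosts: $(wc -l < "$tmp/final.txt" | tr -d ' ')"
```

Nine input lines collapse to five hosts; `notexample.com` is rejected because the root must be preceded by a dot or the start of the line, which a plain `grep example.com` would not enforce.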

Methodology:
subfinder -d <link> -o name.txt
echo <link> | assetfinder -subs-only
cat httpx.txt | gau -blacklist png,jpg,jpeg,woff1,woff2,woff3,eot,css,mp4,mp3,img | tee subs.txt
cat name.txt | httpx -sc -td -server -ip -cname -json -o httpx.json -mc 200 -x POST,GET,TRACE,OPTIONS
cat name.txt | httprobe | tee alive.txt
sudo nmap -sC -sV -sT -iL name.txt -oN result.txt -vv
cat name.txt | hakrawler -t 1 -u -d 3
cat name.txt | grep <link> | grep ".js$"
ffuf -u https://FUZZ.<link> -t 1 -p .9 -w /tools/wordlists/Seclists/Discovery/DNS/dns-jhaddix.txt

Recon online sources:
whois, Shodan, Censys, BuiltWith
Search query: site:*.google.com -www -artsandculture -news inurl:?

After recon:
gobuster dir -u <link> -w <wordlist> -o 1.txt
cat 1.txt | cut -d " " -f 2
cat name.txt | gf xss
cat name.txt | gf ssrf
cat name.txt | gf idor

Nmap commands:
nmap <subdomain.com>
nmap <subdomain.com> -p 80,443,22
nmap <subdomain.com> -sV
nmap <subdomain.com> -sS
nmap <subdomain.com> -sU
nmap <subdomain.com> --script=vuln
nmap <subdomain.com> --script=enum
nmap --script=vuln -sV -sT -iL sub.txt -oN result.txt
nmap -sU -sV -iL sub.txt -oN result.txt

Gau:
echo "<link>" | gau
gau example.com google.com
gau example.com --o url.txt
gau example.com --blacklist jpg,png,gif
cat name.txt | wc -l
cat name.txt | httpx -mc 200

Prepared By : Zaber Mahmud
