My approach to Recon

From a long time I wanted to write a blog on "Recon", every time in community meet-ups or my friends were asking about "How to do Recon".

So, I decided to write this blog and tried to include such tools and services which helps me a lot while hunting.

Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively or passively.

Why Recon ?

•     Info to increase attack surface
•     Sensitive information
•     Infrastructure details

Before starting I recommend to install "Swiftness" it helps a lot in target tracking and Notes keeping.

In this post I’ll provide the results of a simple and straightforward evaluation of the following sub-domain enumeration tools:

I start my recon process by using the Subfinder.

• Subfinder (https://github.com/ice3man543/subfinder)
• Knock (https://github.com/guelfoweb/knock)
• Sudomy (https://github.com/Screetsec/Sudomy)
• Lazy Recon (https://github.com/nahamsec/lazyrecon)
• Findomain (https://github.com/Edu4rdSHL/findomain)
• Amass (https://github.com/caffix/amass)
• Shodan (https://github.com/incogbyte/shosubgo)

For Visual Recon I mostly use:

• EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness)
• Webscreenshot (https://github.com/maaaaz/webscreenshot)
• Aquatone (https://github.com/michenriksen/aquatone)

More assets ~ Great Extend

• https://github.com/0xbharath/censys-enumeration
• https://github.com/tomnomnom/assetfinder
• https://github.com/MilindPurswani/Syborg
• https://github.com/0xbharath/assets-from-spf/

Check for wayback URL's

• Waybackurls (https://github.com/tomnomnom/waybackurls)
• https://gist.github.com/mhmdiaa/2742c5e147d49a804b408bfed3d32d07
• http://ptrarchive.com/
• ReconCat (https://github.com/daudmalik06/ReconCat)

Domains from CSP

• Domain from CSP (https://github.com/0xbharath/domains-from-csp)

Virtual Host Discovery

• Virtual Host Discovery (https://github.com/jobertabma/virtual-host-discovery)
• https://pentest-tools.com/information-gathering/find-virtual-hosts

JS is 💛

• Meg (https://github.com/tomnomnom/meg)
• JSParser (https://github.com/nahamsec/JSParser)
• Link Finder (https://github.com/GerbenJavado/LinkFinder)
• SubJS (https://github.com/lc/subjs)
• GetJS (https://github.com/003random/getJS)
• https://javascriptbeautifier.com/

Github For Recon

• TruffleHog (https://github.com/dxa4481/truffleHog)
• Gitrob (https://github.com/michenriksen/gitrob)
• Github Cloner (https://github.com/mazen160/GithubCloner)
• Shhgit (https://github.com/eth0izzle/shhgit)
• Git all Secrets (https://github.com/anshumanbh/git-all-secrets)

For Manual Analysis, please check

•     API and key. (Get some more endpoints and find API keys.)
•     token
•     secret
•     TODO
•     password
•     http:// & https://
•     comments

Leaked Buckets

• S3Scanner (https://github.com/sa7mon/S3Scanner)
• Lazys3 (https://github.com/nahamsec/lazys3)
• Spaces Finder (https://github.com/appsecco/spaces-finder)
• CloudFlare Enumeration (https://github.com/mandatoryprogrammer/cloudflare_enum)

Certificate Transparency
 

• https://certdb.com/
• https://crt.sh/?q=%25target.com
• https://developers.facebook.com/tools/ct/search/
• https://transparencyreport.google.com/https/certificates?hl=en
• https://searchdns.netcraft.com/

Blog : https://blog.appsecco.com/certificate-transparency-part-3-the-dark-side-9d401809b025

Online Scarping

• https://virustotal.com/
• https://www.shodan.io/
• https://censys.io
• http://dnsgoodies.com
• https://viewdns.info/
• https://dnsdumpster.com/
• https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=xyz.com
• https://api.hackertarget.com/hostsearch/?q=xyz.com

Add-ons

• Retire.js: Outdated libraries
• Wappalyzer: Uncovers the technologies used on websites.

Best of luck for Hunting.
 
If you have questions about the post you want to ask me, Please contact me via twitter/fb.

Feed backs and edits are welcome.