Recon:
Google Dorking:
site:x = shows results from a certain domain only
inurl: "x" = searches for pages with a url that matches the string "x"
intitle: "x" = only shows webpages with a title that includes x
link:"x" = shows webpages that have x link in them
filetype:x = searches for pages with x file extension
Quotes("") = force an exact match in a search in exact order
Minus(-x) = excludes x
WHOIS and Reverse WHOIS:
Installed in C:WHOIS ... use terminal
When a domain is registered, info must be given to identify the registered people.
Reverse WHOIS can find registered domains for an individual or company name
Browser bookmark for this
Run WHOIS on IP address to find subdomains
IP Addresses:
Use nslookup (website bookmarked) to find ip of website
Certificate Searches:
Use crt.sh (bookmarked) to find alternate domain names using the same certificate (aka subdomains)
Subdomain Enumeration:
After finding many domains on the target, enumerate with sublist3r to find subdomains for each
Use gobuster dns mode for subdomain enumeration: - - - (or amass)
gobuster dns -d x.com -w -
Service Enumeration:
Use Nmap (on desktop) to find services running on open ports.
Directory Brute-forcing:
Use gobuster for directory brute-forcing:
gobuster dir -u x.com -w -
Web crawling:
Actually opening each url on a page, then each url from each of those pages, and so on.
Use the crawler in Burp Suite
Github Recon:
Oftentimes, companies will accidentally commit sensitive data or hints to vulnerabilities in public repositories
PAY SPECIAL ATTENTION TO ISSUES AND COMMITS:
These are full of potential for unsolved issues and unpatched bugs.
Look at protection mechanisms implemented and see if there is a bypass.
Once you have found a file of interest, check the Blame and History sections to see how it was developed
Look for hardcoded secrets like API keys, encryption keys, and database passwords
See if any source code deals with sensitive functionalities such as authentication, password reset, state-changing actions, or private info reads
Pay special attention to code that deals with user input, such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file uploads, etc.
Check for outdated dependencies (check outdated versions for exploits)
Fingerprinting:
Run Nmap with -sV flag to enable version detection of services
In Burp, send a request to the server to check the HTTP headers. A server might leak useful info:
- HTTP headers like Server or X-Powered-By indicate technologies
- Server often reveals software versions running on server
- X-Powered-By reveals server or scripting language used
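Added example (not from these notes): a small Python check that parses a raw HTTP response and flags the Server / X-Powered-By disclosures described above, so you can audit your own servers for version leakage. The response text is constructed for the example, and the header list is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample response (not a real capture): a server that leaks
# its software version and the scripting language behind the app.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# Headers that commonly disclose the technology stack (assumed list).
# Remediation on the server side: Apache "ServerTokens Prod",
# nginx "server_tokens off;", PHP "expose_php = Off".
DISCLOSING_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lowercase-keyed header dict."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # skip the status line
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" not in line:
            continue  # malformed header line: ignore rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that leaks technology or version info."""
    findings: List[str] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name}: '{value}' exposes a version number")
        else:
            findings.append(f"{name}: '{value}' names the technology")
    return findings


def audit_response(raw_response: str) -> List[str]:
    """Parse a raw response and report disclosing headers."""
    return find_disclosures(parse_headers(raw_response))


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```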