πExtensive Recon Guide For Bug Hunting
WHAT IS RECONNAISSANCE?
Reconnaissance is one of the most important aspects of penetration testing. Itβs also known as Recon. Recon will help you to increase attack surface area and may allow you to get more vulnerabilities but the ultimate goal is to dig deep in the target.
Recon = Increase in Attack surface = More vulnerabilities
Recon = Finding untouched endpoints = Fewer duplicates
Recon = Sharpening your axe before attack
1. SUBDOMAIN ENUMERATION
Subdomain enumeration is the process of finding subdomains for one or more domains.
Tools used β
Visual Reconβ
Command Lineβ
Oneliners for Subdomain Enumeration β
$ amass enum -passive -norecursive -noalts -df domians.txt -o subs-list.txt
$ dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
$ cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt2. FILTERING THE SUBDOMAINS WITH HTTPX
$ httpx -l domain.txt -timeout 13 -o domain-probe.txtPORT SCANNING β
$ naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
$ naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
$ cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txtSUBDOMAIN OF SUBDOMAIN ENUMERATION β βThis is one of the rare things people search for.β Tools used:
Subbrute: https://github.com/TheRook/subbrute
Altdns: https://github.com/infosec-au/altdns
Usage:
./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt
3. SCREENSHOT TOOLS
These tools are capable of taking screenshots of websites to view offline anytime.
Tools used β
Eyewitness: https://github.com/FortyNorthSecurity/EyeWitness
httpscreenshot: https://github.com/breenmachine/httpscreenshot
4. BROADENING YOUR SCOPE
More targets lead to more option which ultimately lead to more opportunities.
Crunchbase
bgp.he.net
tools.whoisxmlapi.com
5. WHAT TO DO AFTER ENUMERATION? | Collecting URLs
Waybackurls: https://github.com/tomnomnom/waybackurls
web archieve: https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse= urlkey
6. TIPS AND TRICKS
1. After collecting URLs, curl out the responses of the URLs and grep for the following URLs:
drive.google
docs.google
/spreadsheets/d/
/document/d/
$ cat domains.txt | katana -silent | while read url; do cu=$(curl -s $url | grep -E '(drive. google | docs. google | spreadsheet\/d | document.\/d\/)' ;echo -e " ==> $url" "\n"" $cu" ; done
2. Using paramspider, gxss to detect Cross-site Scripting (XSS)
Commands:-
$ cat params | qsreplace yogi | dalfox pipe --mining-dom --deep-domxss --mining-dict --remotepayloads=portswigger,payloadbox --remote wordlists=burp,assetnote -o xssoutput.txt$ cat alive.txt | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)" | tee xssBug3.txt
3. Using SQLidetector to search for sqli
Tool Link: https://github.com/eslam3kl/SQLiDetector
7. SHODAN FOR RECON
Shodan: https://www.shodan.io/
Shodan Dorks β
ssl: βtarget[.]comβ 200 http.title: βdashboardβ βunauthenticated dashboard org:βtarget.comβ x-jenkins 200 β unauthenticated jenkins server ssl:βtarget.comβ 200 proftpd port:21 β proftpd port:21 org:βtarget.comβ http.html:zabbix β CVE-2022-24255 Main & Admin Portals: Authentication Bypass org:βtarget.comβ http.title:βphpmyadminβ β-php my admin ssl:βtarget.comβ http.title:"BIG-IP βF5 BIG-IP using CVE-2020-5902
Example Writeup:- How I found XSS by searching in Shodan - Writeup
8. CENSYS FOR RECON
Censys: https://www.censys.io/ Example Writeup:- Letβs fuck waf using Origin IP: My approach on censys By Deepak Dhiman
9. FUZZING FOR SENSITIVE FILES & DIRECTORIES
Ffuf: https://github.com/ffuf/ffuf
Example Writeup:-Ffuf-ing Recon Writeup on FFuf
$ for i in cat host.txt; do ffuf -u $i/FUZZ -w wordlist.txt -mc 200,302,401 -se ;doneTip: Fuzz for β/wp-content/debug.logβ || Sometimes they contain SQL error, which can be chained.
10. FINDING SOURCE/BACKUP FILES
Subdomain Name: y0gi.hacklido.com
y0gi.hacklido.com /y0gi.zip - hacklido.zip β admin.zip β backup.zip y0gi.hacklido.com/y0gi/y0gi.zip - hacklido.zip β admin.zip β backup.zip y0gi. hacklido.com/hacklido/y0gi.zip - hacklido.zip β admin.zip β backup.zip y0gi. hacklido.com/admin/y0gi.zip - hacklido.zip β admin.zip β backup.zip
Tool Link: https://github.com/musana/fuzzuli
11. GOOGLE & GITHUB DORKING
Trivial Tricks:
Find Sensitive Data in Cloud storage through Google Dork:
site:http://s3.amazonaws.com βtarget[.]comβ site:http://blob.core.windows.net βtarget[.]comβ site:http://googleapis.com βtarget[.]comβ site:http://drive.google.com βtarget[.]comβ
Github Leaks for AWS, Jira, Okta, etc:
Org:βtargetβ pwd/pass/passwd/password βtarget.atlassianβ pwd/pass/passwd/password βtarget.oktaβ pwd/pass/passwd/password βJira.targetβ pwd/pass/passwd/password
Also search in Google groups, Gitlabs.
12. JAVASCRIPT[JS] FILES RECON
Grep all urls from wayback or gau.
Collect all js file β.jsβ
Filter js file:
$ httpx -content-type | grep 'application/javascript'Perform Nuclei scan
$ nuclei -t /root/nuclei-templates/exposures/
Js Recon Tip:
Collect all endpoints from Js files & Create a wordlist from those.
Craft a POST request with any parameter.
Use that request to fuzz for sensitive directory.
Tools:- JSFScan.sh , Jsminer {Burp Extension} , Trufflehog
13. SOME AUTOMATION FRAMEWORKS
Sudomy: https://github.com/Screetsec/Sudomy
Reconftw: https://github.com/six2dez/reconftw
Final Thoughts
Verify Data
Some data are intended, No bug here.
Reported > Invalid
Donβt get angry, You may lose bonds with good program
Yes, They do accept Third Party
Your crafting and exploits are gold. Make it high as you can
Be humble with Program
Money going no where. Donβt message constant to team
Last updated