
Extensive Recon Guide For Bug Hunting


Last updated 1 year ago

WHAT IS RECONNAISSANCE?

Reconnaissance, also known as recon, is one of the most important phases of penetration testing. Recon widens the attack surface you can examine and may therefore surface more vulnerabilities, but the ultimate goal is to dig deep into the target.


1. SUBDOMAIN ENUMERATION

Subdomain enumeration is the process of finding subdomains for one or more domains.

Tools used ⇒

Visual Recon ⇒

  • https://Virustotal.com

  • https://Subdomainfinder.c99.nl

  • https://crt.sh/?q=%25.target.com

  • https://securitytrails.com/list/apex_domain/target.com

  • https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22

Command Line ⇒

  • Amass

  • Subfinder

  • dnsx

  • Chaos

  • Assetfinder

Oneliners for Subdomain Enumeration ⇒

$ amass enum -passive -norecursive -noalts -df domains.txt -o subs-list.txt
$ dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
$ cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt

2. FILTERING THE SUBDOMAINS WITH HTTPX

$ httpx -l domain.txt -timeout 13 -o domain-probe.txt

PORT SCANNING ⇒

$ naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
$ naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
$ cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txt

SUBDOMAIN OF SUBDOMAIN ENUMERATION ⇒ “This is one of the rare things people search for.” Tools used:

  • Subbrute: https://github.com/TheRook/subbrute

  • Altdns: https://github.com/infosec-au/altdns

    • Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt


3. SCREENSHOT TOOLS

These tools are capable of taking screenshots of websites to view offline anytime.

Tools used ⇒

  • Eyewitness: https://github.com/FortyNorthSecurity/EyeWitness

  • httpscreenshot: https://github.com/breenmachine/httpscreenshot


4. BROADENING YOUR SCOPE

More targets lead to more options, which ultimately lead to more opportunities. Sources for finding related companies, ASNs and IP ranges:

  • Crunchbase

  • bgp.he.net

  • tools.whoisxmlapi.com

  • https://whois.arin.net/


5. WHAT TO DO AFTER ENUMERATION? | Collecting URLs

  • Waybackurls: https://github.com/tomnomnom/waybackurls

  • Gau: https://github.com/lc/gau

  • Web archive (collapse on urlkey): https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse=urlkey

Grep all URLs from wayback or gau.

6. TIPS AND TRICKS

1. After collecting URLs, curl out the responses of the URLs and grep for the following strings:

  • drive.google

  • docs.google

  • /spreadsheets/d/

  • /document/d/

    $ cat domains.txt | katana -silent | while read -r url; do cu=$(curl -s "$url" | grep -E '(drive\.google|docs\.google|/spreadsheets/d/|/document/d/)'); echo -e " ==> $url\n $cu"; done

2. Using paramspider and gxss to detect Cross-site Scripting (XSS)

  • Commands:-

    $ cat params | qsreplace yogi | dalfox pipe --mining-dom --deep-domxss --mining-dict --remote-payloads=portswigger,payloadbox --remote-wordlists=burp,assetnote -o xssoutput.txt
    $ cat alive.txt | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)" | tee xssBug3.txt

3. Using SQLiDetector to search for SQLi

  • Tool Link: https://github.com/eslam3kl/SQLiDetector


7. SHODAN FOR RECON

Shodan: https://www.shodan.io/

Shodan Dorks ⇒

  • ssl:“target[.]com” 200 http.title:“dashboard” – unauthenticated dashboard

  • org:“target.com” x-jenkins 200 – unauthenticated Jenkins server

  • ssl:“target.com” 200 proftpd port:21 – proftpd on port 21

  • org:“target.com” http.html:zabbix – CVE-2022-24255 Main & Admin Portals: Authentication Bypass

  • org:“target.com” http.title:“phpmyadmin” – phpMyAdmin

  • ssl:“target.com” http.title:"BIG-IP" – F5 BIG-IP using CVE-2020-5902

Example Writeup:- How I found XSS by searching in Shodan - Writeup


8. CENSYS FOR RECON

Censys: https://www.censys.io/

Example Writeup:- Let’s fuck waf using Origin IP: My approach on censys By Deepak Dhiman

9. FUZZING FOR SENSITIVE FILES & DIRECTORIES

Ffuf: https://github.com/ffuf/ffuf

$ for i in $(cat host.txt); do ffuf -u "$i/FUZZ" -w wordlist.txt -mc 200,302,401 -se; done

  • Tip: Fuzz for “/wp-content/debug.log” || Sometimes it contains SQL errors, which can be chained.

Example Writeup:- Ffuf-ing Recon Writeup on FFuf


10. FINDING SOURCE/BACKUP FILES

Subdomain Name: y0gi.hacklido.com

  • y0gi.hacklido.com/y0gi.zip – hacklido.zip – admin.zip – backup.zip

  • y0gi.hacklido.com/y0gi/y0gi.zip – hacklido.zip – admin.zip – backup.zip

  • y0gi.hacklido.com/hacklido/y0gi.zip – hacklido.zip – admin.zip – backup.zip

  • y0gi.hacklido.com/admin/y0gi.zip – hacklido.zip – admin.zip – backup.zip

Tool Link: https://github.com/musana/fuzzuli
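The candidate list above as a small generator, an added example rather than code from the original guide: it derives the same root, /<label>/ and /admin/ archive paths from any hostname so they can be piped into ffuf or httpx. The function name and the https scheme are assumptions.

```shell
# Added example (not from the original guide): list the backup-archive paths
# the guide describes for a hostname. For y0gi.hacklido.com it yields
# <label>.zip, admin.zip and backup.zip at the web root and under /<label>/
# and /admin/, 16 URLs in total. Nothing is fetched here; feed the output to
# ffuf/httpx. Assumes POSIX sh; https scheme and the .zip-only list are
# assumptions (fuzzuli tries more extensions).

backup_candidates() {
    host=$1
    # hostname labels without the public suffix, e.g. "y0gi" and "hacklido"
    labels=$(printf '%s\n' "$host" | awk -F. '{for (i = 1; i < NF; i++) print $i}')
    names="$labels admin backup"   # archive base names
    dirs=". $labels admin"         # "." stands for the web root
    for d in $dirs; do
        for n in $names; do
            if [ "$d" = "." ]; then
                printf 'https://%s/%s.zip\n' "$host" "$n"
            else
                printf 'https://%s/%s/%s.zip\n' "$host" "$d" "$n"
            fi
        done
    done | sort -u
}

# usage: backup_candidates y0gi.hacklido.com | ffuf -w - -u FUZZ -mc 200
```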


11. GOOGLE & GITHUB DORKING

Trivial Tricks:

  • Find Sensitive Data in Cloud storage through Google Dork:

    site:s3.amazonaws.com “target[.]com”
    site:blob.core.windows.net “target[.]com”
    site:googleapis.com “target[.]com”
    site:drive.google.com “target[.]com”

  • Github Leaks for AWS, Jira, Okta, etc:

    Org:“target” pwd/pass/passwd/password
    “target.atlassian” pwd/pass/passwd/password
    “target.okta” pwd/pass/passwd/password
    “Jira.target” pwd/pass/passwd/password

  • Also search in Google Groups and GitLab.


12. JAVASCRIPT[JS] FILES RECON

  • Collect all JS files (“.js”)

  • Filter JS files by content type:

    $ cat urls.txt | httpx -content-type | grep 'application/javascript'

  • Perform a Nuclei scan with the exposures templates:

    $ nuclei -l js.txt -t /root/nuclei-templates/exposures/

  • Collect all endpoints from the JS files & create a wordlist from those.

  • Craft a POST request with any parameter.

  • Use that request to fuzz for sensitive directories.

  • Js Recon Tip: Tools:- JSFScan.sh, Jsminer {Burp Extension}, Trufflehog
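An added example (not from the original guide) for the "collect all endpoints from the JS files and create a wordlist" step: it pulls path-like string literals out of JavaScript read from stdin and prints a deduplicated list of paths ready for fuzzing. The function names and the constructed sample script are assumptions.

```shell
# Added example (not from the original guide): build a path wordlist from
# JavaScript. Reads JS on stdin, keeps quoted literals that are absolute URLs
# or begin with "/", drops static assets, and prints unique paths.
# Assumes POSIX sh with grep -E and sed -E; the sample JS is constructed.

js_endpoints() {
    # quoted literal: http(s)://... or /path with at least one char after "/"
    grep -Eo "[\"'\`](https?://[^\"'\` ]+|/[A-Za-z0-9_./?=&%-]+)[\"'\`]" \
        | sed -e "s/^[\"'\`]//" -e "s/[\"'\`]$//" \
        | grep -Ev '^/?$|\.(js|css|png|jpg|svg|woff2?)(\?|$)' \
        | sort -u
}

# Strip scheme and host from absolute URLs so the result is a pure path list.
js_wordlist() {
    js_endpoints | sed -E 's#^https?://[^/]+##' | grep -E '^/' | sort -u
}

# Constructed sample JS for an offline run (hostnames are placeholders).
SAMPLE_JS='const API = "https://api.example.test/v2/users";
fetch("/api/v2/orders?status=open");
const img = "/static/logo.png";
axios.post(`/internal/admin/export`, data);
var s = "/";'

sample_paths() { printf '%s\n' "$SAMPLE_JS" | js_wordlist; }

# usage: cat app.js | js_wordlist > endpoints.txt
```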


13. SOME AUTOMATION FRAMEWORKS

  • Sudomy: https://github.com/Screetsec/Sudomy

  • Reconftw: https://github.com/six2dez/reconftw

Final Thoughts

  • Some data are intended; there is no bug there.

    • Verify the data first.

  • Don’t get angry; you may lose your bond with a good program.

    • Reported > Invalid

  • Your crafting and exploits are gold. Make the impact as high as you can.

    • Yes, they do accept third-party issues.

  • Money isn’t going anywhere. Don’t message the team constantly.

    • Be humble with the program.

Recon = Increase in attack surface = More vulnerabilities
Recon = Finding untouched endpoints = Fewer duplicates
Recon = Sharpening your axe before the attack
