Greeting Everyone ! Hope Everything Is Going Good ! Today we Are Going to see How Easily You Can Perform Recon Against Your Targeted Domain We Are Going to Look Subdomains, Services , Server Info, Os Details, All Valid Url’s, All Wayback url, Google Hacking That we Are Going To cover In My firs Writeup On Recon Techniques this Guide For Who actually Started their Bugbounty Hunting .
This is my first writ-up on recon which we can utilize through some automation tool if your new in Bugbounty or web hacking field this blog may give you how you can start through subdomain finding to waybackurl & google hacking using google some interesting keyword.
Reconnaissance recon is a set of processes and techniques (Footprinting, Scanning & Enumeration) used to covertly discover and collect information about a target system. This phase help a tester to collect all possible Information About Target We have two Recon Phase ACTIVE Recon, PASSIVE Recon.
Let’s Start Your Recon Process:
→ Set Your Target In our case We will Set www.tesla.com As Recon
Look for Subdomains :
Tool : Subfinder, Sublis3r, subbrute
Usage Of Subfinder To utilize Your testing Phase Combo Two Tool Subfinder + httpx For Installation
subfinder -d tesla.com -silent -o domainsesla.txt | httpx -title -content-length -status-code -silent
As above command We See We combo two tool Subfinder + httpx We gathered All subdomains Inside Our Given File As We See We can Analyse Which Subdomain Is actually Active With their Response Code or Length Value .
Scan All Possible Services Port Against All Domain & Subdomain We collected Before :
Tool: Nmap, naabu, Rustscan
We Are going To utilize Our Recon Phase using Naabu : (Installation More Guide )Naabu is Good project Discovery Tool For Scan All Default Port Against Your Targeted Site.
Usage of Naabu:
naabu -iL domainlist.txt (List We According To Our Collected Subdomain Before)
To scan Against Specific Port → naabu -p 80,443,21–23 -iL domainlist.txt & Add Flag
As Above To run the naabu on a list of hosts,
-iL option can be used we successfully Get result As we Got All Valid Open Port from targeted Domain’s List.
Discover Server Information Using nikto , wappalyzer
We Are going to Verify Server Information Using Wappalyzer tool: Wappalyzer (Installation https://www.wappalyzer.com/)is a technology profiler that shows you what websites are built with.
Usage: Its Extension Which Flexible With Browser Whenever You Will Serve Your Targeted Site You Will Get Server Info Or Many More when Your Browsing your Targeted site.
Nikto : Using Nikto Banner grab Server Info .
Usage Of Niko: nikto -h target
As above we see we Successfully verified Server Info about our target Now You can Go CVE according to server Version.
Look For Os Details:
tools We are using: Nmap, zenmap , Wappalyzer
Usage Of nmap: Nmap is networking Scanning tool which scan network infrastructure, services as OS fingerprint.
command: nmap -A target
As above scan we used -A for aggressive scan as we got running OS Details.
Look for all Valid Url’s:
Tool we will use: Gau, linkfinder, burp spider
Usage Of gau: getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
Usage of gau: gau domain.com -o output.txt (save it in output file )
As above we fetch all url’s from respective domain which we saved as output file using -o .
Find all urls using waybackurl:
Tool we use: waybackurl
Usage Of Waybackurl: This is really a good tool for bugbounty hunter to fetch all url from wayback machine .
Command: cat domainstesla.txt | waybackurls
As above we already saved all subdomains of tesla using subfinder tool so we used that file domainstesla.txt
Now we have all wayback urls now You can grep to collect you interesting parameter or end point usage: grep -iE “redirect=”.
Google hacking Content discovery:
Utilize google hacking technique to find more bug it help us to find file , parameter, directory structure , critical data such password, ftp , sql info, database exposed.
Find some interesting extension
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
As we see we found all valid url which contain .php you can check like jsp, txt,pdf, doc, aspx
some google dorking keyword: https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc
For Today that’s all I will Come with some interesting Topic on recon in next write up!
Hope You enjoyed ! Happy Hunting!
My twitter : https://twitter.com/@cyberTEACH2