Web_Recon
First Manually Walking Through the Target
Try to uncover every feature in the application that users can access by browsing through every page and clicking every link. Access the functionalities that you don’t usually use.
Google Dorking
Google can be a means of discovering valuable information such as hidden admin portals, unlocked password files, and leaked authentication keys. Useful search operators include inurl:, site:, intitle:, link:, filetype:, the wildcard (*), quotes (" "), OR (|), and minus (-).
Look for all of a company’s subdomains by searching:
site:*.example.com
A compromised Kibana instance can allow attackers to collect extensive information about a site’s operation. Many Kibana dashboards run under the path app/kibana, so this query will reveal whether the target has a Kibana dashboard. You can then try to access the dashboard to see if it’s unprotected:
site:example.com inurl:app/kibana
Google can also find company resources hosted by a third party, such as Amazon S3 buckets:
site:s3.amazonaws.com COMPANY_NAME
Look for special extensions that could indicate a sensitive file:
site:example.com ext:(php | log | jsp | asp)
Use the Google Hacking Database (GHDB). It contains many search queries that could be helpful to you during the recon process.
WHOIS and Reverse WHOIS
You might be able to find the associated contact information, such as an email, name, address, or phone number:
$ whois facebook.com
Find the IP address of a domain you know by running the nslookup command:
$ nslookup facebook.com
Reverse IP lookups and IP ranges (CIDRs): also run whois on the IP address itself. Reverse IP searches look for domains hosted on the same server.
Autonomous system numbers (ASNs) identify the owners of these networks. To check whether two IP addresses share an ASN, run several IP-to-ASN translations and see whether the addresses map to a single ASN. If many addresses within a range belong to the same ASN, the organization might have a dedicated IP range.
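The grouping step described above, as an added example that is not from the original page: given the results of several IP-to-ASN translations (the addresses and ASNs below are constructed from documentation ranges, not real assignments), it groups addresses by ASN, checks whether two addresses share one, and computes the smallest prefix covering each ASN's addresses as a candidate dedicated range. The lookup itself (whois, Team Cymru, or whatever service you use) is assumed to have already been done; the script only works on its output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: output of looking each address up in an IP-to-ASN
# service. The ASNs are from the documentation range and are not real.
SAMPLE_LOOKUPS = [
    ("203.0.113.5", "AS64500"),
    ("203.0.113.9", "AS64500"),
    ("203.0.113.77", "AS64500"),
    ("203.0.113.200", "AS64500"),
    ("198.51.100.4", "AS64501"),
    ("198.51.100.9", "AS64501"),
    ("192.0.2.33", "AS64502"),
]


def group_by_asn(lookups):
    """Map each ASN to the sorted list of addresses that resolved to it."""
    groups = defaultdict(list)
    for ip, asn in lookups:
        groups[asn].append(ipaddress.ip_address(ip))
    return {asn: sorted(ips) for asn, ips in groups.items()}


def share_asn(lookups, ip_a, ip_b):
    """True when both addresses were translated to the same ASN."""
    table = dict(lookups)
    return ip_a in table and ip_b in table and table[ip_a] == table[ip_b]


def covering_prefix(ips):
    """Smallest prefix that contains every address in ips.

    All addresses must be of the same family; the loop widens the prefix
    one bit at a time until every host is inside it.
    """
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("mixed IPv4/IPv6 addresses cannot share a prefix")
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def dedicated_range_candidates(lookups, min_hosts=3):
    """ASNs that own at least min_hosts observed addresses, each with the
    smallest prefix covering them: a likely dedicated range for the org."""
    candidates = {}
    for asn, ips in group_by_asn(lookups).items():
        if len(ips) >= min_hosts:
            candidates[asn] = str(covering_prefix(ips))
    return candidates


if __name__ == "__main__":
    for asn, prefix in dedicated_range_candidates(SAMPLE_LOOKUPS).items():
        print(asn, prefix)
```

The covering prefix is an upper bound on what the organization might own, not proof of ownership; confirm the range against the whois record for the netblock before treating it as in scope.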
Subdomain Enumeration
Service Enumeration
Service enumeration can be done in two ways. The first is an active scan using nmap or masscan; the second is passive, using Shodan, Censys, or Project Sonar. Passive sources give a lot of valuable information, so they are very important.
Directory Brute-Forcing
The next thing you can do to discover more of the site’s attack surface is brute-force the directories of the web servers you’ve found. You might discover hidden admin panels, configuration files, password files, outdated functionalities, database copies, and source code files. Directory brute-forcing can sometimes allow you to directly take over a server! You can use Dirsearch or Gobuster for directory brute-forcing. Gobuster’s dir mode is used to find additional content on a specific domain or subdomain, including hidden directories and files.
Spidering the Site
Third-Party Hosting
Organizations can pay to store resources in buckets to serve in their web applications, or they can use S3 buckets as a backup or storage location. Most buckets use the URL format BUCKET.s3.amazonaws.com or http://s3.amazonaws.com/BUCKET, so the following search terms are likely to find results:
site:s3.amazonaws.com COMPANY_NAME
site:amazonaws.com COMPANY_NAME
Companies often still place keywords like aws and s3 in their custom bucket URLs, so try these searches:
amazonaws s3 COMPANY_NAME
amazonaws bucket COMPANY_NAME
amazonaws COMPANY_NAME
s3 COMPANY_NAME
GitHub Recon
Start by finding the GitHub usernames relevant to your target by searching product names via GitHub’s search bar. When you’ve found usernames, visit their pages. Find repositories related to the projects you’re testing and record them, along with the usernames of the organization’s top contributors.
For each repository, pay special attention to the Issues and Commits sections. These sections are full of potential info leaks: unresolved bugs in Issues, and recent code changes in Commits that haven’t stood the test of time and are therefore more likely to contain bugs.
Look at any protection mechanisms implemented to see if you can bypass them.
Search the Code section for potentially vulnerable code snippets.
Once you’ve found a file of interest, check the Blame and History sections at the top-right corner of the file’s page to see how it was developed.
Look for hardcoded secrets such as API keys, encryption keys, and database passwords. Search the organization’s repositories for terms like key, secret, and password to locate hardcoded user credentials that you can use to access internal systems.
See if any of the source code deals with important functions such as authentication, password reset, state-changing actions, or private info reads. Pay attention to code that deals with user input, such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and file uploads.
Look for any configuration files. Also search for old endpoints and S3 bucket URLs that you can attack. Record these files for further review in the future.
Pay attention to the dependencies and imports being used and go through the versions list to see if they’re outdated; record them. You can use this information later to look for publicly disclosed vulnerabilities that would work on your target.
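The hardcoded-secret search and the S3 bucket URL search from this section and from Third-Party Hosting, combined into one added example that is not from the original page: it scans a set of source files for credential assignments, AWS access key IDs (the AKIA prefix followed by 16 characters is the real key ID format), and both S3 URL styles, including the regional forms (BUCKET.s3.REGION.amazonaws.com and s3.REGION.amazonaws.com/BUCKET), which go slightly beyond the two formats the text lists. The file contents, key and bucket names are constructed for the example and are not real credentials or buckets; the same scan run over your own repositories is also the quickest way to find what an outside party would find.

```python
import re

# Constructed sample standing in for a repository checkout; every value here
# is made up for the example (the AKIA key is not a real credential).
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_PASSWORD = 'hunter2-not-real'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000000'\n"
        "BACKUP_URL = 'https://legacy-backups-example.s3.amazonaws.com/dump.sql'\n"
    ),
    "static/app.js": (
        "const assets = 'http://s3.amazonaws.com/example-static-assets/';\n"
        "const apiBase = 'https://api.example.com';\n"
    ),
    "README.md": "Nothing sensitive here.\n",
}

# Secret indicators: the AWS access key ID format, and quoted values assigned
# to names containing password/secret/api key/token (the terms the text lists).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([^'\"]{4,})['\"]"
    ),
}

# S3 references: virtual-hosted style (bucket in the host name) and path style
# (bucket as the first path segment), with an optional region after "s3".
S3_PATTERNS = [
    re.compile(r"\b([a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
    # the lookbehind stops "bucket.s3.amazonaws.com/object" from being read as path style
    re.compile(r"(?<![a-z0-9.-])s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]{3,63})"),
]


def scan_text(path, text):
    """Return findings for one file: hardcoded secrets and S3 bucket references."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "line": lineno, "kind": kind, "value": value})
        for pattern in S3_PATTERNS:
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": "s3_bucket", "value": m.group(1)})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def bucket_names(files):
    """Sorted, de-duplicated bucket names referenced anywhere in the files."""
    return sorted({f["value"] for f in scan_files(files) if f["kind"] == "s3_bucket"})


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

Regex-based scanning produces false positives (test fixtures, placeholder strings), so treat each finding as a lead to verify against the commit history, not as a confirmed leak; for an organization's own repositories the list of bucket names is the starting point for checking each bucket's access policy.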
Creating Your Own Scripts
Take a look at [[Bash_Scripting]]
Summary
Here you can find an extensive summary of all the tools mentioned in this article and the whole process
Scope Discovery
WHOIS looks for the owner of a domain or IP.
nslookup queries internet name servers for IP information about a host.
OSINT
Tech Stack Fingerprinting
Automation