Introduction
Reconnaissance is a critical phase in penetration testing and cybersecurity assessments. It involves gathering as much information as possible about a target system or network to identify potential entry points and understand the target’s infrastructure. This data is crucial for exploiting vulnerabilities and ensuring a successful security assessment. In this comprehensive guide, we will explore the various techniques and tools used in reconnaissance, categorized into small, medium, and large scope targets.
Reconnaissance for Small Scope Targets
Small scope targets typically include single domains, such as target.com. Focusing on a limited scope allows for a more in-depth analysis of specific assets.
1. Whois Lookup
- Tool: `whois target.com`
- Purpose: Retrieve registration details, including domain owner information, contact details, and the domain’s history.
2. DNS Records Lookup
- Tools: `dnsrecon`, `dnsenum`
- Purpose: Extract DNS records to gather information about nameservers, mail servers, and IP addresses associated with the domain.
3. Technology Fingerprinting
- Tool: `whatweb target.com`
- Purpose: Identify the technologies in use, such as the web server, content management system (CMS), and frameworks.
4. Identifying CVEs
- Tools: Snyk, retire.js (Burp extension, browser extension)
- Purpose: Check for known vulnerabilities (Common Vulnerabilities and Exposures, CVEs) related to the technologies employed by the target.
5. Directory Enumeration
- Tool: `ffuf`
- Purpose: Discover hidden directories and files on the web server that may contain sensitive information.
6. Port Scanning
- Tool: `nmap`
- Purpose: Identify open ports and the services running on them, which could serve as entry points for attacks.
7. Broken Link Hijacking
- Tools: `blc`, `socialhunter`
- Purpose: Detect broken links that can be hijacked for malicious purposes.
8. Wayback History
- Tools: `waybackurls`, `waymore`
- Purpose: Retrieve historical versions of the target’s web pages to uncover outdated and potentially vulnerable content.
9. Analyzing JavaScript Files
- Tools: `JFScan`, `SecretFinder`, `LinkFinder`, `retire.js`
- Purpose: Analyze JavaScript files for exposed secrets, API keys, and other sensitive information.
10. Parameter Discovery
- Tools: `ParamSpider`, `Arjun`, Param Miner (Burp extension)
- Purpose: Identify and manipulate parameters that could be used for further exploitation.
11. Google Dorking
- Tool: Google advanced search operators (Google dorks)
- Purpose: Use advanced search operators to find specific types of information exposed by the target.
12. GitHub Search
- Tools: `trufflehog`, `gitGraber`, `GitDorker`
- Purpose: Search GitHub repositories for exposed credentials or sensitive information related to the target.
13. Misconfigured Cloud Storage
- Tools: `cloud_enum`, buckets.com
- Purpose: Identify and exploit misconfigured cloud storage buckets associated with the target.
14. Template-Based Scanning
- Tool: `nuclei`
- Purpose: Automate vulnerability scanning based on pre-defined templates for known issues.
15. Internet Search Engine Discovery
- Tools: Shodan (web and CLI), `uncover`
- Purpose: Discover devices, systems, and information related to the target that are exposed on the internet.
16. Potential Pattern Extraction
- Tools: `gf`, gf patterns
- Purpose: Extract and analyze patterns in the target’s data to identify potential vulnerabilities.
17. General Security Misconfiguration
- Checks: CORS scan, security headers scan, SPF/DMARC, CRLF injection, XSS, SQLi
- Purpose: Identify and exploit general security misconfigurations that might be present on the target.
Reconnaissance for Medium Scope Targets
Medium scope targets involve broader assets like subdomains, requiring a more extensive approach.
1. Subdomain Enumeration (Active & Passive)
- Tools: `subfinder -d target.com -all` (passive), `ffuf` (active fuzzing with wordlists)
- Purpose: Identify subdomains and related assets belonging to the target.
2. Sorting and Filtering
- Purpose: Organize and filter the enumerated subdomains to focus on those most likely to be sensitive (e.g., `jenkins`, `qa`, `prod`, `uat`, `payments`).
3. Probing with httpx (Status Code and Content Length)
- Tool: `httpx`
- Purpose: Identify live hosts and single out those with large or unusual responses by comparing status codes and content lengths.
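The sorting step and the httpx triage step above are data-wrangling work that is easy to get wrong by hand. This added example (not from the original article) normalises a constructed enumerator dump, ranks hosts by the guide’s sensitive keywords, and clusters constructed probe results by (status, length) so identical default pages are reviewed once. The probe-line format `url [status] [length]` is assumed to match `httpx -sc -cl` output.

```python
import re

# Keywords the guide flags as likely-sensitive hosts.
SENSITIVE_KEYWORDS = ("jenkins", "qa", "prod", "uat", "payments")

# Constructed sample of a raw enumerator dump: mixed case, trailing
# dots, wildcard prefixes and duplicates, as real output often has.
RAW_SUBDOMAINS = """
www.target.com
Jenkins.target.com.
*.qa.target.com
qa.target.com
payments-api.target.com
uat.target.com
www.target.com
blog.target.com
"""

# Constructed sample in the "url [status] [length]" shape that httpx
# prints with -sc -cl (format assumed; check against your version).
PROBE_OUTPUT = """
https://qa.target.com [200] [5123]
https://uat.target.com [200] [5123]
https://jenkins.target.com [403] [162]
https://payments-api.target.com [401] [48]
https://blog.target.com [200] [20456]
"""

def normalise(host):
    """Lower-case, drop wildcard prefix and trailing dot; None for junk lines."""
    host = host.strip().lower().rstrip(".").removeprefix("*.")
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else None

def sensitivity(host):
    """Count sensitive keywords that occur in any dot- or dash-separated label."""
    labels = re.split(r"[.-]", host)
    return sum(any(k in lab for lab in labels) for k in SENSITIVE_KEYWORDS)

def prioritise(raw):
    """Unique hosts as (host, score), highest score first, then alphabetical."""
    hosts = {h for line in raw.splitlines() if (h := normalise(line))}
    return sorted(((h, sensitivity(h)) for h in hosts), key=lambda t: (-t[1], t[0]))

def group_by_fingerprint(output):
    """Cluster probed URLs by (status, length): identical pairs are usually
    the same default or catch-all page and can be reviewed once."""
    groups = {}
    for m in re.finditer(r"^(\S+) \[(\d+)\] \[(\d+)\]$", output, re.M):
        groups.setdefault((int(m[2]), int(m[3])), []).append(m[1])
    return groups
```

Feed real `subfinder` and `httpx` output into `prioritise` and `group_by_fingerprint` in place of the constructed samples; a large cluster sharing one (status, length) pair is usually a wildcard DNS or default vhost and can be deprioritised.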
4. Subdomain Takeover
- Tool: `subzy`
- Purpose: Check for vulnerable subdomains that can be taken over.
5. Web Screenshots
- Tool: `webscreenshot`
- Purpose: Capture screenshots of all accessible subdomains for quick visual inspection.
6. Wordlist Generation
- Tool: `CeWL`
- Purpose: Generate custom wordlists based on the content found on the target’s website.
7. Directory Enumeration
- Tool: `ffuf`
- Purpose: Discover directories and files across multiple subdomains.
8. Port Scanning
- Tools: `nmap`, `naabu`
- Purpose: Identify open ports on all discovered subdomains.
9. Wayback History Extraction
- Tools: `waybackurls`, `waymore`
- Purpose: Extract and analyze historical data from all subdomains.
10. Nuclei Scanning
- Tool: `nuclei`
- Purpose: Run vulnerability scans across all subdomains.
11. Shodan Scanning
- Tool: Shodan
- Purpose: Extract IP addresses from subdomains and run additional scans using tools like `ffuf` and `nuclei` on those IPs.
12. General Vulnerability Scanning
- Purpose: Perform a broad vulnerability scan across all identified subdomains and associated IPs.
Reconnaissance for Large Scope Targets
Large scope targets cover entire organizations, including subsidiaries, acquisitions, and all assets connected to the internet.
1. Tracking and Tracing
- Tool: `TLDbrute`
- Purpose: Identify top-level domains (TLDs) and associated assets across the entire target organization.
2. Subsidiary & Acquisition Enumeration
- Tools: Acquisitions, Wikipedia, Crunchbase, index.co
- Purpose: Discover and enumerate all subsidiaries and acquisitions of the target organization.
3. Reverse Lookup & ASN Lookup
- Tools: viewdns.info, `sslScrape`
- Purpose: Perform reverse lookups on IP addresses and Autonomous System Numbers (ASNs) to map the organization’s entire digital footprint.
4. Automation Tools
- Tools: BHEEM, reconFTW, Osmedeus, Sn1per
- Purpose: Automate the reconnaissance process for large scope targets to ensure comprehensive coverage.
5. Detailed Vulnerability Assessment
- Purpose: Conduct a thorough vulnerability assessment across all identified assets, including subsidiaries and acquired companies, using a combination of automated tools and manual techniques.
Conclusion
Reconnaissance is the foundation of any successful cybersecurity operation. By understanding and applying the appropriate tools and techniques across different scopes—small, medium, and large—you can effectively identify vulnerabilities and secure your target environment. Whether you’re focusing on a single domain or an entire organization’s digital footprint, the steps outlined in this guide provide a comprehensive approach to reconnaissance, ensuring no stone is left unturned.
For more insights and detailed walkthroughs on advanced cybersecurity techniques, visit suvendudash.com. Watch my YouTube video on live reconnaissance here: Live Recon Video