Reconnaissance Strategy and Techniques 0.2
Changelog 0.1 | Recon Method Addeds
Changelog 0.2 | New Tip added in No.3 & No.6Introduction
Reconnaissance is the cornerstone of effective security assessments, paving the way for successful vulnerability discovery. In this guide, we delve into advanced reconnaissance techniques that go beyond the usual tools, helping you uncover hidden targets and vulnerabilities. By adopting a unique and strategic approach to reconnaissance, you can enhance your security assessment capabilities and gain an edge in identifying critical security issues.
1. Setting the Stage: Wildcard Domain Hypothesis
To illustrate the process, begin with a hypothetical wildcard domain, such as โ*.brut.ninja.โ This domain will serve as an example throughout the guide, aiding in the explanation of each step.
2. Rethinking Traditional Tools: Subdomain Enumeration
Instead of relying solely on conventional subdomain enumeration tools like subfinder and amass, consider a more strategic approach.
(i). Subfinder Configuration Enhancement
Open the subfinder configuration file. In this file, various services are listed, many of which are available for free. Optimize your reconnaissance by registering accounts for all these services and obtaining their API keys. Incorporate these keys into the configuration file to expand your host discovery capabilities.
(ii). Subenum.sh: Comprehensive Subdomain Enumeration**
Leverage a specialized tool called โsubenum.sh.โ This tool amalgamates results from multiple subdomain enumeration tools, presenting you with an extensive list of subdomains. This approach increases your chances of identifying hidden targets.
3. Refining the List: Identifying Live Hosts
After compiling a comprehensive list of potential subdomains, employ the โhttpxโ tool to determine which hosts are live and operational. This step streamlines your focus, allowing you to concentrate on active targets.
Tip #1
Avoid using httpX to filter live subdomains.
Remember, httpX is tailored for web servers. By using it directly,
you might overlook subdomains exposing other services. Always prioritize
a resolver.4. Focus on Live Hosts: Preparation for Further Analysis
Armed with a refined list of live hosts, youโre ready to proceed with more detailed analysis and vulnerability assessment.
5. Unconventional Vulnerability Scanning: Moving Beyond the Norm
Rather than following conventional practices like running โnucleiโ scans on all identified hosts, consider adopting a more distinctive approach.
6. Comprehensive Waybackurls Collection
Gather โwaybackurlsโ for all hosts simultaneously. While this approach demands time, it often leads to the discovery of additional URLs that might otherwise be overlooked. These URLs may provide unique points of entry for further exploration.
Tip #1
๐A javascript bookmarklet that will extract all Wayback-URL's endpoints.
โ
How To Use ๐ Copy Code-> Create New Bookmark-> In URL Bar Paste The Code->
Open Target Site-> Click bookmark-> Surprise!๐ฅ
๐ Link - https://lnkd.in/gsygEUmz
๐This javascript bookmarklet that will extract all endpoints
(starting with /) from your current DOM.
๐ Link - https://lnkd.in/gnt9hShw7. Manual Keyword Search: Targeted Discovery
Engage in manual keyword searches on the collected URLs. Look for keywords like โadminโ or โapi=โ within the URLs. These searches can reveal hidden functionalities and potential vulnerabilities that automated tools might miss.
8. Parameter Analysis: Uncovering Hidden Vulnerabilities
Delve into the URLs to identify intriguing parameters like โredirect_to=โ or โaccount_id=โ. Save these parameters in a separate file for manual analysis. Often, these parameters offer unexplored avenues for discovering valid vulnerabilities.
9. Exploring Login Panels: Probing for Common Bugs
Search for login panels within the URLs and test them for common vulnerabilities. These panels can be potential entry points for unauthorized access or other security issues.
10. The Significance of JavaScript (JS) Files
Recognize the importance of JS files. Scan your URL collection for JS files, as they may contain valuable information such as configuration details (โapp-config.jsโ) or user-specific data (โaccount.jsโ).
11. Unveiling Hidden Directories: Broadening the Scope
Leverage your list of URLs to uncover hidden directories. These directories might host crucial functionalities or vulnerable components.
12. Initial โNucleiโ Scan: Exploratory Vulnerability Testing
Select a host that appears unusual and run an initial โnucleiโ scan. While this scan might not yield immediate results, itโs a starting point for further analysis.
13. Application Analysis: Understanding the Workflow
Delve into application analysis to gain insight into the applicationโs workflow, functionalities, and interactions. A thorough understanding of the application enhances your ability to identify vulnerabilities.
14. Leveraging Application Knowledge
Having a deep understanding of the applicationโs inner workings positions you ahead in discovering critical vulnerabilities before others.
15. CVE Assessment: Addressing Known Vulnerabilities
Assess the application for vulnerabilities stemming from known Common Vulnerabilities and Exposures (CVEs), especially if certain services are outdated. This proactive approach can identify vulnerabilities that threat actors might exploit.
16. Blind SSRF: Preparing for Unexpected Discoveries
Keep โBurp Collaboratorโ ready and incorporate tokens as necessary. This approach can help detect blind Server-Side Request Forgery (SSRF) vulnerabilities that could otherwise go unnoticed.
17. Payment Services and Response Manipulation
When dealing with payment services, check whether test card usage is allowed. Additionally, experiment with Response Manipulation techniques to bypass restrictions.
18. Staying Current: Monitoring CVEs
Regularly monitor recent and zero-day CVEs. Test these vulnerabilities against your application, significantly increasing the probability of uncovering critical vulnerabilities.
19. Collaboration and Learning: Seeking Help
Embrace collaboration and seek assistance from peers when needed. While collaboration is valuable, ensure you conduct initial research on your problem before reaching out for help.
20. In-Depth Exploration: Uncovering Vulnerabilities
Thoroughly explore your application, unearthing hidden directories and parameters. This systematic approach may lead to the discovery of vulnerabilities such as SQL injection (SQLi) or Cross-Site Scripting (XSS).
Conclusion: Elevate Your Reconnaissance Game
Mastering reconnaissance is a journey that requires both innovation and dedication. By adopting these advanced techniques, you can uncover hidden vulnerabilities that might go unnoticed with traditional approaches. As you embark on your security assessment endeavors, remember that your commitment to continuous learning and collaboration will be your greatest assets.
Stay Connected: Follow and Support!
If you found this guide valuable, follow for more insightful content. Your support keeps me creating quality resources.
Fuel Future Content: Buy Me a Coffee
Consider buying me a coffee to support ongoing content creation. Every contribution helps.
