Reconnaissance Strategy and Techniques 0.2

Changelog 0.1 | Recon Method Addeds
Changelog 0.2 | New Tip added in No.3 & No.6


Reconnaissance is the cornerstone of effective security assessments, paving the way for successful vulnerability discovery. In this guide, we delve into advanced reconnaissance techniques that go beyond the usual tools, helping you uncover hidden targets and vulnerabilities. By adopting a unique and strategic approach to reconnaissance, you can enhance your security assessment capabilities and gain an edge in identifying critical security issues.

1. Setting the Stage: Wildcard Domain Hypothesis

To illustrate the process, begin with a hypothetical wildcard domain, such as โ€œ*โ€ This domain will serve as an example throughout the guide, aiding in the explanation of each step.

2. Rethinking Traditional Tools: Subdomain Enumeration

Instead of relying solely on conventional subdomain enumeration tools like subfinder and amass, consider a more strategic approach.

(i). Subfinder Configuration Enhancement

Open the subfinder configuration file. In this file, various services are listed, many of which are available for free. Optimize your reconnaissance by registering accounts for all these services and obtaining their API keys. Incorporate these keys into the configuration file to expand your host discovery capabilities.

(ii). Comprehensive Subdomain Enumeration**

Leverage a specialized tool called โ€œโ€ This tool amalgamates results from multiple subdomain enumeration tools, presenting you with an extensive list of subdomains. This approach increases your chances of identifying hidden targets.

3. Refining the List: Identifying Live Hosts

After compiling a comprehensive list of potential subdomains, employ the โ€œhttpxโ€ tool to determine which hosts are live and operational. This step streamlines your focus, allowing you to concentrate on active targets.

Tip #1

Avoid using httpX to filter live subdomains.
Remember, httpX is tailored for web servers. By using it directly,
you might overlook subdomains exposing other services. Always prioritize
a resolver.

4. Focus on Live Hosts: Preparation for Further Analysis

Armed with a refined list of live hosts, youโ€™re ready to proceed with more detailed analysis and vulnerability assessment.

5. Unconventional Vulnerability Scanning: Moving Beyond the Norm

Rather than following conventional practices like running โ€œnucleiโ€ scans on all identified hosts, consider adopting a more distinctive approach.

6. Comprehensive Waybackurls Collection

Gather โ€œwaybackurlsโ€ for all hosts simultaneously. While this approach demands time, it often leads to the discovery of additional URLs that might otherwise be overlooked. These URLs may provide unique points of entry for further exploration.

Tip #1

๐Ÿ“ŒA javascript bookmarklet that will extract all Wayback-URL's endpoints.

โœ…How To Use ๐Ÿ‘‰ Copy Code-> Create New Bookmark-> In URL Bar Paste The Code->
Open Target Site-> Click bookmark-> Surprise!๐Ÿ”ฅ

๐Ÿ”— Link -

๐Ÿ“ŒThis javascript bookmarklet that will extract all endpoints
(starting with /) from your current DOM.

๐Ÿ”— Link -

7. Manual Keyword Search: Targeted Discovery

Engage in manual keyword searches on the collected URLs. Look for keywords like โ€œadminโ€ or โ€œapi=โ€ within the URLs. These searches can reveal hidden functionalities and potential vulnerabilities that automated tools might miss.

8. Parameter Analysis: Uncovering Hidden Vulnerabilities

Delve into the URLs to identify intriguing parameters like โ€œredirect_to=โ€ or โ€œaccount_id=โ€. Save these parameters in a separate file for manual analysis. Often, these parameters offer unexplored avenues for discovering valid vulnerabilities.

9. Exploring Login Panels: Probing for Common Bugs

Search for login panels within the URLs and test them for common vulnerabilities. These panels can be potential entry points for unauthorized access or other security issues.

10. The Significance of JavaScript (JS) Files

Recognize the importance of JS files. Scan your URL collection for JS files, as they may contain valuable information such as configuration details (โ€œapp-config.jsโ€) or user-specific data (โ€œaccount.jsโ€).

11. Unveiling Hidden Directories: Broadening the Scope

Leverage your list of URLs to uncover hidden directories. These directories might host crucial functionalities or vulnerable components.

12. Initial โ€œNucleiโ€ Scan: Exploratory Vulnerability Testing

Select a host that appears unusual and run an initial โ€œnucleiโ€ scan. While this scan might not yield immediate results, itโ€™s a starting point for further analysis.

13. Application Analysis: Understanding the Workflow

Delve into application analysis to gain insight into the applicationโ€™s workflow, functionalities, and interactions. A thorough understanding of the application enhances your ability to identify vulnerabilities.

14. Leveraging Application Knowledge

Having a deep understanding of the applicationโ€™s inner workings positions you ahead in discovering critical vulnerabilities before others.

15. CVE Assessment: Addressing Known Vulnerabilities

Assess the application for vulnerabilities stemming from known Common Vulnerabilities and Exposures (CVEs), especially if certain services are outdated. This proactive approach can identify vulnerabilities that threat actors might exploit.

16. Blind SSRF: Preparing for Unexpected Discoveries

Keep โ€œBurp Collaboratorโ€ ready and incorporate tokens as necessary. This approach can help detect blind Server-Side Request Forgery (SSRF) vulnerabilities that could otherwise go unnoticed.

17. Payment Services and Response Manipulation

When dealing with payment services, check whether test card usage is allowed. Additionally, experiment with Response Manipulation techniques to bypass restrictions.

18. Staying Current: Monitoring CVEs

Regularly monitor recent and zero-day CVEs. Test these vulnerabilities against your application, significantly increasing the probability of uncovering critical vulnerabilities.

19. Collaboration and Learning: Seeking Help

Embrace collaboration and seek assistance from peers when needed. While collaboration is valuable, ensure you conduct initial research on your problem before reaching out for help.

20. In-Depth Exploration: Uncovering Vulnerabilities

Thoroughly explore your application, unearthing hidden directories and parameters. This systematic approach may lead to the discovery of vulnerabilities such as SQL injection (SQLi) or Cross-Site Scripting (XSS).

Conclusion: Elevate Your Reconnaissance Game

Mastering reconnaissance is a journey that requires both innovation and dedication. By adopting these advanced techniques, you can uncover hidden vulnerabilities that might go unnoticed with traditional approaches. As you embark on your security assessment endeavors, remember that your commitment to continuous learning and collaboration will be your greatest assets.

Stay Connected: Follow and Support!

If you found this guide valuable, follow for more insightful content. Your support keeps me creating quality resources.

Fuel Future Content: Buy Me a Coffee

Consider buying me a coffee to support ongoing content creation. Every contribution helps.