
How I Recon Web Apps






Hey guys, this is me, Imran Parray, and today I have decided to share my recon process with the internet. I believe that recon is the most important part of hacking web apps, and I also believe that everyone has their own methodology for recon, so today I am going to share mine with you.

Let's start.


First of all, I have two different ways of doing the same process, and which one I use depends mainly on the scope of the target web application. For the sake of this blog post I assume *.target.com is our target.



Start With Google




Searching Google for company details, such as how the company works and how it manages its different assets, is always helpful in finding more issues.
In this part I try to understand the company or product I am going to test. That makes it clear which part of the web app is going to be my target, and what actually matters to the company.

Following are the Google dorks I use to get other information related to the company:

site:site.com inurl:login,register,upload,logout,redirect,redir,goto,admin
site:site.com inurl:&
site:site.com ext:php,asp,aspx,jsp,jspa,txt,swf
site:paypal.com -www.paypal.com -www.sandbox
site:paypal.com filetype:txt
intitle:"index of /" Parent Directory site:yoursitehere.com
intitle:"Index of /admin" site:yoursitehere.com
intitle:"Index of /password" site:yoursitehere.com
intitle:"Index of /" passwd site:yoursitehere.com
intitle:"Index of /" .htaccess site:yoursitehere.com
intitle:"login" "admin" site:yoursitehere.com
inurl:login site:yoursitehere.com
filetype:txt site:yoursitehere.com
filetype:xml site:yoursitehere.com
filetype:inf site:yoursitehere.com
filetype:ini site:yoursitehere.com
filetype:xls csv site:yoursitehere.com

Sub-domain Enumeration

Screenshot of collecting subdomains

Sub-domain enumeration plays a very important role in finding more critical issues, because the main domain of the company will already have a lot of people testing it and searching for new bugs, so the chances of finding issues there are lower. Enumerating sub-domains and testing them one by one is more efficient.


There are a lot of sub-domain enumeration tools, such as Sublist3r, KnockPy and many others. What I did is create one bash script which automatically collects sub-domains from:

  • Censys
  • Sublist3r
  • crt.sh
  • Certificate Transparency
It collects sub-domains from all these sources, copies them into one file `subdomains.txt`, and also removes any duplicates.
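As an added example (this is not the author's bash script), here is the collect-and-de-duplicate step for the crt.sh source written in Python, run over a constructed crt.sh JSON response. It goes a little beyond the text by handling the quirks a certificate-transparency dump brings: several names per certificate, wildcard entries, mixed case, and look-alike names that merely contain the target domain.

```python
import json

# Constructed sample of what https://crt.sh/?q=%25.target.com&output=json
# returns (only the fields used here are kept).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "common_name": "*.target.com",
     "name_value": "*.target.com\nAPI.Target.com"},
    {"issuer_name": "C=US, O=DigiCert", "common_name": "mail.target.com",
     "name_value": "mail.target.com\nmail.target.com"},
    {"issuer_name": "C=US, O=DigiCert", "common_name": "target.com.evil.example",
     "name_value": "target.com.evil.example"},
])

def in_scope(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a sub-domain of it (suffix match
    on a label boundary, so 'target.com.evil.example' is rejected)."""
    return hostname == domain or hostname.endswith("." + domain)

def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Turn a crt.sh JSON result into a sorted, de-duplicated host list."""
    found = set()
    for entry in json.loads(raw_json):
        # one certificate can carry many SANs, newline-separated in name_value
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                # a wildcard cert only tells us about its base name
                name = name[2:]
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)

def write_subdomains(hosts: list[str], path: str = "subdomains.txt") -> int:
    """Write one host per line, like the script's subdomains.txt; returns the count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)

if __name__ == "__main__":
    hosts = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print(f"{write_subdomains(hosts)} hosts written: {hosts}")
```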

Sub-domain Brute-forcing

Screenshot of Automation tools to use gobuster in dns mode


Well, for sub-domain brute-forcing, gobuster in DNS mode works fine for me. I use a list of 20k words to brute-force the main domain of the company.

Hosts to Masscan

Automation Script
After collecting the huge number of sub-domains, I send them to my bash script, which finds the IP address of each sub-domain and saves them into one list. After that I send this IP list to masscan to scan all 65535 ports on every host,
and save the results in `Masscan-Results.txt`.
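An added example, not the author's bash script: because masscan only reports IPs, the open ports have to be joined back to the hostnames before they are useful. This Python takes a constructed name-to-IP resolution result and constructed masscan list-format output (`-oL`), builds the de-duplicated IP list that would be fed to masscan, and maps each open port back to every hostname on that address.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed stand-in for the resolution step: several names can share one
# address, and a stale name may not resolve at all.
RESOLVED: Dict[str, Optional[str]] = {
    "www.target.com":  "203.0.113.10",
    "api.target.com":  "203.0.113.10",
    "mail.target.com": "203.0.113.25",
    "old.target.com":  None,
}

# Constructed sample in masscan's list format (-oL), one record per line:
# "open <proto> <port> <ip> <timestamp>", with '#' comment lines around it.
SAMPLE_MASSCAN = """#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 80 203.0.113.10 1700000001
open tcp 8443 203.0.113.10 1700000002
open tcp 25 203.0.113.25 1700000003
open tcp 443 203.0.113.25 1700000004
# end
"""

MASSCAN_LINE = re.compile(r"^open\s+(\w+)\s+(\d+)\s+(\S+)\s+\d+$")

def unique_targets(resolved: Dict[str, Optional[str]]) -> List[str]:
    """The de-duplicated IP list handed to masscan; unresolved names are dropped
    so a shared address is scanned once, not once per hostname."""
    return sorted({ip for ip in resolved.values() if ip})

def parse_masscan_list(text: str) -> Dict[str, Set[int]]:
    """Map each scanned IP to the set of open TCP ports masscan reported."""
    open_ports: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line.strip())
        if m and m.group(1) == "tcp":
            open_ports[m.group(3)].add(int(m.group(2)))
    return dict(open_ports)

def ports_per_host(resolved: Dict[str, Optional[str]],
                   masscan_text: str) -> Dict[str, List[int]]:
    """Join the two files back together: hostname -> sorted open ports.
    Without this join an unusual port on a shared address (8443 here) cannot
    be tied to the virtual host that actually needs testing."""
    by_ip = parse_masscan_list(masscan_text)
    return {host: sorted(by_ip.get(ip, set()))
            for host, ip in resolved.items() if ip}
```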
Proper use of Whatweb
Output of The tool
Well, most bug hunters ignore the WhatWeb tool, but for me it's an awesome tool; you just have to use it the proper way. After finding the huge number of sub-domains I pass that list to WhatWeb, which scans all the sub-domains in the list one by one and collects the final information in `whatweb-results.json`. After collecting the information I start searching the file for strings like "wordpress", "drupal", etc. If I find anything like that I pass that sub-domain to wpscan or a Drupal scanner.
Command:
whatweb -t 50 -i subdomains.txt --log-json=whatweb-results.json
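An added example, not part of the original post: instead of grepping `whatweb-results.json` for "wordpress" and "drupal", this Python reads the log and groups hosts by the CMS plugin WhatWeb actually reported, so the list handed to wpscan or a Drupal scanner does not pick up hosts that merely mention the word in a meta tag. It assumes WhatWeb's plugin key names "WordPress" and "Drupal", and the log content below is a constructed sample.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a whatweb --log-json file, trimmed to the fields used.
# Older WhatWeb releases wrote one object per line (some with a trailing comma);
# newer ones write a single JSON array, so the loader below accepts both shapes.
SAMPLE_WHATWEB_LOG = """\
{"target":"http://blog.target.com","http_status":200,"plugins":{"HTTPServer":{"string":["nginx"]},"WordPress":{"version":["5.8.1"]},"MetaGenerator":{"string":["WordPress 5.8.1"]}}},
{"target":"http://intranet.target.com","http_status":200,"plugins":{"HTTPServer":{"string":["Apache"]},"Drupal":{}}},
{"target":"http://api.target.com","http_status":401,"plugins":{"HTTPServer":{"string":["nginx"]},"Title":{"string":["WordPress-compatible API docs"]}}},
"""

# Plugin name -> the follow-up scanner the write-up hands that host to.
CMS_SCANNERS = {"WordPress": "wpscan", "Drupal": "Drupal scanner"}

def load_whatweb_log(text: str) -> List[dict]:
    """Parse whatweb JSON output whether it is one array or one object per line."""
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        pass  # not a single document: fall back to line-delimited objects
    entries = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line:
            entries.append(json.loads(line))
    return entries

def cms_targets(text: str) -> Dict[str, List[str]]:
    """Group targets by follow-up scanner, keyed on the plugin WhatWeb fired.

    A plain grep for "wordpress" would also match api.target.com above, whose
    page title merely contains the word; matching the plugin key avoids that.
    """
    out: Dict[str, List[str]] = defaultdict(list)
    for entry in load_whatweb_log(text):
        plugins = entry.get("plugins", {})
        for plugin, scanner in CMS_SCANNERS.items():
            if plugin in plugins:
                version = (plugins[plugin].get("version") or ["unknown"])[0]
                out[scanner].append(f"{entry['target']} ({plugin} {version})")
    return dict(out)
```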

Taking Screenshots

Source code of tool

After collecting sub-domains I pass the list of sub-domains to the httpScreenShots tool, which takes a screenshot of every one of them. It works on both HTTP and HTTPS.



Choosing Target:

After reviewing the screenshots I choose some targets which look interesting to me.
I create a list `targets.txt` and paste in the URLs of those sub-domains which I am going to
test later.

Bruteforcing is the Key to Success




After choosing the target I try to brute-force it for some random files and folders. I don't prefer fast brute-forcing, nor do I prefer too long a list: just some 1-2k files and folders, and I keep it as slow as possible.

  • I follow the naming convention: if you see viewDocument.php, try editDocument.php or deleteDocument.php
  • Brute-force config files
  • Brute-force log files
  • Brute-force .ini files
  • .htaccess file
  • Brute-force common files [ easywins -x --threads 10 http://www.jkbose.co.in ]
  • CGI scanner
  • Brute-force backup files
Do all of the above recursively.


After this I mostly prefer Burp Suite and start playing around with the OWASP Top 10 and the web app's logic.
Thank you so much!
