Recon Steps / Methodology

This is just a self-note on different steps to perform while approaching a target.

1. Subdomain Enumeration

  • Amass (amass enum -active -d domain.com -o amass-subdomain-result.txt)
  • Assetfinder (assetfinder -subs-only domain.com | anew assetfinder-subdomain-result.txt)
  • Subfinder (subfinder -d domain.com -o subfinder-subdomain-result.txt)
  • Findomain (findomain -t domain.com -u findomain-subdomain-result.txt)

Subdomain Bruteforcing:

  • amass (amass enum -brute -d domain.com -src)
  • knockpy
  • dnsenum
  • dnsrecon (python3 dnsrecon.py -d domain.com -D subdomains-top1mil-5000.txt -t brt)

Permutations:

  • altdns (./altdns.py -i known-subdomains.txt -o new_subdomains.txt -r -s domains-google.com.AltDNS.txt)
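Each tool in step 1 writes its own result file, so before probing or scanning they need to be merged, normalized and trimmed to scope. The script below is an added example, not part of the original note: it merges the four result files named above into one de-duplicated list, dropping wildcard prefixes, trailing dots, and look-alike hosts that merely contain the scope domain as a substring. The scope `domain.com` follows the note; the file contents are constructed here so it runs offline.

```sh
#!/bin/sh
# Added example: merge per-tool subdomain results into one in-scope list.

# normalize_subdomains SCOPE FILE...
#   lowercase, strip whitespace, "*." wildcard prefixes and trailing dots,
#   drop blank lines, keep only hosts that are SCOPE or end in ".SCOPE",
#   then sort uniquely.
normalize_subdomains() {
  scope=$1; shift
  # escape the dots in the scope so "domain.com.lookalike.net" is rejected
  scope_re=$(printf '%s' "$scope" | sed 's/\./\\./g')
  cat "$@" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]//g' -e 's/^\*\.//' -e 's/\.$//' \
    | grep -v '^$' \
    | grep -E "(^|\.)${scope_re}\$" \
    | sort -u
}

# Constructed sample output, one file per tool, using the note's file names.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf 'www.domain.com\napi.domain.com\n' \
  > "$workdir/amass-subdomain-result.txt"
printf 'WWW.domain.com\n*.dev.domain.com\n' \
  > "$workdir/assetfinder-subdomain-result.txt"
printf 'mail.domain.com.\nother-example.net\n' \
  > "$workdir/subfinder-subdomain-result.txt"
printf 'api.domain.com\ndomain.com.lookalike.net\n' \
  > "$workdir/findomain-subdomain-result.txt"

# Merged list used by the later steps (probing, screenshots, port scan).
normalize_subdomains domain.com "$workdir"/*-subdomain-result.txt \
  > "$workdir/all-subdomains.txt"
cat "$workdir/all-subdomains.txt"
```

The merged file contains the four in-scope hosts (api, dev, mail, www under domain.com); the out-of-scope and look-alike names are discarded rather than fed to the scanner.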

2. Perform ASN enumeration and find acquisitions of a target

  • Find the target's ASN (http://bgp.he.net and asnlookup.com). You can then use the ASN in amass to find seed domains. Command: amass intel -asn 46489

3. Probing for live hosts

4. Take a screenshot of all probed domains and subdomains

5. Perform Port Scan

  • Masscan
  • Nmap

You can then use dnmasscan (a bash script that resolves a file of domain names and then scans the resulting IPs with masscan) to scan all the enumerated subdomains. Then use Nmap on interesting findings for deeper scans (service detection, running different scripts, etc.).

You can also use nmap and perform the following:

  • nmap 10.10.10.1 -p- (all ports), then run a targeted scan on the open ports
  • nmap 10.10.10.1 -p 80,81,22,443 -sC -sV (no spaces in the port list, or nmap rejects it)

Together it becomes: nmap -iL list.txt -p- -sC -sV

6. Find Amazon S3 Bucket

  • We can look them up on GitHub: “hackme.tld” + “s3”
  • For Automation: Lazys3

7. Use Nuclei templates to find different vulnerabilities on the list of domains

8. Perform Google Dorking and GitHub Dorking/Recon

  • Gitrob tool
  • GitDorker

Resource: https://securitytrails.com/blog/github-dorks

For Passive Recon:

  • https://censys.io/
  • https://shodan.io
  • https://www.zoomeye.org/
  • https://virustotal.com
  • https://hunter.io/
  • https://dnsdumpster.com/
  • https://otx.alienvault.com/
  • https://crt.sh/
  • https://www.whoxy.com/
  • https://pentest-tools.com/information-gathering/google-hacking#