Recon For Web Pen-Testing!!
medium.com/@theUnixe/recon-for-web-pen-testing-6a6333673818
theUnixe April 30, 2023
Reconnaissance, or recon for short, is the process of gathering information about a target
to identify vulnerabilities and potential attack vectors.
In this article, we'll discuss a step-by-step approach to web pen-testing recon, starting
with the basics and moving on to more advanced techniques.
So, whenever I start on any subdomain, the first thing I do is my passive recon. Below I
have listed every tool/website I use.
Dig: stands for Domain Information Groper. It performs DNS lookups by querying name servers
and displays the results to you!!
Wayback Machine: view old files like robots.txt and old URLs.
Tool used to automate this: waybackurls.py
Download: https://gist.github.com/mhmdia/adf6bff70142e5091792841d4b372050
— Knockpy: —
GitHub - guelfoweb/knock: Knock Subdomain Scan (https://github.com/guelfoweb/knock)
Knockpy is a portable and modular python3 tool designed to quickly enumerate subdomains on a
target domain through…
Usage: ./knockpy target.com
— Sublist3r: —
GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers
(https://github.com/aboul3la/Sublist3r)
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps
penetration testers and…
Usage: python sublist3r.py -d target.com -p 80,443
— SubBrute: —
GitHub - TheRook/subbrute: A DNS meta-query spider that enumerates DNS records and subdomains
(https://github.com/TheRook/subbrute)
SubBrute is a community driven project with the goal of creating the fastest and most
accurate subdomain enumeration…
Usage: ./subbrute.py google.com
Google Dork:
site:target.com -site:www.target.com
Online Resources:
– https://dnsdumpster.com/
– https://searchdns.netcraft.com/
– https://www.virustotal.com (go to search and type target.com)
– https://crt.sh/?q=%25paypal.com (use "%target.com")
Don't Stop Here!!
Find sub-domains of sub-domains.
!!!!!! Some websites have 5th and 6th level sub-domains !!!!!
Tool: altdns (https://github.com/infosec-au/altdns)
Input: sub-domain list
Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt
Tool: SubBrute
./subbrute.py target.com > subdomains.txt
Then
./subbrute.py -t subdomains.txt
dnsx: is a fast and multi-purpose DNS toolkit designed for running various probes
through the retryabledns library.
URL: https://github.com/projectdiscovery/dnsx
Ffuf: is a fast directory fuzzing tool; you can use it to enumerate more
directories in less time!!
Now we have:
WaybackURLs + Subdomains + Subdomains of Subdomains
Check Subdomain Validation
Tool: EyeWitness
GitHub - FortyNorthSecurity/EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness)
EyeWitness is designed to take screenshots of websites, provide some server header info,
and identify default…
Provide it a list of all subdomains and it will give you a report with screenshots of every
sub-domain.
Usage: ./EyeWitness.py -f subdomain.txt
Check Target IP Range
url: https://whois.arin.net
url: https://bgp.he.net/
Search by the target's IP to find a good IP range.
Real Case Study:
Patrik Fehrenbach (@ITSecurityguard) wrote a Bash script to download the phpinfo.php
file (if found) from the Yahoo! IP range (98.136.0.0–98.139.255.255).
Bash script:
for ipa in 98.13{6..9}.{0..255}.{0..255}; do wget -t 1 -T 5 http://${ipa}/phpinfo.php; done &
(The brace expansion covers every address in 98.136.0.0/14; -t 1 allows a single retry and
-T 5 sets a five-second timeout so dead hosts don't stall the loop.)
Censys: is another great online tool that will give you juicy information about
your target!!
censys.io: https://censys.io/
Photon: is basically a data extraction tool which helps us find a lot of useful
information from websites.
Download: https://github.com/s0md3v/Photon
Usage: python3 photon.py -u target.com --keys --dns
DnsDumpster: is very similar to dig, but it provides a GUI for you to work with.
Usage: https://dnsdumpster.com/
GitHub Recon
What can you find on GitHub?
• FTP credentials
• Secret keys [API_key, AWS_secret key, etc.]
• Internal credentials [employee credentials]
• API endpoints
• Domain patterns
Go to GitHub and search, e.g.:
- "target.com" "dev"
- "dev.target.com"
- "target.com" API_key
- "target.com" password
- "api.target.com"
Google can also help: site:"github.com" + "Target" + password
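The same secret types that the search above turns up can be caught before they ever reach a public repo. The following scanner is an added example (not from the article or any of the tools it lists); it runs the patterns over a constructed config file, with the AWS key ID taken from AWS's own documentation placeholder.

```python
import re

# Patterns for the credential types the article lists as turning up in public repos.
# The AWS access key ID format is the one AWS documents; the rest are common conventions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|apikey)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "ftp_url_with_password": re.compile(r"ftp://[^\s:/@]+:[^\s@/]+@[^\s/]+"),
    "password_assignment": re.compile(r"(?i)password\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"),
}

# Constructed sample file; the AWS key ID and secret are AWS's documentation placeholders,
# the hostnames are the article's "target.com" convention. The commit hash on the last
# line is a deliberate negative: 40 hex chars, but not a credential.
SAMPLE_CONFIG = """\
# deploy settings for dev.target.com
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_KEY = "sk_live_0123456789abcdefXYZ"
ftp_mirror = ftp://deploy:Hunter2pass@ftp.target.com/htdocs
db_password = "S3cretPassw0rd"
commit_hash = 9fceb02d0ae598e95dc970b74767f19372d61af8
"""


def scan_text(text: str, source: str = "<input>") -> list:
    """Return one finding per (line, pattern) hit: where it is, what kind, what matched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(
                    {"source": source, "line": lineno, "type": kind, "match": m.group(0)})
    return findings


def finding_types(text: str) -> list:
    """Sorted, de-duplicated list of the secret types present in the text."""
    return sorted({f["type"] for f in scan_text(text)})


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "deploy.env"):
        print(f"{f['source']}:{f['line']}: {f['type']}: {f['match']}")
```

Hooking scan_text into a pre-commit hook or CI job over staged files gives the same coverage that the GitHub searches above give an attacker, only earlier.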
Shodan: is the world's first search engine for internet-connected devices. Explore
the platform to find:
IP addresses.
SSL certificates.
Services.
Favicon hashes.
etc.
ZoomEye: is another search engine and can be used to discover:
Web servers.
IP & ports.
Headers & status codes.
Vulnerabilities.
etc.
usage: https://www.zoomeye.org/
Content Discovery: —
• Google is your friend
• Use Google Dorks to find:
- File extensions
- Parameters
- Login pages
- Sometimes the directory structure
- Important stuff
• I often use Google Dorks to find files with a specific extension, which also reveals
the technology used by the target.
- site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
Find Parameters
• Google Dork:
- site:target.com inurl:.php?id=
- site:target.com inurl:.php?user=
- site:target.com inurl:.php?book=
Find Login Page
• Google Dork:
- site:target.com inurl:login.php
- site:target.com intext:"login"
- site:target.com inurl:portal.php
- site:target.com inurl:register.php
(Note: if a site has a register page, there are chances that the site also has a login page.)
Find Directory Structure
• Google Dork:
- site:target.com intext:"index of /"
Tools:
Gobuster - https://github.com/OJ/gobuster
Dirsearch - https://github.com/maurosoria/dirsearch
Feroxbuster - https://github.com/epi052/feroxbuster
ParamSpider - https://github.com/devanshbatham/ParamSpider
Usage: python3 paramspider.py --domain target.com
assetfinder: https://github.com/tomnomnom/assetfinder
subzy: https://github.com/LukaSikic/subzy
Finding Hidden GET & POST Parameters!!
During bug bounties, I discovered some interesting parameters. Sometimes developers
"hide" parameters in GET or POST queries, and sometimes it can be interesting to try to
find these parameters and inject payloads into them.
To help me with this hunt, I use a good tool called Arjun. This python script will bruteforce
the GET and POST parameters. Try it and you will see!
Download: GitHub - s0md3v/Arjun: HTTP parameter discovery suite
(https://github.com/s0md3v/Arjun)
Arjun can find query parameters for URL endpoints.
LinkFinder: is a python script written to discover endpoints and their parameters in
JavaScript files.
Download: https://github.com/GerbenJavado/LinkFinder
Usage: ./linkfinder.py -i https://target.com -o cli
Vulnerability Scanning
Nuclei: it's extremely good; you can write your own templates in YAML and use
thousands of other templates written by other hackers!!
cat subs.txt | nuclei
cat subs.txt | nuclei -t /nuclei-templates/<your template>
Nikto: https://github.com/sullo/nikto
TIDoS: is an offensive web application framework with lots of modules. It helps in
many penetration testing tasks, from performing recon to attacking a web
application.
Download: https://github.com/0xInfection/TIDoS-Framework
Usage: ./tidos.py
Note: TIDoS installation (https://www.youtube.com/watch?v=5a_GFWeovYI)
Burp Suite —
Run the Spider tool on your target in Burp Suite.
• Once the spider has finished, right-click on the host
and click "Copy URLs in this host".
Zscanner
• Once copied, paste them into urls.txt.
• Put the urls.txt file in the root of Zscanner, e.g. c/xampp/htdocs/zscanner/urls.txt
• Now open Zscanner in the browser and click on "Begin Scanner".
• 4 files are output in the /outputs/ folder:
JS-output.txt, GET-output.txt, POSTHost-output.txt, POSTData-output.txt
• Copy the JS-output.txt file and put it in the root of the JS-Scan folder,
e.g. c/xampp/js-scan/JS-output.txt
JS-Scan
Open JS-Scan in the browser.
Takeaways
• Endpoints extracted from JS files are more vulnerable than endpoints defined in
web pages.
• Automated scanners generally don't scan endpoints defined in JS files.
• Developers & testers don't care about them.
Amazon Web Services (AWS or S3 Buckets)
AWS Simple Storage Service (often shortened to S3) is used by companies that
don't want to build and maintain their own storage repositories. By using Amazon
Simple Storage Service, they can store objects and files on a virtual server instead of
on physical racks.
After the user has created their bucket, they can start storing their source
code, certificates, passwords, content, databases and other data.
What if the target is vulnerable?
You can get full access to the S3 bucket: you can download, upload and overwrite files.
How to find S3 buckets?
Google Dork: site:amazonaws.com inurl:yahoo
Burp Suite can also help.
AWS Hacking
Open a terminal.
Install awscli in Kali: sudo apt-get install awscli
Interact with the bucket: aws s3 ls s3://hackerone-attachments
Find a world-writable directory: aws s3 mv test.txt s3://hackerone-attachments
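The "upload a test file" check above finds a bucket that anyone can write to after the fact; the same misconfiguration is visible in the bucket policy before anything is uploaded. The checker below is an added example, not the article's or AWS's code, and the two policies it evaluates are constructed samples: one grants Principal "*" a write action (world-writable), the other restricts the same actions to a single IAM role.

```python
import json
from fnmatch import fnmatch

# Constructed sample policies (not from the article). Bucket and account values are placeholders.
WORLD_WRITABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicWrite",
        "Effect": "Allow",
        "Principal": "*",                       # anonymous callers included
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Actions that let a caller modify bucket contents; patterns like "s3:*" or "s3:Put*" match too.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")


def _is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings that admit anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _grants_write(actions) -> bool:
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatch(w, a.lower()) for a in actions for w in WRITE_ACTIONS)


def public_write_statements(policy_json: str) -> list:
    """Sids of Allow statements that give any principal a write action on the bucket.

    Conditions and explicit Deny statements elsewhere are not evaluated, so treat each
    returned Sid as a finding to review rather than a confirmed exposure."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _is_public(s.get("Principal"))
            and _grants_write(s.get("Action", []))]
```

The same function can be run over the JSON returned by "aws s3api get-bucket-policy" for each bucket in an account to find candidates before an outsider does.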
Thank You!!