
Best Recon methodology


By: Hossam Shady

Note: This document was not created by a professional content writer, so any mistakes and errors are part of the great design.

Social media:@viehgroup vww.viehgroup.com support@viehgroup.com



Disclaimer

This document is generated by VIEH Group; if there is any contribution or credit, it is mentioned on the first page. The information provided herein is for educational purposes only and does not constitute legal or professional advice. While we have made every effort to ensure the accuracy and reliability of the information presented, VIEH Group disclaims any warranties or representations, express or implied, regarding the completeness, accuracy, or usefulness of this document. Any reliance you place on the information contained in this document is strictly at your own risk. VIEH Group shall not be liable for any damages arising from the use of or reliance on this document. We also greatly appreciate the original author of this document.

Happy reading!

Content Credit: Hossam Shady


Introduction

What is recon?

Reconnaissance, or recon, is gathering all possible information about the target you intend to hack: its location, IP addresses, open ports, running services, all of its subdomains, all of its directories, and so on.

This document covers only web applications: how to gather all possible information about a web application before you start hacking it.

Subdomain Enumeration:

Every domain has many subdomains; a large organization can have thousands of them.

1- https://securitytrails.com is a great site for enumerating possible subdomains of any domain or organization.

(screenshot: securitytrails.com)


As you can see in the screenshot, there are more than 171K subdomains for yahoo.com, and the site also provides more information about the domain, such as its DNS records (A, AAAA, CNAME, etc.). You can use the SecurityTrails API to gather all subdomains from the terminal, but it is paid, not free, so it is recommended only for recon of huge organizations.

2- https://subdomainfinder.c99.nl/ is a great site for gathering subdomains.

(screenshot: subdomainfinder.c99.nl)


As you can see, it gives you an option to copy all live subdomains. You can also use their API, but it is paid too.

3- amass, from GitHub: https://github.com/owasp-amass/amass

To use amass effectively you have to provide it with many API keys (take your time to gather all possible API keys, even if it takes a week). After installing amass, open its config file in a terminal:

nano $HOME/.config/amass/config.ini

and start adding API keys for data sources such as Shodan, Censys, Cloudflare, FOFA and many more.


After adding all the API keys you could gather, use amass as follows. First put all target domains in a file called domains.txt (or any other name):

amass enum -active -df domains.txt -config $HOME/.config/amass/config.ini -o amass_subdomains.txt

There are many other options; list them with amass enum -h

4- assetfinder, from GitHub: https://github.com/tomnomnom/assetfinder

This tool gathers subdomains passively:

cat domains.txt | assetfinder -subs-only

5- Virtual host (vhost) fuzzing

ffuf -u 'https://example.com' -H 'Host: FUZZ.example.com' -w Seclists/Discovery/DNS/top-1million-11.txt

After running the above command you will see many results with the same response size, e.g. 1301. That size is the server's default response for unknown hosts, so filter it out with -fs:

ffuf -u 'https://example.com' -H 'Host: FUZZ.example.com' -w Seclists/Discovery/DNS/top-1million-11.txt -fs 1301
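Picking the baseline size by eye is error-prone on long result lists. The following is an added example (not part of the original document) that reads ffuf's CSV output and does the "same size" triage described above automatically; it assumes the CSV header names the columns FUZZ and content_length, and the sample rows are constructed.

```shell
# Added example, not from the original document: triage ffuf's vhost results.
# Find the most common content_length (the "same size" baseline, here 1301)
# and print only the candidate hosts whose response differs from it; those are
# the results that survive once the baseline is filtered out with -fs.

# Constructed sample in the layout of ffuf's CSV output (ffuf ... -of csv).
# Columns are located by header name, so the exact column order is not assumed.
SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
www,https://example.com,,1,200,1301,50,20,text/html,10ms,
mail,https://example.com,,2,200,1301,50,20,text/html,11ms,
dev,https://example.com,,3,200,1301,50,20,text/html,9ms,
admin,https://example.com,,4,200,2245,80,33,text/html,12ms,
staging,https://example.com,,5,200,1301,50,20,text/html,10ms,
api,https://example.com,,6,302,0,0,0,,8ms,'

# baseline_length CSV -> prints the most frequent content_length value
baseline_length() {
    printf '%s\n' "$1" | awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "content_length") col = i; next }
        { count[$col]++ }
        END {
            best = ""
            for (len in count) if (best == "" || count[len] > count[best]) best = len
            print best
        }'
}

# vhost_outliers CSV -> prints the FUZZ values whose size is not the baseline
vhost_outliers() {
    base=$(baseline_length "$1")
    printf '%s\n' "$1" | awk -F, -v base="$base" '
        NR == 1 {
            for (i = 1; i <= NF; i++) { if ($i == "FUZZ") fz = i; if ($i == "content_length") col = i }
            next
        }
        $col != base { print $fz }'
}

vhost_outliers "$SAMPLE_CSV"   # prints admin and api, one per line
```

Run the real ffuf command with -of csv -o vhosts.csv and feed that file's contents to vhost_outliers; the value printed by baseline_length is the number to pass to -fs.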

After that, if you try to browse to a subdomain found via vhost fuzzing, it will not work, as in the screenshot:

You need to add the subdomain you found to /etc/hosts, pointing it at the main domain's IP. For example, ffuf.me => 138.68.165.164, so any subdomain you found should point to that same IP.

After adding the subdomain you found to /etc/hosts and pointing it at the origin domain's IP, save the file, go back to your browser and you can access the subdomain directly:


Observe that the page worked and the secret file was downloaded. You can practice more for free at http://ffuf.me

By now you have collected all possible subdomains. Put them in a file called subdomains.txt, then run the following command to remove duplicates:

cat subdomains.txt | sort -u > uniq_subs.txt
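Different tools print the same host in different ways (mixed case, a scheme, a trailing dot, a wildcard prefix), and some return hosts that are not under the target domains at all, so sort -u alone leaves duplicates and out-of-scope names. The following is an added example (not part of the original document) that normalizes the merged output before deduplicating and keeps only names under the root domains; the input lines and root list are constructed.

```shell
# Added example, not from the original document: merge the raw output of
# several subdomain tools into one clean, in-scope list.

# Constructed sample: lines as different tools print them
RAW_SUBS='WWW.Example.com
https://api.example.com/
*.dev.example.com
mail.example.com.
mail.example.com
cdn.other-site.net
shop.example.org'

# Constructed root domains, the same idea as the domains.txt used above
ROOTS='example.com
example.org'

# normalize_subs RAW ROOTS -> lowercased, deduplicated hostnames under ROOTS
normalize_subs() {
    printf '%s\n' "$1" \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e 's#^[a-z][a-z0-9+.-]*://##' -e 's#/.*$##' -e 's/^\*\.//' -e 's/\.$//' \
      | grep -E '^[a-z0-9.-]+$' \
      | awk -v roots="$2" '
          BEGIN { n = split(roots, r, "\n") }
          {
              for (i = 1; i <= n; i++) {
                  # keep the root itself or anything ending in ".root"
                  if ($0 == r[i] || substr($0, length($0) - length(r[i])) == "." r[i]) { print; break }
              }
          }' \
      | sort -u
}

normalize_subs "$RAW_SUBS" "$ROOTS"   # five in-scope hosts, each listed once
```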

After that, run httpx to keep only the live subdomains:

cat uniq_subs.txt | httpx -o httpx

After running httpx it's time for Part 2.

Part 2: Directory and File Enumeration

There are many ways to find directories and files.

1- dirb for directory enumeration:


dirb https://example.com

2- dirsearch for file enumeration:

dirsearch -u https://example.com

3- ffuf for fuzzing files and directories:

ffuf -u https://www.example.com/FUZZ -w wordlist/Seclists/Discovery/Web-Content/raft-medium-files.txt -mc 200,302,301 -t 1000

You can use other tools as well, such as gobuster, meg, etc.

Part 3: Parameter Fuzzing and Gathering

1- arjun

arjun -u https://www.example.com/file.php

2- paramspider

paramspider -l domains.txt -s

3- gospider

gospider -S domains.txt -o gospider


4- Burp Suite Param Miner

After installing the extension, go to the request and right click >> Extensions >> Param Miner >> Guess params >> Guess everything

Part 4: Collecting all URLs related to the target

Put the target URL(s) in urls.txt, e.g. https://example.com

1- waybackurls

cat urls.txt | waybackurls

2- Gau

cat urls.txt | gau

3- Katana

katana -list urls.txt -v -jc -o katana

4- hakrawler

cat urls.txt | hakrawler


Thanks for reading
