
Art Of Reconnaissance | Techniques for beginners

Last Updated : 07 Sep, 2020

Prerequisite – Art Of Reconnaissance

In the previous Art of Reconnaissance article, we covered the basic concepts of Reconnaissance: what it is, why and where it is done, and how. In this article we take the journey further by introducing some of the techniques one can use for Reconnaissance. We will also discuss tools written by experienced testers that help automate the reconnaissance process.

Road to Practical Reconnaissance

This section shows how to start with the basics of Reconnaissance and then dig deeper. Obviously, we will need Linux to install most of our tools; however, several tools are platform-independent, and we describe those too. To get the most out of these automated scripts, one should be familiar with the basics of each tool, which can be picked up easily from the tool's own description.

1. Wappalyzer –

Our very first tool for Recon is Wappalyzer. Wappalyzer is an add-on available for both Chrome and Firefox. What this add-on does is detect, in real time, the technologies a web application uses: which server it runs on (Apache, IIS, etc.), which frameworks or CMS the website is built with, and a lot more. This helps you exploit things more easily if the services are old.

As an alternative, you can use builtwith.com, which shows the same kind of results: enter the domain to test and you get similar output.
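
The signals Wappalyzer and builtwith.com read are mostly plain response headers and cookie names. The following added example (not code from the original article or from either tool) parses a constructed HTTP response and reports which headers give the stack away, so you can audit your own servers for the same disclosures before a tester does; the header and cookie tables are an assumed, partial list.

```python
# Constructed sample response (not captured from any real host); only the headers matter.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Response headers that routinely disclose the server stack, and what each reveals (assumed list).
DISCLOSING_HEADERS = {
    "server": "web server software and version",
    "x-powered-by": "application runtime (PHP, ASP.NET, Express, ...)",
    "x-aspnet-version": "ASP.NET framework version",
    "x-generator": "CMS or site generator",
}

# Session cookie names that identify a platform even when the headers above are stripped.
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
    "laravel_session": "Laravel",
}

def parse_headers(raw):
    """Split a raw HTTP response into its status line and a list of (name, value), names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, _, rest = head.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        name, _, value = line.partition(":")
        if name and value:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def fingerprint(raw):
    """Return (evidence, what_it_reveals) pairs: the same signals a Wappalyzer-style scan reads."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            findings.append((f"{name}: {value}", DISCLOSING_HEADERS[name]))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_FINGERPRINTS:
                findings.append((f"cookie {cookie_name}", COOKIE_FINGERPRINTS[cookie_name]))
    return findings
```

Removing or neutralising the Server and X-Powered-By headers and renaming the session cookie are the usual mitigations; re-running fingerprint() on the new response confirms the change.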

2. Nmap –

Nmap stands for Network Mapper; it is used to scan networks for various purposes. In the Recon phase, we generally use Nmap to scan for open ports and services such as SSH, FTP, etc. Nmap gives us a vast scope for Recon. Nmap comes pre-installed in the Kali Linux distribution; on other distributions it has to be installed. We can use commands such as “nmap -A -T4 -p- url.com”.
In this command, -T4 stands for Threads, -A stands for scan everything, and -p- means scan all 65535 ports in order to look for open ones.

3. Sublist3r –

Sublist3r is a subdomain-finding script that helps us discover the subdomains of a given domain. As a bug bounty hunter or a WAPT tester, one will always go for the subdomains rather than only the primary domain, so finding subdomains is one of the key steps when testing a web application. Sublist3r does the job here. We can enumerate subdomains with the command “python3 sublist3r.py -d domain.com”, which lists all the subdomains of the target domain.

4. DirSearch / Dirbuster –

DirSearch is another Python-based tool used to find the directories of a web application. Directories may include specific web pages such as admin, API, dashboard and many more. DirSearch returns results very fast and accurately. Kali Linux also ships a built-in tool from OWASP, DirBuster. The concept behind such tools is that they take a wordlist and brute-force it against the target domain, helping us find pages that are hidden or not easily accessible.
We can run DirSearch with the command “python3 dirsearch.py -u domain.com -e php,aspx”, where -e specifies the extensions to try, e.g. -e php if we only want to find PHP pages.
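
Because DirSearch and DirBuster work by walking a wordlist, they leave a very recognisable trace: one client producing a burst of 404s on many different paths within seconds. The following added example (not code from the original article or from either tool) runs that detection over a few constructed Apache/nginx combined-format log lines; the window and threshold values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed access-log sample: one client walking a wordlist, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Sep/2020:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "python-requests/2.24"
203.0.113.7 - - [07/Sep/2020:10:00:01 +0000] "GET /api HTTP/1.1" 404 196 "-" "python-requests/2.24"
203.0.113.7 - - [07/Sep/2020:10:00:02 +0000] "GET /dashboard HTTP/1.1" 404 196 "-" "python-requests/2.24"
203.0.113.7 - - [07/Sep/2020:10:00:02 +0000] "GET /backup.php HTTP/1.1" 404 196 "-" "python-requests/2.24"
203.0.113.7 - - [07/Sep/2020:10:00:03 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "python-requests/2.24"
198.51.100.9 - - [07/Sep/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Sep/2020:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}

def detect_bruteforce(lines, window_seconds=10, threshold=5):
    """Flag client IPs that hit `threshold` or more distinct missing paths within `window_seconds`.
    Returns {ip: peak number of distinct 404 paths seen in one window}."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) of its recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()   # slide the window forward
        distinct = {path for _, path in q}
        if len(distinct) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(distinct))
    return flagged
```

A single user following a broken link produces one or two 404s, so counting distinct paths per window separates wordlist scans from ordinary browsing far better than a raw 404 count.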

5. Aquatone –

Aquatone is another well-known tool for enumerating subdomains, but it also helps a tester check specifically for subdomain takeover vulnerabilities, if any exist in the web application. Aquatone does a decent job of scanning ports and HTTP headers and taking screenshots of the web pages, which gives us a broad view of the target so we can attack it accordingly.
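
The condition Aquatone is looking for is a subdomain whose CNAME still points at a provider hostname that no longer resolves. The following added example (not code from the original article or from Aquatone) audits a constructed zone for exactly that, following CNAME chains and guarding against loops; the zone data and the EXTERNAL resolver table are constructed stand-ins for real DNS lookups.

```python
# Constructed zone data and external resolver answers; not taken from any real domain.
# .invalid is a reserved TLD, so these targets can never resolve for real.
ZONE = {
    "www.example.com": ("A", "192.0.2.10"),
    "blog.example.com": ("CNAME", "old-blog.example-hosting.invalid"),
    "shop.example.com": ("CNAME", "shop.example-cdn.invalid"),
    "static.example.com": ("CNAME", "shop.example.com"),
    "loop1.example.com": ("CNAME", "loop2.example.com"),
    "loop2.example.com": ("CNAME", "loop1.example.com"),
}
# What a resolver answers for names outside our zone: an address, or None for NXDOMAIN.
EXTERNAL = {
    "old-blog.example-hosting.invalid": None,   # provider deleted the resource
    "shop.example-cdn.invalid": "198.51.100.20",
}

def resolve_chain(name, zone, external, max_hops=8):
    """Follow CNAMEs from `name`. Returns (last_name, status) with status one of
    'resolves', 'nxdomain' or 'loop' (a chain longer than max_hops counts as a loop).
    Names in `zone` are answered locally; anything else is looked up in the
    `external` table, where a real tool would query DNS."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return current, "loop"
        seen.add(current)
        if current in zone:
            rtype, value = zone[current]
            if rtype != "CNAME":
                return current, "resolves"
            current = value
        elif external.get(current) is None:
            return current, "nxdomain"
        else:
            return current, "resolves"
    return current, "loop"

def find_takeover_candidates(zone, external):
    """A subdomain is a candidate when its CNAME chain ends at a name that no longer resolves:
    the record still points at a provider, but the resource behind it is gone."""
    candidates = []
    for name, (rtype, _) in zone.items():
        if rtype == "CNAME":
            target, status = resolve_chain(name, zone, external)
            if status == "nxdomain":
                candidates.append((name, target))
    return candidates
```

Running this against your own zone file on a schedule, and deleting the stale CNAME (or reclaiming the provider resource) as soon as it is reported, closes the window Aquatone would otherwise find.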


Conclusion –
The methods and techniques described in this article are for beginners who are just getting into Web Application Testing, so that they get accurate results and save their precious time. We can also use Google Dorking, as described in Part 1 of Recon, Shodan and other methods. These are some reliable resources on which almost 75% of decent testers rely for automating the Reconnaissance process.

