Prerequisite – Art Of Reconnaissance
In the previous Art of Reconnaissance article, we covered the basic concepts of reconnaissance: what it is, why and where it is done, and how. In this article, we take the journey further by introducing some of the techniques one can use for reconnaissance. We also discuss tools created by experienced testers that help automate the reconnaissance process.
Road to Practical Reconnaissance
This section demonstrates how to start with the basics of reconnaissance and then dig deeper. Most of the tools are installed on Linux; the platform-independent ones are described as well. To get the most out of these automated scripts, you should be familiar with the basics of each tool, which can be learned from the tool's own description.
1. Wappalyzer –
Our very first tool for recon is Wappalyzer. Wappalyzer is an add-on available for both Chrome and Firefox. It detects, in real time, the technologies a web application uses: which web server it runs on (Apache, IIS, etc.), which frameworks or CMS the site is built on, and much more. This makes it easier to exploit weaknesses if the detected services are old.
As an alternative, you can use builtwith.com, which shows the same kind of results: enter the domain to test and you get a similar technology profile.
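To show what a tool like Wappalyzer actually does, here is an added example (not code from the Wappalyzer or BuiltWith projects) that matches a handful of header and HTML signatures against a constructed HTTP response. The signature table is an assumed, trimmed-down illustration of the kind of rules such add-ons carry; the response headers and body are made up for the example. From the defender's side, the same check tells you which exact versions your own server is announcing.

```python
import re
from typing import Dict, List

# Constructed sample HTTP response (not a real capture): a few headers plus a bit of HTML.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.4.2" />
<script src="/wp-content/themes/demo/script.js"></script>
</head><body></body></html>"""

# Assumed mini signature table in the spirit of Wappalyzer's rules: (regex, technology).
# Group 1, where present, captures a version string.
HEADER_SIGNATURES = {
    "Server": [
        (r"Apache/?([\d.]*)", "Apache"),
        (r"nginx/?([\d.]*)", "nginx"),
        (r"Microsoft-IIS/?([\d.]*)", "IIS"),
    ],
    "X-Powered-By": [
        (r"PHP/?([\d.]*)", "PHP"),
        (r"ASP\.NET", "ASP.NET"),
        (r"Express", "Express"),
    ],
    "Set-Cookie": [
        (r"PHPSESSID=", "PHP"),
        (r"ASP\.NET_SessionId=", "ASP.NET"),
        (r"JSESSIONID=", "Java"),
    ],
}
BODY_SIGNATURES = [
    (r'<meta name="generator" content="WordPress ?([\d.]*)"', "WordPress"),
    (r"/wp-content/", "WordPress"),
    (r'<meta name="generator" content="Drupal ?([\d.]*)"', "Drupal"),
]


def _version_of(m: "re.Match") -> str:
    """Return the captured version, or '' when the rule has no version group."""
    return m.group(1) if m.groups() and m.group(1) else ""


def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, str]:
    """Return {technology: version-or-''} detected from response headers and HTML body."""
    found: Dict[str, str] = {}
    for header_name, rules in HEADER_SIGNATURES.items():
        value = headers.get(header_name, "")
        for pattern, tech in rules:
            m = re.search(pattern, value, re.IGNORECASE)
            if m:
                # Keep an already-known version rather than overwriting it with ''.
                found[tech] = found.get(tech) or _version_of(m)
    for pattern, tech in BODY_SIGNATURES:
        m = re.search(pattern, body, re.IGNORECASE)
        if m:
            found[tech] = found.get(tech) or _version_of(m)
    return found


def leaking_versions(found: Dict[str, str]) -> List[str]:
    """Technologies whose exact version is exposed: the items a defender would consider suppressing."""
    return sorted(tech for tech, version in found.items() if version)


if __name__ == "__main__":
    detected = fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)
    for tech, version in sorted(detected.items()):
        print(f"{tech:<10} {version or '(version not exposed)'}")
    print("version leaks:", leaking_versions(detected))
```

Real add-ons carry thousands of such rules and also inspect script URLs, cookies and JavaScript globals, but the mechanism is the same: regular expressions over what the server voluntarily sends.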
2. Nmap –
Nmap stands for Network Mapper; it is used to scan networks for various purposes. In the recon phase we generally use Nmap to find open ports and services such as SSH, FTP, etc. Nmap gives us a vast scope for recon. It comes pre-installed in the Kali Linux distribution; on other systems it can be installed separately. We can use commands such as
nmap -A -T4 -p- url.com
In this command:
-T4 sets the timing template, which controls how aggressively Nmap sends its probes (parallelism and timeouts),
-A enables the aggressive scan options (OS detection, version detection, default scripts and traceroute), and
-p- scans all 65535 ports in order to look for open ones.
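Nmap can write its results as XML (`-oX`), which is the most convenient form to post-process. The following is an added example, not part of the article or of Nmap itself: it parses a constructed XML excerpt shaped like Nmap's output, builds an inventory of open ports per host, and flags anything outside an assumed allow-list, which is how a defender turns the same scan into an exposure check. The host address, services and the `ALLOWED_PORTS` policy are invented for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the shape of `nmap -oX` output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed exposure policy: ports an internet-facing host is allowed to have open.
ALLOWED_PORTS: Set[int] = {22, 80, 443}

# (port, service name, "product version") per host address.
Inventory = Dict[str, List[Tuple[int, str, str]]]


def parse_open_ports(xml_text: str) -> Inventory:
    """Build a per-host list of open ports from Nmap XML; closed/filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    inventory: Inventory = {}
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        entries: List[Tuple[int, str, str]] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                # Join product and version when Nmap's version detection (-sV / -A) filled them in.
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            entries.append((int(port.get("portid")), name, product))
        inventory[addr] = sorted(entries)
    return inventory


def policy_violations(inventory: Inventory, allowed: Set[int] = ALLOWED_PORTS) -> List[Tuple[str, int, str]]:
    """Open ports outside the allow-list: the findings a defender would want alerted on."""
    return [
        (addr, port, name)
        for addr, entries in inventory.items()
        for port, name, _ in entries
        if port not in allowed
    ]


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_NMAP_XML)
    for addr, entries in inv.items():
        for port, name, product in entries:
            print(f"{addr}:{port:<6} {name:<8} {product}")
    for addr, port, name in policy_violations(inv):
        print(f"VIOLATION {addr}:{port} ({name}) is open but not in the allow-list")
```

Run against a real file with `parse_open_ports(open("scan.xml").read())`; the same structure works for multi-host scans because the parser loops over every `<host>` element.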
3. Sublist3r –
Sublist3r is a subdomain-finding script that helps us discover the subdomains of a given domain. As a bug bounty hunter or a WAPT tester, one will always look at the subdomains rather than only the primary domain, so finding subdomains is one of the key steps when testing a web application. Sublist3r does that job. We can enumerate subdomains with the command
python3 sublist3r.py -d domain.com
which lists all the subdomains found for the target domain.
4. DirSearch / Dirbuster –
DirSearch is another Python-based tool, used to find the directories of a web application. Directories may include specific pages such as admin, API, dashboard and many more. DirSearch returns results very quickly and accurately. Kali Linux also ships a built-in tool from OWASP, DirBuster. The idea behind such tools is that they take a wordlist and brute-force it against the target domain, helping us find pages that are hidden or not easily reachable.
We can run DirSearch with the command:
python3 dirsearch.py -u domain.com -e php,aspx
where -e specifies the extensions to try (comma-separated); for example, -e php if we only want to find PHP pages.
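Because DirSearch and DirBuster work by requesting every wordlist entry, they leave a very characteristic trace in the web server's access log: one client, many distinct paths, mostly 404s, in a short window. The following added example (not part of the article or of either tool) implements that detection over a few constructed combined-format log lines. The IPs, paths, timestamps and the "dirsearch" user agent are invented for the sample, and the thresholds are assumed starting points to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed Apache/nginx combined-format log lines (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2020:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:03 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2020:13:56:00 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "dirsearch"
203.0.113.9 - - [10/Oct/2020:13:56:00 +0000] "GET /backup.php HTTP/1.1" 404 210 "-" "dirsearch"
203.0.113.9 - - [10/Oct/2020:13:56:01 +0000] "GET /config.php HTTP/1.1" 404 210 "-" "dirsearch"
203.0.113.9 - - [10/Oct/2020:13:56:01 +0000] "GET /dashboard.php HTTP/1.1" 404 210 "-" "dirsearch"
203.0.113.9 - - [10/Oct/2020:13:56:02 +0000] "GET /api.php HTTP/1.1" 404 210 "-" "dirsearch"
203.0.113.9 - - [10/Oct/2020:13:56:02 +0000] "GET /login.php HTTP/1.1" 200 1800 "-" "dirsearch"
"""

# Client IP, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce_sources(
    log_text: str, window_seconds: int = 60, min_requests: int = 5, min_404_ratio: float = 0.6
) -> List[str]:
    """Return client IPs that, within any window, hit many distinct paths with mostly 404 responses."""
    per_ip: Dict[str, List[Dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window starting at each request; flag the IP the first time it qualifies.
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if (r["ts"] - start["ts"]).total_seconds() <= window_seconds]
            distinct_paths = {r["path"] for r in window}
            if len(window) < min_requests or len(distinct_paths) < min_requests:
                continue
            ratio_404 = sum(1 for r in window if r["status"] == 404) / len(window)
            if ratio_404 >= min_404_ratio:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for ip in find_bruteforce_sources(SAMPLE_LOG):
        print(f"possible directory brute-force from {ip}")
```

The rule keys on behaviour (distinct paths and the 404 ratio) rather than the user-agent string, since the latter is trivially changed with a command-line flag; the user agent is only kept in the sample to make the lines readable.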
5. Aquatone –
Aquatone is another well-known tool for enumerating subdomains, but it also helps a tester check for subdomain takeover vulnerabilities, if any exist in the web application. Aquatone does a decent job of scanning ports, collecting HTTP headers and taking screenshots of web pages, which gives us a broad view of the target so we can plan the attack accordingly.
The methods and techniques described in this article are for beginners who are just getting into web application testing, so that they get accurate results and save their precious time. We can also use Google Dorking, as described in Part 1 of this recon series, Shodan and other methods. These are some of the reliable resources on which almost 75% of decent testers rely for automating the reconnaissance process.