Reconnaissance - the practice of collecting information about a target before acting on it. The term is borrowed from military language, where it means scouting enemy territory before an operation.
Introduction:
In the ever-evolving landscape of cybersecurity, reconnaissance stands as the first crucial step towards understanding and defending against potential threats. It is the process of gathering information about a target system, network, or organization, providing a foundation for subsequent stages of an attack or defense. This blog post delves into the world of reconnaissance, shedding light on its significance, techniques, and best practices.
I. The Significance of Reconnaissance:
A. Understanding the Attack Surface:
1. Definition of Attack Surface
2. Importance of a Comprehensive View
B. Target Profiling:
1. Identifying Weaknesses and Vulnerabilities
2. Gaining Insight into Organizational Structure
C. Reducing Attack Footprint:
1. Minimizing Exposure to Threat Actors
2. Proactive Defense Strategies
II. Passive vs. Active Reconnaissance:
A. Passive Reconnaissance:
1. Definition and Scope
2. Tools and Techniques
B. Active Reconnaissance:
1. Definition and Scope
2. Tools and Techniques
III. Techniques for Effective Reconnaissance:
A. OSINT (Open-Source Intelligence):
1. Leveraging Publicly Available Information
2. Ethical Considerations
B. DNS Enumeration:
1. Unearthing Subdomains
2. Extracting Valuable Information
C. Subnet Discovery:
1. Identifying IP Ranges
2. Mapping Network Topology
D. Social Engineering:
1. Gathering Information through Human Interaction
2. Mitigating Social Engineering Threats
IV. Reconnaissance Tools of the Trade:
A. Shodan:
1. Scanning the Internet of Things (IoT)
2. Extracting Vulnerability Data
B. Maltego:
1. Visualizing Information Relationships
2. Creating Comprehensive Profiles
C. theHarvester:
1. Email and Subdomain Enumeration
2. Extracting Contact Information
D. Recon-ng:
1. Full-Featured Reconnaissance Framework
2. Automating Information Gathering
V. Best Practices for Ethical Reconnaissance:
A. Compliance with Legal and Ethical Standards:
1. Understanding Privacy Laws
2. Avoiding Unauthorized Access
B. Continuous Monitoring and Updating:
1. Staying Abreast of Changes
2. Adapting to New Technologies
C. Reporting and Documentation:
1. Structured Reporting of Findings
2. Archiving Information for Future Reference
Conclusion:
Reconnaissance forms the bedrock of any successful cybersecurity strategy. By understanding its techniques, tools, and ethical considerations, security professionals can bolster their defenses and stay one step ahead of potential threats. With continuous refinement and adherence to best practices, reconnaissance becomes a powerful weapon in the arsenal against cyber adversaries.
Reconnaissance - Part 1
Active Reconnaissance - the tester interacts directly with the target's systems (port scans, HTTP probes, brute forcing), so the activity can show up in the target's logs.
Passive Reconnaissance - information is gathered from third-party sources (certificate logs, search engines, web archives, DNS datasets) without sending traffic to the target.
Scope notation: *.hackerone.com - the asterisk is a wildcard, so every subdomain of hackerone.com is in scope. A host that merely contains the string (for example hackerone.com.example.net) is not.
1.Subdomain Enumeration
1.Subfinder - subfinder -d hackerone.com -all -silent
2.amass - amass enum -passive -norecursive -d hackerone.com | tee amass.txt
3.assetfinder - assetfinder -subs-only hackerone.com
4.sublist3r - python3 sublist3r.py -d hackerone.com | tee sublist.txt
5.Findomain
6.frogy
7.Knockpy (brute forcing subdomain names from a wordlist)
8.DNSGEN (generates permutations of the names already found, to be resolved afterwards)
Subdomain enumeration using websites:
1.https://www.virustotal.com
2.censys (https://search.censys.io)
3.https://chaos.projectdiscovery.io/#/
4.https://crt.sh (certificate transparency logs; wildcard entries such as *.hackerone.com appear here)
2.Finding live subdomains
1.httpx - cat allsubdomain.txt | /home/kali/go/bin/httpx -status-code -title -tech-detect
(the full path is used because on Kali the Python httpx client also installs an httpx command; the one needed here is ProjectDiscovery's Go binary)
2.httprobe - cat allsubdomain.txt | httprobe
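The enumeration tools above overlap heavily and emit hosts in slightly different shapes (upper case, wildcard certificate entries, trailing dots, scheme or port attached), and anything fed to httpx should first be checked against the wildcard scope. The script below is an added example, not code from the original post: it normalises and de-duplicates tool output, filters it against a *.apex scope, and only then hands the survivors to httpx. The sample lines in demo_hosts are constructed; the tool names and flags are the ones used on this page, and the httpx path is an assumption you can override with HTTPX=.

```shell
#!/bin/sh
# Added example, not from the original post: consolidate the output of
# several subdomain tools into one de-duplicated, in-scope list, then
# (online, optional) hand it to httpx. The sample tool output in demo_hosts
# is constructed for illustration.

# normalize_hosts: lower-case, strip scheme/path/port, a leading "*." from
# wildcard certificate entries and a trailing dot from DNS output, keep only
# syntactically valid hostnames, de-duplicate. stdin -> stdout.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
  | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##' -e 's/^\*\.//' -e 's/\.$//' \
  | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
  | LC_ALL=C sort -u
}

# in_scope APEX: keep APEX itself and anything that ends in ".APEX".
# "hackerone.com.evil.example" or "nothackerone.com" contain the string but
# are NOT *.hackerone.com, so they are dropped.
in_scope() {
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$apex" | sed 's/\./\\./g')   # escape dots for grep -E
  grep -E "(^|\.)${pat}\$"
}

# probe_live: online step. Needs ProjectDiscovery's httpx; on Kali the
# Python httpx client also ships an "httpx" command, so the Go binary is
# addressed by path (assumed location, override with HTTPX=/path/to/httpx).
probe_live() {
  "${HTTPX:-$HOME/go/bin/httpx}" -silent -status-code -title -tech-detect
}

# demo_hosts: constructed sample lines of the kind the tools above emit.
demo_hosts() {
  cat <<'EOF'
HACKERONE.COM
www.hackerone.com
*.hackerone.com
https://api.hackerone.com/
docs.hackerone.com.
mta-sts.hackerone.com:443
hackerone.com.evil.example
nothackerone.com
www.hackerone.com

EOF
}

# Usage: sh recon.sh --run hackerone.com   (runs the real tools, online)
#        sh recon.sh                       (offline demo on the sample data)
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  { subfinder -d "$2" -all -silent
    assetfinder -subs-only "$2"
    amass enum -passive -norecursive -d "$2"
  } | normalize_hosts | in_scope "$2" | tee allsubdomain.txt | probe_live
else
  demo_hosts | normalize_hosts | in_scope hackerone.com
fi
```

On the constructed sample, nine raw lines collapse to seven unique hosts, and the scope filter keeps five (api, docs, mta-sts, www and the apex itself); the two look-alike names are discarded before anything is probed, which is the point of filtering before httpx rather than after.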
URL extraction from the internet (web archives, Common Crawl, crawling the live site)
1.gau - echo "hackerone.com" | gau | tee urls.txt
2.Gospider - gospider -s https://hackerone.com
Finding parameters
1.Paramspider - paramspider -d example.com (pulls parameter names from archived URLs)
2.Arjun - discovers hidden parameters by brute forcing names from a wordlist against an endpoint
Reconnaissance - Part 2
1.archive.org (Wayback Machine, for browsing historical snapshots of a site by hand)
2.waybackurls:
echo "hackerone.com" | waybackurls
Sorting URLs by likely vulnerability class
Tools:
GF
GF-Patterns (pattern sets that grep for parameter names typical of open redirect, SSRF, LFI, XSS and so on)
Replacing parameter values with a payload
qsreplace
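The gf + qsreplace step is easy to use as a black box but worth understanding, because both tools are essentially pattern matching on the query string. The script below is an added example and not the gf or qsreplace code: gf_like keeps URLs whose parameter names hint at a class (a small constructed subset of what the real gf pattern files match), and qs_replace swaps every parameter value for a payload the way qsreplace does. The URLs in demo_urls are constructed sample input of the kind gau or waybackurls return.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stand-in for the
# gf + qsreplace step. gf_like keeps URLs whose parameter names hint at a
# vulnerability class (a small constructed subset of the real gf patterns),
# qs_replace swaps every parameter value for a payload the way qsreplace
# does. demo_urls is constructed sample input.

# gf_like CLASS: stdin URLs -> those carrying a parameter named like CLASS.
gf_like() {
  case $1 in
    redirect) names='url|redirect|redirect_uri|next|return|return_to|dest|continue' ;;
    ssrf)     names='url|uri|host|callback|feed|target|proxy|dest' ;;
    lfi)      names='file|path|page|include|document|template|dir' ;;
    *) echo "gf_like: unknown class $1" >&2; return 2 ;;
  esac
  # the name must start right after ? or & and be followed by =
  grep -Ei "[?&](${names})="
}

# qs_replace PAYLOAD: for every URL with a query string, keep each
# parameter name and replace its value with PAYLOAD. URLs without a query
# string are dropped because there is nothing to inject into.
qs_replace() {
  awk -v p="$1" '
    {
      q = index($0, "?")
      if (q == 0) next
      base = substr($0, 1, q)           # up to and including "?"
      n = split(substr($0, q + 1), kv, "&")
      out = ""
      for (i = 1; i <= n; i++) {
        split(kv[i], pair, "=")         # pair[1] is the name; value ignored
        out = out (i > 1 ? "&" : "") pair[1] "=" p
      }
      print base out
    }'
}

# demo_urls: constructed lines of the kind gau/waybackurls return.
demo_urls() {
  cat <<'EOF'
https://hackerone.com/login?redirect_uri=https://hackerone.com/dashboard
https://hackerone.com/reports?page=2&sort=new
https://hackerone.com/fetch?url=http://169.254.169.254/
https://hackerone.com/static/app.js
https://hackerone.com/download?file=report.pdf
EOF
}

# Usage: cat urls.txt | gf_like redirect | qs_replace 'https://attacker.example'
# Offline demo on the constructed sample:
demo_urls | gf_like redirect | qs_replace 'https://attacker.example'
```

Two caveats the real tools share: a parameter name such as url lands in more than one class (here both redirect and ssrf), so the classes are hints for manual review rather than findings, and every value is replaced, so a URL with several parameters needs one run per payload position if you want to isolate which parameter reacts.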
Footprinting websites:
1.Whatweb (technology fingerprinting from the command line)
2.Site report (https://sitereport.netcraft.com) - hosting, technology and history of a site
3.Subdomains (https://searchdns.netcraft.com)
4.securityheaders.com - grades the HTTP response headers; a missing X-Frame-Options or CSP frame-ancestors directive shows clickjacking exposure
5.https://whois.domaintools.com (registration and ownership data)
6.https://mxtoolbox.com/dmarc.aspx (SPF/DMARC records, i.e. how easily the domain can be spoofed)
7.https://www.ssllabs.com (SSL/TLS configuration)
8.https://osintframework.com/ (index of OSINT sources)
Browser extensions:
1.wappalyzer
2.retire-js
3.shodan
4.knoxss
WAF identification:
wafw00f
Subdomain takeover:
subjack (checks CNAME records pointing at third-party services that are no longer claimed)
Fuzzing (content discovery):
ffuf
Dirsearch
Port scanning
nmap
naabu
masscan
Visual recon (screenshots of the live hosts, to triage hundreds of them quickly):
aquatone
EyeWitness
Google dork (https://dorks.faisalahmed.me)
github dork (https://vsec7.github.io/)
shodan dork (https://github.com/lothos612/shodan)
Vulnerability scanning:
WPScan - scanning WordPress sites
nuclei - template-based vulnerability scanner
Manual recon (walking through the application's functionality by hand, which no tool replaces)