My Recon

my recon methodology.

whois:

whois target.com

Banner Grabbing:

whatweb:

whatweb --no-errors target.com

curl:

curl -IL https://www.target.com

---

Subdomains Enumeration:

Listing:

subfinder:

subfinder -d domain.com -o output1.txt

assetfinder:

assetfinder -subs-only domain.com > output2.txt

crt.sh:

curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u

selecting only entries where the name_value field (which contains the domain or subdomain) includes the string " dev. " The -r flag tells jq to output raw strings.

ffuf:

ffuf -w wordlist.txt:FUZZ -u https://FUZZ.target.com/ > output3.txt

See SecLists for subdomains wordlists.

add all together:

cat output1.txt output2.txt output3.txt > allsubs.txt

sort -u allsubs.txt > finalsubs.txt

cat finalsubs.txt | wc -l

list live subs:

cat finalsubs.txt | httpx-toolkit > live.txt

cat live.txt | wc -l

get URLs:

katana -u https://one-of-the-live-subs.target.com -o urls.txt

shortcut:

use gau tool:

gau target.com > subs.txt
sort -u subs.txt > finalsubs.txt

get all URLs known by AlienVaultOTC, CommonCrawl, urlscan.io, and waybackmachine. "it will take some time"

---

Resources recon:

ffuf:

ffuf -w wordlist.txt:FUZZ -u https://target.com/FUZZ

See SecLists for common web content.

robots:

curl -L https://target.com/robots.txt

Well-Known URIs:

curl -L https://target.com/.well-known/openidcon-figuration

This endpoint returns a JSON document containing metadata about the provider's endpoints, supported authentication methods, token issuance, and more.

Scrapy:

pip3 install scrapy

wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip

unzip ReconSpider.zip

python3 ReconSpider.py http://target.com

Google Dorking:

• Proviesec list

• TakSec list

GitHub Dorking:

• Dorking Mindset

• techgaun list

WayBackMachine:

• WayBackMachine for crawling

---

Is there a WAF?

Wafw00f:

wafw00f target.com