DIFFERENT METHODOLOGY TO RECON TARGETS
CAT RELOADED
~$ Eslam Akl
2020
$~:whoami
eslam3kl
Penetration tester
CAT Reloaded Cyber Security member
Python script lover, technical blogger and vuln machine attacker
$~:Agenda
- Hunting & penetration testing steps
- Recon types
- Before & after recon
- Recon based on scope
  - Small scope required information
  - Medium scope required information
  - Large scope required information
- Recommended options
- Simple methodology
- Automation framework 3klcon v1.0
- Practice on a real target
- Juicy links and resources
Hunting & Penetration testing Steps:
Recon / Information Gathering
Scanning
Vuln. Assessment
Post-Exploitation
Reporting
Recon Types:
1. Passive Recon
Collecting information about the target without any direct interaction with it: only third-party sources such as search engines, Shodan/Censys, GitHub and archived URLs are queried.
> Scanning the web application itself is not passive. We don't do that here D:
2. Active Recon
Sending traffic to the target itself: scanning the web application's domain, subdomains, acquisitions, servers, etc. The target can see and log this, so confirm it is allowed by the program rules first.
> Actually, we do that here :)
Before recon (what you start with):
- Company name
- Available scope
- User credentials to log in (more than one account, so you can test access control between users)
- Overview of the company's business, products and logic
- Information from the program page related to security purposes
After recon (what you should have):
- Subdomains
- ASN & acquisitions
- Service info
- Database info
- Backend technology used
- Information exposure
- Interesting directories & endpoints
- Juicy links which may be vulnerable
- More and more
Recon based on SCOPE
Small scope target > a single domain or subdomain
Ex. target.com / support.target.com / api.target.com
Medium scope target > a list of subdomains
Ex. *.target.com
Large scope target > every website and asset related to the company is in scope (acquisitions and the company's own IP ranges included), so the first job is finding out what the company actually owns. Anything the program does not explicitly list still stays out.
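The three scope sizes above are only useful if every host a recon pipeline discovers is checked against them before any active step touches it. The following is an added example, not code from the slides or from 3klCon: it parses program-page style scope entries (exact hosts, `*.wildcards`, and CIDR ranges such as those derived from an ASN lookup) and partitions discovered hosts into in-scope and out-of-scope. `SAMPLE_SCOPE` and `SAMPLE_HOSTS` are constructed; whether `*.target.com` also covers the apex `target.com` varies by program, so it is an explicit flag.

```python
"""Scope check for discovered hosts and IPs (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    hosts: set = field(default_factory=set)        # exact hostnames
    wildcards: set = field(default_factory=set)    # suffixes from "*.domain" entries
    networks: list = field(default_factory=list)   # IP ranges, e.g. from ASN lookups
    apex_in_wildcard: bool = True                  # assumption: *.x.com includes x.com

    @classmethod
    def parse(cls, entries, apex_in_wildcard=True):
        """Build a Scope from program-page style entries (hosts, *.wildcards, CIDRs)."""
        scope = cls(apex_in_wildcard=apex_in_wildcard)
        for raw in entries:
            entry = raw.strip().lower().rstrip(".")
            if not entry:
                continue
            if entry.startswith("*."):
                scope.wildcards.add(entry[2:])
                continue
            try:
                scope.networks.append(ipaddress.ip_network(entry, strict=False))
                continue
            except ValueError:
                pass                     # not an IP or CIDR, treat it as a hostname
            scope.hosts.add(entry)
        return scope

    def host_in_scope(self, host):
        """Exact hosts match exactly; wildcards match any depth of subdomain.

        'target.com.evil.net' and 'nottarget.com' must stay out of scope for
        '*.target.com', which is why the suffix check requires a leading dot.
        """
        host = host.strip().lower().rstrip(".")
        if host in self.hosts:
            return True
        for suffix in self.wildcards:
            if host.endswith("." + suffix):
                return True
            if self.apex_in_wildcard and host == suffix:
                return True
        return False

    def ip_in_scope(self, ip):
        """True when the address falls inside one of the listed ranges."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def split_by_scope(scope, hosts):
    """Partition discovered hosts; only the first list may feed active recon."""
    inside = [h for h in hosts if scope.host_in_scope(h)]
    outside = [h for h in hosts if not scope.host_in_scope(h)]
    return inside, outside


# Constructed program page: one exact host, one wildcard, one ASN-derived range
# and one acquisition listed without a wildcard.
SAMPLE_SCOPE = ["api.target.com", "*.target.com", "203.0.113.0/24", "target-acquired.com"]

# Constructed output of a subdomain enumeration run, look-alikes included.
SAMPLE_HOSTS = [
    "api.target.com",
    "dev.api.target.com",
    "target.com",
    "target.com.evil.net",
    "nottarget.com",
    "www.target-acquired.com",   # acquisition was listed as a bare host only
]

if __name__ == "__main__":
    scope = Scope.parse(SAMPLE_SCOPE)
    inside, outside = split_by_scope(scope, SAMPLE_HOSTS)
    print("in scope:    ", inside)
    print("out of scope:", outside)
    print("203.0.113.77 in scope:", scope.ip_in_scope("203.0.113.77"))
```

Note what the constructed data shows: `www.target-acquired.com` is out of scope because the program listed the acquisition as a bare hostname, not `*.target-acquired.com`. When a large-scope program page is ambiguous like this, ask before scanning rather than assume.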
Small scope required information
! All processes here are performed on one specific domain or subdomain
- Directory enum.
- GitHub dorking
- Server enum.
- Database enum.
- Google dorking for sensitive files
- Extract juicy vulnerable links with GF-Patterns
- Waybackurls enum.
- Parameter discovery
- Automated vulnerability scanning
- JS file analysis
- Backend enum.
- WAF detection
- GitHub search links
- Port scan
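JS file analysis is on every scope list above because client-side bundles leak the API surface the rest of the recon never sees. The following is an added example, not code from the slides or from 3klCon: it pulls relative endpoints, further script files to follow, absolute URLs and credential-looking assignments out of JavaScript source with a few regexes. `SAMPLE_JS` is a constructed snippet in the style of a bundled front end (the access key in it is AWS's documented placeholder value); the patterns are deliberately simple and will miss endpoints assembled by string concatenation at runtime.

```python
"""Static analysis of a JavaScript bundle for recon (added example)."""
import re

# A quoted string that starts with "/" is treated as a candidate endpoint.
ENDPOINT_RE = re.compile(r"""["'`](/[A-Za-z0-9_./-]*(?:\?[^"'`\s]*)?)["'`]""")
URL_RE = re.compile(r"""https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^"'`\s)]*)?""")
# key-like identifier assigned a quoted literal of 8+ chars: apiKey: "...", password = '...'
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password|aws[_-]?access[_-]?key[_-]?id)"""
    r"""\s*[:=]\s*["']([^"']{8,})["']"""
)
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".ico",
              ".woff", ".woff2", ".ttf", ".map")


def analyze_js(source):
    """Return endpoints, scripts to follow, absolute URLs and secret candidates."""
    endpoints, scripts = [], []
    for path in ENDPOINT_RE.findall(source):
        bare = path.split("?", 1)[0].lower()
        if bare.endswith(".js"):
            scripts.append(path)          # another file to run this analysis on
        elif bare.endswith(STATIC_EXT) or bare == "/":
            continue                      # images, fonts, stylesheets: no attack surface
        else:
            endpoints.append(path)
    return {
        "endpoints": sorted(set(endpoints)),
        "scripts": sorted(set(scripts)),
        "urls": sorted(set(URL_RE.findall(source))),
        "secrets": SECRET_RE.findall(source),   # list of (name, value) pairs
    }


# Constructed sample; the access key is AWS's documented placeholder value.
SAMPLE_JS = r"""
const API = "https://api.target.example/v2";
fetch(API + "/users/me", {headers: {Authorization: "Bearer " + token}});
axios.post("/internal/admin/export?format=csv", payload);
const config = { apiKey: "AKIAIOSFODNN7EXAMPLE", debug: "/debug/heapdump" };
let token = localStorage.getItem("t");
import("/static/chunks/admin.js");
const logo = "/static/img/logo.png";
"""

if __name__ == "__main__":
    for kind, items in analyze_js(SAMPLE_JS).items():
        print(kind, items)
```

Feed the `scripts` list back into `analyze_js` after fetching each file; lazily loaded chunks (admin panels, feature flags) are where the interesting endpoints usually hide. Every `secrets` hit needs manual confirmation: the regex only says a key-like name was assigned a literal, not that the literal is live.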
Medium scope required information
! All processes here are performed on all subdomains
- List of subdomains
- Subdomain takeover
- Misconfigured storage (S3 buckets)
- Directory enum.
- GitHub dorking
- GitHub search links
- Server enum.
- Google dorking for sensitive files
- Database enum.
- Waybackurls enum.
- Parameter discovery
- Automated vulnerability scanning
- JS file analysis
- Backend enum.
- Search engine discovery (Shodan, Spyse, Censys, etc.)
- Port scan
- WAF detection
Large scope required information
! All processes here are performed on all targets
- Seeds/roots
- ASN lookup to get IP ranges
- Acquisitions
- DNS & SSL enum.
- List of subdomains
- Subdomain takeover
- Misconfigured storage (S3 buckets)
- Directory enum.
- GitHub dorking
- GitHub search links
- Google dorking for sensitive files
- Waybackurls enum.
- Parameter discovery
- Automated vulnerability scanning
- JS file analysis
- Backend enum.
- Search engine discovery (Shodan, Spyse, Censys, etc.)
- Port scan
- WAF detection
- Database enum.
- Server enum.
Simple Methodology
Recommended options
- Don't perform all these steps manually. Automate them <3
- Let a remote machine discover vulnerabilities while you sleep: a VPS on Amazon or Google (check first that automated scanning is allowed by the program rules and by the provider's terms)
- Stay in touch with new tools and technologies to update your framework. Update it every week <3
- Use bash or Python to script any process that takes much time, like using regex to extract a specific pattern from data
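The recommendation above, applied to the waybackurls, parameter discovery and GF-Patterns steps from the scope lists, looks like this. It is an added example, not the slides' or 3klCon's code: a waybackurls-style list goes in, near-duplicates are collapsed by host, path and parameter names, parameter names are discovered, and the remaining URLs are tagged with GF-Patterns-style categories. `PATTERNS` is a small hand-picked approximation of the community gf pattern files, not the files themselves, and `SAMPLE` is a constructed list.

```python
"""Extract juicy parameterised URLs from a waybackurls-style list (added example)."""
import sys
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually deserve a manual look, grouped like gf patterns
# (hand-picked approximation, not the real pattern files).
PATTERNS = {
    "redirect": {"url", "next", "redirect", "redirect_uri", "return", "returnto",
                 "return_url", "dest", "destination", "redir", "goto", "continue"},
    "ssrf": {"url", "uri", "path", "dest", "host", "site", "callback", "fetch",
             "feed", "domain", "image_url", "proxy"},
    "sqli": {"id", "uid", "pid", "cat", "category", "order", "sort", "report",
             "filter", "select", "view", "column"},
    "lfi": {"file", "path", "page", "template", "include", "doc", "document",
            "folder", "dir", "root"},
    "xss": {"q", "s", "search", "query", "keyword", "name", "comment",
            "message", "lang", "ref", "term"},
}

SAMPLE = [  # constructed, in the shape of waybackurls output
    "https://target.example/login?next=/account",
    "https://target.example/login?next=/settings",
    "https://target.example/api/fetch?url=http://internal/ping",
    "https://target.example/static/app.css",
    "https://target.example/product?id=1",
    "https://target.example/product?id=2&ref=mail",
    "https://target.example/download?file=report.pdf",
    "https://target.example/search?q=shoes",
]


def param_names(url):
    """Lower-cased query parameter names of one URL (blank values kept)."""
    return {n.lower() for n in parse_qs(urlsplit(url).query, keep_blank_values=True)}


def parameterized_unique(urls):
    """Keep the first URL per (host, path, parameter-name set); drop unparameterised ones."""
    seen = {}
    for raw in urls:
        url = raw.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if not parts.query:
            continue                       # nothing to inject into
        key = (parts.netloc.lower(), parts.path, tuple(sorted(param_names(url))))
        seen.setdefault(key, url)
    return list(seen.values())            # dicts keep insertion order


def discover_params(urls):
    """Parameter discovery: every distinct parameter name across the list."""
    names = set()
    for url in urls:
        names |= param_names(url.strip())
    return sorted(names)


def classify(urls):
    """Map each category to the unique URLs carrying at least one matching parameter."""
    hits = {cat: [] for cat in PATTERNS}
    for url in parameterized_unique(urls):
        names = param_names(url)
        for cat, keywords in PATTERNS.items():
            if names & keywords:
                hits[cat].append(url)
    return hits


if __name__ == "__main__":
    # `waybackurls target.com | python3 juicy.py`, or run bare to use SAMPLE
    urls = SAMPLE if sys.stdin.isatty() else [l.strip() for l in sys.stdin if l.strip()]
    print("parameters:", ", ".join(discover_params(urls)))
    for cat, found in classify(urls).items():
        for url in found:
            print(f"[{cat}] {url}")
```

The de-duplication key is what keeps a multi-thousand-line wayback dump usable: the two `login?next=` lines collapse to one, while `product?id=1` and `product?id=2&ref=mail` both survive because their parameter sets differ. A URL can land in several categories (`url=` is both a redirect and an SSRF candidate), which mirrors how the real gf pattern files overlap.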
3klcon v2.0 Automation Recon framework
Link: https://github.com/eslam3kl/3klCon
That's enough! Let's PRACTICE!!
Juicy references and resources
GitHub dorking
https://www.bugcrowd.com/resources/webinars/github-recon-and-sensitive-data-exposure/
JS analysis
https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
Just another recon methodology from jhaddix
Just another Recon Guide for Pentesters and Bug Bounty Hunters | Offensity
Bug bounty hunting methodology v4.0 from jhaddix (recommended)
https://www.youtube.com/watch?v=p4JgIu1mceI
Active recon using Nmap, Metasploit, etc.
https://www.infopulse.com/blog/pentesters-training-and-practice-recon-active-information-gathering-and-vulnerability-search/
Don't forget! Google is your friend <3
Thank you <3
Stay in Touch !
Medium Blog | GitHub | Twitter
