"Different methodology to Recon your targets" is a technical session which was presented at the CAT Reloaded CyberSecurity circle.
Eslam Akl
Penetration tester
Agenda
Hunting & Penetration testing steps
Recon types
Before & after recon
Recon based on SCOPE
Small scope required information
Medium scope required information
Large scope required information
Recommended options
Simple methodology
Automation framework 3klcon v1.0
Practice on a real target
Juicy links and resources
Recon Types
1. Passive Recon: collecting information about the target without any type of interaction with it.
> Scan the web application itself? We don't do that here D:
2. Active Recon: scanning the web application's domain, subdomains, acquisitions, servers, etc.
> Actually, we do that here :)
Before Recon / After Recon
Before recon:
Company name
Available scope
User credentials to log in (more than one account)
Overview about the company business, works and logic
Information from the program page related to security purposes
After recon:
Subdomains
ASN & acquisitions
Service info
Database info
Backend technology used
Information exposure
Interesting directories & endpoints
Juicy links which may be vulnerable
More and more
Recon based on SCOPE
Small scope target > a domain or subdomain
Ex. target.com / support.target.com / api.target.com
Medium scope target > a list of subdomains
Ex. *.target.com
Large scope target > all websites related to the company are in scope
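The three scope shapes above decide which discovered hosts may be touched at all, so the first thing to script is a scope check that runs over raw recon output before any active step. The block below is an added example written for this page, not code from the talk or from 3klcon; target.com, the host lists and the 203.0.113.0/24 range (a documentation network standing in for an ASN-derived block) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Scope:
    """A program's scope in the three shapes the talk distinguishes."""
    hosts: set = field(default_factory=set)       # small: exact hosts, e.g. api.target.com
    wildcards: set = field(default_factory=set)   # medium: wildcard entries, e.g. *.target.com
    networks: list = field(default_factory=list)  # large: IP ranges, e.g. from ASN lookups
    excluded: set = field(default_factory=set)    # hosts the program explicitly excludes

def classify(candidate, scope):
    """Return "small", "medium" or "large" for an in-scope host/IP, else None."""
    name = candidate.strip().lower().rstrip(".")  # normalise case and trailing dot
    if name in scope.excluded:
        return None
    if name in scope.hosts:
        return "small"
    for wildcard in scope.wildcards:
        # "*.target.com" -> ".target.com"; the leading dot stops "evil-target.com"
        # and "target.com.attacker.example" from matching
        if name.endswith(wildcard.lower().lstrip("*")):
            return "medium"
    try:
        address = ipaddress.ip_address(name)
    except ValueError:  # not an IP literal and no host rule matched
        return None
    return "large" if any(address in net for net in scope.networks) else None

# Constructed sample program (not a real target): the talk's target.com plus the
# 203.0.113.0/24 documentation range standing in for an ASN-derived IP block.
SAMPLE_SCOPE = Scope(
    hosts={"target.com", "support.target.com"},
    wildcards={"*.target.com"},
    networks=[ipaddress.ip_network("203.0.113.0/24")],
    excluded={"legacy.target.com"},
)

def triage(candidates, scope=SAMPLE_SCOPE):
    """Split raw recon output into in-scope hosts (tagged with the admitting rule)
    and out-of-scope hosts that must be dropped before any active step."""
    in_scope, out_of_scope = {}, []
    for candidate in candidates:
        rule = classify(candidate, scope)
        if rule is None:
            out_of_scope.append(candidate)
        else:
            in_scope[candidate] = rule
    return in_scope, out_of_scope
```

Feed `triage` the deduplicated output of subdomain enumeration and ASN range lookups; only the in-scope half goes on to the active steps listed in the following slides.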
Small Scope required information
! All processes here will be performed on a specific subdomain
Directory enum.
GitHub dorking
Server enum.
Database enum.
Google dorking for sensitive files
Extract juicy vulnerable links with GF-Patterns
Waybackurls enum.
Parameter discovery
Automated vulnerability scanning
JS file analysis
Backend enum.
WAF detection
GitHub search links
Port scan
Medium Scope required information
! All processes here will be performed on all subdomains
List of subdomains
Subdomain takeover
Misconfiguration in storage (S3 buckets)
Directory enum.
GitHub dorking
GitHub search links
Server enum.
Google dorking for sensitive files
Database enum.
Waybackurls enum.
Parameter discovery
Automated vulnerability scanning
JS file analysis
Backend enum.
Search engine discovery (Shodan, Spyse, Censys, etc.)
Port scan
WAF detection
Large Scope required information
! All processes here will be performed on all targets
Seeds/roots
ASN to get IP ranges
Acquisitions
DNS & SSL enum.
List of subdomains
Subdomain takeover
Misconfiguration in storage (S3 buckets)
Directory enum.
GitHub dorking
GitHub search links
Google dorking for sensitive files
Waybackurls enum.
Parameter discovery
Automated vulnerability scanning
JS file analysis
Backend enum.
Search engine discovery (Shodan, Spyse, Censys, etc.)
Port scan
WAF detection
Database enum.
Server enum.
Recommended options
Don't perform all these steps MANUALLY! Automate it <3
Let your remote machine discover vulnerabilities while you sleep: VPS machines via Amazon or Google.
Stay in touch with new tools and technologies to update your framework! Update it every week <3
Use bash or Python to script any process which may take much time, like using a regex to extract a special pattern of data.