My Recon Methodology (ep 1)

Recon is the process by which you collect more information about your target, like subdomains, links, open ports, hidden directories, service information, etc.

In this series, I will explain my Web Recon Methodology in my blog and separate it into parts

What is the purpose of recon?

Reconnaissance is the act of gathering information before attempting a hack. It involves identifying server information, hosting information, and WAF providers.

Map attack surface. More applications/features more bug

Some Important Notes

📌 NOTE for Hackers

If your bug bounty methodology relies on recon, then you’ll be getting a lot of duplicates. The top bug bounty hunters have moved away from the craze of relying on super duper recon frameworks. Now they’re looking for high-impact bugs that others overlook. I listened to a recent podcast episode with Youssef Sammouda, who regularly earns 30 to 60k bounties on Facebook/Meta for account takeover vulnerabilities. He doesn’t bother doing recon and said it results in low severity and duplicates.

Recon based scope

Depending on your security testing engagement (bounty, pentest, etc.) it’s important to understand your scope and what kind of testing you prefer to do.

Let’s Explain This

Bug bounty is theoretically not limited in time and The scope is Bigger than Pentest. If a hacker finds a vulnerability in a product subject to a bug bounty, he can submit a report throughout the year to claim a reward There is Some Bug bounty can’t count their assets in scope (so many assets)
they tell you any product of us is in scope
Like Sony, IBM ATT, Etc

sony

IBM

In pentest, on the other hand, is by nature time-bound. It is conducted over a period decided beforehand; most often 1 to 3 weeks depending on the scope.

Scope in Pentest can be A single test domain, not the main domain

The client creates a sub-domain like this for testing

testing.client.com

Or Give u VPN credentials to do pentest on the app

Some Recon Process In bug bounty activities can’t do it in Pentest

Like Subdomain-Enumeration or Discover new Assets because u have specific domains and can’t do any activities out of scope And

U can’t Use the archive machine in Crawling because this domain is new and created for the test so you can’t crawl via the archive

But there Are many processes included in both of them Like

Fuzzing, JS recon, Parameter Discovery, Port Scanning, Narrow Recon, Etc

narrow recon, which allows you to focus on specific technologies and infrastructure endpoints And Application Flow

After This long intro Let’s Start with the Recon process

Assets Discovery

More Assets More data

Acquisitions

an acquisition is a transaction wherein one company purchases most or all of another company’s shares to gain control of that company. Acquisitions are common in business and may occur with or without the target company’s approval.

So if we have A bug bounty program have a scope like this lovely scope

Any Asset = Any Product for the company

Suppose this company is a big company in its field she may have bought some of the companies to include

Okay, how to check the Acquisitions?

• Crunchbase

Crunchbase is a platform used for discovering and tracking innovative companies, startups, investors, and other related entities. It provides information about funding rounds, acquisitions, key personnel, and other relevant data about companies across various industries. Users can access Crunchbase to research market trends, identify investment opportunities, track competitors, and gather insights into the startup ecosystem. It’s widely used by entrepreneurs, investors, journalists, and analysts for market intelligence and networking purposes.

After Creating an account in Crunchbase Let’s choose a Random Company

You can See the Acquisitions when you just search about the company

tracxn.com

Tracxn is a platform that provides insights and data analytics related to startups, emerging companies, and sectors across the globe. It offers information on startups, including their funding details, products, technology stack, industry trends, and more. Tracxn’s platform caters to various stakeholders such as investors, corporates, and entrepreneurs who seek to understand the startup landscape and identify potential investment or partnership opportunities. It uses machine learning algorithms and human analysts to curate and update its database, providing users with comprehensive and up-to-date information on the startup ecosystem.

when you search about the company you will Acquisitions in the sidebar

• owler.com

Owler is a platform that offers real-time business insights and competitive intelligence about companies, including news, financial data, and industry trends. Users can access company profiles and competitive analysis to stay informed about the market landscape. Like Cruchbase and tracxn you can see the Acquisitions via it

Whois data

WHOIS data refers to information about domain name registrations.

When someone registers a domain name, they are required to provide contact information such as their name, address, email address, and phone number. This information is stored in a publicly accessible database called the WHOIS database.

Here’s how you can use WHOIS data for reconnaissance:

• Identifying domain ownership: WHOIS data can help you determine who owns a particular domain name. This information can be valuable when you need more root domains
• Gathering intelligence: WHOIS data can be used as part of reconnaissance efforts to gather information about organizations, individuals, or businesses. By analyzing WHOIS records, you can uncover relationships between different domains, identify potential targets for further investigation, or assess the legitimacy of a website or online presence.
• Detecting malicious activity: WHOIS data can help identify and investigate potentially malicious domains. By analyzing WHOIS records, they can look for suspicious patterns or inconsistencies that may indicate malicious intent.

Let’s Try it with whoisxmlapi.com

Login | WhoisXML API

tools.whoisxmlapi.com/whois-search

You can See domain name registration info

We Can Now do a reverse whois okay let’s explain

we say Above there is a “WHOIS database” The reverse WHOIS process is so simple

If you have data like these (Registrant Email, Registrant Organization ) search for this data in the public WHOIS database

and collect all Domains containing this data in his Whois data records

doing that by whoisxmlapi

Build current reverse whois report

And u can do this for Evrey's info in the Whois record

ASNs

An Autonomous System Number (ASN) is a set of Internet-routable IP prefixes belonging to a network or a collection of networks managed, controlled, and supervised by a single entity or organization. These ASNs will help us track down external IPs belonging to the organization we are performing the engagement. Just keep in mind that not all assets will be identified by these ASNs because of cloud environments like Azure, AWS, etc.

There are multiple ways to get these ASNs and their IP prefixes. One way of obtaining them is by visiting Hurricane Electric Internet Services web page:

https://bgp.he.net/

We then just write the organization’s name in the search bar

Hurricane Electric BGP Toolkit

An alternative method for obtaining ASNs and IP prefixes is by employing the “intel” subcommand within amass.

The ‘intel’ Subcommand

The intel subcommand can help you discover additional root domain names associated with the organization you are investigating. The data source sections of the configuration file are utilized by this subcommand in order to obtain passive intelligence, such as reverse whois information.

By using amass, we got a few new IP ranges that we didn’t know about. So now, we can add them to our notes and prepare ourselves to find root domains.

amass intel -org “<target>

Okay, what Can do with this Number?

Get IP ranges from an ASN by using asnmap (tool by project discovery)

https://blog.projectdiscovery.io/asnmap/

This output is Cdir Ranges

CIDR, or Classless Inter-Domain Routing, is a method used for allocating IP addresses and routing IP packets. It allows for more flexible allocation of IP addresses than the older class-based addressing systems.

A CIDR range IP address is represented by a network address and a prefix length that specifies how many bits are used for the network portion of the address. For example, the CIDR notation “192.168.1.0/24” represents a network address of 192.168.1.0 with a prefix length of 24 bits, meaning the first 24 bits represent the network portion and the remaining 8 bits represent the host portion.

CIDR notation allows for efficient use of IP address space and simplifies routing by aggregating IP addresses into larger blocks. It is widely used in modern networking and is essential for managing IP address allocations on the internet.

And you can get an Subdomains or domains form CDIR by using hakrevdns

U Can using amass

U can use whoisxmalapi

Obtain a comprehensive list of all the domains and subdomains hosted on the same IP address.

Find domain names revolving to the same given IP address.

Find domain names using the same given Mail Server.

Find domain names using the same given Name Server.

We Used Ips to get domain names from their TLS certificates!

In today’s interconnected digital landscape, safeguarding online security stands as a paramount concern. With our increasing reliance on the internet, ensuring the privacy and integrity of our communications becomes imperative. This is where SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) step in.

Think of SSL and TLS as the secret codes of the internet, facilitating a secure handshake between your browser and the websites you visit. Through this encrypted connection, they ensure that any data transmitted remains shielded from prying eyes and tampering attempts.

Yet, their role extends beyond mere protection; SSL and TLS also serve as trust indicators. That familiar padlock icon in your browser’s address bar signifies not just security but also authentication. It confirms the legitimacy of a website, shielding users from potential phishing scams.

What is TLSx

TLSx is a quick and configurable tool that acts as a Swiss army knife for finding TLS misconfigurations and performing reconnaissance. It is yet another feature-rich command-line tool which can help automate the recon and vulnerability scanning for the SSL/TLS certificates. It supports various features, including:

1. Misconfiguration scanning: It can check for multiple vulnerabilities in SSL and TLS certificates, such as expired certificates, and others.
2. SAN and CNs detection: It helps detect and extract the SANs and CNs fields from an SSL/TLS certificate.
3. Certificate parsing: TLSX can parse SSL and TLS certificates and extract information such as the expiration date, the issuing authority, and the encryption algorithms.
4. JARM/JA3 Fingerprinting: TLSX can generate JARM and JA3 fingerprints of SSL and TLS connections to identify the specific software and versions used on a website.
5. Reporting capability: TLSX can generate reports with the extracted information and the vulnerabilities found, making it easy to analyze the results.
   The installation process for this tool is straightforward, and detailed instructions can be found at: https://github.com/projectdiscovery/tlsx.

Certificate transparency logs

Certificate transparency logs are public append-only logs that store information about SSL/TLS certificates. They are used to increase transparency and improve the security of the applications by allowing anyone to monitor the certificate issuance process and detect mis-issuance.

They are maintained by independent organizations and are verifiable by anyone via public key infrastructure. Furthermore, they allow for detection if a certificate has been issued improperly.

Read More @ https://blog.projectdiscovery.io/a-hackers-guide-to-ssl-certificates-featuring-tlsx/

GitHub - projectdiscovery/tlsx: Fast and configurable TLS grabber focused on TLS based data…

Shodan

Shodan is essentially a search engine designed to locate and index internet-connected devices and systems. It differs from traditional search engines by focusing on finding specific types of devices, such as webcams, servers, routers, and more, rather than indexing web pages. Users can use Shodan to discover vulnerabilities, misconfigurations, and potential security risks across the internet.

In Shodan, “Facebook Inc.” refers to the various internet-connected devices and systems associated with the company Facebook Inc.

This could include servers, routers, root domains, and other devices that are owned or operated by Facebook Inc.

Shodan indexes information about these devices, such as their IP addresses, open ports, and potentially other details, allowing users to search for and analyze the online presence of Facebook Inc.’s infrastructure.

See You Soon In The Next Ep (part2)

My Linkedin

https://www.linkedin.com/in/micro0x00/

My Twitter

https://twitter.com/micro0x00