2. What is Reconnaissance?
• Recon is the initial step of exploring a target environment to collect information about it, including confidential information, and it also plays a key role in penetration testing.
• A proper recon provides detailed information and opens the door to scanning and attacking the target. Through recon, an attacker can directly interact with potentially open ports, running services and the underlying applications, or attempt to gain information without actively engaging with the network at all.
• It can provide the critical information needed to reach networks behind the internet-facing perimeter. In short, recon yields an endless supply of information that can be used in an attack.
3. Why Reconnaissance?
Penetration testing - You get a loose scope for your assessment. Your first goal should be to find out which machines and services your target actually exposes.
Bug bounty hunting - The same as above. Some bug bounty programs don't explicitly list all targets (usually domains), so you often need to enumerate them yourself.
• Seeing what is on the "other side of the hill" is crucial for deciding what type of attack to launch.
• Generally, the goals of reconnaissance on a target network are to discover:
- IP addresses of hosts
- Accessible ports (open ports and the applications behind them)
- OS type and other assets (subdomain information, vulnerable components)
4. Types of Reconnaissance:
• Active Reconnaissance
Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities.
• Passive Reconnaissance
Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems.
5. Reconnaissance Techniques and Various Tools (Scripts):
• Information gathering
- Whois information (http://whois.domaintools.com/)
- IP range (https://bgp.he.net/dns/hackerone.com#_ipinfo)
- Subdomains
- S3 buckets
- Directory info
- Social accounts, OSINT, etc. (https://osintframework.com/)
- Component information (https://www.wappalyzer.com/)
8. GitHub For Recon:
• GitHub is extremely helpful for finding sensitive information about targets. Access keys, passwords, open endpoints, S3 buckets, backup files, etc. can be found in public GitHub repositories.
11. JS Files and Web Archive For Recon:
• AWS or other services' access keys
• AWS S3 buckets or other data storage buckets with read/write permissions
• Open backup SQL database endpoints
• Open endpoints of internal services
• API info
• Default usernames, passwords, keys, etc.
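As an added example (not from the presentation), the defender-side counterpart of the GitHub and JS-file slides: a small Python scanner that flags the classes of leakage listed above (AWS access keys, S3 bucket URLs, internal endpoints, hard-coded passwords) in a constructed JS bundle, reporting line numbers and redacted values so findings can be triaged without re-leaking them. The AWS values are the documentation example credentials; everything else is invented.

```python
import re

# Constructed sample of a public JS bundle; the AWS values are the documentation
# example credentials and everything else is invented for this example.
SAMPLE_JS = """\
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  bucket: "https://example-backups.s3.amazonaws.com/",
  api: "https://internal-api.example.com/v1/users",
  login: { user: "admin", password: "changeme" }
};
fetch("/api/v2/export?token=abc").then(r => r.json());
"""

# One pattern per class of finding named on the slide; group 1 captures the value.
PATTERNS = {
    "aws_access_key_id": r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b",
    "aws_secret_access_key":
        r"""(?i)secret[_a-z]*key['"]?\s*[:=]\s*['"]([A-Za-z0-9/+]{40})['"]""",
    "s3_bucket_url":
        r"""(https?://[a-z0-9.\-]+\.s3(?:[.\-][a-z0-9\-]+)*\.amazonaws\.com[^\s'"]*)""",
    "internal_endpoint": r"""['"](https?://[^\s'"]*internal[^\s'"]*|/api/[^\s'"]+)['"]""",
    "hardcoded_password": r"""(?i)password['"]?\s*[:=]\s*['"]([^'"]+)['"]""",
}
COMPILED = {kind: re.compile(p) for kind, p in PATTERNS.items()}

def redact(value):
    """Keep a short prefix so a report can be shared without re-leaking the value."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "****"

def scan_for_secrets(text):
    """Return one finding per pattern hit: kind, 1-based line, raw and redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in COMPILED.items():
            for m in rx.finditer(line):
                value = m.group(1)
                findings.append({"kind": kind, "line": line_no,
                                 "value": value, "redacted": redact(value)})
    return findings

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_JS):
        print(f"line {f['line']:>2}  {f['kind']:<22} {f['redacted']}")
```

The same function can be pointed at a cloned repository or a fetched bundle from the Wayback Machine; path-style S3 URLs (s3.amazonaws.com/bucket) and secrets split across lines are not covered by these patterns.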
13. Burp Suite Plugins and other Tools:
• Wayback Machine
• ParamSpider
https://github.com/devanshbatham/ParamSpider
• Arjun
https://github.com/s0md3v/Arjun
• Burp Bounty
https://github.com/wagiro/BurpBounty
Source of Presentation: Google and other sites.
15. Whoami
• Ashish Patel
- Keen to learn about technology
- Ex-EY cyber security consultant
- Currently working for a Dubai-based MNC (security consultant)
- Part-time bug hunter ;)
Keep In Touch
Facebook: https://www.facebook.com/Patel.ashish874
LinkedIn: https://www.linkedin.com/in/patelashish874/
Email: patel.ashish874@gmail.com