Recon is an important first step of penetration testing and red teaming to gather publicly available information about a target. The document discusses recon and recon-lit, an updated version of the subdomain discovery tool Sublist3r. It outlines the stages of a recon including setting a target, enumerating subdomains, technologies, directories, endpoints, parameters, and open ports. Tools mentioned for each stage include Recon-lit, Amass, Crt.sh, Dirb, Dirsearch, Linkfinder, Parameth, Nmap, Masscan, and Nikto. The status updates provided an example recon against demo.paypal.com, discovering over 2,300 subdomains and obtaining source code, credentials, and other

1. RECON
By
Yash Goti
V1.0 [Basic]
recon is <3

2. Introduction
• Yash Goti
• Cyber Security Analyst
• Semi Developer
• Twitter : _YashGoti_
• LinkedIn : yashgoti

3. Agenda
• What is recon?
• What is recon-lit?
• Staging of recon
• Q & A

4. What is recon?
• Recon is an important step in exploring a target to grab a publicly
available information which is useful for further in pen testing.
• It also plays a key role in penetration testing as well as in red
teaming.

5. What is recon-lit?
• How this idea comes?
• Just an updated version of sublist3r.
• It scrap or find subdomains of domains from many search engines
archives.
• Then check the alive subdomains from them.
• Then follow redirection from that subdomain.
• Scan basic port scan along with service name.

6. Stage of recon [Web]
• First set your target
• Enumerate subdomains
• Enumerate Technologies
• Enumerate Directories
• Finding Endpoints
• Finding Hidden Parameters
• Find Open Ports
• Start Testing

7. Status
• We have target [*.paypal.com]

8. Subdomain discovery
• There are so many tools that can enumerate subdomains.
• From many sources you can find subdomains.

9. Tools for enumerate subdomains
Tools
• Sublist3r
• Recon-lit
• Aquatone
• Amass
• Findomains
Websites
• Crt.sh
• Findsubdomains.com
• Dnsdumpster.com
• Searchdns.netcraft.com

10. Status
• Subdomains [from recon-lit] : 2326
python3 reconlit.py -d demo.paypal.com
• Target : demo.paypal.com

11. Now what?
• Take screenshot of every subdomains
• Identify technologies were used by target
• Finding endpoints

12. Identify technologies
• Wappalyzer
• Built-with
• what’s-run
• Google & Mozilla extensions

13. Enumeration directories
• Dirb
• Dirbuster
• Dirsearch
• Gobuster

14. Status
• Dirb
dirb https://demo.paypal.com
• Dirsearch
python3 dirsearch.py -u https://demo.paypal.com -e *

15. Finding endpoints and hidden parameters
• Linkfinder
• Parameth

16. Find open ports
• Nmap
• Masscan
• AutoNSE
• Shodan
• Nessus – Pro
• Nikto
• OpenVAS

17. Status
• Nmap
nmap -Pn -v3 -p- -sV -sT -sU -O -A -T4 demo.paypal.com --script=* --
script-args "shodan-api.key=<SHODAN API KEY>" -e eth0
• AutoNSE
./autonse.sh
n
demo.paypal.com

18. Finally
• Here is what I got
• Source code download
• Developer sandbox creds
• 7 different accounts creds
• and many more.

19. Q & A
Thank You