Recon: an important part of a penetration test for finding vulnerabilities


November 15, 2021

Reconnaissance (aka recon) is a pen-testing process that is crucial in a black-box penetration test. Recon is the exploration of a target to gather information about it. A good recon provides detailed information and opens doors for scanning and attacking. During recon, an attacker can interact directly with the target (open ports, running services, etc.) or attempt to gather information without actively engaging with the network.

Why do Recon?

The reason for recon is to gather information about your target. The more you know about your target, the better you understand it, and the more vulnerabilities you can find. Reconnaissance increases your target surface area exponentially. More attack surface means more chances of finding vulnerabilities. Some people consider recon a form of automated testing: they think recon is just automating the task of finding bugs, but in my view that is not the case. Automation and manual work both play a critical role in recon.

My approach for target recon

1. Identifying the scope of the target: the first step is finding out how big the scope is, based on the information the client gives.

2. Know the project timeline: this is an important factor that people overlook, especially those who work or have worked at security firms. They think recon is only for bug bounty, but this is not true. Recon is good for penetration testing projects too, but there time is crucial.

Using these two factors, I classify my targets into three categories:

1. small

2. medium

3. large

Small scope: one or two URLs given, staging/non-prod/testing environments.

A small scope is typical of penetration test projects, where most of the time clients provide staging or preproduction environments. It also fits small bug bounty programs where only one or two domains are in scope.

e.g. staging.example.com, https://example.com/, qa.example.com/

Modules Used:

-> Technology fingerprinting

-> Directory brute forcing

-> JS and source code analysis

-> Parameter finding/discovery

-> Broken link hijacking

-> Wayback URL (can skip if the URL was recently created)

-> Search engine dorking

-> Data breach analysis

-> Cloud misconfiguration (if using the cloud)

Medium scope: one or two wildcard domains.

Generally found in bug bounty programs, where one or two domains carry a wildcard; rarely seen in penetration test projects.

e.g. *.example.com, *.test.com

Modules Used:

-> Subdomain enumeration

-> Subdomain takeover

-> Probing

-> Automated scanners

-> Technology fingerprinting

-> Directory brute forcing

-> JS and source code analysis

-> Parameter finding/discovery

-> Broken link hijacking

-> Wayback URL (can skip if the URL was recently created)

-> Search engine dorking

-> Data breach analysis

-> Cloud misconfiguration (if using the cloud)

Large scope: the whole organisation, including its subsidiaries and acquisitions.

Seen only with big organisations like Google, Facebook, Verizon, etc.

e.g. the whole internet presence of the example TLD.

Modules used:

-> Subsidiary and acquisition enumeration

-> Signature tracing

-> Subdomain enumeration

-> Subdomain takeover

-> Probing

-> Automated scanners

-> Technology fingerprinting

-> Directory brute forcing

-> JS and source code analysis

-> Parameter finding/discovery

-> Broken link hijacking

-> Wayback URL (can skip if the URL was recently created)

-> Search engine dorking

-> Data breach analysis

-> Cloud misconfiguration (if using the cloud)

I have grouped the tools into modules according to their specialities. The modules are as follows:

1. Subsidiary & Acquisition Enumeration: Look as deep as you can. This will increase your attack surface drastically.

Tools and websites: Google, Wikipedia, Owler (free), Crunchbase (paid)

2. Signature Tracing: for this, your best tools are search engines.

3. Subdomain Enumeration: this is one of the starting points when dealing with wildcard and wide-scope domains. The main goal is to increase the attack surface to the maximum.

Tools and websites: search engines, Sublist3r, Amass, Sudomy, Chaos, assetfinder, Aquatone (slow), Spyse (paid), dnsx (brute force)

4. Subdomain Takeover: this can be worth doing.

Tools and websites: SubOver, Subjack, manual review of DNS records for takeover

5. Probing: this helps you find which domains are live and which are not, over HTTP and HTTPS, etc.

Tools: httpx, httprobe

6. Automated Scanners: these can save you time but should not be relied on.

Tools: Nuclei, Osmedeus, gf patterns, etc.

7. Technology Fingerprinting: used for finding the technologies and versions in use. This helps you find known vulnerabilities in those technology versions; combine it with CVE lookups when an application uses an older version with previously known vulnerabilities.

Tools and websites: Wappalyzer (plugin), WhatWeb, Exploit-DB (exploit finder), searchsploit (exploit finder), Metasploit

CVE WEBSITE:

8. Directory Brute Forcing: directory and file enumeration using brute forcing can be fruitful. A good wordlist helps you get good hits.

Tools and websites: Dirsearch, Dirb, FFUF, Gobuster, SecLists (collection of wordlists)

9. JS and Source Code Analysis: JavaScript can be a gold mine if analysed properly; it may contain sensitive API keys, tokens, usernames, passwords and other sensitive information.
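One way to do the JS analysis described above in a repeatable way is a small secret scanner. This is an added example, not code from the post or from any tool it names; the JavaScript sample and every credential in it are constructed (the AWS key is the public documentation example), and the entropy threshold is an assumed cut-off.

```python
import math
import re
from collections import Counter

# Constructed sample resembling a bundled JS config; all values are fake.
SAMPLE_JS = """
var cfg={apiBase:"https://api.example.com/v1",
awsKey:"AKIAIOSFODNN7EXAMPLE",
token:"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123def456ghi789jkl012mno345pqr678",
color:"#ffffff", debug:false};
fetch(cfg.apiBase+"/users?api_key=sk_live_4eC39HqLyjWDarjtT1zdp7dc");
"""

# Fixed-format rules for documented key layouts, plus a generic rule for
# key/token/secret/password assignments whose value is filtered by entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "generic_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|passw(?:or)?d)\b\s*[=:]\s*[\"']([^\"']{8,})[\"']"),
    "url_api_key": re.compile(r"(?i)[?&](api[_-]?key|token)=([^&\"'\s]+)"),
}
ENTROPY_RULES = {"generic_secret", "url_api_key"}

def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, plain words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(js, min_entropy=3.0):
    """Return (rule, value) pairs for candidate secrets, one entry per value."""
    hits, seen = [], set()
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(js):
            value = m.group(m.lastindex or 0)  # last group carries the value
            if value in seen:
                continue
            if rule in ENTROPY_RULES and shannon_entropy(value) < min_entropy:
                continue  # drop low-entropy values such as "password"
            seen.add(value)
            hits.append((rule, value))
    return hits

if __name__ == "__main__":
    for rule, value in find_secrets(SAMPLE_JS):
        print(f"{rule:20} {value}")
```

Run it over every .js file collected from the target, then verify each hit by hand; the entropy filter removes words, not every false positive.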

10. Parameter Finding/Discovery: hidden and sensitive parameters open the door to many attacks, such as SSRF, LFI, sensitive information disclosure, SQLi, open redirect, etc.

Tools and websites: Param Miner (Burp extension), Arjun

11. Broken Link Hijacking: a website's social media handles may be vulnerable to broken link hijacking attacks.

Tools: manual checking, broken link checker

12. Wayback URL: you can often find URLs that are no longer reachable through the application workflow but are still accessible. Sometimes sensitive pages are cached, revealing interesting information, and you also get a bunch of endpoints to test for various vulnerabilities.

Tools: Wayback Machine, waybackurls, gau (combines several sources)
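The archived URL list from module 12 feeds the parameter discovery of module 10, and turning it into a review checklist is a good place to automate. This is an added example, not code from the post or from waybackurls/gau; the URL list is constructed to look like their output, and the sets of watched and noise parameter names are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample resembling waybackurls/gau output for one target.
ARCHIVED_URLS = """
https://example.com/login?next=/dashboard
https://example.com/login?next=https://example.com/home&utm_source=mail
https://example.com/api/v1/users?id=17
https://example.com/api/v1/users?id=42&format=json
https://example.com/download?file=report-2019.pdf
https://example.com/old-admin/backup.zip
https://example.com/assets/app.js
https://example.com/proxy?url=http://internal.example.com/status
""".split()

# Assumed lists: parameter names that usually carry URLs, paths or record
# identifiers (worth manual review for open redirect, SSRF, LFI and
# information disclosure), and tracking parameters that are pure noise.
WATCH_PARAMS = {"next", "url", "redirect", "return", "file", "path", "id", "dest"}
NOISE_PARAMS = {"utm_source", "utm_medium", "utm_campaign"}
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff")

def summarise(urls):
    """Group archived URLs by path: {path: {"params": set, "watch": set}}."""
    endpoints = defaultdict(lambda: {"params": set(), "watch": set()})
    for u in urls:
        parts = urlsplit(u)
        if parts.path.lower().endswith(STATIC_EXT):
            continue  # static assets belong to JS analysis, not endpoint testing
        entry = endpoints[parts.path]
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name in NOISE_PARAMS:
                continue
            entry["params"].add(name)
            if name in WATCH_PARAMS:
                entry["watch"].add(name)
    return dict(endpoints)

def review_candidates(urls):
    """Paths with at least one watched parameter, sorted into a checklist."""
    return sorted(p for p, e in summarise(urls).items() if e["watch"])

if __name__ == "__main__":
    for path, entry in summarise(ARCHIVED_URLS).items():
        print(path, sorted(entry["params"]), "review:", sorted(entry["watch"]))
```

Paths with no parameters at all (like the archived backup.zip here) still appear in the summary, since a forgotten file is a finding in itself.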

13. Search Engine Dorking: this helps us dig deeper. We can find sensitive files, subdomains and many other things this way.

Tools and websites: Shodan, Google, Bing, DuckDuckGo, GHDB (contains dorks), GitHub, GitHound (GitHub recon tool)

14. Data Breach Analysis: this helps you find credentials previously leaked in data breaches.

Tools and websites: Intelx, hacking forums, dark web

15. Cloud Misconfigurations (if using the cloud): if the web application uses cloud services, check for security misconfigurations.

Tools and websites: AWS CLI

Conclusion

Reconnaissance is an important step in a penetration test for finding vulnerabilities. A comprehensive recon process can make the difference between finding critical vulnerabilities and merely finding vulnerabilities. Reconnaissance maps the system so you understand where the vulnerabilities might exist.
