@miscme
Last active December 10, 2024 05:10
Recon notes for work and bug bounties

Todo

  • Make init version look nice
  • Sort tool notes and links (make proper links)
  • Include mindmaps from own process

Discovering IP Space

  • bgp.he.net
  • whois.arin.net/ui/query.do
  • apps.db.ripe.net/db-web-ui/#/fulltextsearch
  • reverse.report
  • shodan.io (keyword search: org:"")
  • viewdns.info

Discovering New Targets

For Acquisitions

crunchbase.com, wikipedia.com

Linked Discovery

  • Burp Spider
  • BuiltWith add-on -> Relationships
  • Trademark search in Google: "Tesla©2019 inurl:tesla.com"

Subdomains

Scraping:

Yahoo!, Google, Robtex, Ask.com, Baidu, Bing, Censys, CertDB, SSLMate, crt.sh, DNSDB Search, Netcraft, PassiveTotal, HackerTarget, F-Secure Riddler, dnsdumpster.com, PTRarchive.com, SecurityTrails, Dogpile, ThreatMiner, VirusTotal, Wayback Machine, ThreatCrowd

Tools: amass (https://github.com/caffix/amass), subfinder (https://github.com/ice3man543/subfinder), knock (https://github.com/guelfoweb/knock)

BruteForcing:

gobuster, massdns

Wordlists: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056, pentester-io/commonspeak, SecLists

Auxiliary: DNSSEC NSEC/NSEC3 zone walking -> ldnsutils, nsec3walker, nsec3map

GitHub recon

Dorking: ads key, privacy policy, terms of service, AWS, S3

Enumeration

Port scanning: nmap, masscan

masscan -> nmap service scan with -oG greppable output (version scan) -> brutespray.py (credential brute force)
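The pipeline above hands nmap's greppable (-oG) output to the next tool. As an added example (not part of the gist), here is a small parser for that format that turns a scan into an inventory and, from the defender's side, diffs the open ports against what each host is supposed to expose. The sample output, the hostnames and the addresses are constructed placeholders, not a real scan; the allowlist is a hypothetical expected-exposure policy.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap greppable (-oG) output. Addresses are from the
# documentation range and hostnames are placeholders; this is not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Dec  9 12:00:00 2024 as: nmap -sV -oG scan.gnmap -iL hosts.txt\n"
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.24.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 (db01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (db01.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.36/, "
    "6379/open/tcp//redis//Redis key-value store 7.2.4/\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Dec  9 12:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.12 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


@dataclass(frozen=True)
class Service:
    address: str
    hostname: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_gnmap(text):
    """Return one Service per port entry found in greppable nmap output."""
    found = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") and anything else
        # Tab-separated "Key: value" fields: Host, Status or Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/protocol/owner/service/rpc-info/version/
            # nmap rewrites "/" inside the version string as "|", so splitting is safe.
            port, state, proto, _owner, name, _rpc, version = entry.split("/")[:7]
            found.append(Service(m.group(1), m.group(2), int(port), proto, state, name, version))
    return found


def open_services(services):
    """Only confirmed-open ports; filtered/closed entries are noise for exposure review."""
    return [s for s in services if s.state == "open"]


def unexpected_exposure(services, allowed):
    """Open ports not in the per-address allowlist: drift from the intended exposure."""
    return [s for s in open_services(services) if s.port not in allowed.get(s.address, set())]


def versioned_for_lookup(services):
    """(service, version) pairs that carry a version banner, ready for a CVE lookup."""
    return sorted({(s.name, s.version) for s in open_services(services) if s.version})


if __name__ == "__main__":
    # Hypothetical policy: what each host is expected to expose.
    policy = {"192.0.2.10": {22, 80}, "192.0.2.11": {3306}}
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for s in unexpected_exposure(inventory, policy):
        print(f"UNEXPECTED {s.address} ({s.hostname}) {s.port}/{s.proto} {s.name} {s.version}")
    for name, version in versioned_for_lookup(inventory):
        print(f"lookup: {name} {version}")
```

With the constructed input the only drift reported is Redis on 192.0.2.11, which is exactly the kind of unplanned listener a credential brute-force step downstream would otherwise find first; the (service, version) pairs feed the CVE-searching step further down in these notes.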

Visual identification tools: EyeWitness, aquatone, httpscreenshot

Wayback Machine: tomnomnom/waybackurls

Platform identification and CVE searching

Retire.js, Wappalyzer, BuiltWith, burp-vulners-scanner

Parsing JS

ZAP Ajax Spider, JSParser, LinkFinder (https://github.com/GerbenJavado/LinkFinder)

To feed LinkFinder: Burp -> Engagement tools -> Find scripts -> copy selected URLs and pass them to the tool.
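What LinkFinder-style tools do is pull path-like string literals out of client-side JavaScript and resolve them against the script's URL. As an added example (not the gist's or LinkFinder's code), this is the core of that extraction, plus a split into same-host endpoints and endpoints on other hosts, which is the view an application owner wants when checking what a bundle references. The JavaScript excerpt and every host in it are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed JavaScript excerpt with hypothetical hosts; not code from any real site.
SAMPLE_JS = r"""
var API = "/api/v2/";
fetch(API + "users/me").then(r => r.json());
$.ajax({url: '/api/v2/orders?status=open', type: 'GET'});
const cdn = "https://static.example.test/assets/app.js";
window.location = "https://sso.example.test/login?next=/dashboard";
var tpl = 'templates/widget.html';
var mime = "application/json";   // path-like but a media type, must not be reported
"""

# A quoted literal that is one of: an absolute or protocol-relative URL,
# a root-relative path, or a relative path ending in a web file extension.
ENDPOINT_RE = re.compile(
    r"""["'`]("""
    r"""(?:https?:)?//[^"'`\s]+"""                                           # absolute / protocol-relative URL
    r"""|/[A-Za-z0-9_./?=&%-]+"""                                           # root-relative path
    r"""|[A-Za-z0-9_-]+/[A-Za-z0-9_./?=&%-]+\.(?:html|json|js|php|aspx?|jsp|xml)"""  # relative file path
    r""")["'`]"""
)


def extract_endpoints(js_text, base_url):
    """Absolute, de-duplicated URLs for every path-like literal, resolved against base_url."""
    return sorted({urljoin(base_url, hit) for hit in ENDPOINT_RE.findall(js_text)})


def split_by_origin(urls, base_url):
    """Separate endpoints on the script's own host from those on other hosts."""
    base_host = urlsplit(base_url).netloc
    own = [u for u in urls if urlsplit(u).netloc == base_host]
    other = [u for u in urls if urlsplit(u).netloc != base_host]
    return own, other


if __name__ == "__main__":
    # Hypothetical location of the script being reviewed.
    script_url = "https://app.example.test/static/app.js"
    found = extract_endpoints(SAMPLE_JS, script_url)
    own, other = split_by_origin(found, script_url)
    print("same-host endpoints:", *own, sep="\n  ")
    print("other hosts:", *other, sep="\n  ")
```

Note what the regex deliberately misses: `"users/me"` is only an endpoint once concatenated with `API` at runtime, and no static extractor sees that; the ZAP Ajax Spider listed above exists for precisely those cases, because it executes the page instead of pattern-matching it.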

Content Discovery / Directory Bruting

  • Gobuster
  • github.com/maurosoria/dirsearch
  • Burp Content Discovery
  • danielmiessler/RobotsDisallowed -> wordlist
  • jhaddix/content_discovery_all.txt -> wordlist: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10

Parameter Bruting

maK-/parameth, PortSwigger/backslash-powered-scanner

XSS

LewisArdern/bXSS, ssl/ezXSS

SSRF

jhaddix/cloud_metadata.txt -> https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

IDOR / MFLAC (missing function-level access control)

Look for IDs, hashes, emails

Subdomain takeover

Check for CNAMEs that resolve to these services; if the service has lapsed, register and profit. EdOverflow/can-i-take-over-xyz -> documentation of which service is vulnerable and with what fingerprint.
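The same CNAME check, run by the zone owner rather than a hunter, is a dangling-record audit: every CNAME whose target no longer answers is a record to delete or re-point before anyone else claims the target. As an added example (not the gist's code and unrelated to can-i-take-over-xyz), this parses CNAMEs out of a BIND-style zone excerpt and flags the ones whose targets do not resolve, separating third-party targets from internal ones. The zone, its names (all under .invalid or example.test) and the resolver answers are constructed; the resolver is injected as a callable so the audit runs offline.

```python
import re

# Constructed BIND-style zone excerpt with hypothetical names; not a real zone.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 300
@         IN  SOA    ns1.example.test. hostmaster.example.test. (2024120901 3600 600 86400 300)
www       IN  A      192.0.2.10
shop      IN  CNAME  shop-prod.hosting-provider.invalid.
blog      IN  CNAME  blog-old.hosting-provider.invalid.
status    IN  CNAME  status-page.example.test.
old-api   IN  CNAME  api-legacy.example.test.
; decommissioned 2019 campaign, record never cleaned up
promo 300 IN  CNAME  promo2019.site-builder.invalid.
"""

# owner [ttl] [IN] CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)


def qualify(name, origin):
    """Make a relative owner or target name absolute under the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text):
    """Return (owner, target) pairs, both fully qualified, for every CNAME in the zone."""
    origin = "."
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if m:
            records.append((qualify(m.group(1), origin), qualify(m.group(2), origin)))
    return records


def audit_dangling(records, resolves, origin):
    """Return (owner, target, third_party) for CNAMEs whose target has no address.

    `resolves(name) -> bool` is injected so this runs offline; in production wrap a
    real lookup (for example dnspython's dns.resolver.resolve) and map NXDOMAIN to False.
    third_party is True when the target lies outside the audited zone, which is where a
    lapsed hosting account could let someone else claim the name.
    """
    findings = []
    for owner, target in records:
        if resolves(target):
            continue
        third_party = target != origin and not target.endswith("." + origin)
        findings.append((owner, target, third_party))
    return findings


# Constructed resolver table standing in for live DNS answers (anything absent is NXDOMAIN).
FAKE_DNS = {
    "shop-prod.hosting-provider.invalid.": True,
    "status-page.example.test.": True,
}


if __name__ == "__main__":
    findings = audit_dangling(parse_cnames(SAMPLE_ZONE), lambda n: FAKE_DNS.get(n, False), "example.test.")
    for owner, target, third_party in findings:
        kind = "THIRD-PARTY target, remove or reclaim" if third_party else "internal target, remove"
        print(f"{owner} -> {target}: {kind}")
```

The two third-party findings (blog and promo) are the ones that matter most: an internal dangling CNAME is just a broken name, but a dangling CNAME into a provider's namespace is only safe until the provider hands that name to its next customer.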

Robbing Misconfigured AWS

  • sa7mon/S3scanner
  • https://digi.ninja/projects/bucket_finder.php
  • https://github.com/gwen001/s3-buckets-finder

Notes:

Xmind

From the web:

  1. Burp-Suite - (Param Miner)
  2. Dirsearch
  3. Burp-Collaborator - SSRF exploits
  4. sqlmap - SQLi exploits
  5. amass - subdomain enumeration
  6. Nmap & Nikto - Information Gathering

https://www.xssstar.pro/

The AWS CLI is useful for verifying or testing the permissions of S3 buckets, creating buckets, and reading other buckets' data. An AWS account is needed to use the CLI. https://aws.amazon.com/cli/

GitHub recon

https://edoverflow.com/2017/github-for-bugbountyhunters/
