Discover and read the best of Twitter Threads about #Recon


ProjectDiscovery Recon Series 🔥

Your daily Sunday reading is brought to you by @pdiscoveryio with its Recon 101 Series.🧵👇

#Recon #AttackSurface #bugbounty #recontips #projectdiscovery
1 - Active and Passive Recon

Master both techniques to uncover target info stealthily.

blog.projectdiscovery.io/reconnaissance…
2 - Subdomain Enumeration

Unveil hidden web assets.

blog.projectdiscovery.io/recon-series-2/
Want to improve your network scanning skills with Nmap? 🕵️‍♀️💻

Check out these 5 quick tips to define targets, speed up scans, and scan with specific script categories! 🧵👇

#recon #recontips #AttackSurface #bugbounty #recontools #cybersecurity
1/5 Let's start with how to define targets.

Define targets for nmap scan by specifying IP addresses, IP ranges, domain names, or using a target list file.

$ nmap <IP1> <IP2> …
$ nmap 192.168.0.1/24
$ nmap <domain name>
$ nmap -iL <target list file>
2/5 The Ippsec scan for basic coverage.

Perform a comprehensive network scan using nmap's Ippsec initial scan.

$ nmap 127.0.0.1 -sC -sV -oA initial_nmap_scan
Google Dorks - Cloud Storage #2:

site:dev.azure.com "example[.]com"
site:onedrive.live.com "example[.]com"
site:digitaloceanspaces.com "example[.]com"

Find sensitive data and company assets

#recon #bugbountytips #infosec #seo
Combine:

site:dev.azure.com | site:onedrive.live.com | site:digitaloceanspaces.com "example[.]com"

Add something to narrow the results: "confidential" "privileged" "apikey"
Google Dorks - File Storage:

site:dropbox.com/s "example[.]com"
site:box.com/s "example[.]com"
site:docs.google.com inurl:"/d/" "example[.]com"

Find sensitive data and company accounts

#recon #bugbountytips #infosec #seo
Combine:

site:dropbox.com/s | site:box.com/s | site:docs.google.com "example[.]com"

Add something to narrow the results: "confidential" "privileged" "not for public release"
My recent #aws threads always started with creds, but how to get these creds will be the topic over the next days.
#hacking #recon #cloud

Let's start here:
👇
Definitions first:
#aws creds: classic name and passwords, e.g. for IAM, or aws access and secret keys
Outside: no creds, and no connections in any way to the org and its aws cloud to be tested
Interaction Point: Any potential point, application resource, system, vulnerability etc., where there is a pawsibility to gain #aws creds; can be a lot of things

let's do outside first: #hackers are cold, let them in.
As much as I love automation in recon, 98% of the findings in my pentests have nothing to do with it. Why? 👇
1. Inspired by @NahamSec recent video.

First, in a large majority of the web pentests, clients want me to focus only on their app and its features. So, there's no need for subdomain enumeration/bruteforcing or any other large recon tactic.
2. This doesn't mean that I don't use automation. I automate some of the boring and repetitive tasks via bash and python.
I pet a cat today and now my allergies are killing me, so obviously this calls for a follow up of, hey you found some #aws creds, what to do meow:

#cloud #hacking #Recon
👇
Step 1: First you gotta decide if this is more of a lazy space vibe kinda thing (A), or (B) calls for some illegal dirty acidcore and adjust your playlist accordingly:
A:
B: soundcloud.com/pitch1/i-can-h…
Next, drop the keys in your .aws creds file. I typically name the first set initial and work with the --profile tag in the cli, so I can keep track of where I am. Then check who you are first, with:
aws sts get-caller-identity --profile initial
So you found #aws creds to an S3, lets do some #cloud #hacking #recon:

👇
First of all, S3 stands for serious summertime sadness
and allows the general operations of:

list
get
put
delete

An S3 is a bucket and within a bucket there are objects. Basically an object can be any file. Objects have keys associated
and a bucket nayme must be globally unique and not contain spaces or uppercase letters.
Example:
mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg

the bucket mrlee in the west region with an object pizza.jpg and a key of /mafia/pizza.jpg
So you wanna do some #azure #recon:

I give you a few pointers.
👇
Step 1: Say kiitos to @DrAzureAD then install AADInternals, set your phasers to stun and your POWAHSHELL to german to ensure MAXIMUM efficiency
To import the module you might have to set your execution pawlicy 🐾.
For maximum fun we can set this to
Set-ExecutionPolicy unrestricted
on our managed company super safe devices. Do some privesc first if needed 😀
Google Dork - Apache Server Status Exposed:

site:*/server-status apache

Find sensitive GET requests w/ CSRF tokens & API keys.

#recon #bugbountytips #infosec #seo #bugbounty #hacking
Medium article w/ Apache server-status breakdown by @ghostlulz: medium.com/@ghostlulzhack…
Google dorks basics for bug bounty recon:
thegrayarea.tech/5-google-dorks…
Google Dorks - Cloud Storage:

site:s3.amazonaws.com "target[.]com"
site:blob.core.windows.net "target[.]com"
site:googleapis.com "target[.]com"
site:drive.google.com "target[.]com"

Find buckets and sensitive data

#recon #bugbountytips #infosec #seo
Combine:

site:s3.amazonaws.com | site:blob.core.windows.net | site:googleapis.com | site:drive.google.com "target[.]com"

Add something to narrow the results: "confidential" "privileged" "not for public release"
Nice list of google dorks from @Haax9_ :
cheatsheet.haax.fr/open-source-in…
How I do subdomain enumeration by aggregating multiple tools in a bash script. The script contains the following tools:

(thread)
1. findomain @FindomainApp

- takes: -t $1 and adds the findings to a new file
2. assetfinder @TomNomNom

- takes: $1, looks for -subs-only, sorts unique, and appends to the above file
At #IWCON2022, we have 15+ amazing #cybersecurity speakers from around the world 🌍

To share unique methods and findings with y’all 😍🙌

Get ready with your questions. Our experts will answer you live 🔥

Book your ticket: iwcon.live

Meet our speakers 🧵👇
#1 Gabrielle Hempel @gabsmashh, #security engineer @Netwitness 🥳

Her topic: #Threat hunting in #cloud environments 🌩️

Time: 17th Dec, 7:30 pm IST

Want to attend this talk? 😍

Book your ticket here: iwcon.live

#cloudhunting #threathunting
#2 Luke Stephens @hakluke, founder of @haksecio 🔥

His topic: How I used #recon techniques to identify a prolific #scammer 👊

Time: 17th Dec, 6:30 pm IST ❤️

Don't wanna miss it?

Register today: iwcon.live

#infosec #hacking #hackingthehacker
🧵 Here we are! Katana, a new web Crawler by @pdiscoveryio

Let's see how it works. A thread 👇🧵

#recontips #recon #projectdiscovery #hackwithautomation #bugbounty
1/7 - Quick Start - Crawling Mode

You can crawl websites in Standard mode or Headless mode (-hl). Add -jc for JS Crawling

$ katana -u http://testphp.vulnweb. com

$ katana -u http://testphp.vulnweb. com -hl

$ katana -list url_list.txt -jc
2/7 - Filters - 1

You can filter results to show only urls,path,file, and much more

$ katana -u http://testphp.vulnweb. com -fields path

$ katana -u http://testphp.vulnweb. com -fields file

$ katana -u http://testphp.vulnweb. com -fields dir
12 #recon tools you NEED to know about! 🧵

Recon, the gathering of information about your target, is becoming more and more important! 🧠

Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more, faster and more effectively than the others 👇
[1️⃣] DNS
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups 👀
Often, you have a huge list of IP addresses 📜
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! 👇
[2️⃣] Amass
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. 🕸
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! 🐛
Let's find them! 👇
Hey #OSINT, you might have heard about @spiderfoot, let's try to learn what it does the best. #ThreatHunting #threatintelligence #recon #infosec

A thread👇
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
6 easy steps to master httpx. A thread 👇🧵

httpx (from @pdiscoveryio) is a fast and multi-purpose HTTP toolkit. Let's find out how it works

👇

#recon #httpx #bugbountytips #bugbounty #AttackSurfaceManagement #recontips
1/6 Standard use

httpx can be used with a target list or piped with other tools:

$ httpx -list subdomains.txt

$ subfinder -d ups. com | httpx -silent

$ httpx -l subs.txt -ports 8080 -threads 100
2/6 Specific Path or file:

It's possible to request a specific file or path, useful for searching for misconfigurations on multiple targets:

$ httpx -l subs.txt -silent -path "/.git/" -fr -mc 200
ffuf is used by hundreds of people

But only a few use the tool effectively.

Here are 9 tips you want to know right away 👇 🧵

#bugbountytips #bugbounty #recon #ffuf
1/9 Standard mode

c: color
ac: auto calibration
r: follow redirects

$ ffuf -u https://ups[.]com/FUZZ -w ~/wordlists/common.txt -r

$ ffuf -c -u https://ups[.]com/FUZZ -w ~/wordlists/common.txt -ac
2/9 Throttle Speed

t: threads
p: seconds of delay between requests (or range e.g. 0.1-1)

$ ffuf -u https://ups[.]com/FUZZ -t 20 -p 0.2 -w ~/wordlists/common.txt
Hi Friends #bugbountytips #recon #bugbountytip

Here is a good thread of my brother @tabaahi_


Besides this, I am also gonna share my old notes on Recon, which I shared in the past but am sharing again

Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain

2. Sort and unique, meaning merge them into all-subdomains.txt

3. Resolve those subdomains - is ip/domain live?

4. check for alive subdomains -> httpx or httprobe -> prefer httpx
5. got https subdomains -> arrange with status code like 200,302,403,404,500

6. visual recon on these subdomains -> gowitness, eyewitness, aquatone

7. Port scans on these subdomains => naabu + nmap

8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
I got around 10+ messages last week asking me for the tools I use in Bug Bounty.

So I thought why not make a thread on it.

Here's a list of my most used tools.

🧵👇

PS: This is only my personal preference and I always experiment.
#bugbounty #infosec #recon #cybersecurity
1. Proxy

-> BurpSuite Community Edition

You really don't need BurpSuite Pro as a beginner. The community edition does almost everything you'd want to do. The only thing I've felt bad is not being able to save a project.
2. Fetch all subdomains

-> Amass

Quick Tip: Search with config file. Do more than just amass enum -d target.com

Link to config file: github.com/OWASP/Amass/bl…
We mostly use amass enum and forget the rest.

But did you know you can do something more?
Did you know that you can track scan requests?

Read more 👇

#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
Where do the scans you normally do on amass get stored?

Well, every single scan you do with amass gets stored on the computer you run the scan on.

Therefore, if you run the same scan again it's possible for amass to keep track of the changes that have occurred.
But how do you do this?

For example let's say that you've run amass enum -d tesla.com last month and you wish to see the changes in scan request on the same domain.

You can simply do amass track -d https://t.co/1oT7xWHZR8 and it'd show you fresh targets.
1/

R3C0Nizer is the first ever CLI based menu-driven automated web application B-Tier recon framework ...
github.com/Anon-Artist/R3…

#Recon #BugBounty
#100BugBountySecrets
🧵👇
2/

scant3r is a module-based web security tool; our goal is to make a customizable tool providing many functions and features, everything you need to write a security module....
github.com/knassar702/sca…

#Recon #BugBounty
#100BugBountySecrets
🧵👇
My speculation is that NATO Europe rn is in a Chamberlain moment: arms racing, stockpiling , mass propaganda & recons en masse. Espionage is at its peak of the century.
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you're in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow's security challenges today. hopin.com/events/executi…
Tool for secret management at @elastic
github.com/elastic/harp

Repo of Google's security advisories and accompanying PoCs
github.com/google/securit…

@xntrik: Document your threat models in HCL
github.com/xntrik/hcltm

@daniel_bilar With 👆, you can now lint your TMs with Semgrep