Discover and read the best of Twitter Threads about #recon

Most recents (24)

ProjectDiscovery Recon Series 🔥

Your daily Sunday reading is brought to you by @pdiscoveryio with its Recon 101 Series.🧵👇

#Recon #AttackSurface #bugbounty #recontips #projectdiscovery Image
1 - Active and Passive Recon

Master both techniques to uncover target info stealthily.

blog.projectdiscovery.io/reconnaissance…
2 - Subdomain Enumeration

Unveil hidden web assets.

blog.projectdiscovery.io/recon-series-2/
Read 6 tweets
Want to improve your network scanning skills with Nmap? 🕵️‍♀️💻

Check out these 5 quick tips to define targets, speed up scans, and scan with specific script categories! 🧵👇

#recon #recontips #AttackSurface #bugbounty #recontools #cybersecurity
1/5 Let's start with how to define targets.

Define targets for nmap scan by specifying IP addresses, IP ranges, domain names, or using a target list file.

$ nmap <IP1> <IP2> …
$ nmap 192.168.0.1/24
$ nmap <domain name>
$ nmap -iL <target list file>
2/5 The Ippsec scan for basic coverage.

Perform a comprehensive network scan using nmap's Ippsec initial scan.

$ nmap 127.0.0.1 -sC -sV -oA initial_nmap_scan
Read 7 tweets
Google Dorks - Cloud Storage #2:

site:dev.azure.com "example[.]com"
site:onedrive.live.com "example[.]com"
site:digitaloceanspaces.com "example[.]com"

Find sensitive data and company assets

#recon #bugbountytips #infosec #seo
Combine:

site:dev.azure.com | site:onedrive.live.com | site:digitaloceanspaces.com "example[.]com"

Add something to narrow the results: "confidential" "privileged" "apikey"
Read 6 tweets
Google Dorks - File Storage:

site:dropbox.com/s "example[.]com"
site:box.com/s "example[.]com"
site:docs.google.com inurl:"/d/" "example[.]com"

Find sensitive data and company accounts

#recon #bugbountytips #infosec #seo
Combine:

site:dropbox.com/s | site:box.com/s | site:docs.google.com "example[.]com"

Add something to narrow the results: "confidential" "privileged" "not for public release"
Read 6 tweets
My recent #aws threads always startet with creds, but how to get these creds will be the topic over the next days.
#hacking #recon #cloud

Lets start here:
👇
Definitions first:
#aws creds: classic name and passwords e.g for IAM, or aws access and secret keys
Outside: no creds, and no connections in any way to the org and its aws cloud to be tested
Interaction Point: Any potential point, application ressource, system, vulnerabilty etc, where there is a pawsibilty to gain #aws creds, can be a lot of things

lets do outside first: #hackers are cold, let them in.
Read 13 tweets
As much as I love automation in recon, 98% of the findings in my pentests have nothing to do with it. Why? 👇
1. Inspired by @NahamSec recent video.

First, in a large majority of the web pentests, clients want me to focus only on their app and it's features. So, there's no need for subdomain enumeration/bruteforcing or any other large recon tactic.
2. This doesn't mean that I don't use automation. I automate some of the boring and repetitive tasks via bash and python.
Read 9 tweets
I pet a cat today and now my allergies are killing me, so obviously this calls for a follow up of, hey you found some #aws creds, what to do meow:

#cloud #hacking #Recon
👇
Step 1: First you gotta decide if this is more of a lazy space vibe kinda thing (A), or (B) calls for some illegal dirty acidcore and adjust your playlist accordingly:
A:
B: soundcloud.com/pitch1/i-can-h…
next drop the keys in your .aws creds file. I typically name the first set initial and work with the --profile tag in the cli, so I can keep track on were I am. Then check who you are first, with:
aws sts get-caller-identity --profile initial
Read 11 tweets
So you found #aws creds to an S3, lets do some #cloud #hacking #recon:

👇
First of all, S3 stands for serious summertime sadness
and allows the general operations of:

list
get
put
delete

An S3 is a bucket and within a bucket there are objects. Basically an object can be anyfile. Objects have keys assoziated
and a bucket nayme must be globally unique and not contain spaces or uppercase letters.
Example:
mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg

the bucket mrlee in the west region with an object pizza.jpg and a key of /mafia/pizza.jpg
Read 10 tweets
So you wanna do some #azure #recon:

I give you a few pointers.
👇
Step 1: Say kiitos to @DrAzureAD then install AADInternals, set your phasers to stun and your POWAHSHELL to german to ensure MAXIMUM efficiency german powershell screenshot
To import the modul you might have to set your execution pawliciy 🐾.
For maximum fun we can set this to
Set-ExecutionPolicy unrestricted
on our managed company super safe devices. Do some privesc first if needed 😀
Read 9 tweets
Google Dork - Apache Server Status Exposed:

site:*/server-status apache

Find sensitive GET requests w/ CSRF tokens & API keys.

#recon #bugbountytips #infosec #seo #bugbounty #hacking Image
Medium article w/ Apache server-status breakdown by @ghostlulz: medium.com/@ghostlulzhack…
Google dorks basics for bug bounty recon:
thegrayarea.tech/5-google-dorks…
Read 4 tweets
Google Dorks - Cloud Storage:

site:s3.amazonaws.com "target[.]com"
site:blob.core.windows.net "target[.]com"
site:googleapis.com "target[.]com"
site:drive.google.com "target[.]com"

Find buckets and sensitive data

#recon #bugbountytips #infosec #seo
Combine:

site:s3.amazonaws.com | site:blob.core.windows.net | site:googleapis.com | site:drive.google.com "target[.]com"

Add something to narrow the results: "confidential” “privileged" “not for public release”
Nice list of google dorks from @Haax9_ :
cheatsheet.haax.fr/open-source-in…
Read 5 tweets
How I do subdomain enumeration by aggregating multiple tools in a bash script. The script contains the following tools:

(thread)
1. findomain @FindomainApp

- takes: -t $1 and adds the findings to a new file
2. assetfinder @TomNomNom

- takes: $1, looks for -subs-only, sorts unique, and appends to the above file
Read 8 tweets
At #IWCON2022, we have 15+ amazing #cybersecurity speakers from around the world 🌍

To share unique methods and findings with y’all 😍🙌

Get ready with your questions. Our experts will answer you live 🔥

Book your ticket: iwcon.live

Meet our speakers 🧵👇 Image
#1 Gabrielle Hempel @gabsmashh, #security engineer @Netwitness 🥳

Her topic: #Threat hunting in #cloud environments 🌩️

Time: 17th Dec, 7:30 pm IST

Want to attend this talk? 😍

Book your ticket here: iwcon.live

#cloudhunting #threathunting Image
#2 Luke Stephens @hakluke, founder of @haksecio 🔥

His topic: How I used #recon techniques to identify a prolific #scammer 👊

Time: 17th Dec, 6:30 pm IST ❤️

Don't wanna miss it?

Register today: iwcon.live

#infosec #hacking #hackingthehacker Image
Read 18 tweets
🧵 Here we are! Katana, a new web Crawler by @pdiscoveryio

Let's see how it works. A thread 👇🧵

#recontips #recon #projectdiscovery #hackwithautomation #bugbounty
1/7 - Quick Start - Crawling Mode

You can crawl websites in Standard mode or Headless mode (-hl). Add -jc for JS Crawling

$ katana -u http://testphp.vulnweb. com

$ katana -u http://testphp.vulnweb. com -hl

$ katana -list url_list.txt -jc
2/7 - Filters - 1

You can filter results to show only urls,path,file, and much more

$ katana -u http://testphp.vulnweb. com -fields path

$ katana -u http://testphp.vulnweb. com -fields file

$ katana -u http://testphp.vulnweb. com -fields dir
Read 9 tweets
12 #recon tools you NEED to know about! 🧵

Recon, the gathering of information about your target, is becoming more and more important! 🧠

Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more faster and more effective than the others 👇
[1️⃣] DNS
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups 👀
Often, you have a huge list of IP addresses 📜
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! 👇
[2️⃣] Amass
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. 🕸
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! 🐛
Let's find them! 👇
Read 14 tweets
Hey #OSINT, you might have heard about @spiderfoot, let's try to learn what it does the best. #ThreatHunting #threatintelligence #recon #infosec

A thread👇
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
Read 6 tweets
6 easy steps to master httpx. A thread 👇🧵

httpx (from @pdiscoveryio) is a fast and multi-purpose HTTP toolkit. Let's find out how it works

👇

#recon #httpx #bugbountytips #bugbounty #AttackSurfaceManagement #recontips
1/6 Standard use

httpx can be used with a target list or piped with other tools:

$ httpx -list subdomains.txt

$ subfinder -d ups. com | httpx -silent

$ httpx -l subs.txt -ports 8080 -threads 100
2/6 Specific Path or file:

It's possible to request a specific file or path useful for searching misconfiguration on multiple targets:

$ httpx -l subs.txt -silent -path “/.git/” -fr -mc 200
Read 8 tweets
ffuf is used by hundreds of people

But only a few use the tool effectively.

Here are 9 tips you want to know right away 👇 🧵

#bugbountytips #bugbounty #recon #ffuf
1/9 Standard mode

c: color
ac: auto calibration
r: follow redirects

$ ffuf -u https://ups[.]com/FUZZ -w ~/wordlists/common.txt -r

$ ffuf -c -u https://ups[.]com/FUZZ -w ~/wordlists/common.txt -ac
2/9 Throttle Speed

t: threads
p: seconds of delay between requests (or range e.g. 0.1-1)

$ ffuf -u https://ups[].com/FUZZ -t 20 -p 0.2 -w ~/wordlists/common.txt
Read 11 tweets
Hi Friends #bugbountytips #recon #bugbountytip

Here is a good thread of my brother @tabaahi_


Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing

Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain

2. Sort and Unique mean merge them to all-subdomains.txt

3. Resolve those subdomains - is ip/domain live?

4. check for alive subdomains -> httpx or httprobe -> prefer httpx
5. got https subdomains -> arrange with status code like 200,302,403,404,500

6. visual recon on these subdomains -> gowitness, eyewitness, aquatone

7. Port scans on these subdomains => naabu + nmap

8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
Read 22 tweets
I got around 10+ messages last week asking me for the tools I use in Bug Bounty.

So I thought why not make a thread on it.

Here's a list of my most used tools.

🧵👇

PS: This is my only my personal preference and I always experiment.
#bugbounty #infosec #recon #cybersecurity
1. Proxy

-> BurpSuite Community Edition

You really don't need BurpSuite Pro as a beginner. The community edition does almost everything you'd want to do. The only thing I've felt bad is not being able to save a project.
2. Fetch all subdomains

-> Amass

Quick Tip: Search with config file. Do more than just amass enum -d target.com

Link to config file: github.com/OWASP/Amass/bl…
Read 11 tweets
We mostly use amass enum and forget the rest.

But did you know you can do something more?
Did you know that you can track scan requests?

Read more 👇

#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
Where do the scans you normally do on amass get stored?

Well, every single scan you do with amass get's stored in the computer you run the scan on.

Therefore, if you run the same scan again it's possible for amass to keep track of the changes that's occurred.
But how do you do this?

For example let's say that you've run amass enum -d tesla.com last month and you wish to see the changes in scan request on the same domain.

You can simply do amass track -d https://t.co/1oT7xWHZR8 and it'd show you fresh targets.
Read 5 tweets
1/

R3C0Nizer is the first ever CLI based menu-driven automated web application B-Tier recon framework ...
github.com/Anon-Artist/R3…

#Recon #BugBounty
#100BugBountySecrets
🧵👇
2/

scant3r is a module-based web security tool, our goal is to make customizable tool with providing many functions and features that what you need for write a security module....
github.com/knassar702/sca…

#Recon #BugBounty
#100BugBountySecrets
🧵👇
Read 11 tweets
My speculation is that NATO Europe rn is in a Chamberlain moment: arms racing, stockpiling , mass propaganda & recons en masse. Espionage is at its peak of the century.
Image
Read 109 tweets
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens

tldrsec.com/blog/tldr-sec-…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei 📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you’re in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow’s security challenges today. hopin.com/events/executi…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr Tool for secret management at @elastic
github.com/elastic/harp

Repo of Google's security advisories and accompanying PoCs
github.com/google/securit…

@xntrik: Document your threat models in HCL
github.com/xntrik/hcltm

@daniel_bilar With 👆, you can now lint your TMs with Semgrep
Read 10 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!