12 #recon tools you NEED to know about! ๐งต
Recon, the gathering of information about your target, is becoming more and more important! ๐ง
Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more faster and more effective than the others ๐
Recon, the gathering of information about your target, is becoming more and more important! ๐ง
Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more faster and more effective than the others ๐
[1๏ธโฃ] DNS
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups ๐
Often, you have a huge list of IP addresses ๐
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! ๐
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups ๐
Often, you have a huge list of IP addresses ๐
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! ๐
[2๏ธโฃ] Amass
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. ๐ธ
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! ๐
Let's find them! ๐
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. ๐ธ
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! ๐
Let's find them! ๐
[3๏ธโฃ] @nmap
Nmap stands for "Network Mapper" and that's precisely what it does.
This 25-year-old tool is FAR from outdated!
Let's use Nmap to find out what's actually running on those endless machines you've enumerated so far! ๐
Nmap stands for "Network Mapper" and that's precisely what it does.
This 25-year-old tool is FAR from outdated!
Let's use Nmap to find out what's actually running on those endless machines you've enumerated so far! ๐
[4๏ธโฃ] VHostScan
This Python scanner by @codingo_ is an excellent tool for finding virtual hosts! ๐จโ๐ป
What's that? Unlike subdomains, vhosts allow multiple applications to be hosted on a single server. ๐ฅ
This slightly esoteric feature means not many hunters are looking for this! ๐
This Python scanner by @codingo_ is an excellent tool for finding virtual hosts! ๐จโ๐ป
What's that? Unlike subdomains, vhosts allow multiple applications to be hosted on a single server. ๐ฅ
This slightly esoteric feature means not many hunters are looking for this! ๐
[5๏ธโฃ] Httprobe
All this recon has given us many subdomains, but what now? ๐คทโโ๏ธ
This tool by @TomNomNom will help us find all the web servers running on these subdomains! ๐
All this recon has given us many subdomains, but what now? ๐คทโโ๏ธ
This tool by @TomNomNom will help us find all the web servers running on these subdomains! ๐
[6๏ธโฃ] Waybackurls
Another tool by @TomNomNom can help us continue.
Instead of opting for active directory fuzzing, let's use the power of history to see what we can find on a target's website!
This tool uses the @waybackmachine to find new endpoints passively! ๐
Another tool by @TomNomNom can help us continue.
Instead of opting for active directory fuzzing, let's use the power of history to see what we can find on a target's website!
This tool uses the @waybackmachine to find new endpoints passively! ๐
[7๏ธโฃ] S3enum
This Go tool by @koenrh automates AWS S3 bucket enumeration.
Using this tool, you may be able to find the next big misconfiguration or overly permissive S3 bucket! ๐
This Go tool by @koenrh automates AWS S3 bucket enumeration.
Using this tool, you may be able to find the next big misconfiguration or overly permissive S3 bucket! ๐
[8๏ธโฃ] EyeWitness
If you're overwhelmed with endpoints, that's okay!
Let's bring some order to this madness using this tool by @FortyNorthSec ๐ช
It allows you to organize endpoints depending on their return value quickly. Screenshots of the page are a bonus! ๐ผ
If you're overwhelmed with endpoints, that's okay!
Let's bring some order to this madness using this tool by @FortyNorthSec ๐ช
It allows you to organize endpoints depending on their return value quickly. Screenshots of the page are a bonus! ๐ผ
[9๏ธโฃ] Relative URL extractor
JavaScript files are recon goldmines! They sometimes reference very interesting relative URLs that you need to know about! ๐ง
But manually going through 1000s of JS files, no! ๐ช
Use this great tool by @jobertabma ๐
JavaScript files are recon goldmines! They sometimes reference very interesting relative URLs that you need to know about! ๐ง
But manually going through 1000s of JS files, no! ๐ช
Use this great tool by @jobertabma ๐
[1๏ธโฃ0๏ธโฃ] TruffleHog
If you're lucky, you may have found a git repository during your recon! ๐
Let's use this tool by @trufflesec to dig into it and uncover all secrets the repo has to hold! ๐
If you're lucky, you may have found a git repository during your recon! ๐
Let's use this tool by @trufflesec to dig into it and uncover all secrets the repo has to hold! ๐
[1๏ธโฃ1๏ธโฃ] Arjun
Let's talk about enumerating GET parameters!
If you were thinking of brute-forcing thousands of them, then check out Arjun by @s0md3v ๐
It can check for thousands of GET params in under 50 requests! ๐คฏ
Let's talk about enumerating GET parameters!
If you were thinking of brute-forcing thousands of them, then check out Arjun by @s0md3v ๐
It can check for thousands of GET params in under 50 requests! ๐คฏ
[1๏ธโฃ2๏ธโฃ] Wappalyzer
One last trick we'll give you is fingerprinting everything you find using @Wappalyzer ๐
This way, you know what you're dealing with and what exploit might or might not work! ๐ช
One last trick we'll give you is fingerprinting everything you find using @Wappalyzer ๐
This way, you know what you're dealing with and what exploit might or might not work! ๐ช
๐งต And that's a wrap!
Note that there are alternatives to the tools we've showcased here, and looking around for something you like is highly recommended! ๐
Be sure to like this tweet and follow @intigriti if you want more of these threads! ๐
Happy hacking! ๐ฉโ๐ป
Note that there are alternatives to the tools we've showcased here, and looking around for something you like is highly recommended! ๐
Be sure to like this tweet and follow @intigriti if you want more of these threads! ๐
Happy hacking! ๐ฉโ๐ป
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
