INTIGRITI Profile picture
Oct 18 β€’ 14 tweets β€’ 8 min read
12 #recon tools you NEED to know about! 🧡

Recon, the gathering of information about your target, is becoming more and more important! 🧠

Here are the tools to help you spot subdomains, vhosts, S3 buckets, parameters and more faster and more effective than the others πŸ‘‡
[1️⃣] DNS
This DNS toolkit by @pdiscoveryio can do a lot! But let's focus on reverse DNS lookups πŸ‘€
Often, you have a huge list of IP addresses πŸ“œ
Just like resolving a domain to an IP, you can also try doing the opposite using PTR records!
Et voila! Domains to continue recon! πŸ‘‡
[2️⃣] Amass
This network mapping tool by @owasp is incredible, but let's hone in on doing subdomain enumeration. πŸ•Έ
The main domains companies use are often well-secured. But what about the domain that nobody knows about? Those can be riddled with bugs! πŸ›
Let's find them! πŸ‘‡
[3️⃣] @nmap
Nmap stands for "Network Mapper" and that's precisely what it does.
This 25-year-old tool is FAR from outdated!
Let's use Nmap to find out what's actually running on those endless machines you've enumerated so far! πŸ‘‡
[4️⃣] VHostScan
This Python scanner by @codingo_ is an excellent tool for finding virtual hosts! πŸ‘¨β€πŸ’»
What's that? Unlike subdomains, vhosts allow multiple applications to be hosted on a single server. πŸ–₯
This slightly esoteric feature means not many hunters are looking for this! πŸ”
[5️⃣] Httprobe
All this recon has given us many subdomains, but what now? πŸ€·β€β™‚οΈ
This tool by @TomNomNom will help us find all the web servers running on these subdomains! πŸ‘‡
[6️⃣] Waybackurls
Another tool by @TomNomNom can help us continue.
Instead of opting for active directory fuzzing, let's use the power of history to see what we can find on a target's website!
This tool uses the @waybackmachine to find new endpoints passively! πŸ‘‡
[7️⃣] S3enum
This Go tool by @koenrh automates AWS S3 bucket enumeration.
Using this tool, you may be able to find the next big misconfiguration or overly permissive S3 bucket! πŸ‘‡
[8️⃣] EyeWitness
If you're overwhelmed with endpoints, that's okay!
Let's bring some order to this madness using this tool by @FortyNorthSec πŸ’ͺ
It allows you to organize endpoints depending on their return value quickly. Screenshots of the page are a bonus! πŸ–Ό
[9️⃣] Relative URL extractor
JavaScript files are recon goldmines! They sometimes reference very interesting relative URLs that you need to know about! 🧠
But manually going through 1000s of JS files, no! πŸͺ“
Use this great tool by @jobertabma πŸ‘‡
[1️⃣0️⃣] TruffleHog
If you're lucky, you may have found a git repository during your recon! πŸ€
Let's use this tool by @trufflesec to dig into it and uncover all secrets the repo has to hold! πŸ‘‡
[1️⃣1️⃣] Arjun
Let's talk about enumerating GET parameters!
If you were thinking of brute-forcing thousands of them, then check out Arjun by @s0md3v πŸ›‘
It can check for thousands of GET params in under 50 requests! 🀯
[1️⃣2️⃣] Wappalyzer
One last trick we'll give you is fingerprinting everything you find using @Wappalyzer πŸ‘‡
This way, you know what you're dealing with and what exploit might or might not work! πŸ’ͺ
🧡 And that's a wrap!

Note that there are alternatives to the tools we've showcased here, and looking around for something you like is highly recommended! πŸ›’

Be sure to like this tweet and follow @intigriti if you want more of these threads! πŸ’œ

Happy hacking! πŸ‘©β€πŸ’»

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with INTIGRITI

INTIGRITI Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @intigriti

Jun 25, 2021
πŸ”΄LIVE MENTOR SESSION (starting now):
@zseano
will answer your questions for the next 4 hours!
πŸ’¬ Comment with your question! πŸ‘‡ Image
@Devil79830787 wants to know: "How can a complete noob (non-techie) enter the world of bug bounty(or hacking) in 2021. Top resources techniques and where to start and how to start advices"
@zseano @waters_ro asked: "What’s the bug you’ll never forget and why?"
Read 24 tweets
Jun 12, 2020
πŸ”΄LIVE MENTOR SESSION: @Agarri_FR will answer your questions for the next 4 hours!
πŸ’¬ Comment with your question! πŸ‘‡
Question from @aroly:
"What are the features you look at when searching for SSRF ? The places where you look first ?"
Question from @aroly:
"What do you try with external blind SSRF ? For example you can trigger a GET to the URL of the HTTP "Referer" header but that's it... What do you do in such situation ?"
Read 18 tweets
May 8, 2020
πŸ”΄LIVE MENTOR SESSION: @TomNomNom will answer your #BugBounty and tooling questions for the next 4 hours! Comment with your question! πŸ‘‡
Question from @amalmurali47:
"Among the tools that you've created, which one is your favorite?"
Question from @KarimPwnz:
"Do you think there should be more dynamic automation through browser extensions?"
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(