Recon
Blog / Articles / Presentations / Videos:
Recon and Discovery -
Doing Recon Like a Boss -
Presentation -
Recon Everything -
Recon Notes -
Ben Presentation -
100 Ways to Discover -
Asset Enumeration -
Hacking Process - Recon -
DORK: inurl:wp-config-backup.txt
Tools:
Recon Cheatsheet:
Twitter Threads:
Masscan - Take a list of subdomains, resolve each to an IP, remove duplicates and scan every unique IP with masscan:
masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk '{print $1}' | sort -u | tr '\n' ',' | sed 's/,$//')
ASN, CIDR => amass intel => enumeration script (amass with API keys, findomain with API keys, and subfinder) => massdns => httprobe => sort live and dead hosts => run a subdomain-takeover script => hakrawler
Google Dorks -
Pagodo -
Tools -
- Google Dorks
- Google Dork
Google Dork -
AutoRecon -
NerdyData, BuiltWith, hunter.io
Censys, Robtex, Shodan, Whoxy
-- has multiple tools built in
Automation for Open Threat Exchange -
Simple tool to get domain relationships -
Awesome Asset Discovery -
Asset Discovery -
Getting info about Domains than subdomains -
If the scope is only -
ASN -
ASN -
- ASN - whois -h $(dig +short )
ASN -
ASN -
ASN -
Quickly get the ASN of an IP address, along with the associated company name and location: curl <ip> This is a great way to confirm ownership of an IP/domain. It is also a great way to identify services that might be in use (AWS/Azure/CloudFront/Akamai, etc.).
CRT.sh -
Asset Discovery - //
Saw this a while ago; it might help someone. curl -fsSL "" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt
Post Recon -
Asset Discovery tool -
Recon Roadmap -