Recon

Blog / Articles / Presentations / Videos:

• Recon and Discovery - https://www.youtube.com/watch?v=La3iWKRX-tE

• https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd

• Doing Recon Like a Boss - https://www.youtube.com/watch?v=1Kg0_53ZEq8

• https://blog.zsec.uk/ltr101-method-to-madness/

• Presentation -https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf

• Recon Everything - https://medium.com/@maverickNerd/recon-everything-48aafbb8987

• Recon Notes - https://mavericknerd.github.io/knowledgebase/

• https://blog.detectify.com/2020/01/07/guest-blog-streaak-my-recon-techniques-from-2019/

• https://medium.com/@europa_/recoinnassance-7840824b9ef2

• https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21

• https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d

• https://bugbountytuts.files.wordpress.com/2018/02/dirty-recon.pdf

• https://blog.usejournal.com/web-application-security-bug-bounty-methodology-reconnaissance-vulnerabilities-reporting-635073cddcf2

• http://imsoley.tk/mofb/

• https://blog.detectify.com/2019/01/29/hacking-isnt-an-exact-science/

• Ben Presentation - https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g3fc0937313_1_68

• 100 Ways to Discover - https://sylarsec.com/2019/01/11/100-ways-to-discover-part-1/

• Asset Enumeration - https://captmeelo.com/bugbounty/2019/09/02/asset-enumeration.html

• Hacking Process - Recon - https://www.youtube.com/watch?v=1bivJl0B_bs&feature=youtu.be

• https://medium.com/@shahjerry33/recon-my-way-or-high-way-58a18dab5c95

• https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/

• https://medium.com/@smhtahsin33/recon-one-step-advanced-with-otx-8827119566fd

• https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4

• https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8

• Google Dorks - https://ahrefs.com/blog/google-advanced-search-operators/

  • https://github.com/HanPac/google-dorks-2018-2019/blob/master/dorks

  • https://twitter.com/s0md3v/status/1151759042785632256

  • Pagodo -https://twitter.com/search?q=pagodo%20recon&src=typed_query

  • https://twitter.com/intigriti/status/1116447376544280578

  • https://twitter.com/intigriti/status/1108365683069456385

  • Tools - https://github.com/ZephrFish/GoogD0rker/

  • https://github.com/1N3/Goohak

  • https://twitter.com/Th3G3nt3lman/status/1104111564632797186

  • https://blog.deesee.xyz/automation/osint/2020/01/07/semi-automation-dorking.html - Google Dorks

  • https://blog.ujwalkr.com/Google-Dorks-Recon/ - Goolgle Dork

  • https://github.com/BullsEye0/google_dork_list/blob/master/google_Dorks.txt

  • https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc

  • DORK: inurl:wp-config-backup.txt

  • https://exploitway.com/github-dorks-for-penetration-testing/

  • https://gist.github.com/zbetcheckin/04e6a5d7f2d5ef8cfa3c298701f47f9c

  • https://www.boxpiper.com/posts/google-dork-list

  • https://pastebin.com/zYPZNbMK

  • Google Dork - https://github.com/SKVNDR/FastDork

Tools:

• AutoRecon - https://github.com/JoshuaMart/AutoRecon

• https://bugbountyforum.com/tools/recon/ https://github.com/eldraco/domain_analyzer http://www.spiderfoot.net/info/

• https://dnsdumpster.com/ https://github.com/codingo/Reconnoitre NerdyData BuitWith hunter.io

• https://github.com/michenriksen/aquatone Censys Robtex Shodan Whoxy https://github.com/DataSploit/datasploit

• https://github.com/reconned/domained -- has multiple tools inbuilt

• https://github.com/evilsocket/xray

• https://github.com/003random/003Recon

• https://dnstrails.com/

• https://github.com/shibli2700/Rekon

• Automation for Open Threat Exchange - https://github.com/remonsec/Pri0tx

• Simple tool for get domain relationship.. https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py… -@Jhaddix@TomNomNom@stokfredrik@NahamSec@Yassineaboukir #bugbountytips #BugBounty

• https://github.com/hackerspider1/EchoPwn

• https://github.com/eslam3kl/3klCon

• https://github.com/cspshivam/easyrecon

• deksterecon

• https://github.com/remonsec/SEF

• https://github.com/chvancooten/BugBountyScanner

• https://github.com/Anon-Artist/R3C0Nizer

• https://github.com/dirsoooo/Recon

• https://github.com/gokulapap/Reconator

• https://github.com/Huntinex/rauton

Recon Cheatsheet:

• https://pentester.land/cheatsheets/2019/04/15/recon-resources.html

• https://github.com/0xhelloworld/public/blob/master/recon%20cheatsheet

• Awesome Asset Discovery - https://github.com/redhuntlabs/Awesome-Asset-Discovery

• Asset Discovery - https://0xpatrik.com/asset-discovery/?source=post_page---------------------------

Twitter Threads:

• Getting info about Domains than subdomains - https://twitter.com/gwendallecoguic/status/1187000587612762112

• If the scope is http://example.com only - https://twitter.com/imhaxormad/status/1118289299152072706

• https://twitter.com/hackermaderas/status/1181970321588572160

• https://twitter.com/nullenc0de/status/1166539906832879616

• ASN - https://twitter.com/C1h2e11/status/1163806579474329600

• ASN - oneliner to retrieve ASN numbers of a company. #bugbountytips (ls /tmp/GeoLite2-ASN-CSV.zip||wget --quiet -P /tmp "https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip…") 2>&1|grep X; unzip -c /tmp/GeoLite2-ASN-CSV.zip|grep -i airbnb|cut -d ',' -f 2|sort -fu https://pastebin.com/G44mnY2x

• https://twitter.com/hakluke/status/1199266508280434689 - ASN - whois -h http://whois.cymru.com $(dig +short http://tesla.com)

• ASN - https://twitter.com/akita_zen/status/1169792876554969089

• ASN - https://twitter.com/_harleo/status/1198210924395597824

• ASN - https://twitter.com/hakluke/status/1225264234675597312

• Quickly get the ASN of an IP address, along with the associated company name and location: curl http://ipinfo.io<ip> This is a great way to confirm ownership of an IP/domain. It also is a great way to services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.)

• CRT.sh - https://twitter.com/Dondata4/status/1226535287930654720

• Asset Discovery - https://twitter.com/nullenc0de/status/1226982642295459846 // https://github.com/cihanmehmet/sub.sh/blob/master/sub.sh

• Massscan - Take a list of subdomains, resolve them to an IP, remove duplicates and scan each with masscan.

  masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk {'print $1'} | sort -u | tr '\n' ',' | sed 's/,$//')

• saw this a while ago it might help someone. curl -fsSL "https://crt.sh/?CN=%25.%25.att.com&exclude=expired …" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt

https://twitter.com/Vulkey_Chen/status/1178323315892449281twitter.com

ASN, CIDR => amass intel => enumeration script 'amass with api keys, findomain with api keys, and subfinder' => massDNS => httprobe => sort live and dead hosts => run a subtakeover script => hakcrawler

Post Recon - https://twitter.com/jobertabma/status/998769037445230592

https://twitter.com/aish_kendle/status/1259909336274518016

• Asset Discovery tool -https://twitter.com/NahamSec/status/1260639679696629760

• https://github.com/bonino97/LemonBooster-v2

• https://github.com/carlospolop/hacktricks/blob/master/external-recon-methodology.md

• https://github.com/Quikko/Recon-Methodology

DNS tools:

-viewdns.info
-dnslytics.com
-dnsspy.io
-leafdns.com
-dnsdumpster.com
-intodns.com
-www.zonecut.net/dns
-xip.io
-nip.io
-ptrarchive.com
-www.whatsmydns.net
-ceipam.eu/en/dnslookup.php
-spyse.com/tools/dns-lookup
-www.buddyns.com/delegation-lab

• Recon Roadmap - https://ahmdhalabi.medium.com/ultimate-reconnaissance-roadmap-for-bug-bounty-hunters-pentesters-507c9a5374d