Mastering Reconnaissance Part 2: Advanced Scanning, Content Discovery, and Automation for Bug…


Akash Ghosh

In Part 2 of the “Mastering Reconnaissance” series, we’re stepping up our recon game. This guide will cover port scanning, service identification, content discovery, OSINT techniques, and advanced automation, giving you deeper insights and helping you uncover high-impact vulnerabilities faster.

Port scanning helps identify open doors (ports) and running services on a target, revealing potential attack vectors.

💼 Essential Tools:

Nmap: The ultimate network scanner.
Masscan: For ultra-fast, large-scale scans.

📌 Key Techniques:

Stealth Scan with Nmap:

nmap -sS -Pn -T4 -p- target.com
-sS: TCP SYN ("stealth") scan; the handshake is never completed, so it is logged less often than a full connect scan.
-Pn: Skips host discovery (faster, and works when ICMP is blocked).
-T4: Aggressive timing for quicker scans.
-p-: Scans all 65,535 TCP ports.

Service Detection and Script Scanning:

nmap -sV -sC --script vuln target.com
-sV: Service version detection.
-sC: Runs the default NSE script set.
--script vuln: Runs the vulnerability detection scripts automatically.

Large-Scale Scanning with Masscan:

masscan -p1-65535 target.com --rate=1000
Masscan scans are extremely fast but require tuning --rate to your network capacity. Note that Masscan takes IP addresses or CIDR ranges rather than hostnames, so resolve target.com to its address(es) first.

💡 Pro Tip:

Use Nmap’s NSE scripts (--script "http-*", quoted so the shell does not expand the wildcard) to find specific vulnerabilities like XSS, SQLi, or misconfigurations.

Once you have open ports, it’s time to identify the services running behind them. Knowing the software and version helps in finding specific exploits.

🔧 Tools:

WhatWeb: Identifies web technologies.
Wappalyzer CLI: Detects CMS, libraries, and frameworks.
Netcat for Banner Grabbing:

printf 'HEAD / HTTP/1.1\r\nHost: target.com\r\n\r\n' | nc target.com 80

Use this for a quick service banner check. An HTTP/1.1 request needs a Host header and a terminating empty line, otherwise the server waits or answers 400.

Advanced Technique:

Using Shodan for Passive Service Recon:

shodan search "port:22 product:ssh"

Leverage Shodan to discover specific services and known vulnerable versions across the Internet.

Content discovery uncovers hidden files, directories, and endpoints that may not be easily visible, offering more attack surfaces.

🔧 Essential Tools:

Dirsearch: A powerful directory brute-forcer.
FFUF: Fast and flexible fuzzing tool.
GoSpider: Efficient crawler for finding hidden URLs and endpoints.

🚀 Key Techniques:

Directory Bruteforcing with Dirsearch:

dirsearch -u https://target.com -e php,html,js -w /path/to/wordlist.txt
Customize the extensions and use a comprehensive wordlist for better results.

Fuzzing with FFUF for Parameter Discovery:

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200
The -mc (match code) flag keeps only responses with the given HTTP status codes, here 200, helping identify interesting files.

Parameter Discovery with ParamSpider:

python3 paramspider.py -d target.com --exclude jpg,png,css
Finds GET parameters that may be susceptible to injection attacks.

💡 Pro Tip:

Combine these tools with custom wordlists from SecLists for better coverage, especially when targeting large applications.

OSINT (Open Source Intelligence) helps you gather publicly available information, providing valuable insights without touching the target’s server directly.

📜 Tools:

theHarvester: Collects emails, subdomains, IPs, and more.
SpiderFoot: Automated OSINT framework.
Amass: For deep network mapping and enumeration.

Practical Examples:

theHarvester Command for Comprehensive Recon:

theHarvester -d target.com -b google,bing,linkedin
Collects data from multiple sources for a holistic view.

SpiderFoot for Automated Recon:

spiderfoot -s target.com -m all
Enables all modules for in-depth analysis, including data breaches and infrastructure info.

Automation is the key to efficient reconnaissance. It helps you gather data faster and reduces manual work.

Top Tools:

Recon-ng: A powerful recon framework.
Nuclei: Template-based vulnerability scanning.
Custom Python Scripts: Automate repetitive tasks and integrate multiple tools.

Building an Automation Pipeline:

Example Pipeline Script:

subfinder -d target.com | httpx -silent | nuclei -t cves/ -o results.txt

This pipeline:
Finds subdomains (subfinder).
Checks for live hosts (httpx).
Scans for known vulnerabilities (nuclei).

Nuclei for Automated Scanning:

nuclei -u https://target.com -t exposures/ -o scan_results.txt
Use custom templates from the Nuclei repository for tailored scanning.

💡 Pro Tip:

Create your own recon automation script with Python to integrate multiple tools and streamline your process.

By mastering these advanced techniques, you’re not only sharpening your recon skills but also preparing for higher success rates in bug bounties. Remember, a solid recon phase is what separates an average report from a stellar, impactful one.

In Part 3, we’ll delve into exploitation techniques, focusing on how to leverage your recon findings to identify high-severity bugs.

Follow Me for More Tips and Insights:

X (Twitter): @myselfakash20
LinkedIn: Akash Ghosh

Stay tuned for more content, and happy hunting! 🕵️‍♂️🚀
