Medium and Large Scope Recon


Parthchheda

Medium Scope Recon means our target surface will expand as there will be more subdomains to hunt for.

e.g. — *.example.com, *.dev.com, etc.

Note: We have to apply the Small Scope Recon methodology in Medium Scope as well as in Large Scope Recon.

1. Subdomain Enumeration — We have to dig deeper to find more subdomains of our given target.

Tools used — Dorking, Subfinder, Amass, crt.sh

2. Filtering Live Domains — Now that we have gathered the subdomains of our target, we have to determine which of them are live and can be tested for vulnerabilities, so we filter the subdomain list.

Tools used — httpx, httprobe and eyewitness

3. Template-based scanning — This simply means creating our own templates that find vulnerabilities through automation. Instead of repeating the same steps to hunt for a particular vulnerability, we can write a template once and run it, which saves time.

Tools used — Nuclei, nikto

4. OWASP Top 10 — OWASP stands for Open Web Application Security Project, and the Top 10 is the list of the most critical web application security risks globally, based on bug bounty reports, security research, and industry feedback and data collected over 4 years, as the OWASP Top 10 is updated every 4 years.
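Steps 1 and 2 above produce overlapping host lists from several tools, and only names inside the authorized scope should move on to probing. The following is an added example, not code from the original article: it merges and normalizes the lists, then separates in-scope hosts from the rest. The scope entries reuse the article's wildcard examples, and the sample tool output is constructed.

```python
import re

# Assumed program scope, taken from the wildcard examples in the article.
SCOPE = ["*.example.com", "*.dev.com"]
# One DNS label: letters, digits, hyphen, underscore; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalize(raw):
    """Return a clean lowercase hostname, or None if the entry is not one."""
    host = raw.strip().lower()
    # Some tools emit URLs: drop scheme, path, and port.
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/")[0].split(":")[0]
    host = host.rstrip(".")
    # Certificate logs list names like "*.api.example.com"; keep the parent name.
    while host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(LABEL.match(p) for p in labels):
        return None
    return host

def in_scope(host, scope=SCOPE):
    """True if host is a subdomain of a wildcard entry or equals an exact entry."""
    for pattern in scope:
        # pattern[1:] is ".example.com": matching on the leading dot keeps
        # "notexample.com" and "example.com.cdn.vendor.net" out.
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
        if host == pattern:
            return True
    return False

def merge(*sources):
    """Merge raw tool outputs into sorted (in_scope, out_of_scope) lists."""
    keep, dropped = set(), set()
    for text in sources:
        for raw in text.split():  # one name per whitespace-separated token
            host = normalize(raw)
            if host is not None:
                (keep if in_scope(host) else dropped).add(host)
    return sorted(keep), sorted(dropped)

# Constructed sample output standing in for Subfinder, Amass, and crt.sh results.
SUBFINDER = "api.example.com\nWWW.Example.com\nshop.example.com.\n"
AMASS = "api.example.com\nstaging.dev.com\nexample.com.cdn.vendor.net\n"
CRTSH = "*.api.example.com\nmail.example.com\nnotexample.com\nhttps://beta.dev.com:8443/login\n"

if __name__ == "__main__":
    hosts, skipped = merge(SUBFINDER, AMASS, CRTSH)
    print("in scope:", hosts)
    print("out of scope, not to be tested:", skipped)
```

The bare apex (example.com) is treated as out of scope here because a wildcard entry names only subdomains; add it as an exact entry in SCOPE if the program lists it.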

Large Scope Recon means the target surface expands even further, and we hunt for vulnerabilities on whatever assets the company owns.

1. Crunchbase — Crunchbase is useful for identifying third-party vendors associated with the target, which could have weaker security.

2. reconFTW — This is an automated recon tool that helps perform all the tasks of Small Scope as well as Medium Scope recon. It helps map attack surfaces quickly and find potential weak points before deeper manual testing.
