THE ART OF RECONISM: HORIZONTAL RECON FOR PENETRATION TESTING:


Hacktivist-Attacker

Good entry!!! In this blog we learn about Horizontal Recon in pentesting. I hope you're already familiar with Information Gathering/Recon. If not, you can learn about it by referring to my blogs below!!!

Well, that's all. In the previous two blogs we learned about Recon in theory; from this blog onward we dive in practically and start our bug bounty journey!!!

RECONISM is divided into two parts. In this blog we see the first part (HORIZONTAL RECON). In the next blog we will see the second part (VERTICAL RECON).

Horizontal Recon is all about finding all the related assets of our target. Assets means not only the domains, but also the other integrated companies and their domains.

1. Domains Enumeration

2. IP Address (Internet Protocol) Enumeration

3. CIDR Range (Classless Inter-Domain Routing) Enumeration

4. ASN Number (Autonomous System Number) Enumeration

5. Reverse Whois Enumeration

6. Reverse DNS Enumeration → Reverse IP, Reverse NS, Reverse MX

In this stage I will give an introduction to the basics of all the topics and techniques. If you already know the basics, then stop swimming in the "INTRODUCTION STAGE" and dive straight into the "ENUMERATION STAGE".

1. Domains:

Domains are unique, human-readable string identifiers assigned to IP addresses. They are used to access content hosted on a computer from anywhere in the world. The domain mechanism is client-server based: simply, a client computer requests a resource and the server computer returns the resource to the client.

The form of a domain is: https://www.somedomainname.com/

2. IP (Internet Protocol) Address:

Protocols are sets of rules for communication between computers. The Internet Protocol (IP) is used to access a resource on one computer (the server) from all the other computers around the world. Every computer has a unique IP address number, which is like a human's name: names are used to identify people, and in the same way IP address numbers are used to identify computers.

The form of an IP address is: 0.0.0.0 → for example 1.1.1.1, 8.8.8.8

DNS (DOMAIN NAME SYSTEM) SERVERS:

DNS servers are used to map names to IPs (like a contacts list, which maps phone numbers to a person's name). For example, "0.0.0.0" is assigned to "somedomain.com". This assigned "IP to domain name" information is called the DNS "A" record. DNS contains not only the "A" record (IP to domain) but also mail records ("MX", which points to the email server), name server records ("NS", the server that holds the DNS records) and many other records. DNS records are publicly available because they are what routes clients to a specific domain's assigned server address.

3. CIDR Range (Classless Inter-Domain Routing):

A CIDR range is a representation of a collection of IPs. We can easily identify a bunch of IPs by referring to their CIDR range.

The form of a CIDR range is: 1.1.1.1/24 → 1.1.1.0–1.1.1.255

4. ASN Numbers (Autonomous System Numbers):

ASNs are used to represent a group of CIDRs. An Autonomous System Number is the identifier of a network. An ASN can also contain other ASNs within it.

The form of an ASN is: ASN1569 → 8.8.4.0/24, 8.8.8.0/24, 8.34.208.0/21, 8.34.216.0/21, 8.35.192.0/21, 8.35.200.0/21, 23.236.48.0/20, 23.251.128.0/19, 34.0.0.0/20, 34.0.32.0/20, 34.0.48.0/20, etc.

5. Reverse WHOIS:

WHOIS PROTOCOL:

WHOIS is a database that contains information about every registered domain, IP, CIDR and ASN on the Internet. WHOIS is a query-and-response based protocol. We can make a query by domain name, IP, CIDR or ASN, and the query returns a response that contains information about the queried domain name, IP, CIDR or ASN.

Reverse Whois:

Reverse WHOIS is a technique that looks for the other domains that are registered with the same information as our queried target.

For example, Google has a WHOIS record whose information is the same across Google's other domains, like YouTube, Drive and all their company domains.

6. Reverse DNS: → Reverse IP, Reverse MX, Reverse NS.

The reverse DNS techniques work the same way as the reverse WHOIS technique. We make a reverse lookup on our target's DNS records to find the other domains that contain the same registered records.

Reverse IP: looking for the other domains that are assigned to our target's IP.

1. Domains Enumeration:

Companies:

First of all we need to find our target domain. We can find our target domain from the company. For example, Facebook has many domains, but their main domain is facebook.com. This is one way we can find our target domains for penetration testing. However, unlike Facebook, not every company has a bug bounty policy.

Bug Bounty Platforms:

For this reason some companies have arisen as bug bounty platforms. A bug bounty platform takes on the responsibility of allowing bug bounty hunters to perform penetration testing and report vulnerabilities. After a vulnerability is identified, the company resolves it and rewards us.

Examples of bug bounty platforms are Bugcrowd, HackerOne, Intigriti and so on.

2. IP Address (Internet Protocol) Enumeration:

As penetration testers, we don't only conduct testing on domains. We also need to perform testing on IP addresses (meaning the domain's server). Some companies on bug bounty platforms have given their IPs, but not all companies disclose their IPs.

$nslookup

nslookup (Name Server Lookup) returns the IP of the given domain by querying its DNS "A" record.

nslookup example.com

After running this command we get the IP address of example.com. Now we have both the IP and the domain name of the target.

Actually, "THE ART OF RECONISM: HORIZONTAL RECON FOR PENETRATION TESTING" starts from here!!!!!!

Surprise……

Above, we just saw the introduction and the basic techniques of "HORIZONTAL RECON". From now on, let's start the advanced HORIZONTAL RECON techniques.

3. CIDR Range (Classless Inter-Domain Routing) Enumeration:

Finding the CIDR range from the IP address:

asnmap -i 8.8.8.8 -silent

$asnmap → https://github.com/projectdiscovery/asnmap

Install asnmap:

go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest

Finding the CIDR range from the domain name:

asnmap -d example.com -silent

Finding the CIDR range from the organization name:

asnmap -org GOOGLE -silent

4. ASN Numbers (Autonomous System Numbers) Enumeration:

$amass → https://github.com/owasp-amass/amass

Finding the ASN number from the organization name:

amass intel -org 'GOOGLE'

Install amass:

go install -v github.com/owasp-amass/amass/v4/...@master

Okay. In the first two techniques (1. Domain Enumeration, 2. IP Enumeration) we found the target domain and IP. We then used this information to gather more IPs and domains from the ASN and CIDR.

Now we have the CIDR ranges and ASN numbers of our target. After we confirm that they are in scope under our target's policy, we can convert the CIDR and ASN into IPs and domains. Let's go back to the earlier steps and enumerate the IPs and domains.
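The scope check above is where discovered ranges get filtered before any testing. The following is an added example (not code from the original post or from any of the tools it lists) that expands a CIDR into its host addresses, the way cidr2ip does, and triages discovered IPs, CIDRs and host names against a constructed scope policy; the CIDRs and domains in it are hypothetical placeholders, not a real programme's scope.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed, hypothetical scope policy (placeholders, not a real programme).
IN_SCOPE_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]
OUT_OF_SCOPE_CIDRS = ["203.0.113.240/28"]   # e.g. a block leased to a third party
IN_SCOPE_DOMAINS = ["example.com", "*.example.net"]  # "*." = apex plus all subdomains


def expand_cidr(cidr: str) -> list[str]:
    """Expand a CIDR into its usable host addresses (network/broadcast excluded)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def ip_in_scope(ip: str) -> bool:
    """Out-of-scope carve-outs win over in-scope ranges, as programme policies usually state."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in OUT_OF_SCOPE_CIDRS):
        return False
    return any(addr in ipaddress.ip_network(c) for c in IN_SCOPE_CIDRS)


def domain_in_scope(name: str) -> bool:
    """Exact match, or suffix match for wildcard entries (label-aware, so notexample.net fails)."""
    name = name.lower().rstrip(".")
    for pattern in IN_SCOPE_DOMAINS:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]                    # ".example.net"
            if name == suffix[1:] or name.endswith(suffix):
                return True
        elif name == pattern:
            return True
    return False


def triage(assets: Iterable[str]) -> dict[str, list[str]]:
    """Split a mixed list of IPs, CIDRs and host names into in-scope and out-of-scope."""
    result: dict[str, list[str]] = {"in_scope": [], "out_of_scope": []}
    for asset in (a.strip() for a in assets):
        if "/" in asset:                            # CIDR: expand and check each host
            items, check = expand_cidr(asset), ip_in_scope
        else:
            try:
                ipaddress.ip_address(asset)
                items, check = [asset], ip_in_scope
            except ValueError:                      # not an IP, treat as a host name
                items, check = [asset], domain_in_scope
        for item in items:
            result["in_scope" if check(item) else "out_of_scope"].append(item)
    return result
```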

1)1. IP Address (Internet Protocol) Enumeration From ASN and CIDR:

Finding the IP addresses from the ASN:

asnmap -a AS0000

Finding the IP addresses from the CIDR:

cidr2ip → https://github.com/codeexpress/cidr2ip

cidr2ip 0.0.0.0/30

Install cidr2ip:

go install github.com/codeexpress/cidr2ip@latest

1)2. Domains Enumeration From ASN and CIDR:

Finding the domains from the CIDR:

$Asnrecon → https://github.com/orlyjamie/asnrecon

python asnrecon.py

Select an option:
[1] Full ASN scan
[2] Specific IPv4 range scan
2
0.0.0.0

Install asnrecon:

git clone 'https://github.com/orlyjamie/asnrecon.git' && cd asnrecon
chmod +x install.sh && ./install.sh

$hakrevdns → https://github.com/hakluke/hakrevdns

prips 173.0.84.0/24 | hakrevdns -t 10

Install:

sudo apt install prips
go install github.com/hakluke/hakrevdns@latest
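The prips | hakrevdns pipeline above does PTR lookups over a whole range. As an added example (not code from the original post or from hakrevdns), here is the same sweep in Python: it resolves every address in a CIDR in parallel, keeps only the ones that have a PTR name, and groups the names by their apex so that hosts belonging to another organisation inside the range stand out. Live lookups use socket.gethostbyaddr; the FAKE_PTR table and fake_lookup are constructed stand-ins so the example runs offline.

```python
from __future__ import annotations
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Optional


def ptr_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup; None when the address has no PTR record or DNS fails."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_dns_sweep(cidr: str, lookup: Callable[[str], Optional[str]] = ptr_lookup,
                      threads: int = 10) -> dict[str, str]:
    """Resolve every address in the range (like prips | hakrevdns -t 10) and keep the hits."""
    ips = [str(ip) for ip in ipaddress.ip_network(cidr, strict=False)]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        names = list(pool.map(lookup, ips))       # map() preserves input order
    return {ip: name for ip, name in zip(ips, names) if name}


def group_by_apex(found: dict[str, str]) -> dict[str, list[str]]:
    """Group PTR names by their last two labels (a rough apex, not a public-suffix check)."""
    groups: dict[str, list[str]] = {}
    for ip, name in sorted(found.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        apex = ".".join(name.split(".")[-2:])
        groups.setdefault(apex, []).append(f"{name} ({ip})")
    return groups


# Constructed sample PTR data (hypothetical), used instead of live DNS.
FAKE_PTR = {
    "203.0.113.2": "mail.example.com.",
    "203.0.113.3": "Old-Staging.example.com",
    "203.0.113.5": "vps-5.hosting-provider.example",   # a third party inside the range
}


def fake_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for ptr_lookup with the same normalisation."""
    name = FAKE_PTR.get(ip)
    return name.rstrip(".").lower() if name else None
```

Running reverse_dns_sweep("203.0.113.0/29", fake_lookup) and then group_by_apex on the result puts the two example.com hosts in one group and the hosting-provider host in its own, which is the kind of entry to check against the scope policy before testing.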

Finding the domains from the ASN:

I looked for tools to do the job, but at the moment I cannot find any tool. But there are websites available to do the job.

https://bgp.he.net/ → just enter the ASN as the input and you can explore all the information, not only the domains but also the CIDR and ASN. The site also allows you to input a domain name, IP, CIDR or ASN.

NOTE: We need to find the IPs from the ASN or CIDR based on our company's scope policy. Big companies allow us to pentest their ASN and CIDR. But small companies do not allow pentesting them, because they are not a big company and do not hold an ASN or CIDR; they just rent some IPs from the providers.

Yeah, we found a bunch of IPs and domains. We don't stop here: not all the domains are registered in one ASN. There is a chance that a domain is registered outside the ASN but with the same registration information (e.g. name server, email address and other personal information). For this reason we will explore more assets with other techniques. More ways!!!!

The ways are always beautiful, if we love what we are doing!!!!!! → Hacktivist-Attacker

5. Reverse Whois Enumeration: → Conducting a reverse information search.

$revwhoix → https://github.com/Sybil-Scan/revwhoix.git

revwhoix -k "Google"

Install and setup:

git clone 'https://github.com/Sybil-Scan/revwhoix'
cd revwhoix
pip install .
The tool requires a whoisxmlapi API key.

1. Create an account at https://main.whoisxmlapi.com.
2. Navigate to user.whoisxmlapi.com/products and obtain an API key.
3. Paste the API key in the "~/.config/whoisxml.conf" file.

6. Reverse DNS Enumeration: → Reverse IP, Reverse NS, Reverse MX:

i) Reverse IP Lookup: → look for the domains that are registered on the same IP address.

$revIPLookup → https://github.com/1uffyD9/revIPLookup

revIPLookup -i 0.0.0.0
revIPLookup -i 0.0.0.0/24
revIPLookup -f IPListFile.txt

Install and setup:

git clone 'https://github.com/1uffyD9/revIPLookup.git' && cd revIPLookup
pip3 install -r requirements.txt
chmod +x revIPLookup.py && ln -sf `pwd`/revIPLookup.py /usr/local/bin/revIPLookup

ii) Reverse NS Lookup: → look for the domains that are registered on the same name server.

Tools are not available at the time of writing, but there are websites available to do a reverse NS lookup.

https://reverse-ns.whoisxmlapi.com/ → enter your target's name server and you will find your target's related domains. You can find your target's name server by just running the nslookup command.

iii) Reverse MX Lookup: → look for the domains that are registered with the same mail address.

$revwho → https://github.com/0xc0d/revwho.git

revwho -t "Register Name" "Register@mail.com" -o output.txt -q

Install:

git clone https://github.com/aggr3ssor/revwho.git && cd revwho
chmod +x setup.py && sudo ./setup.py install

$knockknock → https://github.com/harleo/knockknock.git

knockknock -n Register@mail.com -o output.txt -p

After finishing the "HORIZONTAL RECON" we will have a lot of information (IPs and domains). It is very important to find out which of them are in our target's scope. Once you have found the IPs and domains, you can ask the company to test these assets. If they are out of scope, just leave them and focus on the in-scope targets. But if you are granted access to conduct a pentest on these assets, you are one of the very few people who pentest them. By doing this you can find more bugs, because these assets are not visible to everyone.

Yeah!! We came to the end!!

Yeah! We came to the end of "THE ART OF RECONISM: HORIZONTAL RECON FOR PENETRATION TESTING" (the outer play game). We just completed the first step in our bug bounty journey. After this, we can dive into "VERTICAL RECON" → gathering information within the target (the inner play game).

I hope this blog helped you learn something new or know a bit more about things you already knew. I shared everything I know about HORIZONTAL RECON. If I missed any techniques, please comment and help the blog become greater. I am very thankful to you for reading my blog. I hope this blog was worth your time. Okay, thanks to all. We will meet in the next blog: "THE ART OF RECONISM: VERTICAL RECON FOR PENETRATION TESTING".

We are friends, not a community!!!!!!!