Hello everyone! We're back with another blog post, and if you remember our first post, you know we love diving into the essentials of bug hunting. This time we are focusing on web reconnaissance, or simply recon. It is the crucial first step in any bug hunting engagement, where we gather information to uncover hidden details and potential vulnerabilities. Let's dive into recon and see how mastering this skill can set you up for success.
Web reconnaissance, or simply recon, is the initial and essential step in understanding a target's online presence. The goal is to gather information about a target website or organization in order to map its infrastructure and surface potential vulnerabilities. Reconnaissance is typically divided into two categories:
Passive Reconnaissance
This involves gathering information from public sources without sending any traffic to the target itself. Common techniques include reviewing social media profiles, public databases, certificate transparency logs, and search engines.
Active Reconnaissance
Here, you interact directly with the target to gather detailed information. Techniques include port scanning, vulnerability scanning, and even social engineering. Active recon generates traffic the target can log, so stay within the program's scope and rules of engagement.
Why is Web Reconnaissance So Important?
Identifying Vulnerabilities:
Web reconnaissance helps identify weak points in web infrastructure that attackers might exploit.
Understanding Infrastructure:
It provides an overview of the target’s setup, including servers, subdomains, and network components, forming the foundation for further analysis.
Strengthening Security:
By uncovering potential attack vectors, security professionals can enhance the security posture of a website or network.
Foundation for Ethical Hacking:
Reconnaissance forms the groundwork for ethical hacking and penetration testing, ensuring that vulnerabilities are systematically identified and mitigated.
Basic Techniques in Web Reconnaissance
WHOIS Search
This technique gathers information about the domain registration: the registrar, registration and expiry dates, name servers, and (where not redacted) registrant contact details such as email addresses and phone numbers. Since 2018 most registrars redact personal contact data, so expect privacy-proxy records; the registrar, creation date and name servers are still useful for tying several domains to the same organization.
Tools: Whois.com, the whois command-line utility.
DNS Lookup
By examining DNS records (A, AAAA, CNAME, MX, TXT, NS), you can map the domain structure and spot DNS-related weaknesses, such as name servers that allow zone transfers (AXFR) or misconfigured records that expose internal hostnames or dangling CNAMEs.
Tools: Dnsenum, Dnsrecon, Fierce.
Company Acquisitions
Researching companies the target organization has acquired can reveal additional assets. For example, Google has acquired many companies, and the domains of those companies may also carry vulnerabilities worth investigating. Confirm that an acquired domain is actually listed as in scope by the program before testing it; acquisitions are often excluded from scope or only added later.
Technique: Google Dorking.
Subdomain Enumeration
Identify subdomains using both passive sources (certificate transparency logs, search engines, third-party datasets) and active methods (DNS brute-forcing with a wordlist), keeping a separate list for each phase. This comprehensive enumeration helps locate more endpoints associated with the target domain.
Tools: Amass, Assetfinder, Subfinder, crt.sh.
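Merging the passive sources into one normalized, in-scope list is where most of the hand work in this step goes. The Python below is an added example and not part of the original post; it parses a constructed crt.sh-style JSON response and constructed subfinder/assetfinder-style output, lowercases the names, strips wildcards and trailing dots, and drops look-alike hosts such as example.com.evil.net that a naive substring match would keep. The target domain example.com and the sample data are assumptions.

```python
"""Passive subdomain merge: crt.sh JSON plus tool output -> one clean in-scope list.
Added example; TARGET, CRTSH_JSON and TOOL_OUTPUT are constructed, not real data."""
import json
import re
from typing import List, Optional, Set

TARGET = "example.com"  # assumed in-scope root domain

# Constructed stand-in for https://crt.sh/?q=%25.example.com&output=json.
# A single name_value can hold several names separated by newlines, including wildcards.
CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nmail.example.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "API.Example.com."},
    {"name_value": "example.com"},
    {"name_value": "example.com.evil.net"},   # look-alike, out of scope
])

# Constructed lines in the one-host-per-line format subfinder/assetfinder print.
TOOL_OUTPUT = """\
staging.example.com
www.example.com
cdn.example-static.com
old.dev.example.com
not a hostname
"""

# RFC 1123 hostname labels; underscores (e.g. _dmarc) are deliberately rejected.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize(name: str) -> Optional[str]:
    """Lowercase, strip a trailing dot and a leading '*.', reject anything that is not a hostname."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]  # the wildcard base is usually a real host worth probing
    return n if HOST_RE.match(n) else None


def in_scope(name: str, root: str = TARGET) -> bool:
    """Exact root or a subdomain on a label boundary; rejects example.com.evil.net and notexample.com."""
    return name == root or name.endswith("." + root)


def names_from_crtsh(raw_json: str) -> Set[str]:
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        for part in entry.get("name_value", "").split("\n"):
            n = normalize(part)
            if n and in_scope(n):
                found.add(n)
    return found


def names_from_lines(text: str) -> Set[str]:
    found: Set[str] = set()
    for line in text.splitlines():
        n = normalize(line)
        if n and in_scope(n):
            found.add(n)
    return found


def build_passive_list() -> List[str]:
    """Union of all passive sources, deduplicated and sorted; write this to passive.txt."""
    return sorted(names_from_crtsh(CRTSH_JSON) | names_from_lines(TOOL_OUTPUT))


if __name__ == "__main__":
    for host in build_passive_list():
        print(host)
```

The scope check is the part worth copying: matching on a label boundary ("." + root) is what keeps example.com.evil.net and notexample.com out of your list, which a plain "contains example.com" filter would let through.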
Live Subdomain Enumeration
Filter your lists down to hosts that actually respond (the name resolves and an HTTP or HTTPS service answers) and consolidate them into a single file. An HTTP probing tool is helpful here to check the live status of each subdomain and to record the status code, page title and server header for later triage.
Subdomain Takeover Detection
Using the DNS results, check for subdomains whose CNAME points at a third-party service (static hosting, CDN, SaaS) where the target resource no longer exists. A dangling record like that may be claimable by an attacker. Note that some providers still resolve the name and only reveal the unclaimed state in the HTTP response, so confirm every candidate manually before reporting it.
Extracting IP Addresses
Gather the IP addresses associated with each live subdomain for further scanning. This set of IPs can then be used for deeper investigation into exposed services and open ports.
Tools: Naabu, Shodan CLI.
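The takeover check and the IP extraction above both start from the same DNS walk: follow the CNAME chain and see whether the final name resolves. The Python below is an added example, not the post's code or any tool's; it uses a constructed in-memory DNS table (the FAKE_DNS mapping, the hosts under example.com and the provider suffix list are all assumptions) so it runs offline, and flags a subdomain as a takeover candidate when its CNAME target does not resolve and sits on a known third-party suffix. For real use, replace lookup() with actual DNS queries.

```python
"""Dangling-CNAME takeover check and IP extraction over the live-subdomain list.
Added example. FAKE_DNS is a constructed in-memory resolver so this runs offline;
replace lookup() with real DNS queries (e.g. via dnspython) for actual use."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed DNS data: name -> ("CNAME", target) or ("A", [ips]); a missing key means NXDOMAIN.
FAKE_DNS: Dict[str, Tuple[str, object]] = {
    "www.example.com":        ("A", ["203.0.113.10"]),
    "api.example.com":        ("CNAME", "lb.example.com"),
    "lb.example.com":         ("A", ["203.0.113.10", "203.0.113.11"]),
    "blog.example.com":       ("CNAME", "example-blog.github.io"),  # target is NXDOMAIN
    "shop.example.com":       ("CNAME", "old-shop.herokuapp.com"),
    "old-shop.herokuapp.com": ("A", ["198.51.100.7"]),              # still claimed, not dangling
    "legacy.example.com":     ("CNAME", "gone.example.net"),         # dangling, unknown provider
}

# Live hosts as produced by the previous step (constructed).
LIVE_HOSTS = ["www.example.com", "api.example.com", "blog.example.com",
              "shop.example.com", "legacy.example.com"]

# Illustrative third-party suffixes. Whether an unclaimed name on a given service is
# actually registrable changes over time, so every hit needs manual confirmation.
TAKEOVER_SUFFIXES = (".github.io", ".herokuapp.com", ".s3.amazonaws.com", ".azurewebsites.net")


def lookup(name: str) -> Optional[Tuple[str, object]]:
    """Single-record lookup against the constructed table (swap for a real resolver)."""
    return FAKE_DNS.get(name.lower().rstrip("."))


def follow_cname(name: str, max_hops: int = 8) -> Tuple[List[str], Optional[List[str]]]:
    """Return (names visited, A records of the last name or None if it does not resolve)."""
    chain = [name]
    for _ in range(max_hops):
        rec = lookup(chain[-1])
        if rec is None:
            return chain, None
        kind, data = rec
        if kind == "A":
            return chain, list(data)
        chain.append(str(data))
    return chain, None  # CNAME loop or over-long chain: treat as unresolved


def classify(host: str) -> Dict[str, object]:
    """dangling = has a CNAME whose final target does not resolve;
    takeover_candidate additionally requires that target to sit on a known third-party service."""
    chain, ips = follow_cname(host)
    target = chain[-1] if len(chain) > 1 else None
    dangling = target is not None and ips is None
    candidate = dangling and any(target.endswith(s) for s in TAKEOVER_SUFFIXES)
    return {"host": host, "cname_target": target, "ips": ips or [],
            "dangling": dangling, "takeover_candidate": candidate}


def takeover_candidates(hosts: List[str]) -> List[Dict[str, object]]:
    """All dangling hosts; the takeover_candidate flag separates known services from the rest."""
    return [r for r in (classify(h) for h in hosts) if r["dangling"]]


def extract_ips(hosts: List[str]) -> List[str]:
    """Unique IPs behind the live hosts; this is the input list for port scanning."""
    ips: Set[str] = set()
    for h in hosts:
        ips.update(classify(h)["ips"])
    return sorted(ips)


if __name__ == "__main__":
    for r in takeover_candidates(LIVE_HOSTS):
        print(f"{r['host']} -> {r['cname_target']} (known service: {r['takeover_candidate']})")
    print("IPs for port scanning:", extract_ips(LIVE_HOSTS))
```

A host with no CNAME that simply does not resolve (NXDOMAIN at the first hop) is not reported: it is dead, not dangling. The legacy.example.com case shows why the known-suffix flag is kept separate from the dangling flag; a CNAME into an unknown domain may be claimable too, but only if that domain is registrable, which is a different check.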
Port Scanning
Perform mass scans across all collected IP addresses to identify open ports and the backend services behind them, then run targeted version detection on what you find. If a vulnerable service version appears, proceed with testing for known exploits, within the program's rules.
Tools: Nmap, Unicornscan, Zenmap.
Shodan & Censys Search
Using Shodan and Censys, you can look up your collected IP addresses for already-indexed services, banners and known vulnerabilities without sending a single packet to the target. These platforms help find exposed and potentially vulnerable servers.
Directory Brute-Forcing
Discover hidden directories, files and endpoints by brute-forcing paths on the target. Tailored wordlists (built from the target's technology stack and the paths you already know) and filtering on response size or status code reduce false positives and yield better results.
Tools: Dirbuster, Dirsearch, Gobuster, Wfuzz.
Wayback Machine Search
Retrieve archived URLs, endpoints and parameters from historical snapshots of the target site. Old parameters and forgotten endpoints are a rich source of candidates for XSS, SQL injection, hidden directories, SSRF and more, because they often remain reachable long after the links to them were removed.
Tools: waybackurls, web.archive.org.
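Wayback output is only useful once it is reduced to endpoints and parameter names. The Python below is an added example and not part of the original post; it takes a constructed list of archived URLs in the one-URL-per-line format waybackurls prints, discards static assets, groups URLs by endpoint and collects the parameter names seen for each, then flags names like url and debug that deserve a first look for SSRF, open redirect or debug features. The example.com URLs and the parameter list are assumptions.

```python
"""Triage of archived URLs into endpoints and parameter names for later testing.
Added example; ARCHIVED_URLS is constructed in the one-URL-per-line format waybackurls prints."""
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

ARCHIVED_URLS = """\
https://example.com/search?q=shoes&page=2
https://example.com/search?q=%3Cb%3E&sort=price
http://www.example.com/static/app.js
https://example.com/static/logo.png?v=3
https://example.com/account/export?format=csv&url=http://internal/
https://example.com/blog/2019/post.html
https://example.com/admin/
https://example.com/api/v1/users?id=1
https://example.com/api/v1/users?id=2&debug=1
"""

# Extensions that almost never carry injectable server-side logic.
STATIC_EXT = {"js", "css", "png", "jpg", "jpeg", "gif", "svg", "ico", "woff", "woff2", "ttf", "map"}

# Parameter names that often point at SSRF, open redirect, file access or debug features.
INTERESTING_PARAMS = {"url", "redirect", "next", "file", "path", "debug"}


def is_static(path: str) -> bool:
    """True when the last path segment has an extension from STATIC_EXT."""
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return ext in STATIC_EXT


def triage(raw: str) -> Dict[str, Set[str]]:
    """Map host+path (scheme and a leading www. dropped) to the set of query parameter names seen."""
    endpoints: Dict[str, Set[str]] = defaultdict(set)
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        u = urlsplit(line)
        if is_static(u.path):
            continue
        host = u.netloc.lower()
        if host.startswith("www."):
            host = host[4:]
        key = host + (u.path or "/")
        endpoints[key].update(k for k, _ in parse_qsl(u.query, keep_blank_values=True))
    return dict(endpoints)


def parameterised_endpoints(raw: str) -> List[str]:
    """Endpoints with parameters, rendered as path?a=&b= so a fuzzer can fill in the values."""
    return [key + "?" + "&".join(p + "=" for p in sorted(params))
            for key, params in sorted(triage(raw).items()) if params]


def interesting_endpoints(raw: str) -> List[str]:
    """Endpoints whose parameter names match INTERESTING_PARAMS; review these first."""
    return sorted(key for key, params in triage(raw).items() if params & INTERESTING_PARAMS)


if __name__ == "__main__":
    for line in parameterised_endpoints(ARCHIVED_URLS):
        print(line)
    print("review first:", interesting_endpoints(ARCHIVED_URLS))
```

Endpoints without parameters (admin/, the archived blog post) stay in the triage map so they can be fed to the directory brute-forcer as known-good paths; only the parameterised list goes to the injection fuzzers.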