Scanning and Recon

From Enlace Hacktivista
Revision as of 08:41, 16 October 2023 by Booda (talk | contribs) (→‎Reconnaissance)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

These tools will scan web applications for vulnerabilities and misconfigurations, remember that they will cause a lot of traffic making lots of requests. Using APIs will advance your scanning but may cost $$$.

NOTE: This is not an exhaustive list.

WAF detect

Your target may have a web application firewall (WAF) which might try to prevent scanning, exploitation and other security tests. It's important that we can identify what WAF is in place so we can try and bypass it. Some targets might be vulnerable and normally an exploit would work however the WAF is preventing the exploit from popping the box. You can try to encode the payload (Burpsuite is good for this) amongst other things to bypass the WAF.


Automated recon scripts which automates a lot of the boring aspects of recon for you. They can be used to run some cursory automated vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers. Also can perform passive and active recon testing such as subdomain enumeration, credential bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records and directory fuzzing, dorking, ports scanning, screenshots, nuclei scanning on your targets and more. The best one is reconFTW but we provide others for comparison.

Vulnerability scanners

To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.

Subdomain enumeration

Enumerate your targets top level domain (TLD) as part of your recon to identify entry points in your targets infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your targets subdomains may also be running out of date software, subdomains might not be behind a WAF where the main page will be, less or no authentication where there should be and more vulnerabilities may exist as opposed to the TLD.

Subdomain screenshot

Screenshot subdomains during your recon process to quickly sift through and identify different subdomains without needing to load each one

Subdomain takeover

A subdomain takeover allows us to gain control over a misconfigured or abandoned subdomain. This is done by exploiting vulnerabilities in DNS settings, expired or deleted services, or incomplete migrations. Once control is established, we can employ social engineering tactics such as phishing, this could be hosting phishing pages on legitimate company subdomains that are already trusted by employees.

Subdomain monitoring

Monitor your target for new subdomains whenever they pop up. Sometimes developers will create a new and temporary subdomain for testing and development, be notified whenever this happens. Include vulnerability scanners into the below bash script such as nuclei to automate some security testing as well.

while true
  subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify
  sleep 3600

Be notified when your target updates their website.

while true
  cat subdomains.txt -silent | httpx -sc -cl -location -title -silent | anew changes.txt | notify
  sleep 15

Content discovery

Find endpoints, URLs, Parameters, Resources and much more with content discovery.


Word Lists

Word lists can be used in your content discovery when performing directory bruteforcing and subdomain bruteforcing.

Port scanners

When performing a port scan pay special attention to non-standard ports.

Technology scanners

NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.

When performing a penetration test we will want to know what technology is running on the target and what version it's running as so that later we can start looking for possible working public exploits.

Web Crawlers

Crawl a website, extract all URL endpoints and save them for further analysis. Useful for digging up parameters on websites to test for common vulnerabilities (XSS, SQLi, IDOR, LFI/RFI, etc)

ASN scanners

Map out an organizations network ranges using ASN information.

Google hacking

Refine your google searches (also works on Bing and DuckDuckGo) to discover paths, files, vulnerabilities, endpoints, login portals and technology.

Intercepting proxies


For automatic exploit tools and payloads, see exploitation.