# Full Recon and Enumeration steps

## OSINT Framework:

* <https://osintframework.com/>

## Brand Info:

1. **Wikipedia**
2. **info & acquisitions**: <https://www.crunchbase.com>
3. **link discovery**: crawl the target with Burp Suite Pro's spider or another crawler and collect every linked domain.

## Discovering IP ranges and TLDs:

1. **ASNs:**

* <http://bgp.he.net>

2. **ARIN & RIPE:**

* <https://whois.arin.net/ui/query.do>
* <https://apps.db.ripe.net/db-web-ui/#/fulltextsearch>
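The same ASN-to-prefix step from the command line, as an added example that is not part of the original page. It queries the RADB IRR mirror with its `-i origin` inverse lookup and parses the `route:`/`route6:` objects; the function names `asn_routes` and `asn_prefixes` are assumptions, and the sample IRR text is constructed from the documentation AS number and prefixes (AS64496, 192.0.2.0/24, 2001:db8::/32).

```shell
#!/usr/bin/env bash
# Added example, not from the original page: turn an ASN into its announced
# prefixes via the RADB IRR mirror, then expand a prefix for reverse lookups.
# Assumed names: asn_routes, asn_prefixes. SAMPLE_IRR is constructed.

# Parse IRR whois output on stdin and print only the route/route6 prefixes.
asn_routes() {
  awk '/^route6?:/ { print $2 }' | sort -u
}

# Live query (needs network): RADB accepts "-i origin ASnnn" as an inverse
# lookup; "--" stops the whois client from treating -i as its own option.
asn_prefixes() {
  whois -h whois.radb.net -- "-i origin $1" | asn_routes
}

# Constructed sample of what RADB returns for an origin query.
SAMPLE_IRR=$(cat <<'EOF'
route:          192.0.2.0/24
descr:          Example Networks (constructed sample)
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
descr:          Example Networks (constructed sample)
origin:         AS64496
source:         RADB
EOF
)

# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_IRR" | asn_routes

# Live use, then reverse-resolve every IPv4 prefix with the prips | hakrevdns
# chain used further down this page:
#   asn_prefixes AS64496 | grep -v : | while read -r p; do prips "$p"; done | hakrevdns
```

IRR objects are registered by the network owner and can be stale or incomplete, so cross-check the list against the live BGP view on bgp.he.net before treating a prefix as in scope.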

## DNS recon & Research:

* <https://www.bigdomaindata.com/>
* <https://www.nslookup.io/>
* <https://dnsdumpster.com/>
* <https://mxtoolbox.com/SuperTool.aspx>
* <https://toolbox.googleapps.com/apps/dig/>
* <https://subdomainfinder.c99.nl/>
* <https://web-check.as93.net/>
* <https://viewdns.info/>
* [https://intelx.io/](https://intelx.io/tools?tab=domain)

## Traffic Analysis:

* <https://seranking.com/website-traffic-checker.html>
* <https://www.seoreviewtools.com/website-traffic-checker/>
* <https://ahrefs.com/traffic-checker/>

## Discovering connected devices, IPs, history and servers:

* <https://www.shodan.io>
* <https://www.zoomeye.org/>
* <https://search.censys.io/search>
* <https://securitytrails.com/>
* <https://www.criminalip.io/>
* [https://intelx.io/](https://intelx.io/tools?tab=domain)

### Finding domains by IP and subnet:

```bash
# expand the CIDR into individual IPs, then reverse-resolve (PTR) each one
prips 173.0.84.0/24 | hakrevdns
```

## BuiltWith:

1. BuiltWith website: <https://builtwith.com/>
2. **Wappalyzer** browser add-on.
3. **Retire.js** browser add-on (finds JavaScript libraries with known vulnerabilities).
4. Check the "powered by" / copyright footer text in Google, e.g. with the following dork:

```
"tesla©2016" "tesla©2015" "tesla©2017" inurl:tesla.com
```

## WAF identification:

1. wafw00f
2. whatwaf

## Google Dorking:

<https://github.com/chr3st5an/Google-Dorking>

<https://dorkking.blindf.com/>

1. site:     `site:python.org`
2. inurl:   `inurl:"/course/jumpto.php"`
3. intitle:  `intitle:"index of"`
4. link:    `link:"https://en.wikipedia.org/wiki/ReDoS"` (Google retired this operator in 2017, so results are unreliable)
5. filetype:   `filetype:log`
6. Wildcard (\*)   `"how to hack * using Google"`
7. Quotes (" ")     used for an exact match.  `intitle:"how to hack"`
8. Or (|)      `site:(reddit.com | stackoverflow.com)`
9. Minus (-)  used to exclude a term.     `"how to hack websites" -php`

### Some useful dorks:

```
site:example.com inurl:app/kibana
site:s3.amazonaws.com COMPANY_NAME
site:example.com ext:log
site:example.com ext:php
site:example.com ext:txt password
```

## GitHub Dorking:

* <https://github.com/techgaun/github-dorks>
* <https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets>

## **Check Security Header Info:**

**cheat sheet:** <https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html>

Testing site: <https://securityheaders.com/>

#### Header-related issues:

1. **Clickjacking**

Absence of both the `X-Frame-Options` header and a `Content-Security-Policy: frame-ancestors <source>` directive, so any origin may frame the page.

2. **CORS**

The response to a request that sent `Origin: https://attacker.com` contains `Access-Control-Allow-Origin: https://attacker.com` together with `Access-Control-Allow-Credentials: true`, i.e. the server reflects arbitrary origins and allows credentialed cross-site reads. (`Access-Control-Allow-Origin: *` cannot be combined with credentials by browsers, so it is far less useful to an attacker.)
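Both checks scripted, as an added example that is not part of the original page or of securityheaders.com: `check_headers` triages a raw response-header dump on stdin for the two issues above, and `cors_probe` feeds it a live response fetched with a foreign `Origin` header. The function names, the origin `https://attacker.example` and the two sample responses are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: offline triage of response headers
# for clickjacking and reflected-origin CORS, plus a live curl wrapper.
# Assumed names: check_headers, cors_probe; SAMPLE_VULN/SAMPLE_SAFE are constructed.

# Usage: check_headers <origin-we-sent>  (headers on stdin); prints one finding per line.
check_headers() {
  local origin hdrs acao acac findings
  origin=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
  findings=""

  # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
  # (Content-Security-Policy-Report-Only does not enforce, so it is not counted.)
  if ! printf '%s\n' "$hdrs" | grep -q '^x-frame-options:' &&
     ! printf '%s\n' "$hdrs" | grep -q '^content-security-policy:.*frame-ancestors'; then
    findings="${findings}clickjacking: no X-Frame-Options and no CSP frame-ancestors\n"
  fi

  # CORS: our Origin is echoed back AND credentials are allowed. A bare "*"
  # with credentials is rejected by browsers, so it is deliberately not flagged.
  acao=$(printf '%s\n' "$hdrs" | sed -n 's/^access-control-allow-origin: *//p' | head -n1)
  acac=$(printf '%s\n' "$hdrs" | sed -n 's/^access-control-allow-credentials: *//p' | head -n1)
  if [ "$acac" = "true" ] && [ -n "$origin" ] && [ "$acao" = "$origin" ]; then
    findings="${findings}cors: origin ${acao} reflected with Allow-Credentials: true\n"
  fi
  printf '%b' "$findings"
}

# Live probe (needs network): fetch headers only, with a foreign Origin attached.
cors_probe() {
  local url=$1 origin=${2:-https://attacker.example}
  curl -sS -o /dev/null -D - -H "Origin: $origin" "$url" | check_headers "$origin"
}

# Constructed sample responses (not captured from any real host).
SAMPLE_VULN=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true
EOF
)
SAMPLE_SAFE=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Access-Control-Allow-Origin: *
EOF
)

echo "== constructed vulnerable response =="
printf '%s\n' "$SAMPLE_VULN" | check_headers https://attacker.example
echo "== constructed hardened response (no findings expected) =="
printf '%s\n' "$SAMPLE_SAFE" | check_headers https://attacker.example
# Live use:  cors_probe https://target.com/api/me
```

Run `cors_probe` against an authenticated endpoint, not just the home page: a reflected origin only matters where the response carries data the session cookie unlocks, and some servers reflect only origins that contain the target's own name (try `https://target.com.attacker.example` as the second argument).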

## Discovering subdomains:

### Subdomain scraping:

1. **amass**

```bash
amass enum -d target.com    # add -passive to use only OSINT sources and skip active DNS probing
```

2. **subfinder**

```bash
subfinder -d target.com
```

3. **assetfinder**

```bash
assetfinder -subs-only google.com    # print only subdomains, not related apex domains
```

4. **VirusTotal**

```bash
python3 vt-subdomains.py google.com    # web scraper
```

5. **SecurityTrails**

```bash
echo "google.com" | haktrails subdomains    # queries the SecurityTrails API (needs an API key in the haktrails config)
```

6. **censys**

```bash
censys subdomains lalamove.com    # censys-python CLI, queries the Censys API (needs API credentials)
```
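The scrapers above overlap heavily and each prints in its own format, so the useful step is the merge. The following is an added example, not from the original page or any of the tools: `normalize_subs` cleans a raw concatenated list against the apex domain (first field only, lowercase, no scheme/port/path, no wildcards, in-scope names only, deduplicated) and `passive_enum` runs whichever of subfinder, assetfinder and amass are installed and merges them. Both function names and the sample input `SAMPLE_RAW` are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: merge several passive sources into
# one clean, in-scope list before resolving or probing it.
# Assumed names: normalize_subs, passive_enum; SAMPLE_RAW is constructed.

# Normalize raw hostnames on stdin against an apex domain:
#  - keep the first field only, so annotated lines such as amass's
#    "name (FQDN) --> a_record --> 192.0.2.10" still yield the name
#  - lowercase, drop CR, scheme, port/path and trailing dot
#  - drop wildcard entries (*.dev.target.com)
#  - keep only the apex itself or names ending in ".<apex>", which discards
#    look-alikes such as target.com.evil.com that some sources return
#  - dedupe
normalize_subs() {
  local apex esc
  apex=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  esc=$(printf '%s' "$apex" | sed 's/\./\\./g')      # escape dots for grep -E
  tr -d '\r' \
    | awk '{ print $1 }' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##' -e 's/\.$//' \
    | grep -v '^\*' \
    | grep -E "(^|\.)${esc}\$" \
    | sort -u
}

# Passive enumeration with the tools listed above (needs the tools and network).
# Output is the merged, normalized list; feed it to puredns resolve / httpx next.
passive_enum() {
  local apex=$1
  {
    command -v subfinder   >/dev/null 2>&1 && subfinder -silent -d "$apex"
    command -v assetfinder >/dev/null 2>&1 && assetfinder -subs-only "$apex"
    command -v amass       >/dev/null 2>&1 && amass enum -passive -d "$apex"
  } 2>/dev/null | normalize_subs "$apex"
}

# Constructed sample: what a naive cat of several tool outputs looks like.
SAMPLE_RAW=$(cat <<'EOF'
API.target.com
api.target.com.
https://www.target.com/login
*.dev.target.com
mail.target.com (FQDN) --> a_record --> 192.0.2.10
target.com.evil-lookalike.com
cdn.TARGET.COM:443
target.com
EOF
)

# Offline demo; expected: api, cdn, mail, target.com, www (one per line).
printf '%s\n' "$SAMPLE_RAW" | normalize_subs target.com
# Live use:  passive_enum target.com > subs.txt && puredns resolve subs.txt -r resolvers.txt
```

Resolve the merged list before bruteforcing or screenshotting: passive sources return plenty of long-dead names, and the in-scope filter only protects you from look-alike domains, not from subdomains the programme explicitly excludes, so still apply the scope file after this step.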

### Subdomain bruteforcing:

1. **puredns**

```bash
puredns bruteforce wordlist.txt target.com -r dnsresolve.txt    # -r: list of trusted resolvers
```

2. **gobuster**

```bash
gobuster dns -d tesla.com -w awesome_wordlist.txt -i    # -i shows the resolved IPs
```

3. **shuffleDNS**

```bash
shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt -mode bruteforce
```

4. **massDNS**

```bash
massdns -r lists/resolvers.txt -t AAAA -w results.txt domains.txt    # -t A for IPv4 records
```

## Port Scan:

1. nmap
2. masscan
3. Naabu

## Visual identification:

* eyewitness
* aquatone
* httpscreenshot

## **Content discovery:**

1. httpx      // probe for live HTTP services first
2. wfuzz
3. dirsearch
4. gobuster
5. ffuf
6. dirb
7. dirbuster
8. kiterunner (kr)      // specifically for APIs
9. meg     // for a large number of targets

## **Extract URLs and paths from JS files:**

* linkfinder
* jsparser
* GoLinkFinder

## Spidering:

1. katana
2. AJAX Spider in ZAP

## URL extraction from archives:

* waymore
* gau
* waybackurls
* waybackunifier

## Parameter discovery:

* ParamSpider
* arjun
* GAP (Burp extension)
* Param Miner (Burp extension)
* parameth        // for bruteforcing

## Sorting URLs:

* gf (grep wrapper with patterns for interesting URLs, e.g. xss, ssrf, redirect)

## Credential bruteforce:

1. hydra
2. brutespray

## Enumerating cloud services (S3, Azure, GCP):

1. **cloud_enum**

```bash
./cloud_enum.py -k lalamove    # -k: keyword used to generate candidate bucket/app names
```

## Subdomain Takeover:

1. **Sub404**

```bash
python3 sub404.py -f /path/subdomains.txt
```
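What a takeover scanner actually does per host, written out as an added example that is not part of the original page or of Sub404: `cname_fingerprint` matches a CNAME target against a short, illustrative list of services whose names can be re-claimed, and `check_dangling` confirms the target currently returns NXDOMAIN. The function names, the variable `TAKEOVER_SUFFIXES` and the demo CNAME targets are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or Sub404: the two checks a takeover
# scanner makes per host, split so the offline part is testable.
# Assumed names: TAKEOVER_SUFFIXES, cname_fingerprint, check_dangling.

# Third-party CNAME targets that can be re-registered once the upstream resource
# is deleted. Illustrative subset; consult can-i-take-over-xyz for current status.
TAKEOVER_SUFFIXES="github.io herokuapp.com s3.amazonaws.com azurewebsites.net"

# Print the matching service suffix for a CNAME target; exit 1 if none matches.
cname_fingerprint() {
  local target s
  target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
  for s in $TAKEOVER_SUFFIXES; do
    case "$target" in
      "$s"|*."$s") printf '%s\n' "$s"; return 0 ;;
    esac
  done
  return 1
}

# Live check (needs dig and network). A host is a candidate when its CNAME
# points at a fingerprinted service AND that target name returns NXDOMAIN.
check_dangling() {
  local host=$1 cname svc
  cname=$(dig +short CNAME "$host" | head -n1)
  [ -n "$cname" ] || return 1
  svc=$(cname_fingerprint "$cname") || return 1
  if dig +noall +comments "$cname" | grep -q 'status: NXDOMAIN'; then
    printf '%s -> %s [%s]: CNAME target does not exist, verify by claiming it\n' \
      "$host" "$cname" "$svc"
  fi
}

# Offline demo on constructed CNAME targets:
cname_fingerprint example-user.github.io.               # github.io
cname_fingerprint app-42.herokuapp.com                   # herokuapp.com
cname_fingerprint www.target.com || echo "www.target.com: no fingerprint"
# Live use over the same input file Sub404 takes:
#   while read -r h; do check_dangling "$h"; done < /path/subdomains.txt
```

NXDOMAIN on the CNAME target is a lead, not proof: some providers return a placeholder page rather than NXDOMAIN for unclaimed names, others have closed the gap entirely, so the candidate is only confirmed once you can register the target name (or bucket) yourself.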

