
Basic recon

Basic reconnaissance flows.

Automation

Acquisitions

Find the other companies owned by the target company. Their domains, IP ranges and infrastructure are often in scope and are frequently less hardened than the parent's main assets.

ASN

An autonomous system (AS) is a collection of connected IP routing prefixes under the control of one or more network operators that present a single, clearly defined routing policy to the Internet. Each AS is identified by an autonomous system number (ASN); IANA allocates ASN blocks to the regional Internet registries (RIRs), which assign them to network operators. Border Gateway Protocol (BGP) is used to advertise routing policy to other ASes and routers. Once we know the target's ASN, we can enumerate the IP prefixes it announces.

WHOIS

whois is used to find information about the registrant of a domain (organization, contacts, registrar, name servers, creation and expiry dates) and, for IP addresses and ASNs, the owning organization as recorded by the RIR.
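As an added example covering both the ASN and WHOIS steps above (not code from the original page), the script below wraps the live lookups (whois for the domain, Team Cymru for IP to ASN, RADB for the routes announced by an ASN) and includes a small parser that turns RADB output into a deduplicated prefix list. The AS number, prefixes and organization in the embedded sample are constructed placeholders, so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: from a target to its ASN and announced prefixes.
# Live functions need network access; the parser is also run on a
# constructed RADB-style sample so the script works offline.

# Live: registration details of a domain, reduced to the useful lines.
domain_whois_summary() {
    whois "$1" | grep -iE '^ *(Registrar|Registrant Organization|Name Server|Creation Date|Registry Expiry Date):'
}

# Live: which ASN announces this IP? (Team Cymru; the leading space stops
# the whois client from treating -v as its own option)
asn_for_ip() {
    whois -h whois.cymru.com " -v $1"
}

# Live: all route objects whose origin is the given ASN (RADB IRR).
radb_routes() {
    whois -h whois.radb.net -- "-i origin $1"
}

# Offline-capable: extract IPv4/IPv6 prefixes from RADB-style output,
# one per line, deduplicated (the same prefix often appears in several IRRs).
extract_prefixes() {
    awk '$1 == "route:" || $1 == "route6:" { print $2 }' | sort -u
}

# Constructed sample in RADB format (documentation ranges, not real results).
SAMPLE_RADB='route:      192.0.2.0/24
descr:      Example Corp
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
descr:      Example Corp
origin:     AS64496
source:     RADB

route6:     2001:db8::/32
descr:      Example Corp
origin:     AS64496
source:     RADB

route:      192.0.2.0/24
descr:      same prefix mirrored in a second IRR
origin:     AS64496
source:     ALTDB
'

# Number of distinct prefixes in the sample (3: two IPv4, one IPv6).
count_sample_prefixes() {
    printf '%s' "$SAMPLE_RADB" | extract_prefixes | wc -l | tr -d ' '
}

main() {
    if [ "$#" -eq 1 ]; then
        # Usage: ./asn_recon.sh AS64496   (live RADB lookup)
        radb_routes "$1" | extract_prefixes
    else
        echo "Prefixes in constructed sample:"
        printf '%s' "$SAMPLE_RADB" | extract_prefixes
    fi
}

main "$@"
```

IRR data is self-declared by operators and can be stale, so treat the prefix list as candidates and confirm ownership with the RIR whois record for each range before scanning.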

Archived Web Pages

Wayback Machine is an online tool that archives snapshots of many websites. Old snapshots can reveal pages, endpoints, parameters and files that are no longer linked from the live site.

Subnet Scan

To find live hosts on a subnet you only need a ping scan, which skips the port scan: pass nmap the option -sn (-sP is the older name for the same scan and still works). On a local Ethernet segment nmap discovers hosts with ARP requests; elsewhere it uses ICMP and a few TCP probes. A host that drops all of those probes is reported as down, so a "down" result is not proof that the address is unused.
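As an added example (not from the original page), the script below runs the ping sweep with greppable output (-oG) and extracts the addresses of the hosts reported as up. The nmap call needs a real network and, for ARP/ICMP probes, root; the parser is also run on a constructed -oG sample so it works offline. The addresses and hostnames in the sample are made up.

```shell
#!/bin/sh
# Added example: nmap ping sweep of a subnet, reduced to a list of live IPs.
# Greppable output has one "Host: <ip> (<name>)  Status: Up" line per host.

# Live: ping scan only, no port scan, greppable output to stdout.
# Down hosts appear in -oG output only when -v is given.
ping_sweep() {
    nmap -sn -v -oG - "$1"
}

# Keep the IP of every host whose status is Up.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed greppable output for a /29 (not a real scan result).
SAMPLE_GREPABLE='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -v -oG - 10.0.0.0/29
Host: 10.0.0.1 ()       Status: Up
Host: 10.0.0.2 ()       Status: Down
Host: 10.0.0.3 (printer.lan)    Status: Up
Host: 10.0.0.4 ()       Status: Up
# Nmap done at Mon Jan  1 00:00:01 2024 -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds'

# Number of live hosts in the sample (3).
sample_live_host_count() {
    printf '%s\n' "$SAMPLE_GREPABLE" | live_hosts | wc -l | tr -d ' '
}

main() {
    if [ "$#" -eq 1 ]; then
        # Usage: ./sweep.sh 10.0.0.0/24   (live scan)
        ping_sweep "$1" | live_hosts
    else
        echo "Live hosts in constructed sample:"
        printf '%s\n' "$SAMPLE_GREPABLE" | live_hosts
    fi
}

main "$@"
```

The resulting list is the input for the port scan step: scanning only the hosts that answered is much faster than port-scanning the whole range.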

Port Scan

See Port Scan for details.

Subdomains

See also Subdomain Discovery, DNS Pentesting.

Search engines index many subdomains. For example, input site:facebook.com in the search form of Google. We should see a list of subdomains of facebook.com.

VirusTotal

For example, input "facebook.com" in the search form of the URL section. We should see a list of subdomains of facebook.com in the RELATIONS section, collected passively from files and URLs VirusTotal has analysed.

  • Subdomain Takeover

    It allows an adversary to claim and take control of the victim's subdomain. The usual precondition is a dangling DNS record: the subdomain still points (typically via CNAME) at a third-party service where the resource was deleted, so the attacker registers that resource and serves their own content under the victim's name.

    Resource: OWASP
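As an added example (not from the original page or OWASP), the script below performs the first check for a dangling CNAME: resolve the subdomain with dig and flag it when the answer contains a CNAME but the overall status is NXDOMAIN, which is exactly what a resolver returns when the CNAME target no longer exists. The live function needs network access; the classifier is also run on two constructed dig outputs, whose names and targets are made up.

```shell
#!/bin/sh
# Added example: detect candidate subdomain takeovers (dangling CNAMEs).
# A resolver that follows a CNAME to a name that does not exist still
# returns the CNAME record in the ANSWER section but sets status: NXDOMAIN.

# Classify full dig output read from stdin:
#   DANGLING <target>  CNAME present and target does not resolve
#   CNAME <target>     CNAME present and target resolves
#   NO-CNAME           no CNAME in the answer
classify_dig() {
    awk '
        /status: NXDOMAIN/ { nx = 1 }
        $4 == "CNAME"      { target = $5 }
        END {
            if (target != "" && nx) print "DANGLING " target
            else if (target != "")  print "CNAME " target
            else                    print "NO-CNAME"
        }'
}

# Live: classify one subdomain (usage: check_subdomain shop.example.com).
check_subdomain() {
    dig "$1" | classify_dig
}

# Constructed dig output: CNAME to a hosting name that no longer exists.
SAMPLE_DANGLING=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;shop.example.com.              IN      A

;; ANSWER SECTION:
shop.example.com.       300     IN      CNAME   old-shop.hosting.example.net.'

# Constructed dig output: healthy CNAME whose target still resolves.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   web.hosting.example.net.
web.hosting.example.net. 60     IN      A       192.0.2.10'

classify_sample_dangling() { printf '%s\n' "$SAMPLE_DANGLING" | classify_dig; }
classify_sample_ok()       { printf '%s\n' "$SAMPLE_OK" | classify_dig; }

main() {
    if [ "$#" -ge 1 ]; then
        for sub in "$@"; do printf '%s: ' "$sub"; check_subdomain "$sub"; done
    else
        echo "dangling sample: $(classify_sample_dangling)"
        echo "healthy sample:  $(classify_sample_ok)"
    fi
}

main "$@"
```

A DANGLING result is a candidate, not a confirmed takeover: the name is only exploitable if the third-party service lets anyone claim that hostname, so verify against the provider before reporting it.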

Social Accounts

We can get more information (employee names, internal tooling, leaked code or credentials, technology choices) if the organization uses social platforms such as the following.

  • Discord

  • Facebook

  • GitHub

  • Mastodon

  • Reddit

  • Twitter

Trace Route Packets

To trace the route packets take from our host to the target (and so learn about intermediate routers, hosting providers and firewalls), run traceroute (tracert on Windows) against the target host.

Find Vulnerabilities

Automation

Exploit DB

You can search for exploits published in Exploit-DB from the command line with searchsploit, which works against a local copy of the database.

If you find an exploit for the target, copy it to the current directory with searchsploit -m followed by its EDB-ID or path. For example,

Exploit-DB is a database of publicly available exploits. Find the exploit and download it. For example:

Exploit-DB files often have Windows (CRLF) line endings, which break shebangs and shell scripts; convert them to UNIX line endings (for example with dos2unix) before running.
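As an added example (not from the original page or the searchsploit project), the script below wraps the three steps of this section: search the local Exploit-DB copy, mirror the chosen exploit into the current directory, and normalise its line endings. The CRLF conversion uses tr instead of dos2unix so it needs no extra package, and it is exercised on a constructed file so the script runs offline; the EDB-ID in the usage comments is a placeholder.

```shell
#!/bin/sh
# Added example: searchsploit workflow plus CRLF normalisation.

# Live: search the local database, e.g. search_exploits "proftpd 1.3.5"
search_exploits() {
    searchsploit "$@"
}

# Live: mirror (copy) an exploit into the current directory by EDB-ID or path,
# e.g. mirror_exploit 12345   (placeholder ID)
mirror_exploit() {
    searchsploit -m "$1"
}

# EDB-ID from a searchsploit path such as exploits/linux/remote/12345.py
edb_id_from_path() {
    basename "$1" | sed 's/\.[^.]*$//'
}

# Replace CRLF with LF in place: what "format for UNIX" means in practice.
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of CR bytes left in a file, used to verify the conversion.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Offline demo on a constructed CRLF file; prints "<before> <after>".
demo_strip_crlf() {
    tmp=$(mktemp)
    printf 'import socket\r\nprint("hello")\r\n' > "$tmp"   # constructed exploit stub
    before=$(crlf_count "$tmp")
    strip_crlf "$tmp"
    after=$(crlf_count "$tmp")
    rm -f "$tmp"
    echo "$before $after"
}

main() {
    if [ "$#" -ge 1 ]; then
        # Usage: ./edb.sh <search terms>   then mirror_exploit <EDB-ID> by hand
        search_exploits "$@"
    else
        echo "CR bytes before/after strip_crlf: $(demo_strip_crlf)"
    fi
}

main "$@"
```

Read every mirrored exploit before running it: Exploit-DB code is unreviewed, frequently contains hard-coded callback addresses, and sometimes does more than its title says.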

References
