This article in the series contains a high-level overview of different tools and techniques used for automating reconnaissance processes to make them more efficient and effective. The purpose of recon for bug bounty hunting is to provide a comprehensive understanding of the target system, identify vulnerabilities, and gather information that can be used for security testing. Bug bounty hunters use several advanced methods for gathering information about a target system, such as using social media, search engines, and other online resources to uncover information about the target organization and its employees, as well as techniques for identifying and exploiting vulnerabilities in the target system.
Reconnaissance Techniques Overview
In general, reconnaissance techniques are used to gather information about a target or potential target. Some common reconnaissance techniques include:
Passive reconnaissance involves gathering information about a target without actively interacting with it. Examples include using search engines, social media, and public records to gather information about an organization or individual.
Active reconnaissance is interacting with a target to gather information. Examples include port scanning, vulnerability scanning, and social engineering tactics such as phishing. Reconnaissance is important for both cyber security professionals and attackers as they provide valuable information about a target’s vulnerabilities and weaknesses.
Preparing for Recon
Setting up the environment for reconnaissance involves preparing the necessary tools and resources to conduct reconnaissance. The following are some steps that can be taken to set up the environment:
Gathering tools and resources may include software such as Maltego as well as data sources such as search engines, social media, and public records.
Set up a virtual environment can be done by using a virtual machine or a cloud-based environment to help prevent any ethical or legal issues.
Configure the tools and resources once they have been gathered, they need to be configured to ensure they are set up correctly and are ready to be used. This may include installing software, setting up accounts, and configuring settings.
Test the tools and resources to ensure they are working correctly by running a few test scans or searches to check for any errors or issues.
Create a plan or a methodology to ensure that it is conducted in a systematic and organized manner and will also help to keep track of the information that is gathered.
Keep in mind the legal aspects and ethical standards because It’s not legal to perform reconnaissance on systems or networks that you do not have permission to access, and it’s not ethical to use the information gathered for malicious purposes.
By following these steps, the environment for reconnaissance can be set up in a way that ensures that it is conducted in a safe, legal, and ethical manner.
Common Tools for the Trade 12 common active and passive reconnaissance tools are:
Recon-ng is a web reconnaissance framework that can be used for domain, network, employee, website, and integration with other tools.
Nmap (Network Mapper) is a widely-used network exploration tool that can be used to scan for open ports and services on a target system. It works by sending various types of packets to a target system and analyzing the responses to determine what ports and services are running on the system.
Maltego: A data visualization and analysis tool that can be used to gather information about a target’s relationships and connections.
Shodan is a search engine for internet-connected devices that can be used to find open ports and services on a target system.
Wayback Machine is a digital archive of the Internet that allows users to view historical versions of websites.
Censys is a search engine that allows you to find specific types of devices and systems that are connected to the internet and view detailed information about their configuration and security.
LeakIX is designed to make it easy for users to find and view leaked/breach information, and it also provides tools for searching and filtering results.
Hunter.io can can be used to find email addresses associated with a specific domain, as well as information about the company’s employees and technology stack.
Sublist3r allows security researchers and penetration testers to gather information about a target web infrastructure by using search engines to identify subdomains.
theHarvester is a tool for gathering email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers and the Shodan computer search engine.
Whois is a tool that can be used to look up information about domain ownership and registration. Specifically, it can be used for identifying the name of the registrant, contact information, and the date of registration hosting provider and physical location of a target website.
Search Engines (dorking) allows users to utilize search engines using specific operators and keywords to find specific types of files or information.
These tools are widely used by security researchers. They can help to gather valuable information about a target’s network and infrastructure, as well as information about the target’s people and processes. It’s important to use these tools only for legal and ethical purposes, and to have the necessary authorization.
Passive Reconnaissance Techniques Passive reconnaissance is used to gather information about a target without actively interacting with it. These techniques are used to gather information about a target’s network and infrastructure, as well as information about the target’s people and processes. Some common passive reconnaissance techniques include: Search engine reconnaissance can include searching for information about the target’s domain, IP addresses, and email addresses.
Social media reconnaissance involves using social media to gather information about a target. This usually includes searching for information about the target’s employees, customers, and partners.
Public records reconnaissance is when you use public records to gather information about a target. This can include searching for information about the target’s business, finances, and ownership.
WHOIS lookups are performed when the researcher want to utilize the WHOIS database to gather information about a target’s domain. This can include information about the domain’s registration, expiration date, and contact information.
OSINT (Open-Source Intelligence) is about gathering information from publicly available sources such as news articles, social media, and government websites.
Passive reconnaissance techniques are useful for gathering information about a target’s network and infrastructure, as well as information about the target’s people and processes. It is important to note that passive reconnaissance does not involve any interaction with the target, and so is considered less invasive and less likely to trigger security alerts.
Active Reconnaissance Techniques
Active reconnaissance techniques are methods used to gather information about a target by actively interacting with it. These techniques are used to gather information about a target’s network and infrastructure, as well as information about the target’s security measures. Some common active reconnaissance techniques include:
Vulnerability scanning can provide information about the target’s software, configuration, and potential opportunities for exploitation.
Domain Name System (DNS) recon and enumeration involves gathering information about the DNS records of a target organization. You are able to retrieve information such as the IP addresses associated with a domain, the names of subdomains, and the email servers used by the organization.
Subdomain enumeration is used to to identify potential attack vectors and areas of the target organization’s infrastructure that may be more vulnerable. This can be done manually or using automated tools to identify all the subdomains associated with a target domain.
Network mapping and port scanning is a technique use to create a map of a target organization’s network infrastructure, including identifying all the devices and services running on it. It also involves identifying open ports and services running on the devices and servers, which could be potential attack vectors.
Web spidering and crawling involves using automated tools to scan a target organization’s website, identifying all the pages and links within it. This can be useful in identifying hidden or restricted areas of a website that may be vulnerable.
Content discovery is used to identify sensitive information that is publicly available on a target organization’s website or network to gather sensitive data such as financial information, customer data, or confidential business information.
File and directory enumeration is useful in identifying areas of the server that may be vulnerable to attack, such as misconfigured file permissions.
Tool Spotlight: Real-World Shodan It is fairly easy to you create an account on the Shodan website. Feel free to follow along with me I demonstrate some methods of recon within the Shodan platform using filters.
I wonder what’s going in Miami today, let’s see:
Whoa! I wonder how many are windows hosts? Let’s filter this a bit more:
“Ehhh, What’s up Doc?” Mr. Bugs Bounty and the world sees you and your outdated security today!
Using Shodan in the CLI:
After creating an account, you will have your an API key that corresponds with your individual usage of Shodan.
Ensure to copy your API key and paste with terminal command:
shodan init <APIkey>
Note: The CLI usage of this tool is powerful and can be used for custom scripting during the recon phase.
Now let’s look for all Microsoft IIS 4.0 instances. This version is definitely end-of-support so no one is using it right? Nah.
Reconnaissance techniques are important for assisting organizations with identifying and addressing vulnerabilities in their systems and applications.
Reading blogs and articles of successful bug hunters, attending online and offline security conferences, and discussing with peers in the cybersecurity community can be a great way to learn and improve your reconnaissance techniques.
Get out there and do some recon!