Recon

Recon Tools & Frameworks

Acquisitions: good to know what the target has acquired (acquired companies bring their own domains, ASNs and infrastructure into scope, and are often less hardened than the parent).

ASN Enumeration: [bgp.he.net]

ASN: An Autonomous System Number, assigned to an org once its network is big enough to announce its own routes; looking the ASN up shows the IP ranges (prefixes) the org announces. Caveat: anything hosted in AWS/Azure/GCP or behind a CDN sits in the provider's ASN, not the org's, so this only finds infrastructure the org runs itself.

  • Tools:

    • ASNLookup

    • bgp.he.net

    • amass

Using amass (intel mode pulls netblocks for the given ASNs; ASN numbers are comma-separated):

docker build -t amass https://github.com/OWASP/Amass.git
docker run amass intel -asn ASN_NUM,1,2,3

amass intel -org "<org name>" searches for ASNs by org name when you don't know them yet.
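Once you have the netblocks, the useful check is which of your discovered hosts actually resolve into them. The following is an added example, not code from these notes, amass or bgp.he.net: the ASN numbers, prefixes and host/IP pairs are constructed sample data standing in for amass intel -asn output (one CIDR per line) and for the resolved output of a subdomain scan.

```python
"""Check which resolved hosts sit inside the IP space the org announces under its ASNs.

Added example, not code from the original notes, amass or bgp.he.net. The ASN
numbers, prefixes and host/IP pairs below are constructed sample data standing
in for `amass intel -asn <ASN>` output (one CIDR per line) and for the resolved
output of a subdomain scan.
"""
import ipaddress

# Constructed: stand-in for `amass intel -asn 64500` style output, one netblock per line.
SAMPLE_INTEL_OUTPUT = {
    64500: "192.0.2.0/24\n198.51.100.0/25\n",
    64501: "203.0.113.0/24\n\n2001:db8:1::/48\n",
}

# Constructed: subdomains and the addresses they resolved to.
RESOLVED = {
    "www.example.com": "192.0.2.10",
    "vpn.example.com": "203.0.113.7",
    "api.example.com": "2001:db8:1::beef",
    "blog.example.com": "198.18.0.5",  # hosted outside the org's own announced space
}


def parse_prefixes(intel_output):
    """Turn {asn: text} into a list of (asn, ip_network), skipping blank lines."""
    index = []
    for asn, text in intel_output.items():
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            index.append((asn, ipaddress.ip_network(line, strict=False)))
    return index


def owning_asn(ip_str, index):
    """Return the ASN whose prefix contains ip_str, or None if no known prefix does."""
    ip = ipaddress.ip_address(ip_str)
    for asn, net in index:
        if ip.version == net.version and ip in net:
            return asn
    return None


def classify_hosts(resolved, index):
    """host -> owning ASN (None means cloud/CDN/third-party hosting, or an ASN you missed)."""
    return {host: owning_asn(ip, index) for host, ip in resolved.items()}


def addresses_per_asn(index):
    """How many addresses each ASN announces; sizes a later port scan."""
    totals = {}
    for asn, net in index:
        totals[asn] = totals.get(asn, 0) + net.num_addresses
    return totals


if __name__ == "__main__":
    idx = parse_prefixes(SAMPLE_INTEL_OUTPUT)
    for host, asn in classify_hosts(RESOLVED, idx).items():
        print(f"{host:<20} {'AS' + str(asn) if asn else 'outside known prefixes'}")
    print(addresses_per_asn(idx))
```

Hosts that come back as None are the ones to look at separately: either they live with a cloud provider or CDN (different scanning rules, different attack surface) or you are missing an ASN and should go back to bgp.he.net.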

Reverse WHOIS: whoxy.com (search by registrant name, email or org to find other domains registered the same way).

  • Good for API

  • Free Credits

DOMLink: takes a seed domain, queries whoxy for its registrant details, then recursively pivots on every new registrant email/org that turns up in the output. Exclude privacy-proxy and "REDACTED" registrant values from the pivots or it drags in thousands of unrelated domains.
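The recursion DOMLink performs, written out as an added example (not DOMLink's or whoxy's code). WHOIS_DB is a constructed in-memory stand-in for whoxy reverse-WHOIS lookups so it runs offline; domains, emails and org names are made up. It shows why the pivot set needs a noise filter: one privacy-proxied domain is enough to pull unrelated registrants into the result.

```python
"""Recursive reverse-WHOIS pivoting, the loop DOMLink runs against whoxy.

Added example: not DOMLink's or whoxy's code. WHOIS_DB is a constructed,
in-memory stand-in for whoxy reverse-WHOIS lookups so this runs offline;
domains, emails and org names are made up.
"""

# Constructed sample: domain -> registrant fields a reverse-WHOIS API would return.
WHOIS_DB = {
    "example.com":          {"email": "domains@example.com",       "org": "Example Corp"},
    "example.net":          {"email": "domains@example.com",       "org": "Example Corp"},
    "example-labs.io":      {"email": "it@example-labs.io",        "org": "Example Corp"},
    "example-shop.com":     {"email": "contact@privacyproxy.test", "org": "Example Corp"},
    "acquired-startup.com": {"email": "it@example-labs.io",        "org": "Acquired Startup Inc"},
    "unrelated.org":        {"email": "contact@privacyproxy.test", "org": "REDACTED FOR PRIVACY"},
    "other-unrelated.com":  {"email": "contact@privacyproxy.test", "org": "REDACTED FOR PRIVACY"},
}

# Values shared by thousands of unrelated registrants; pivoting on them only adds noise.
NOISY_VALUES = frozenset({"contact@privacyproxy.test", "REDACTED FOR PRIVACY"})


def reverse_whois(db, field, value):
    """Stand-in for a whoxy reverse-WHOIS query: all domains whose `field` equals `value`."""
    return sorted(d for d, rec in db.items() if rec.get(field) == value)


def pivot_domains(db, seed, max_depth=3, noisy_values=NOISY_VALUES):
    """Breadth-first pivot from `seed` over registrant email and org, like DOMLink.

    Returns (domains found, pivots used) so every hit can be traced back to the
    registrant value that produced it.
    """
    found = {seed}
    frontier = [seed]
    pivots_used = []
    for _ in range(max_depth):
        next_frontier = []
        for domain in frontier:
            rec = db.get(domain, {})
            for field in ("email", "org"):
                value = rec.get(field)
                if not value or value in noisy_values or (field, value) in pivots_used:
                    continue
                pivots_used.append((field, value))
                for hit in reverse_whois(db, field, value):
                    if hit not in found:
                        found.add(hit)
                        next_frontier.append(hit)
        if not next_frontier:
            break
        frontier = next_frontier
    return found, pivots_used


if __name__ == "__main__":
    domains, pivots = pivot_domains(WHOIS_DB, "example.com")
    print("pivots:", pivots)
    print("domains:", sorted(domains))
```

Keep the pivot list next to the domain list when you hand results over: a domain that only entered via a shared org string is a weaker claim than one sharing a corporate registrant email, and the list lets you show which is which.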

Ad/Analytics Relationships: Builtwith.com (sites that share the same analytics or ad tracking IDs are usually run by the same org; its relationship profile lists them).

Google-Fu: "<some search string>" inurl:<domain> (pick a string unique to the org, e.g. its copyright line, privacy-policy wording or an internal product name).

Shodan: infrastructure search engine that scans and indexes Internet-facing hosts; search by domain, org or ASN to find exposed services. Free API key with limited credits.

Finding Subdomains: linked and JS discovery (crawl the sites you already know and harvest hostnames from links and JavaScript):

  • Linked Discovery

    • gospider

    • hakrawler

  • Subdomain Enumeration:

    • subdomainizer

    • subscraper

Google-Fu:

exclusion example: site:<rootdomain> -site:www.<rootdomain>

(i.e. subtract the subdomains you already know so the remaining results surface the ones you don't; keep adding -site: terms as you find more)

Subdomain Scraping: amass enum -passive -d <domain> (passive sources only, no DNS resolution of guesses)

  • Tools

    • subfinder:

    • github-subdomains.py

    • shosubgo (golang)

Subdomain Bruting

Amass:

amass enum -brute -d <domain> -src

amass enum -brute -d <domain> -rf resolvers.txt -w bruteforce.list

(-src shows which source found each name; -rf supplies your own resolver list; -w the wordlist. Check for wildcard DNS first by resolving a random label under the domain: if it answers, every bruted name "resolves" and the results are noise. amass filters wildcards itself; raw massdns setups need a filter step.)

shuffleDNS: projectdiscovery wrapper around massdns for bruteforcing/resolving huge lists fast, with wildcard filtering built in.

shuffledns -d <domain> -w bruteforce.list -r resolvers.txt -mode bruteforce (newer releases require -mode)
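Scraping and bruting leave you with several lists in different shapes (mixed case, trailing dots, wildcard entries, amass source tags, out-of-scope hits) that have to be merged before they go into a resolver or bruter. The following is an added example, not from these notes or from subfinder/amass; the tool outputs are constructed, and the amass lines mimic the "[Source]  host" shape of amass enum -src output (an assumption about its format). The scope check is the part worth copying: a naive substring match on the root domain accepts notexample.com.

```python
"""Merge and scope-filter subdomain lists from several tools before resolving or bruting.

Added example, not from the original notes or from subfinder/amass. The tool
outputs below are constructed; the amass lines mimic the "[Source]  host"
shape of `amass enum -src` output (an assumption about its format), and the
other two are plain one-host-per-line lists.
"""

ROOTS = {"example.com", "acquired-startup.com"}   # constructed in-scope root domains

# Constructed stand-ins for tool output.
SUBFINDER_OUT = """www.Example.com
api.example.com.
mail.example.com
"""

AMASS_SRC_OUT = """[DNS]      vpn.example.com
[Crtsh]    *.dev.example.com
[Crtsh]    notexample.com
[GitHub]   staging.acquired-startup.com
"""

BRUTE_OUT = """admin.example.com
www.example.com
example.com.attacker.test
"""


def normalize(line):
    """Lower-case, drop source tags, trailing dots and wildcard labels; None for blanks."""
    line = line.strip()
    if not line:
        return None
    host = line.split()[-1].lower().rstrip(".")   # last token survives "[Source]  host"
    if host.startswith("*."):
        host = host[2:]                           # cert wildcard implies the base label exists
    return host or None


def in_scope(host, roots):
    """True only for the root itself or a real subdomain of it (never for notexample.com)."""
    return any(host == root or host.endswith("." + root) for root in roots)


def merge(outputs, roots):
    """Return (sorted in-scope hosts, sorted out-of-scope hosts) across all tool outputs."""
    keep, reject = set(), set()
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host is None:
                continue
            (keep if in_scope(host, roots) else reject).add(host)
    return sorted(keep), sorted(reject)


if __name__ == "__main__":
    hosts, dropped = merge([SUBFINDER_OUT, AMASS_SRC_OUT, BRUTE_OUT], ROOTS)
    print("\n".join(hosts))            # feed this list to the resolver / bruter
    print("dropped:", dropped)
```

Keep the dropped list rather than discarding it: out-of-scope hits from certificate transparency (like notexample.com above) are sometimes typo-squats or phishing domains worth reporting on their own.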
