Info Gathering - Intro

Introduction

Web Reconnaissance is the foundation of a thorough security assessment. This process involves systematically and meticulously collecting information about a target website or web application.

Types of Reconnaissance

Active Reconnaissance

In active reconnaissance, the attacker directly interacts with the target system to gather information.

This includes:

  • Port Scanning (Nmap, Rustscan, Masscan) - Identifying open ports and services running on the target.

  • Vulnerability Scanning (Nessus, Nikto, OpenVAS) - Probing the target for known vulnerabilities, such as outdated software or misconfigurations.

  • Network Mapping (Traceroute, Nmap) - Mapping the target's network topology, including connected devices and their relationships.

  • Banner Grabbing (Netcat, curl) - Retrieving information from banners displayed by services running on the target.

  • OS Fingerprinting (Nmap, Xprobe2) - Identifying the operating system running on the target.

  • Service Enumeration (Nmap) - Determining the specific versions of services running on open ports.

  • Web Spidering (Burp Suite Spider) - Crawling the target website to identify web pages, directories, and files.
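Every active technique above leaves a distinctive footprint on the target: a single source touching many ports, or many URL paths, within a short time. The following Python script is an added example written for these notes, not code from the original page; it shows how a defender can pick that fan-out pattern out of logs. Both log excerpts are constructed samples, the firewall log format is assumed, and the window length and alert thresholds are assumed tuning values.

```python
"""Spot active reconnaissance (port scans, web spidering) in defender-side logs.

Added example for these notes, not code from the original page. The two log
excerpts are constructed samples; the firewall log line format, the window
length and the alert thresholds are assumptions to be tuned locally.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall connection log: one source sweeps twelve ports in
# five seconds, another client makes ordinary repeat connections.
FIREWALL_LOG = """\
2024-05-01T10:00:00+0000 src=203.0.113.5 dport=21 action=deny
2024-05-01T10:00:00+0000 src=203.0.113.5 dport=22 action=allow
2024-05-01T10:00:01+0000 src=203.0.113.5 dport=23 action=deny
2024-05-01T10:00:01+0000 src=203.0.113.5 dport=25 action=deny
2024-05-01T10:00:02+0000 src=203.0.113.5 dport=80 action=allow
2024-05-01T10:00:02+0000 src=203.0.113.5 dport=110 action=deny
2024-05-01T10:00:03+0000 src=203.0.113.5 dport=143 action=deny
2024-05-01T10:00:03+0000 src=203.0.113.5 dport=443 action=allow
2024-05-01T10:00:04+0000 src=203.0.113.5 dport=445 action=deny
2024-05-01T10:00:04+0000 src=203.0.113.5 dport=3306 action=deny
2024-05-01T10:00:05+0000 src=203.0.113.5 dport=3389 action=deny
2024-05-01T10:00:05+0000 src=203.0.113.5 dport=8080 action=deny
2024-05-01T10:03:00+0000 src=198.51.100.7 dport=443 action=allow
2024-05-01T10:03:30+0000 src=198.51.100.7 dport=443 action=allow
2024-05-01T10:04:00+0000 src=198.51.100.7 dport=80 action=allow
"""

# Constructed web server access log (combined format): one client walks
# nine distinct pages in four seconds, a normal visitor opens two.
ACCESS_LOG = """\
203.0.113.9 - - [01/May/2024:10:10:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:00 +0000] "GET /about HTTP/1.1" 200 1310 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:01 +0000] "GET /contact HTTP/1.1" 200 901 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:01 +0000] "GET /products HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:02 +0000] "GET /blog HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:02 +0000] "GET /search HTTP/1.1" 200 760 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:03 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:03 +0000] "GET /careers HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:10:04 +0000] "GET /faq HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:10:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:10:09 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

FW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')


def parse_firewall(text):
    """Yield (timestamp, source_ip, destination_port) per connection line."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"), m["src"], int(m["dport"])


def parse_access(text):
    """Yield (timestamp, client_ip, request_path) per access log line."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], m["path"]


def fan_out_alerts(events, window_seconds, threshold):
    """Sliding-window fan-out detector.

    events: (timestamp, key, resource) tuples in time order. Returns
    {key: peak number of distinct resources seen inside one window} for
    every key whose peak reached the threshold.
    """
    windows = defaultdict(deque)                   # key -> recent (ts, resource)
    counts = defaultdict(lambda: defaultdict(int))  # key -> resource -> hits in window
    peak = defaultdict(int)
    for ts, key, res in events:
        q = windows[key]
        q.append((ts, res))
        counts[key][res] += 1
        # Expire entries older than the window before measuring fan-out.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            old_ts, old_res = q.popleft()
            counts[key][old_res] -= 1
            if counts[key][old_res] == 0:
                del counts[key][old_res]
        peak[key] = max(peak[key], len(counts[key]))
    return {k: v for k, v in peak.items() if v >= threshold}


def port_scan_sources(log_text=FIREWALL_LOG, window_seconds=60, threshold=10):
    """Sources that touched >= threshold distinct ports within the window."""
    return fan_out_alerts(parse_firewall(log_text), window_seconds, threshold)


def spider_clients(log_text=ACCESS_LOG, window_seconds=60, threshold=8):
    """Clients that requested >= threshold distinct paths within the window."""
    return fan_out_alerts(parse_access(log_text), window_seconds, threshold)


if __name__ == "__main__":
    print("possible port scans:", port_scan_sources())
    print("possible spidering:", spider_clients())
```

The same detector serves both log types because port scanning and spidering are the same signal at different layers: one source, many distinct targets, little time. Thresholds need tuning per environment (a busy API client legitimately hits many paths), and the logs should come from a boundary the scanner cannot avoid, such as a firewall or reverse proxy, rather than only from the application itself.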

Passive Reconnaissance

Passive reconnaissance is done without directly interacting with the target.

It includes:

  • Search Engine Queries (Google, Bing, Shodan) - Utilising search engines to uncover information about the target, including websites, social media profiles, and news articles.

  • WHOIS Lookups (whois) - Querying WHOIS databases to retrieve domain registration details.

  • DNS (dig, nslookup, host, dnsenum, fierce, dnsrecon) - Analysing DNS records to identify subdomains, mail servers, and other infrastructure.

  • Web Archive Analysis (Wayback Machine) - Examining historical snapshots of the target's website to identify changes, vulnerabilities, or hidden information.

  • Social Media Analysis (LinkedIn, Twitter, Facebook, OSINT tools) - Gathering information from social media platforms like LinkedIn, Twitter, or Facebook.

  • Code Repositories (Github, Gitlab) - Analysing publicly accessible code repositories like GitHub for exposed credentials or vulnerabilities.
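The last item is as useful defensively as it is to an attacker: the credential patterns that get searched for in public repositories can be scanned for before code is ever pushed. The following Python scanner is an added example written for these notes, not code from the original page. The repository snapshot is constructed, the entropy threshold is an assumed tuning value, and the patterns cover common credential formats (the AWS key in the sample is AWS's documented example key, not a live credential).

```python
"""Scan repository text for exposed credentials before it is published.

Added example for these notes, not code from the original page. The sample
repository is constructed; the patterns are common credential formats and
the entropy threshold is an assumed tuning value.
"""
import math
import re

# Constructed sample repository snapshot: path -> file contents.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"   # AWS documentation example key
    ),
    "deploy/ci.yml": '  token: "x8Qp2vL9mZ3tR7wK1nB4yH6jF0sD5gA2"\n',  # constructed value
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "README.md": "Set DB_PASSWORD via the environment; never commit it.\n",
    "src/app.py": "API_TOKEN = os.environ['API_TOKEN']\n",
}

# Known-format credentials. A capture group, where present, isolates the value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret)\w*\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]

# Fallback for keys without a recognisable prefix: long quoted strings that
# look random. 3.5 bits/char is an assumed threshold; prose scores lower.
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(value):
    """Keep only a short prefix so findings can be reported without leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path, text):
    """Return (path, line_no, kind, redacted_value) findings for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched = False
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((path, line_no, kind, redact(value)))
                matched = True
        if matched:
            continue  # do not double-report a known-format hit as high entropy
        for m in QUOTED.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_string", redact(m.group(1))))
    return findings


def scan_repo(repo=SAMPLE_REPO):
    """Scan every file in a {path: contents} snapshot, in path order."""
    findings = []
    for path in sorted(repo):
        findings.extend(scan_text(path, repo[path]))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, value in scan_repo():
        print(f"{path}:{line_no}: {kind} ({value})")
```

Run as a pre-commit hook or in CI, a scanner like this catches the two cases the notes describe, credentials pasted into configuration and key material committed as files, before they reach a public repository. Entropy-only detection produces false positives on hashes and encoded data, so the known-format patterns should be extended with the exact token formats your organisation actually issues.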
