An introduction to hacking is a broad overview of the practice of using technical skills to gain unauthorized access to systems or networks, or to obtain information without authorization. Hacking has been around for decades and has evolved with the rise of the internet and the proliferation of connected devices. While some hacking is legal and done for legitimate purposes, such as security research, hacking without permission is generally illegal and can result in criminal charges. Hackers are commonly classified as white hat, black hat, or gray hat, depending on their motivations and methods. White hat hackers are ethical hackers who use their skills to improve security, while black hat hackers are malicious hackers who use their skills to gain unauthorized access or steal information. Gray hat hackers sit somewhere in between, often disclosing vulnerabilities to organizations but sometimes also exploiting them for personal gain. Hackers draw on many techniques and tools, including reconnaissance, social engineering, and exploitation. Individuals and organizations should protect themselves by using strong passwords, keeping software up to date, and deploying security measures such as firewalls and antivirus software.

Welcome to this article! It covers some cool recon techniques that almost every hacker misses. Tighten your belts as we walk you through these beautiful techniques.

Technique 1: Active subdomain enumeration

A very common technique, yet a lot of researchers rely on passive subdomain enumeration rather than active subdomain enumeration. Let's talk about active subdomain enumeration:

There are two ways to perform active subdomain enumeration:

a. Bruteforcing subdomains using a wordlist: In this technique we use a DNS wordlist to bruteforce subdomains of a particular domain. This can easily be done using FFuF together with a good DNS wordlist.

Command: ffuf -u "https://FUZZ.target.com" -w <path_to_wordlist> -mc 200,301,302,403

b. Permutation bruteforce: In this technique we create a new list of resolving subdomains from already known subdomains/domains by applying permutations, mutations, and alterations drawn from a wordlist. This can easily be done using altdns.

Command: altdns -i hackerone.txt -o data_output -r -s final.txt -w words.txt


Technique 2: Favicon Hashes

Favicons are the small icons that serve as branding for your website. Each favicon yields a hash value that can be used to find other domains serving an icon with the same hash. Favicon hashes are simple to calculate, and FavFreak is one of the best tools for doing this work for us.

Command: cat urls.txt | python3 favfreak.py

Once the hash is calculated, you can search for it on internet search engines such as Shodan to find, at scale, every website serving the same icon.

You can read more about FavFreak here
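The calculation FavFreak automates is simple enough to reproduce: Shodan's favicon hash is MurmurHash3 (32-bit) over the line-wrapped base64 text of the icon file. The following is an added example, not FavFreak's code, that implements that calculation in pure Python so a defender can fingerprint their own organisation's favicon and compare search-engine hits against the asset inventory. The sample icon bytes are constructed, not a real favicon.

```python
import codecs

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same as mmh3.hash)."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n_blocks = len(data) // 4
    # Body: mix each 4-byte little-endian block into the running hash.
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    # Tail: the 0 to 3 bytes that did not fill a whole block.
    tail = data[4 * n_blocks:]
    k1 = 0
    for j in range(len(tail) - 1, -1, -1):
        k1 ^= tail[j] << (8 * j)
    if tail:
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    # Finalisation (fmix32), then convert to the signed value Shodan displays.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1

def favicon_hash(favicon_bytes: bytes) -> int:
    # Shodan hashes the *line-wrapped* base64 text (76-char lines plus a
    # trailing newline). codecs.encode(..., "base64") produces exactly that;
    # base64.b64encode does not, and would give a different, useless hash.
    return murmurhash3_32(codecs.encode(favicon_bytes, "base64"))

def matches_known_icon(candidate: bytes, known_hashes: set) -> bool:
    """True if a downloaded icon hashes to one of our inventoried favicons."""
    return favicon_hash(candidate) in known_hashes

if __name__ == "__main__":
    # Constructed stand-in for an .ico file; a real check would read favicon.ico.
    sample_icon = b"\x00\x00\x01\x00\x01\x00" + bytes(range(256)) * 2
    print("http.favicon.hash:" + str(favicon_hash(sample_icon)))
```

The printed `http.favicon.hash:<value>` string is the search filter syntax Shodan accepts, so the output can be pasted straight into a query.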

Technique 3: Nrich

Nrich is a brilliant command line tool that analyzes a file of IP addresses for open ports, known CVEs and other vulnerabilities.

(NOTE: Nrich only accepts IP addresses as input, not domain names. The problem of resolving hostnames to IP addresses can easily be solved with the tool dnsx.)

Command: cat subdomains.txt | dnsx -a -resp-only | nrich -

Technique 4: Choosing the right target

Assume you have a medium-scope application with a lot of subdomains. Choosing a subdomain to start hunting on is challenging. No worries, we have got you covered. You can use the interestingsubs gf pattern list to pick out subdomains worth hunting on.

Command: cat urls.txt | gf interestingsubs

Technique 5: Reverse Whoislookup

A reverse WHOIS lookup takes a value from one domain's WHOIS registration record (such as a contact email) and returns every other domain registered with the same value, which can be used to gather all assets belonging to an organization.

Steps:

1. Perform a WHOIS lookup on the target domain and look for the Tech Email.

(Image: WHOIS lookup output)

2. Visit drs.whoisxmlapi.com and sign up or log in (initially you get 500 free credits).

3. Search with the Tech Email to discover all the assets belonging to the target organization.

(Image: all domains returned by the reverse WHOIS lookup)

You can also export all of the above results using the Export CSV option.

Technique 6: Uncover

Uncover is a beautiful tool developed by the ProjectDiscovery team. Uncover allows you to quickly discover exposed hosts on the internet. It finds hosts using Shodan, Censys and FOFA; all you need is API keys for those services configured.

So what can be done with it? Find subdomains and hand them to nuclei to automate vulnerability scanning, find exposed panels, mass-hunt CVEs, and find services. Basically, automate everything related to internet search engines.

To use this effectively, create a dorks list (one search-engine query per line) and feed it to uncover.

Command: cat dorks.txt | uncover

Technique 7: Finding hidden paths using meg

Finding hidden paths, also known as directory bruteforcing, is an important recon technique. Meg is a powerful tool that lets you find hidden paths/directories across many hosts very quickly without flooding any single host with traffic.

Command: meg paths.txt hosts.txt output

(Image: list of files created for the host example.com, each holding the request and the response)

(Image: an example of a request being sent)

You can also add custom headers to the request. Meg also supports RawHTTP.

Technique 8: Finding open ports and services

Every web application may have other open ports whose services might be vulnerable. One should always look for these open ports and the services running on them, but doing so can be time-consuming. Naabu is a fast port scanner that can help you find these ports and services. The best part is that naabu can also hand its results to nmap for service scans.

Command: naabu -host target.com

We hope these recon techniques help you to extend and update your methodology. Do tell us about your recon methodology in the comments section.

Happy Hunting!

Conclusion

In conclusion, reconnaissance is an important part of the hacking process, as it involves gathering information about a target in order to identify vulnerabilities that can be exploited. There are many techniques that can be used for reconnaissance, including passive techniques like footprinting and active techniques like scanning and network mapping. Advanced tools like Google dorking and Maltego can also be useful for gathering information. It is important to always follow the law and ethical guidelines when conducting reconnaissance or any other hacking activities.

The credit links for the authors are as follows:
Vaibhav Lakhani:
https://www.linkedin.com/in/vaibhav-lakhani
https://twitter.com/vlakhani28

Dhir Parmar:
https://www.linkedin.com/in/dhir-parmar-925b171a4
https://twitter.com/dhirparmar
