Recon like a pro

- Jaimin Gohel

About Speaker

  • MCA (GLSICT)
  • Bug hunter
  • Developer @Qloo IT Solutions

What is Reconnaissance?

Five Phases of a Pentest

  • Phase 1 | Reconnaissance
    • Active (touching) or passive (indirect) data gathering on the target
  • Phase 2 | Scanning
    • Manual and automated tools are used to learn more about the target's infrastructure
  • Phase 3 | Gaining Access
    • Taking control, extracting data, pivoting to attack other targets.
  • Phase 4 | Maintaining Access
    • Persist, remain stealthy / don't get caught, and extract as much data as possible
  • Phase 5 | Covering Tracks
    • Any changes, added authorizations, etc. must all be reverted so that the intrusion is not recognised.

Types of Reconnaissance

  • Passive reconnaissance
    • DNS information
    • Sniffing through regular traffic
    • WHOIS database
  • Active reconnaissance
    • OS scans
    • Port scans
    • Discover running services
    • Programming languages used

Methods of Reconnaissance

  • Recon through search engines
  • DNS footprinting
  • WHOIS lookup
  • Through social networking sites / people search services
  • Advanced Google hacking techniques
  • Find services used by target host
  • Website recon

Recon through search engines (Shodan.io)

DNS footprinting (http://ping.eu/nslookup/)

WHOIS lookup

  • Domain name details
  • Contact details of domain owner
  • Domain name server
  • When a domain has been created
  • Expiry records

WHOIS lookup (https://who.is)

WHOIS lookup (https://who.is) cont.
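The WHOIS fields listed above, parsed and then checked the way a domain owner would monitor their own record (expiry approaching, name servers that are not the expected ones). This is an added example, not code from the talk; the WHOIS text in it is a constructed sample, and the field names assume the common "Key: Value" layout registrars return.

```python
# WHOIS parser plus expiry and name-server checks on the slide's fields. Added example, not the speaker's code.
from datetime import datetime, timezone

# Constructed sample in the "Key: Value" layout most registrars return.
# Every value is invented for this example; it is not a real lookup result.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Creation Date: 2010-03-02T14:21:07Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

def _parse_date(value):
    # Accept "YYYY-MM-DDTHH:MM:SSZ" or plain "YYYY-MM-DD"; treat both as UTC.
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {value!r}")

def parse_whois(text):
    # Pull out the fields the slide lists: domain, creation/expiry dates, name servers.
    rec = {"name_servers": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec["domain"] = value.lower()
        elif key == "creation date":
            rec["created"] = _parse_date(value)
        elif key in ("registry expiry date", "registrar registration expiration date"):
            rec["expires"] = _parse_date(value)
        elif key == "name server":
            rec["name_servers"].append(value.lower())
    return rec

def audit(rec, now, expected_ns, warn_days=30):
    # Findings: expiry within warn_days, and any name server outside expected_ns.
    findings = []
    days_left = (rec["expires"] - now).days
    if days_left <= warn_days:
        findings.append(f"{rec['domain']} expires in {days_left} days")
    for ns in rec["name_servers"]:
        if ns not in expected_ns:
            findings.append(f"unexpected name server {ns}")
    return findings
```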

Through social networking sites/ people search services

  • Social networking sites are a great source of personal and organizational information
  • Information about an individual can be found on various people search websites
  • E.g. Linkedin.com, pipl.com

Social site (https://pipl.com)

Advanced Google hacking techniques

  • Google hacking refers to crafting complex search queries in order to extract sensitive, hidden information
  • It helps an attacker find potentially vulnerable targets
  • It uses advanced Google search operators to locate specific strings of text within the search results

Advanced Google hacking techniques

  • intitle:
    • intitle:Admin login
  • intext:
    • intext:email
  • inurl:
    • inurl:view/view.php
  • site:
    • site:example.com

Advanced Google hacking techniques

  • site:example.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
  • site:example.com ext:sql | ext:dbf | ext:mdb
  • site:example.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
  • site:example.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near"

Advanced Google hacking techniques

Find services used by target host

Nmap example

Website recon

  • Web data extractors
    • httrack
  • Wayback machine
    • archive.org
  • Examine HTML source code
  • Subdomain finder
    • Sublist3r, knockpy

Web data extractors (httrack)

Wayback machine (https://archive.org)

Subdomain scanning (Sublist3r)

Questions?
