Web Pentest - Recon

 
Refer to Simple WebPentest Checklist

Subdomain Enumeration

git clone https://github.com/TheRook/subbrute.git
python subbrute.py domain.com > subdomains.txt

git clone https://github.com/infosec-au/altdns.git
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

#paste the list into Bulk URL HTTP Status Code, Header & Redirect Checker | httpstatus.io
# this will give live hosts status

make sure to check subdomain of the sub-domains 

#Other Tools 
amass enum -passive -norecursive -noalts –df domin.txt -o  subs-1.txt
amass enum -passive -norecursive -noalts –df subs-1.txt -o  all-sub.txt

Fetching URLS for a domain

#Use GAU to get all urls  
download from https://github.com/lc/gau/releases
or 
go install github.com/lc/gau/v2/cmd/gau@latest

printf example.com | gau
cat domains.txt | gau --threads 5
gau example.com google.com
gau --o example-urls.txt example.com
gau --blacklist png,jpg,gif example.com

Recon Automation 

#Better use https://github.com/smicallef/spiderfoot 
- this automates most of the basic tasks 

#Does a good amount of Recon
GitHub - blacklanternsecurity/bbot: The recursive internet scanner for hackers. 🧡

#use ReconFTW
git clone https://github.com/six2dez/reconftw
cd reconftw/
./install.sh
./reconftw.sh -d target.com -r

#or Setup a container 
docker pull six2dez/reconftw:main
docker run -it --rm \
-v "${PWD}/OutputFolder/":'/reconftw/Recon/' \
six2dez/reconftw:main -d example.com -r

Find origin IPs to Bypass waf via match & replace in burp

shodan.io 🡺 Ssl.cert.subject.CN:"domain/subdomain"
en.fofa.info 🡺 normal search for domain/subdomain
search.censys.io 🡺 normal search for domain/subdomain
securitytrails.com 🡺 normal search for domain/subdomain

Finding Hidden paths
go to urlscan.io/search
domain.com -www.domain.com -auth.domain.com
Google Dorks
Ignore known domains and search for new endpoints/domains 
site:domain.com -site:duplicate.domain.com
go to https://en.fofa.info/ 
search for a domain and select the favicon of the company
it shows the hash of the favicon 
use this query to find domains with favicon hash - `http.favicon.hash:-1243154474` 

Finding SPF Records
-all (Hard Fail): Strict rejection of emails from unauthorized servers.
~all (Soft Fail): Flag or mark emails from unauthorized servers as suspicious.
+all (Allow All): Allows emails from any server, effectively disabling SPF checks.
?all (Neutral): No strong recommendation; recipient decides.while read -r domain; do echo "$domain:"; dig txt "$domain" | grep "include:_spf"; done < domains.txt

Checking DMarc Records

- Start with p=none, review reports to ensure legitimate senders are authenticated, and then move to stricter policies (p=quarantine or p=reject).

Example: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;

dig txt _dmarc.example.com

while read -r domain; do echo "$domain:"; dig txt "_dmarc.$domain" | grep "DMARC"; done < domains.txt