1. External Recon and Enumeration Principles

Core Principles:

  • Passive vs. Active Reconnaissance:

    • Passive: Gathering information without directly interacting with the target's systems (e.g., searching public databases, social media).

    • Active: Directly interacting with the target's systems (e.g., scanning ports, probing services).

  • Scoping: Defining the boundaries of the engagement to avoid unintended consequences.

  • Information Gathering: The primary goal is to collect as much relevant information as possible about the target.

  • Iterative Process: Reconnaissance is not a one-time event; it's an ongoing process throughout the penetration test.

  • OSINT (Open-Source Intelligence): Utilizing publicly available information to gather intelligence.

Key Data Points:

  • IP Space: Identifying the target's network ranges and ASNs.

  • Domain Information: Discovering domain names, subdomains, DNS records, and registrars.

  • Schema Formats: Understanding naming conventions for usernames, email addresses, and other identifiers.

  • Data Disclosures: Finding publicly accessible documents, files, and other data that may contain sensitive information.

  • Breach Data: Identifying compromised credentials and other leaked data.

Essential Techniques:

  • DNS Enumeration: Querying DNS servers to discover domain information.

  • Social Media Analysis: Gathering information from social media platforms.

  • Website Analysis: Examining the target's website for information and vulnerabilities.

  • Google Dorking: Using advanced search operators to find specific information.

  • Credential Hunting: Searching for leaked credentials in breach data sources.

  • Subdomain Enumeration: Discovering subdomains associated with the target domain.

  • ASN Lookups: Discovering the owner of IP address blocks.

Key Tools:

  • nslookup/dig: For DNS queries.

  • whois: For domain registration information.

  • BGP Toolkit: For ASN and IP address information.

  • Shodan/Censys: For discovering exposed devices and services.

  • Dehashed/HaveIBeenPwned: For checking breach data.

  • Sublist3r/Amass: For subdomain enumeration.

  • TruffleHog: For finding secrets in code repositories.

  • DomainTools/ViewDNS.info: For domain information.

Ethical Considerations:

  • Staying Within Scope: Adhering to the agreed-upon boundaries of the engagement.

  • Obtaining Authorization: Ensuring that you have explicit permission to perform reconnaissance and penetration testing.

  • Protecting Sensitive Information: Handling any sensitive information that you discover responsibly.

  • Avoiding Unintended Harm: Taking precautions to avoid disrupting the target's systems or services.