10 Best Recon Tools for Bug Hunting

Sudeepa Shiranthaka
4 min read · Dec 14, 2020

In this article I want to cover ten important tools that can be used on a bug hunting journey or during a penetration test.

Information gathering, or reconnaissance, is the most important part of penetration testing. It is important to learn about the target scope: IP addresses, subdomains, DNS information, open ports, and so on.

1. Nmap

Nmap is a free and open-source network mapping tool that can be used for network discovery and security auditing. It is used to determine which hosts are available on the network, which services those hosts are running, and information about the operating system (OS version).

Nmap includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, and more.

Basic command:

root@kali:~# nmap -v -A -sV 192.168.1.1

More Details about Nmap: https://nmap.org/

2. Amass

The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names, and reverse DNS sweeping.

Additionally, it uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.

Information Gathering Techniques Used:

  • DNS: Basic enumeration, Brute forcing (upon request), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (upon request)
  • Scraping: Ask, Baidu, Bing, CommonCrawl, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, Yahoo
  • Certificates: Active pulls (upon request), Censys, CertDB, CertSpotter, Crtsh, Entrust
  • APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, DNSDB, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal
  • Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

More Details: https://github.com/OWASP/Amass/blob/master/doc/install.md

Installation and Guide: https://kalilinuxtutorials.com/amass-dns-enumeration-network-mapping/

3. Dirb

Dirb is a powerful web content scanner that can be used to find hidden and existing files on a web application. It works by running a directory brute-forcing attack against a web server and analyzing the responses.

By default, Dirb comes with a set of predefined wordlists (/usr/share/wordlists/dirb).

Basic Command:

dirb http://192.168.1.224/ /usr/share/wordlists/dirb/common.txt

4. Sublist3r

Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. Subdomain enumeration is one of the main parts of information gathering. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and reverse DNS.

Basic command:

root@kali:~# sublist3r -d kali.org -t 3 -e bing

More Details: https://github.com/aboul3la/Sublist3r

5. DNS Recon

DNS Recon is a tool that can be used for Domain Name System (DNS) enumeration. Put simply, this is the act of detecting and gathering information about all possible records of a domain name: hostnames, DNS record names, DNS record types, TTLs, IP addresses, and more. We can also use this tool for reverse lookups against an IP range, domain brute-force enumeration, cache snooping against name servers, standard record enumeration, etc.

Basic command:

root@kali:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
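Amass, Sublist3r and DNS Recon all produce hostname lists, usually one name per line, and in practice you run several and merge the results. The script below is an added example (not from the article or any of these projects) that consolidates such lists: it normalises case, trailing dots and wildcard labels, drops malformed names, de-duplicates, and keeps only names that fall under the authorised root domains on a label boundary, so a lookalike such as `example.com.evil-lookalike.net` is rejected rather than matched as a substring. The two input blocks are constructed samples, not real tool output.

```python
"""Merge subdomain lists from several enumeration tools, normalise them and keep only in-scope names."""
import re

# Constructed sample output, one hostname per line, as Amass and Sublist3r write it (not real tool output).
AMASS_OUT = """www.example.com
api.example.com
staging.example.com.
*.dev.example.com
"""
SUBLIST3R_OUT = """WWW.example.com
mail.example.com
example.com.evil-lookalike.net
cdn.example.org
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name):
    """Lower-case, strip a trailing dot and a leading wildcard label; return None if not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return name


def in_scope(name, roots):
    """True if name equals an authorised root or is a subdomain of one (label-boundary match, not substring)."""
    return any(name == r or name.endswith("." + r) for r in roots)


def consolidate(outputs, roots):
    """outputs: raw text from each tool; roots: authorised root domains.
    Returns (sorted in-scope names, sorted out-of-scope names)."""
    roots = {normalise(r) for r in roots} - {None}
    keep, reject = set(), set()
    for text in outputs:
        for line in text.splitlines():
            n = normalise(line)
            if n is None:
                continue  # blank or malformed line
            (keep if in_scope(n, roots) else reject).add(n)
    return sorted(keep), sorted(reject)


if __name__ == "__main__":
    kept, dropped = consolidate([AMASS_OUT, SUBLIST3R_OUT], ["example.com"])
    print("in scope:", kept)
    print("out of scope (do not test):", dropped)
```

The out-of-scope bucket is printed rather than silently discarded so the reviewer can see what the passive sources dragged in; only the in-scope list should go on to active tools such as `dnsrecon` or `nmap`.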

6. Google Dork

This is a technique to identify security bugs in a web application through Google search. With the help of Google dorks, security researchers can crawl a website and gather information such as usernames, passwords, etc.

We can use operators like site, cache, and related (written with no space after the colon):

site:www.example.com

cache:www.example.com

related:www.example.com

Google Dork Cheatsheet: https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

7. Shodan

Shodan is more like a search engine for Internet-connected devices. Using Shodan we can gather lots of information such as IP addresses, web server information, banner details, SSH, FTP, etc.

See More Details: https://www.shodan.io/

8. Censys

Censys also helps to find and analyze the devices that are accessible from the Internet. It probes every public address, domain name, etc.

Website: https://censys.io/

9. Wafw00f

Wafw00f is a tool used to detect Web Application Firewalls (WAF). It provides reconnaissance, identification and fingerprinting. It can detect around the top 22 web application firewalls, so wafw00f belongs to the initial information-gathering phase.

Basic command:

root@kali:~# wafw00f http://www.victim.org/

More Details: https://github.com/sandrogauci/wafw00f
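Part of what wafw00f does is match response headers against a signature table. The script below is an added example (not from the article or the wafw00f project) that performs that header-matching step over a set of hostnames so an owner can confirm every host is actually fronted by the WAF they pay for. The signature table is a small illustrative subset I constructed from well-known markers, not wafw00f's own database, and the sample responses are constructed, not captured traffic.

```python
"""Classify HTTP response headers against a small table of WAF/CDN markers, the way wafw00f's signatures work."""

# Illustrative signature table (a constructed subset, not wafw00f's own database).
# Each entry: (product, header name, substring expected in the value, or None for "header merely present").
SIGNATURES = [
    ("Cloudflare", "server", "cloudflare"),
    ("Cloudflare", "cf-ray", None),
    ("Akamai", "server", "akamaighost"),
    ("Imperva Incapsula", "x-cdn", "incapsula"),
    ("Imperva Incapsula", "x-iinfo", None),
    ("Sucuri", "server", "sucuri"),
    ("Sucuri", "x-sucuri-id", None),
]


def detect_waf(headers):
    """headers: dict of response header name -> value (any case). Returns a sorted list of matched products."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    hits = set()
    for product, header, needle in SIGNATURES:
        if header not in lowered:
            continue
        if needle is None or needle in lowered[header]:
            hits.add(product)
    return sorted(hits)


def audit(responses):
    """responses: dict host -> headers. Returns dict host -> detected products ([] means no marker seen)."""
    return {host: detect_waf(h) for host, h in responses.items()}


# Constructed sample responses for three hosts the operator owns (not captured traffic).
SAMPLE_RESPONSES = {
    "www.example.com": {"Server": "cloudflare", "CF-RAY": "placeholder", "Content-Type": "text/html"},
    "legacy.example.com": {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
    "shop.example.com": {"Server": "AkamaiGHost", "Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, products in audit(SAMPLE_RESPONSES).items():
        print(host, "->", ", ".join(products) or "no WAF marker (verify directly)")
```

This is the passive half only: wafw00f also sends deliberately malformed requests and looks at how the responses differ. An empty result therefore means "no marker seen", not "no WAF", which is why the legacy host above should be checked by hand rather than assumed unprotected.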

10. WayBack URLs

Waybackurls returns a list of all the URLs that the Wayback Machine knows about for a domain. These may be archived images, ordinary URLs, or perhaps something interesting such as sensitive information.

More Details: https://github.com/tomnomnom/waybackurls

So, Thank you, everyone. Meet you next time👋.

