Passive recon
-------------
1. waybackMachine-master -> python waybackMachine.py target.com
2. fierce -> fierce --domain target.com
3. dig -> dig target.com ns
4. theHarvester -> theHarvester -d target.com -b google [many more sources than google; see theHarvester -h]
5. osrframework -> [ domainfy.py ; domainfy.py --whois -n targetname ; mailfy.py -n targetname ; searchfy.py -q targetname ; usufy.py -n targetname ; etc. ]
6. whois -> whois target.com
7. dnsenum -> dnsenum target.com
8. dnsdumpster -> dnsdumpster.com
9. Reverse IP -> yougetsignal.com
Active recon
------------
1. Nmap -> nmap --script dns-brute --script-args dns-brute.domain=target.com
2. Nmap -> nmap -sV -p 80 --script http-enum target-ip
3. subbrute -> ./subbrute.py target.com [slow; takes a long time]
4. WhatWeb -> whatweb target.com
Google Dorks
------------
1. sql error -> "SQL Server Driver][SQL Server]Line 1:Incorrect syntax near" site:target.com
2. filetype -> site:target.com filetype:pdf
3. word -> intitle:admin OR inurl:admin site:target.com
4. extension -> ext:pdf site:target.com
5. particular word in path -> inurl:/download site:target.com
6. intitle -> intitle:"user login" site:target.com
7. backup.sql -> backup.sql intext:"SELECT" ext:sql site:target.com
8. signature -> intext:"target signature" site:com (or net, in, co.in, etc.)
9. index of -> intitle:"index of" pdf remote code execution
Recon-Ng
--------
-> modules load recon/domains-hosts/hackertarget
-> options set SOURCE target.com
-> run
From Bing search
----------------
-> modules load recon/domains-hosts/bing_domain_web
-> options set SOURCE target.com
-> run
-> show hosts
Fingerprinting web app framework
--------------------------------
-> whatweb -v target.com
-> Response headers from the web server, viewed in the browser's network panel or in Burp.
-> Comments in the HTML page can also reveal the framework.
Identifying HTTP methods using Nmap
-----------------------------------
-> nmap --script http-methods -p80,443,8080 target.com
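A defender-side companion to the two checks above (framework clues in response headers and HTML comments, and HTTP methods the server advertises), added here as an example and not part of the original cheat sheet or of whatweb, Burp or nmap: it parses one raw HTTP response and reports the same disclosures those tools would surface, and flags risky verbs in an Allow header so an operator can verify their own server before the nmap http-methods check is run against it. The sample response, the DISCLOSING_HEADERS list and the RISKY_METHODS set are constructed assumptions, not values from the page.

```python
"""Hardening check: framework/version disclosure and risky HTTP methods.

Added example (not part of the original cheat sheet).  It works on a raw
HTTP response string, so it runs offline; feed it the bytes captured in the
browser network panel or Burp to audit a real host you own.
"""
import re
from typing import Dict, List, Tuple

# Response headers that commonly disclose the framework or its version
# (assumed list; extend it for your own stack).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator", "x-drupal-cache")

# HTTP methods that a typical web application should not advertise
# (assumed set; TRACE enables cross-site tracing, PUT/DELETE allow writes).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}

# Constructed sample response showing the kinds of leak the check looks for.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 5.2">\n'
    "<!-- built with Laravel 5.8, TODO remove debug route -->\n"
    "</head><body>hello</body></html>\n"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lowercase-keyed header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def header_disclosures(headers: Dict[str, str]) -> List[str]:
    """Headers whose mere presence names the software or its version."""
    return [f"{h}: {headers[h]}" for h in DISCLOSING_HEADERS if h in headers]


def body_disclosures(body: str) -> List[str]:
    """Generator meta tags and HTML comments, the clues whatweb also reads."""
    findings: List[str] = []
    for m in re.finditer(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I):
        findings.append(f"generator meta: {m.group(1)}")
    for m in re.finditer(r"<!--(.*?)-->", body, re.S):
        findings.append(f"html comment: {m.group(1).strip()}")
    return findings


def risky_methods(headers: Dict[str, str]) -> List[str]:
    """Risky verbs advertised in the Allow header (what http-methods reports)."""
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)


def audit(raw: str) -> Dict[str, List[str]]:
    """Run all three checks on one raw response and return the findings."""
    headers, body = parse_response(raw)
    return {
        "headers": header_disclosures(headers),
        "body": body_disclosures(body),
        "risky_methods": risky_methods(headers),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_RESPONSE).items():
        print(category)
        for f in findings:
            print("  -", f)
```

Each finding maps to a fix on the server side: strip or genericise the Server and X-Powered-By headers, remove generator tags and build comments from templates, and restrict the method set in the web server or framework configuration; rerunning the audit on a fresh capture confirms the change.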
Directory Brute force
---------------------
-> dirb https://target.com
-> https://securitytrails.com/ (DNS / subdomain data source)
URLs
----
https://pentester.land/list-of-bug-bounty-writeups.html
URL encoder
-----------
https://www.w3schools.com/tags/ref_urlencode.ASP