Essential RECON Tools

Published: 23 August 2021 at 19:36 UTC | Updated: 23 August 2021 at 22:23 UTC


In this article, I'll discuss my favourite recon tools, which I often use in Bug Bounty. A few years ago, I posted a Twitter thread sharing my RECON steps for Bug Bounty with essential tools, and that thread got some serious attention: people from all over the InfoSec community saw it, it got more than 40,000 views, and people are still following it today. I really appreciated it.


So, I thought I'd make a blog post about it and explain my favourite recon tools, so it will be more helpful to everyone, and explain why RECON is essential during Bug Hunting. There are some new tools I have added to my RECON. I'll update this list once I explore new tools.

Let's discuss all the tooling.

Tools
  • Amass - (Subdomain Enumeration, ASN Enumeration)
  • Nmap - (Port Scanning, OS Detection and many more)
  • Wappalyzer Chrome Extension - (Identify technologies on websites)
  • FFuF/Dirsearch - (Content Discovery)
  • Wordlists/Payloads - (SecLists & PayloadsAllTheThings)
  • Turbo Intruder - (Race Condition/HTTP Request Smuggling)
  • Param Miner - (Web cache poisoning)
  • Burp Collaborator - (Blind SSRF Exploits & Command Injection)
  • SQLmap - (SQL Injection)

Amass

During subdomain enumeration and information gathering about a target, I always use this tool because it has so many options to find out serious information about the target, like ASN information, IPv4/IPv6 discovery, concurrent DNS queries, brute-forcing subdomains, asset discovery, etc. This is the one tool you should spend more time on during RECON, trying to collect as many subdomains as you can.

Essential Commands
amass enum -d example.com
amass enum -active -d example.com -p 80,443,8080
amass enum -ipv4 -d example.com
amass enum -ipv6 -d example.com
amass enum -brute -min-for-recursive 3 -d example.com


Reverse Whois

amass intel -d example.com -whois

Identify subdomains by reading SSL/TLS certificates.
amass intel -active -cidr 93.184.216.34/24

ASNs
amass intel -org "Twitter"
amass intel -active -asn 54888

ASN Reverse Whois
amass intel -asn 54888 -whois -d twitter.com

APIs
Amass collects subdomains from various sources, and all of these sources require API keys. It would be great if you can set up an account on each of these platforms and get an API key; then your chances of collecting a large number of subdomains are always higher.

Data Sources
AlienVault, Anubis, BinaryEdge, BGPView, BufferOver, C99, Chaos, CIRCL, Cloudflare, CommonCrawl, DNSDB, GitHub, HackerTarget, Hunter, IPinfo, Mnemonic, NetworksDB, 
PassiveTotal, RADb, ReconDev, Robtex, SecurityTrails, ShadowServer, Shodan, SonarSearch, Spyse, Sublist3rAPI, TeamCymru, ThreatBook, ThreatCrowd, ThreatMiner, 
Twitter, Umbrella, URLScan, VirusTotal, WhoisXMLAPI, ZETAlytics, ZoomEye

Once your accounts are ready, put all of the API keys into a config.ini file. You can refer to the example config.ini file here - Example Config.ini

Config Command
amass enum -d example.com -config config.ini

GitHub Project - OWASP/Amass

Nmap

These are the Nmap commands I mostly use during my scanning phase.

Checking whether the target host is reachable

nmap -sn 93.184.216.34/24

Scan all ports
nmap -p 1-65535 www.example.com

Full TCP port scan with service version detection
nmap -p 1-65535 -sV -sS -T4 www.example.com

Wappalyzer

Wappalyzer is one of the best tools to identify the technology behind a website. I highly recommend using this tool, and it's available for both Chrome and Firefox as an extension.

Extensions

FFuF/Dirsearch

I use ffuf/dirsearch for content discovery; both tools are great and easy to use. I recommend using the SecLists wordlists repository during fuzzing.

GitHub Projects

Wordlists/Payloads

SecLists

Payloads

Turbo Intruder

It is a Burp extension coded by James Kettle - @albinowax. The purpose of this tool is to send HTTP requests extremely fast (around 30,000 requests per second). The most exciting part is that the attacks are configured using a Python script.

I use this tool regularly to exploit Race Condition and HTTP Request Smuggling vulnerabilities.

GitHub Project - turbo-intruder

Param Miner

It is one more Burp extension coded by James Kettle - @albinowax. The purpose of this tool is to identify hidden, unlinked parameters. This tool is helpful for exploiting the "Web Cache Poisoning" vulnerability.

GitHub Project - param-miner

Burp Collaborator

I use Collaborator to exploit Blind SSRF vulnerabilities, and I'd also recommend using it to exploit SQLi and Command Execution vulnerabilities.

SQLMap

I use sqlmap to exploit SQL injection vulnerabilities, and its tamper scripts to bypass WAFs.

GitHub Project - sqlmap

General Tamper Scripts

tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL Tamper Scripts
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL Tamper Scripts
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
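As an added example that is not from the original post or from sqlmap itself, here is a custom tamper script written in the interface sqlmap loads with --tamper=<file>. It reproduces two of the transformations listed above, space2comment and randomcase, and adds a normalise() helper showing the canonicalisation a WAF needs before a literal signature such as "UNION SELECT" matches the tampered request again. The SQL_KEYWORDS set and the rng parameter are assumptions of this example.

```python
"""Custom sqlmap-style tamper script (added example, not sqlmap's own code)."""
import random
import re

try:
    from lib.core.enums import PRIORITY  # present when sqlmap loads the script
    __priority__ = PRIORITY.LOW
except ImportError:
    __priority__ = 0  # stand-alone fallback so the file imports outside sqlmap

# Assumed keyword list for this example; sqlmap's randomcase uses its own table.
SQL_KEYWORDS = {"SELECT", "UNION", "ALL", "FROM", "WHERE", "AND", "OR", "NULL"}


def dependencies():
    """Hook sqlmap calls before use; nothing extra is needed here."""
    pass


def space2comment(payload):
    """Replace every space outside single-quoted strings with /**/."""
    out, in_quote = [], False
    for ch in payload:
        if ch == "'":
            in_quote = not in_quote
        out.append("/**/" if ch == " " and not in_quote else ch)
    return "".join(out)


def randomcase(payload, rng=random):
    """Randomise the letter case of SQL keywords only, leaving identifiers alone."""
    def flip(match):
        word = match.group(0)
        if word.upper() not in SQL_KEYWORDS:
            return word
        return "".join(rng.choice((c.lower(), c.upper())) for c in word)
    return re.sub(r"[A-Za-z_]+", flip, payload)


def tamper(payload, **kwargs):
    """Entry point sqlmap invokes for each payload it is about to send."""
    return randomcase(space2comment(payload)) if payload else payload


def normalise(request_value):
    """Defender side: strip inline comments and fold case so a literal rule
    such as 'UNION SELECT' matches the tampered request again."""
    return re.sub(r"/\*.*?\*/", " ", request_value).upper()
```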

The above tools have always been my favourite tools, which I use during my RECON phase. There are also many other tools I often use for information gathering, but the tools mentioned here are enough to gather most of the information you need.

I hope the article gave you an insight into RECON tools. I'll talk about some more tools and techniques soon.

Please share this article on your social media, so others can also be aware of RECON by reading this post.