In this article I'll discuss my favourite recon tools, which I often use in bug bounty. A few years ago I posted a Twitter thread sharing my recon steps for bug bounty with the essential tools. That thread got some serious attention: people from all over the InfoSec community saw it, it has had more than 40,000 views, and people are still following it today, which I really appreciate.
So I thought I'd write a blog post explaining my favourite recon tools and why recon is essential during bug hunting. I have added some new tools to my recon process since then, and I'll update this list as I explore new ones.
Let's discuss all the tooling.
- Amass - (Subdomain Enumeration, ASN Enumeration)
- Nmap - (Port Scanning, OS Detection and many more)
- Wappalyzer Chrome Extension - (Identify technologies on websites)
- FFuF/Dirsearch - (Content Discovery)
- Wordlists/Payloads - (SecLists & PayloadsAllTheThings)
- Turbo Intruder - (Race Condition/HTTP Request Smuggling)
- Param Miner - (Web cache poisoning)
- Burp Collaborator - (Blind SSRF Exploits & Command Injection)
- SQLmap - (SQL Injection)
During subdomain enumeration and information gathering about a target, I always use Amass because it has so many options for digging up serious information about the target: ASN information, IPv4/IPv6 discovery, concurrent DNS queries, subdomain brute forcing, asset discovery, and more. This is the one tool you should spend the most time with during recon; try to collect as many subdomains as you can.
Two features I use most are identifying subdomains by reading SSL/TLS certificates (Amass's active mode grabs names from the certificates of the hosts it discovers) and ASN lookups with reverse whois through amass intel.
Amass collects subdomains from many data sources, and several of them only work, or return far more results, when you supply an API key. It is worth setting up an account on each of those platforms and getting a key: the more keys you configure, the larger your subdomain list will be.
Once your accounts are ready, put all of the API keys into a config.ini file and pass it to Amass with the -config flag; you can refer to the example config.ini file here - Example Config.ini
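The workflow above, as an added example that is not code from the original post: a small wrapper around the Amass v3 CLI that writes a config.ini from API keys in the environment, runs a passive pass, an active pass with certificate grabbing and brute force, the ASN and reverse-whois lookups, and merges everything into one subdomain list. The flags are Amass v3's; the INI section names follow v3's example config (v4 moved to YAML); the paths, the data sources shown and the environment variable names are assumptions, and DRY_RUN=1 prints each command instead of running it so you can review it before touching a target.

```bash
#!/bin/sh
# Added example (not from the original post): Amass v3 recon wrapper.
# Assumptions: Amass v3 CLI flags and INI config format; all paths are placeholders.
# DRY_RUN=1 prints every command instead of executing it.

CONFIG="${CONFIG:-${HOME:-.}/.config/amass/config.ini}"   # hypothetical default
OUTDIR="${OUTDIR:-./recon}"
WORDLIST="${WORDLIST:-/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write a minimal config.ini holding API keys taken from the environment.
# Section names follow the v3 example config: data_sources.<Source>.Credentials
write_config() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
[data_sources]
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = ${SHODAN_API_KEY:-}
[data_sources.SecurityTrails]
[data_sources.SecurityTrails.Credentials]
apikey = ${SECURITYTRAILS_API_KEY:-}
EOF
    chmod 600 "$1"   # the file holds secrets; keep it private
}

# 1. Passive: only third-party sources are queried, nothing touches the target.
amass_passive() {
    run amass enum -passive -d "$1" -config "$CONFIG" -o "$OUTDIR/$1.passive.txt"
}

# 2. Active: resolve names, grab names from TLS certificates (-active), brute force
#    with the wordlist (-brute -w), and print the resolved addresses (-ip).
amass_active() {
    run amass enum -active -brute -w "$WORDLIST" -d "$1" -config "$CONFIG" -ip \
        -o "$OUTDIR/$1.active.txt"
}

# 3. ASN lookup: domains seen under the given ASN(s).
amass_asn() {
    run amass intel -asn "$1" -o "$OUTDIR/asn-$1.txt"
}

# 4. Reverse whois: other domains registered with the same details.
amass_revwhois() {
    run amass intel -d "$1" -whois -o "$OUTDIR/$1.revwhois.txt"
}

# Merge every run for a domain into one sorted, de-duplicated name list
# (first column only, so "-ip" output lines are reduced to the hostname).
merge_subdomains() {
    cat "$OUTDIR"/"$1".*.txt 2>/dev/null | awk '{print $1}' | sort -u
}

if [ $# -gt 0 ]; then   # usage: sh amass-recon.sh example.com
    mkdir -p "$OUTDIR"
    [ -f "$CONFIG" ] || write_config "$CONFIG"
    amass_passive "$1"
    amass_active "$1"
    amass_revwhois "$1"
    merge_subdomains "$1" > "$OUTDIR/$1-all-subdomains.txt"
fi
```

Run the passive pass first and look at the numbers before starting the active one: the active pass resolves names and brute forces against the target's DNS, so it is the noisy half.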
These are the Nmap commands I mostly use during my scanning phase:
- check that the target host is reachable
- scan all ports
- a full TCP port scan with service version detection
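The three phases above chained together, as an added example that is not from the original post: a ping scan, a fast scan of all 65535 TCP ports written to Nmap's grepable format, and a version, script and OS scan aimed only at the ports the second phase found open. The parser for the -oG output is the part worth keeping; it ignores the "# Ports scanned:" header and drops filtered and closed entries. The flags are Nmap 7.x's; OUTDIR and the sample output are assumptions, -O and the default SYN scan need root, and DRY_RUN=1 prints each command instead of running it.

```bash
#!/bin/sh
# Added example (not from the original post): the three Nmap phases chained together.
# Assumptions: Nmap 7.x flags; -O and SYN scans need root; OUTDIR is a placeholder.
# DRY_RUN=1 prints each command instead of running it.

OUTDIR="${OUTDIR:-./recon}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Phase 1: is the host up? (-sn = ping scan only, no port scan)
nmap_ping() {
    run nmap -sn -oG "$OUTDIR/$1.ping.gnmap" "$1"
}

# Phase 2: every TCP port, no version probes yet (fast), grepable output for parsing.
# --min-rate 1000 is aggressive; lower it on fragile hosts or rate-limited scopes.
nmap_allports() {
    run nmap -p- -T4 --min-rate 1000 -oG "$OUTDIR/$1.allports.gnmap" "$1"
}

# Extract the open TCP ports from a grepable (-oG) file as a comma list, e.g. 22,80,443.
# Only "Host: ... Ports:" lines count, so the "# Ports scanned:" header is ignored,
# and filtered/closed entries are dropped.
open_ports_from_gnmap() {
    grep '^Host:.*Ports:' "$1" \
    | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { gsub(/[[:space:]]/, "", $1); print $1 }' \
    | sort -n -u \
    | paste -s -d, -
}

# Phase 3: service/version detection (-sV), default scripts (-sC) and OS detection (-O)
# against only the ports phase 2 found open, instead of probing all 65535 again.
nmap_versions() {
    ports=$(open_ports_from_gnmap "$OUTDIR/$1.allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports recorded for $1" >&2
        return 1
    fi
    run nmap -sV -sC -O -p "$ports" -oA "$OUTDIR/$1.full" "$1"
}

if [ $# -gt 0 ]; then   # usage: sudo sh nmap-phases.sh 192.0.2.10
    mkdir -p "$OUTDIR"
    nmap_ping "$1" && nmap_allports "$1" && nmap_versions "$1"
fi
```

Splitting the port sweep from the version scan is what keeps a full-range scan bearable: -sV against 65535 ports sends probes to every closed port too, while -p with the parsed list only probes what actually answered.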
Wappalyzer is one of the best tools for identifying the technology behind a website. I highly recommend it, and it's available as an extension for both Chrome and Firefox.
I use ffuf or dirsearch for content discovery; both tools are great and easy to use. I recommend the SecLists wordlist repository for fuzzing.
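Content discovery as it is usually run in practice, as an added example that is not from the original post: merge a couple of SecLists directory lists into one clean wordlist (comments, blanks and leading slashes removed, duplicates dropped while keeping first-seen order), then run ffuf with extensions, auto-calibration to filter the site's "soft 404" responses, and one level of recursion; a dirsearch equivalent is included. The ffuf and dirsearch flags are real; the SecLists path, output directory, extension list and rate limits are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```bash
#!/bin/sh
# Added example (not from the original post): content discovery with ffuf/dirsearch fed by a
# merged SecLists wordlist. Assumptions: ffuf 1.x/2.x and dirsearch flags; SECLISTS and
# OUTDIR are placeholder paths. DRY_RUN=1 prints commands instead of running them.

SECLISTS="${SECLISTS:-/usr/share/seclists}"
OUTDIR="${OUTDIR:-./recon}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Merge several wordlists into one: drop comments and blank lines, strip a leading "/",
# de-duplicate while keeping first-appearance order (put the small high-value list first).
merge_wordlists() {
    cat "$@" \
    | sed -e 's/^[[:space:]]*//' -e 's#^/##' \
    | grep -v -e '^#' -e '^$' \
    | awk '!seen[$0]++'
}

# "https://app.example.com/path?x=1" -> "app.example.com", used for output file names.
hostname_of() {
    printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#/.*##'
}

# ffuf: FUZZ the path, try extensions (-e), auto-calibrate (-ac) so the site's uniform
# "not found" pages are filtered, recurse one level into hits, keep interesting codes only,
# and cap concurrency/rate so the scan does not look like a DoS.
ffuf_dirs() {
    run ffuf -u "$1/FUZZ" -w "$2" -e .php,.aspx,.bak,.txt -ac \
        -mc 200,204,301,302,307,401,403,405 -recursion -recursion-depth 1 \
        -t 40 -rate 100 -o "$OUTDIR/$(hostname_of "$1").ffuf.json" -of json
}

# dirsearch equivalent with the same wordlist and extensions.
dirsearch_dirs() {
    run dirsearch -u "$1" -w "$2" -e php,aspx,bak,txt -t 40 \
        -o "$OUTDIR/$(hostname_of "$1").dirsearch.txt"
}

if [ $# -gt 0 ]; then   # usage: sh discover.sh https://app.example.com
    mkdir -p "$OUTDIR"
    words="$OUTDIR/dirs.txt"
    merge_wordlists \
        "$SECLISTS/Discovery/Web-Content/common.txt" \
        "$SECLISTS/Discovery/Web-Content/raft-medium-directories.txt" > "$words"
    ffuf_dirs "$1" "$words"
fi
```

Always check what -ac filtered before trusting a clean result: if the application answers every unknown path with 200 and a different body length, auto-calibration can hide real hits, and you fall back to -fs or -fw with a size measured by hand.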
Turbo Intruder is another Burp extension written by James Kettle (@albinowax). Its purpose is to send HTTP requests extremely fast (around 30,000 requests per second), and the most exciting part is that attacks are configured with a Python script.
I use this tool regularly to exploit race condition and HTTP request smuggling vulnerabilities.
Param Miner is another Burp extension written by James Kettle (@albinowax). Its purpose is to identify hidden, unlinked parameters and headers, which makes it helpful for finding and exploiting web cache poisoning vulnerabilities.
I use Collaborator to exploit blind SSRF vulnerabilities, and I also recommend it for exploiting SQLi and command execution vulnerabilities.
I use sqlmap to exploit SQL injection vulnerabilities, and its tamper scripts to bypass WAFs. The tamper scripts I reach for fall into three groups:
- general tamper scripts
- MSSQL tamper scripts
- MySQL tamper scripts
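How those three groups are used in practice, as an added example that is not from the original post: sqlmap is pointed at a request saved from Burp (-r keeps headers, cookies and body), the injection point is named with -p, and a tamper set is chosen for the backend so the encoding tricks match the database's parser. The tamper script names are ones that ship with sqlmap; the particular combinations, the output directory, the level/risk values and the sample request are assumptions and starting points, not a guaranteed bypass, and DRY_RUN=1 prints the command instead of running it.

```bash
#!/bin/sh
# Added example (not from the original post): driving sqlmap from a saved Burp request with
# a tamper-script set chosen per backend. Assumptions: sqlmap 1.x; the combinations below are
# illustrative starting points; OUTDIR is a placeholder. DRY_RUN=1 prints instead of running.

OUTDIR="${OUTDIR:-./recon}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Tamper scripts that ship with sqlmap, grouped the way the post does:
#   general: backend-agnostic whitespace/keyword obfuscation
#   mssql:   MSSQL-only whitespace alternatives plus sp_password log hiding
#   mysql:   MySQL-only whitespace and versioned-comment (/*!...*/) tricks
tampers_for() {
    case "$1" in
        general) echo "space2comment,between,randomcase,charencode" ;;
        mssql)   echo "space2mssqlblank,space2mssqlhash,charunicodeencode,sp_password" ;;
        mysql)   echo "space2mysqlblank,space2mysqldash,versionedkeywords,modsecurityversioned" ;;
        *)       echo "no tamper set for backend: $1" >&2; return 1 ;;
    esac
}

# sqlmap_run <general|mssql|mysql> <request file> <parameter>
# --dbms is passed when the backend is known so sqlmap skips fingerprinting and only uses
# payloads that match the tamper set; --batch accepts defaults so it runs unattended.
sqlmap_run() {
    backend="$1"; reqfile="$2"; param="$3"
    tampers=$(tampers_for "$backend") || return 1
    if [ "$backend" = general ]; then dbms=""; else dbms="--dbms=$backend"; fi
    run sqlmap -r "$reqfile" -p "$param" $dbms --tamper="$tampers" \
        --level=3 --risk=2 --random-agent --batch --output-dir="$OUTDIR/sqlmap-out"
}

# Constructed sample request (what "copy to file" from Burp Repeater looks like).
sample_request() {
    printf 'GET /item?id=1 HTTP/1.1\r\nHost: shop.example.com\r\nCookie: session=abc\r\nUser-Agent: Mozilla/5.0\r\n\r\n' > "$1"
}

if [ $# -gt 0 ]; then   # usage: sh sqlmap-tamper.sh mssql request.txt id
    mkdir -p "$OUTDIR"
    sqlmap_run "$1" "$2" "$3"
fi
```

Start from the general set and only switch to a backend-specific one once sqlmap (or an error message) has told you which database it is; MySQL versioned comments are a syntax error on MSSQL, so a mismatched tamper set produces a clean-looking "not injectable" result.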
The tools above have always been my favourites during the recon phase. There are many other tools I often use for information gathering, but the ones mentioned here are enough to gather as much information as you need.
I hope this article gave you an insight into recon tools. I'll talk about more tools and techniques soon.
Please share this article on social media so that others can learn about recon from it as well.