Web Reconnaissance Notes

Introduction

Web reconnaissance is the systematic collection of information about target websites/web applications, forming the foundation of security assessments and penetration testing.

Methodology

1. Initial Information Gathering

  • Passive Reconnaissance

    • WHOIS lookups

    • DNS enumeration

    • Search engine discovery

    • Certificate transparency logs

    • Web archives analysis

    • Social media research

    • Code repository analysis

  • Active Reconnaissance

    • Port scanning

    • Service enumeration

    • Banner grabbing

    • Vulnerability scanning

    • Web spidering

    • Network mapping

2. Domain & DNS Analysis

  1. WHOIS Lookup

    whois domain.com
  2. DNS Enumeration

    # Basic DNS lookup
    dig domain.com
    
    # MX records
    dig domain.com MX
    
    # Zone transfer attempt
    dig axfr @nameserver domain.com
  3. Subdomain Enumeration

    # Using dnsenum
    dnsenum --enum domain.com -f wordlist.txt -r
    
    # Certificate transparency logs
    curl -s "https://crt.sh/?q=domain.com&output=json" | jq -r '.[] | .name_value' | sort -u
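The crt.sh pipeline above works on the raw `name_value` field, which can hold several SAN entries per certificate, mixed-case names, trailing dots, wildcard entries such as `*.dev.domain.com`, and unrelated registrations that merely contain the domain as a substring. The following Python is an added example (not from this page or from crt.sh) that normalises such output into an asset inventory: concrete hosts on one side, wildcard zones on the other, with out-of-scope look-alike names dropped. The sample JSON is constructed, and `fetch_crtsh_json` is a hypothetical helper that assumes the same query URL used on this page.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of a crt.sh "output=json" response (not real log data).
# name_value can carry several SAN entries separated by newlines, names are
# not case-normalised, and wildcard certificates show up as "*.zone".
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "Mail.Example.COM."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "example.com.lookalike-site.test"},
])

# RFC 1123 style hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def fetch_crtsh_json(domain):
    """Hypothetical helper: live crt.sh query using the URL form shown on this page."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def extract_hostnames(crtsh_json, domain):
    """Return {'hosts': [...], 'wildcards': [...]} for names under `domain`.

    Splits multi-SAN name_value fields, lower-cases and strips trailing dots,
    separates wildcard zones from concrete hosts, and keeps only names that
    are the domain itself or end in ".<domain>" (so look-alike registrations
    that merely contain the domain as a substring are excluded).
    """
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue  # skip anything that is not a syntactically valid hostname
            if name != domain and not name.endswith("." + domain):
                continue  # out of scope: not a subdomain of the target domain
            (wildcards if is_wildcard else hosts).add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    result = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    for host in result["hosts"]:
        print(host)
    for zone in result["wildcards"]:
        print("*." + zone)
```

Wildcard zones are reported separately because a `*.dev.example.com` certificate says a zone exists, not which hosts live in it; those still need DNS enumeration. Comparing the resulting host list against the organisation's own DNS records is a quick way to spot forgotten or shadow-IT hosts that still receive certificates.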

3. Virtual Host Discovery

# Using Gobuster
gobuster vhost -u http://target_IP -w wordlist.txt --append-domain

4. Fingerprinting

# Banner grabbing
curl -I domain.com

# WAF detection
wafw00f domain.com

# Comprehensive scan
nikto -h domain.com -Tuning b
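A `curl -I` banner grab is only useful once the headers are read systematically: which ones leak product versions, which protective headers are absent, and whether cookies carry the `Secure` and `HttpOnly` flags. The following Python is an added example (not from this page or from any of the tools it lists) that parses a raw response head and produces that summary; both responses are constructed, one deliberately leaky and one hardened, and the header lists are a reviewer's checklist rather than any tool's signature database.

```python
import re

# Response headers whose value often pins a product version (information disclosure).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Headers a hardened site is expected to send.
EXPECTED_SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                             "x-content-type-options", "x-frame-options")
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed "curl -I" style responses (not captured from any real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_line, {lower-name: [values]})."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status_line = lines[0].strip() if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed or continuation lines
        name, value = line.split(":", 1)
        # Repeated headers (e.g. several Set-Cookie lines) are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def review_headers(raw):
    """Summarise what a response head reveals and which protections are absent."""
    status_line, headers = parse_response_head(raw)
    # Only flag a disclosure header when it actually carries a version number;
    # "Server: nginx" without a version is not counted.
    disclosed = {
        h: headers[h][0] for h in DISCLOSURE_HEADERS
        if h in headers and VERSION_RE.search(headers[h][0])
    }
    missing = [h for h in EXPECTED_SECURITY_HEADERS if h not in headers]
    weak_cookies = [
        c for c in headers.get("set-cookie", [])
        if "secure" not in c.lower() or "httponly" not in c.lower()
    ]
    return {
        "status": status_line,
        "disclosed_versions": disclosed,
        "missing_security_headers": missing,
        "cookies_without_flags": weak_cookies,
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, review_headers(raw))
```

To run it against a live response, save the output of `curl -I domain.com` to a file and pass its contents to `review_headers`; the hardened sample shows the shape of a response in which nothing is flagged.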

5. Web Crawling & Content Discovery

# Using robots.txt
curl domain.com/robots.txt

# Using Scrapy
python3 ReconSpider.py http://domain.com

Essential Tools

1. DNS & Subdomain Tools

  • dig: DNS lookup utility

  • dnsenum: Comprehensive DNS enumeration

  • subfinder: Modern subdomain discovery

  • amass: In-depth DNS enumeration and asset discovery

2. Web Scanning Tools

  • Nikto: Web server scanner

  • Wappalyzer: Technology stack identification

  • wafw00f: Web Application Firewall detector

  • Burp Suite: Comprehensive web application testing platform

3. Crawling & Content Discovery

  • Scrapy: Python-based web crawling framework

  • Burp Suite Spider: Web application crawler

  • OWASP ZAP: Security testing proxy with crawling capabilities

4. Automation Frameworks

  • FinalRecon: All-in-one web reconnaissance tool

  • Recon-ng: Web reconnaissance framework

  • theHarvester: Email, subdomain, and people gathering tool

  • SpiderFoot: OSINT automation tool

Google Dorks for Reconnaissance

Common search operators:

site:domain.com          # Limit to specific domain
inurl:login             # Find login pages
filetype:pdf            # Search for file types
intitle:"index of"      # Directory listing

Well-Known URIs to Check

/.well-known/security.txt
/.well-known/change-password
/.well-known/openid-configuration
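Of the three URIs above, `/.well-known/security.txt` has a defined format (RFC 9116) with two required fields, `Contact` and `Expires`, and a rule that `Expires` and `Preferred-Languages` appear at most once. The following Python is an added example (not from this page or from the RFC) that parses a fetched file and reports the problems a reviewer checks for: missing fields, duplicated single-valued fields, contact entries that are not `mailto:`, `tel:` or `https:` URIs, and an `Expires` date that has already passed. The sample files are constructed; `now` is a parameter so the check is repeatable.

```python
from datetime import datetime, timezone

# Constructed example of a well-formed /.well-known/security.txt (not a real site's file).
SAMPLE_SECURITY_TXT = """# Security contact information for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed example whose Expires date has passed.
STALE_SECURITY_TXT = """Contact: https://example.com/security/report
Expires: 2020-01-01T00:00:00Z
"""

REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUED_FIELDS = ("expires", "preferred-languages")
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Return {lower-field-name: [values]} ignoring blank lines and '#' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _to_datetime(value):
    """Parse an RFC 3339 timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00").replace("z", "+00:00"))


def validate_security_txt(text, now=None):
    """Return a list of problems (empty list means the file passes these checks)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _to_datetime(now)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append("missing required field: " + name)
    for name in SINGLE_VALUED_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append("field must appear at most once: " + name)
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append("contact must be a mailto:, tel: or https: URI: " + contact)
    if len(fields.get("expires", [])) == 1:
        try:
            if _to_datetime(fields["expires"][0]) <= now:
                problems.append("expires is in the past")
        except ValueError:
            problems.append("expires is not an RFC 3339 timestamp")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, validate_security_txt(text) or "ok")
```

A stale or absent `security.txt` is itself a finding worth reporting: it means researchers have no reliable channel for disclosure, which is the reason the file exists.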

Best Practices

  1. Start Passive, Then Active

    • Begin with non-intrusive methods

    • Escalate to active scanning only when necessary

  2. Document Everything

    • Record all findings

    • Note unusual responses or behavior

    • Track discovered assets

  3. Legal & Ethical Considerations

    • Obtain proper authorization

    • Follow scope limitations

    • Respect robots.txt when appropriate

    • Monitor resource usage to avoid DoS

  4. Validation & Verification

    • Cross-reference findings from multiple tools

    • Verify discovered vulnerabilities

    • Document false positives

Reporting Tips

  1. Organization

    • Group findings by category

    • Prioritize based on risk

    • Include evidence and screenshots

  2. Technical Details

    • Document commands used

    • Include tool versions

    • Note any special configurations

  3. Remediation

    • Provide clear fixing steps

    • Include references to best practices

    • Suggest testing procedures
