Which tool is used for reconnaissance?

Know the enemy and you know yourself, you need not fear the result of a hundred battles.  – Sun Tzu

Reconnaissance is essential for every penetration tester or security engineer working on a pen-testing project. Knowing the right tools to find or discover specific information makes it easy for the pentester to learn more about the target.

This article looks at a list of online tools security professionals can use to find specific information about a target and exploits against it.

Find the technology stack of the target

Before finding or discovering email addresses and other external information related to the target, it is necessary to find the target’s technology stack. For instance, knowing that the target is built with PHP Laravel and MySQL helps the pentester to figure out which type of exploit to use against the target.

BuiltWith

BuiltWith is a technology lookup tool or profiler. It provides pentesters with real-time information about a target via the Domain API and the Domain Live API. The Domain API feeds pentesters technical information such as the analytics service, embedded plugins, frameworks, libraries, etc.

The Domain API relies on the BuiltWith database to provide current and historical technology information about the target.

The Lookup search bar retrieves the same information as the Domain API. The Domain Live API, on the other hand, performs an extensive lookup of the supplied domain or URL immediately, in real time.

Both APIs can be integrated into a security product to feed end users with technical information.

Wappalyzer

Wappalyzer is a technology profiler used to extract information related to the technology stack of the target. If you want to find out what CMS or libraries the target is using and any framework, Wappalyzer is the tool to use.


There are different ways to use it. You can access information on the target via the Lookup API; this method is mostly used by security engineers or infosec developers who integrate Wappalyzer as a technology profiler in a security product. Otherwise, you can install Wappalyzer as a browser extension for Chrome, Firefox, and Edge.
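To make concrete what a technology profiler actually keys on, here is an added example (not BuiltWith's or Wappalyzer's own code) that fingerprints a single HTTP response from the passive signals such tools rely on: Server and X-Powered-By headers, framework cookie names, the generator meta tag and script file names. The signature table and the sample response are constructed assumptions and deliberately small; the point for a defender is to run something like this against your own site and see which versions it discloses for free.

```python
"""Simplified passive technology fingerprinting of a single HTTP response.

Added example: this is not BuiltWith's or Wappalyzer's code. It mimics the
kind of signals such profilers use (Server / X-Powered-By headers, framework
cookie names, <meta name="generator">, script file names) so a defender can
see what a site discloses about its own stack. The signature table and the
sample response below are constructed assumptions, kept deliberately small.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed signature table: (category, technology, haystack, regex).
# The optional named group "v" captures a version when one is disclosed.
SIGNATURES: List[Tuple[str, str, str, str]] = [
    ("web-server", "nginx",     "header:server",       r"\bnginx(?:/(?P<v>[\d.]+))?"),
    ("web-server", "Apache",    "header:server",       r"\bApache(?:/(?P<v>[\d.]+))?"),
    ("language",   "PHP",       "header:x-powered-by", r"\bPHP(?:/(?P<v>[\d.]+))?"),
    ("framework",  "Laravel",   "cookie",              r"\blaravel_session\b"),
    ("framework",  "ASP.NET",   "cookie",              r"\bASP\.NET_SessionId\b"),
    ("cms",        "WordPress", "html:generator",      r"\bWordPress(?:\s+(?P<v>[\d.]+))?"),
    ("cms",        "Drupal",    "html:generator",      r"\bDrupal(?:\s+(?P<v>[\d.]+))?"),
    ("library",    "jQuery",    "html:script",
     r"jquery(?:[-.](?P<v>\d+\.\d+(?:\.\d+)?))?(?:\.min)?\.js"),
]

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)


def _haystacks(headers: Dict[str, str], body: str) -> Dict[str, str]:
    """Pull the text each signature is matched against out of the response."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "header:server": h.get("server", ""),
        "header:x-powered-by": h.get("x-powered-by", ""),
        "cookie": h.get("set-cookie", ""),
        "html:generator": " ".join(GENERATOR_RE.findall(body)),
        "html:script": " ".join(SCRIPT_SRC_RE.findall(body)),
    }


def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {technology: {"category", "version", "evidence"}} for every matching signature."""
    hay = _haystacks(headers, body)
    found: Dict[str, Dict[str, Optional[str]]] = {}
    for category, tech, where, pattern in SIGNATURES:
        m = re.search(pattern, hay[where], re.I)
        if m:
            found[tech] = {"category": category,
                           "version": m.groupdict().get("v"),
                           "evidence": where}
    return found


def disclosed_versions(found: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Technologies whose exact version is leaked by a response header.

    These are the cheap wins for a defender: a Server or X-Powered-By header
    that carries a version tells any profiler exactly which advisories apply.
    """
    return sorted((tech, info["version"]) for tech, info in found.items()
                  if info["version"] and info["evidence"].startswith("header:"))


# Constructed sample response from a hypothetical PHP/Laravel site behind nginx.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/8.1.2",
    "Set-Cookie": "laravel_session=abc123; Path=/; HttpOnly; Secure",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<html><head>
<script src="/assets/jquery-3.6.0.min.js"></script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    stack = fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)
    for tech, info in stack.items():
        print(f"{info['category']:<10} {tech:<10} {info['version'] or '-':<8} via {info['evidence']}")
    print("version-leaking headers:", disclosed_versions(stack))
```

Real profilers carry thousands of signatures and also look at JavaScript globals, asset paths and HTML comments, but the mechanism is the same; the `disclosed_versions` list is the part worth acting on, since stripping versions from Server and X-Powered-By costs nothing and removes the most precise signal.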

Discover subdomains of the target

A domain is the name of a website. A subdomain is an additional part of the domain name.

Usually, the domain is associated with one or more subdomains. Hence, it is essential to know how to find or discover subdomains related to the target domain.
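Before looking at the subdomain discovery services, here is an added example (not code from any tool named on this page) that applies the definition above in practice. Passive sources such as certificate transparency logs and DNS datasets return hostnames with mixed case, trailing dots, wildcards and look-alike names, and a naive suffix check accepts names that are not subdomains at all. The observed hostnames are a constructed sample.

```python
"""Keep only the hostnames that are really subdomains of a target domain.

Added example, not code from Dnsdumpster, nmmapper or any of the tools
named on this page. It applies the definition "a subdomain is an additional
label in front of the domain" label by label, so that "notexample.com" or
"example.com.attacker.net" are not accepted just because they end with the
target string. The observed hostnames are a constructed sample.
"""
from typing import Dict, Iterable, Set


def normalise(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.strip().rstrip(".").lower()


def is_subdomain_of(host: str, domain: str) -> bool:
    """True when host has at least one extra label in front of domain.

    Comparing on the ".<domain>" boundary, not a bare suffix, is what
    rejects "notexample.com" for the target "example.com".
    """
    host, domain = normalise(host), normalise(domain)
    return host != domain and host.endswith("." + domain)


def collect_subdomains(observed: Iterable[str], domain: str) -> Dict[str, Set[str]]:
    """Sort observed names into real hosts, wildcard entries and out-of-scope names."""
    result: Dict[str, Set[str]] = {"hosts": set(), "wildcards": set(), "out_of_scope": set()}
    apex = normalise(domain)
    for raw in observed:
        host = normalise(raw)
        if not host or host == apex:
            continue  # empty entry or the apex itself: not a subdomain
        if host.startswith("*."):
            # CT logs contain wildcard certificates; they name a zone, not a resolvable host
            parent = host[2:]
            bucket = "wildcards" if parent == apex or is_subdomain_of(parent, domain) else "out_of_scope"
        else:
            bucket = "hosts" if is_subdomain_of(host, domain) else "out_of_scope"
        result[bucket].add(host)
    return result


def immediate_parents(hosts: Iterable[str]) -> Set[str]:
    """The zone each host sits directly under, e.g. dev.api.example.com -> api.example.com.

    For a defender this shows which sub-zones are actually in use.
    """
    return {h.split(".", 1)[1] for h in hosts if "." in h}


# Constructed sample of what passive subdomain sources might return for example.com.
OBSERVED = [
    "www.example.com",
    "API.example.com.",           # upper case with trailing dot
    "dev.api.example.com",
    "*.staging.example.com",      # wildcard certificate
    "notexample.com",             # suffix-matching trap
    "example.com.attacker.net",   # look-alike under someone else's zone
    "example.com",                # the apex itself
    "www.example.com",            # duplicate
]

if __name__ == "__main__":
    found = collect_subdomains(OBSERVED, "example.com")
    for bucket, names in found.items():
        print(f"{bucket}: {sorted(names)}")
    print("zones in use:", sorted(immediate_parents(found["hosts"])))
```

The `out_of_scope` bucket is worth keeping rather than discarding: look-alike names such as `example.com.attacker.net` are exactly what a defender wants to notice in certificate transparency data.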

Dnsdumpster

Dnsdumpster is a free domain research tool that can discover subdomains of the target domain. It performs subdomain discovery by relaying data from Shodan, Maxmind, and other search engines. There is a limit to the number of domains you are allowed to search. If you want to overcome this limit, you can try their commercial product, Domain Profiler.


Domain Profiler performs domain discovery in much the same way as Dnsdumpster. However, Domain Profiler includes additional information, such as DNS records. Unlike Dnsdumpster, Domain Profiler is not free; it requires a full membership plan.

Both Dnsdumpster and the Domain Profiler service belong to hackertarget.com.

nmmapper

nmmapper leverages native reconnaissance tools such as Sublist3r, DNScan, Lepus, and Amass to search for subdomains.


nmmapper also offers plenty of other tools, such as a ping test, DNS lookup, WAF detector, etc.

Find email addresses

To effectively test whether a company is vulnerable to phishing or not, you need to find email addresses of workers working for the target company.

Hunter

Hunter is a popular email finder service. It allows anyone to search for email addresses via the domain search method or the email finder method. With the domain search method, you can search for email addresses by domain name.


Hunter also offers an API.

EmailCrawlr

GUI or API – your choice.

EmailCrawlr returns a list of email addresses in a JSON format.


Skrapp

Although Skrapp is aimed at email marketing, it can also search for email addresses via its domain search feature. Another feature, the bulk email finder, lets you import a CSV file with the names of employees and companies and returns email addresses in bulk.

There is a REST API available for those who prefer to search for email addresses programmatically.

Explore more email finder tools.

Find Folders and Files

In a pentest project it is important to know which types of files or folders are hosted on the target web server. Files and folders on a web server often hold sensitive information such as administrator passwords, GitHub keys, and so on.

URL Fuzzer

URL Fuzzer is an online service by Pentest-Tools. It uses a custom-built wordlist to discover hidden files and directories. The wordlist contains more than 1000 common names of known files and directories.

It lets you scan for hidden resources with a light scan or a full scan. The full scan mode is only available to registered users.


Pentest-Tools offers more than 20 tools for information gathering, website security testing, infrastructure scanning, and exploit helpers.

Miscellaneous Information

When we need information on internet-connected devices such as routers, webcams, printers, refrigerators, and so on, we rely on Shodan.

Shodan

We can rely on Shodan to feed us detailed information. Like Google, Shodan is a search engine, but it searches the invisible parts of the internet for information on internet-connected devices. Although Shodan is a search engine built for cybersecurity, anybody interested in knowing more about these devices can use it.

For instance, you can use the Shodan search engine to find how many companies use the Nginx web server or how many Apache servers are available in Germany or San Francisco. Shodan also provides filters to narrow down your search to a specific result.


Exploit Search Tools

In this section, we look at different online exploit search tools or services available for security researchers.

Packet Storm

Although Packet Storm is an information security service known for publishing current and historical security articles and tools, it also publishes current exploits for testing CVEs. It is operated by a group of cybersecurity professionals.

Exploit-DB

Exploit-DB is the most popular free exploit database. It is a project from Offensive Security that collects exploits submitted by the public for penetration testing purposes.

Vulnerability-Lab

Vulnerability-Lab provides access to a large database of vulnerabilities with exploits and proofs of concept for research purposes. You need to register an account before you can submit exploits or make use of them.

Conclusion

I hope the above tools help you with your research work. They are strictly meant for educational use on your own assets, or on a target you have permission to test.

Next, explore forensic investigation tools.

What is an example of reconnaissance?

Examples of reconnaissance include patrolling by troops (skirmishers, long-range reconnaissance patrol, U.S. Army Rangers, cavalry scouts, or military intelligence specialists), ships or submarines, crewed or uncrewed reconnaissance aircraft, satellites, or by setting up observation posts.

Which of the following tools can be used for active reconnaissance?

Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments.

What is commonly used in reconnaissance attacks?

Some common examples of reconnaissance attacks include packet sniffing, ping sweeps, port scanning, phishing, social engineering, and internet information queries. It is worth noting that these attacks can be prevented as well. They can be examined further by breaking them into two categories: logical and physical.
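Ping sweeps and port scans are the two items on that list that leave the clearest trace in a defender's own logs. The following is an added example, not from any product named on this page, of the threshold detections a SOC would run over firewall logs: many distinct destination ports from one source in a short window (port scan) and ICMP to many distinct hosts from one source (ping sweep). The log format, every log line and the thresholds are constructed assumptions; a real firewall logs differently, so only the parser would need adapting.

```python
"""Spot ping sweeps and port scans in firewall logs.

Added example, not from any product named on this page. It runs two simple
threshold detections over a sliding time window per source address: many
distinct destination ports in a short time (port scan) and ICMP to many
distinct hosts (ping sweep). The log format and every line below are
constructed; thresholds are assumptions to be tuned per network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: "<ISO time> ALLOW|DENY src=<ip> dst=<ip> proto=<p> [dport=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?$")


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def detect_recon(lines: List[str], window_seconds: int = 60,
                 port_threshold: int = 10, host_threshold: int = 5) -> List[Dict]:
    """Return one alert per (source, kind) whose activity crosses a threshold inside the window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts: List[Dict] = []
    for src, evs in by_src.items():
        fired = set()
        j = 0
        for i in range(len(evs)):
            # Slide the right edge so evs[i:j] is everything within the window of evs[i].
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            win = evs[i:j]
            ports = {(e["dst"], e["dport"]) for e in win if e["dport"] is not None}
            icmp_hosts = {e["dst"] for e in win if e["proto"] == "icmp"}
            if len(ports) >= port_threshold and "port_scan" not in fired:
                fired.add("port_scan")
                alerts.append({"kind": "port_scan", "src": src, "count": len(ports),
                               "first_seen": win[0]["ts"].isoformat()})
            if len(icmp_hosts) >= host_threshold and "ping_sweep" not in fired:
                fired.add("ping_sweep")
                alerts.append({"kind": "ping_sweep", "src": src, "count": len(icmp_hosts),
                               "first_seen": win[0]["ts"].isoformat()})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one port scan, one ping sweep, ordinary HTTPS traffic, one junk line."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]):
        lines.append(f"2024-05-01T10:00:{i:02d}Z DENY src=203.0.113.5 dst=10.0.0.7 proto=tcp dport={port}")
    for i in range(1, 7):
        lines.append(f"2024-05-01T10:05:{i:02d}Z DENY src=198.51.100.9 dst=10.0.0.{i} proto=icmp")
    for i in range(3):
        lines.append(f"2024-05-01T10:07:{i:02d}Z ALLOW src=192.0.2.44 dst=10.0.0.7 proto=tcp dport=443")
    lines.append("garbage line that the parser should skip")
    return lines


if __name__ == "__main__":
    for alert in detect_recon(build_sample_log()):
        print(alert)
```

The per-source window is what keeps the ordinary HTTPS client quiet: it touches one port on one host repeatedly, which never grows the distinct-port set. Slow scans spread over hours defeat a fixed 60-second window, which is why production detections also keep longer-horizon counters per source.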

What is a reconnaissance technique?

In the context of cybersecurity, reconnaissance is the practice of covertly discovering and collecting information about a system. This method is often used in ethical hacking or penetration testing.