Advanced Recon Guide
To everyone who asked for it, here is my recon guide, which I put together from multiple sources and refined over the past few months. It is kind of advanced if you are new to recon, and no links to tools/sources will be provided; however, a quick Google search will find you all the tools used.
Quick and dirty version, straight from my notes, sorry if it's confusing.
ROOT DOMAIN:
-
TLD = Top Level Domain (site.com). This step scans the name across TLDs: site.com, site.ca, site.co.uk, etc.
./tld_scanner.py -s -n -f -d site -m plain -o site-tld.txt
Remove http:// and https:// from the output afterwards (notepad or sed); everything later expects bare hostnames.
1-A. G.S.A.N (grabs the Subject Alternative Names from the TLS certificate, single domain only): gsan -o site-gsan.txt -f text site.com ---> append the results to site-tld.txt
-
ASN numbers
./asnlookup.py -o site (writes its file to asnlookup/output); rename it to site-cidr-range.txt
-
Hurricane Electric: https://bgp.he.net/ <--- search the company name (site, no .com or anything). Copy the ASN(s) and the announced ranges from the search results: ASNs go in site-asn.txt, ranges in site-cidr-range.txt. Don't copy the AS prefix, just the number, e.g. AS13457 <---- write only 13457.
-
AMASS for CIDR ranges:
amass intel -org site | tee -a site-intel-org.txt
(add any ASNs it reports to site-asn.txt and any CIDRs to site-cidr-range.txt)
4-A. Feed the CIDR list to amass intel with a for loop:
for i in $(cat site-cidr-range.txt); do echo ""; echo "cidr $i"; echo ""; amass intel -cidr $i; echo ""; done | tee -a site-cidr-range-scanned.txt
(the echo lines are only banners so you can see which range a result came from; they have to be stripped out before the combine step)
-
NMAP (cert, banner and title over the usual web ports; -Pn skips host discovery, --open keeps only hosts with an open port):
nmap -T4 -Pn -p 80,4443,4080,443 --script=ssl-cert -iL site-cidr-range.txt -oX site-cidr-ssl-cert-scanned.xml --open
nmap -T4 -Pn -p 80,4443,4080,443 --script=banner -iL site-cidr-range.txt -oX site-cidr-banner-scanned.xml --open
nmap -T4 -Pn -p 80,4443,4080,443 --script=http-title -iL site-ip.txt -oX site-ip-title-scanned.xml --open
(the third scan reads site-ip.txt, which the NMAP PARSE step builds from the first two scans, so parse those before running it)
6-A. NMAP PARSE (list the hosts with an open port and append them to site-ip.txt):
./nmap-parse-output site-cidr-ssl-cert-scanned.xml hosts | tee -a site-ip.txt
./nmap-parse-output site-cidr-banner-scanned.xml hosts | tee -a site-ip.txt
./nmap-parse-output site-ip-title-scanned.xml hosts | tee -a site-ip.txt
(tee -a appends, so site-ip.txt will contain duplicates until the sort/unique step)
-
Feed site-ip.txt to amass for (sub)domains:
for i in $(cat site-ip.txt); do echo ""; echo "IP $i"; echo ""; amass intel -addr $i; echo ""; done | tee -a site-ip-scanned.txt
Cleaner output (no banner lines):
for i in $(cat site-ip.txt); do amass intel -addr $i; done | tee -a site-ip-scanned.txt
-
Feed site-asn.txt to amass intel with a for loop:
for i in $(cat site-asn.txt); do echo ""; echo "ASN $i"; echo ""; amass intel -active -asn $i; echo ""; done | tee -a site-asn-scanned.txt
-
Resolve the TLD list so only names that actually resolve end up in site-root.txt:
massdns -r resolvers.txt -o S -w site-root.txt site-tld.txt
(add --hashmap-size 7500 to reduce the number of concurrent lookups if it floods your connection)
-
Combine 1. site-root.txt, 2. site-tld.txt, 3. site-asn-scanned.txt, 4. site-cidr-range-scanned.txt and 5. site-ip-scanned.txt into ONE file, sort and unique it, and start subdomain enum from that file: site-ready-for-sub-enum.txt (make sure http:// and https:// are removed from all the txt files first!!!)
Tip for an easy sort and unique: open the file in vim (vim site-ready-for-sub-enum.txt), press : and type %sort u, then press Enter; vim reports how many duplicate lines were removed. Then press : and type wq to save and quit.
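An added example, not part of the original guide, of doing the combine step from the shell instead of notepad and vim. It strips http:// and https://, ports and paths, the banner lines the for loops above write (cidr ..., IP ..., ASN ...), notepad's CR line endings, blank lines and bare IPs, then sorts unique; it also turns AS13457-style labels (and the "13457, Org" lines from amass intel -org) into the bare numbers amass intel -asn wants. The file names are the guide's; the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Assumes only POSIX tools
# (tr, awk, sed, grep, sort); the file names are the ones used in the guide.

# clean_roots FILE... : print one bare hostname per line, sorted and unique.
# - drops http:// and https://, ports and paths (https://Site.com:8443/x -> site.com)
# - keeps only the first field of each line, so massdns "-o S" output
#   ("site.ca. A 192.0.2.10") contributes the name, and the loop banners
#   ("cidr 10.0.0.0/24", "IP 192.0.2.5") are thrown away because their first
#   word has no dot
# - drops CR from files edited in notepad, blank lines, and bare IPv4 addresses
clean_roots() {
  cat "$@" \
    | tr -d '\r' \
    | awk '{ print $1 }' \
    | tr 'A-Z' 'a-z' \
    | sed -E 's#^(https?://)?##; s#[/:].*$##; s/\.$//' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | grep -vE '^[0-9.]+$' \
    | LC_ALL=C sort -u
}

# asn_numbers FILE... : turn "AS64496", "as64496" and "64497, Example Corp"
# (the bgp.he.net and amass intel -org shapes) into bare ASNs, one per line,
# numerically sorted with duplicates removed.
asn_numbers() {
  cat "$@" \
    | tr -d '\r' \
    | awk '{ print $1 }' \
    | sed -E 's/^[Aa][Ss]//; s/[,;]+$//' \
    | grep -E '^[0-9]+$' \
    | sort -un
}

# Constructed sample inputs (not real recon output) so the functions run as-is.
demo_roots() {
  printf '%s\n' 'https://Site.com/login' 'http://site.com:8080' 'cidr 10.0.0.0/24' \
    'site.ca. A 192.0.2.10' 'IP 192.0.2.10' '' 'www.site.co.uk' 'site.com' '192.0.2.10' \
    | clean_roots
}

demo_asns() {
  printf '%s\n' 'AS64496' 'as64496' '64497' 'AS64498 Example Corp' '64497, Example Corp' \
    | asn_numbers
}

# Real use, with the files produced by the steps above:
#   clean_roots site-root.txt site-tld.txt site-asn-scanned.txt \
#       site-cidr-range-scanned.txt site-ip-scanned.txt > site-ready-for-sub-enum.txt
#   asn_numbers site-asn.txt > site-asn-clean.txt
demo_roots
demo_asns
```

The hostname filter is deliberately strict (letters, digits, hyphens and dots only), so anything that is not a DNS name, such as a leftover banner line or a stray IP, is dropped rather than handed to the subdomain enumeration tools.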
Now all the root domains are found (and a few subs too). Now it's time for subdomain enum: next article (another 12 steps). Happy Hunting, Prime.