Bug Bounty 10-Day Complete Free Training: Day5 – Starting Reconnaissance

Hello, HackingBlogs team! Welcome to the fifth day of the 10-Day Bug Bounty Bootcamp! My name is Dipanshu Kumar, and I cannot wait to continue moving forward on this thrilling adventure with each and every one of you.

Today, reconnaissance is the first step in our bug hunting journey. (Reconnaissance is the act of learning as much as possible about a target in order to spot potential weaknesses.) Recon is a large topic, so we will study it over the next two days. Today's main topics are WHOIS lookups, DNS records, reverse IP and name server lookups, mail server lookups, and automating the process with tools such as Amass.

Reconnaissance

    “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

    Abraham Lincoln

    Reconnaissance: Horizontal and Vertical Correlation

    • Horizontal correlation means finding every asset connected to a business: acquisitions, CIDR ranges, and other domains held by the same owner.
    • Vertical correlation, on the other hand, means identifying every subdomain that falls under a single domain.

    An example of horizontal and vertical correlation, using HackingBlogs as the target:

    Let’s Talk About: CIDR (Classless Inter-Domain Routing)

    CIDR (Classless Inter-Domain Routing) is a more flexible and efficient way to express an IP address together with its network mask. Instead of the conventional class-based method (Class A, B and C networks), CIDR specifies a range of IP addresses with a prefix length that states how many bits belong to the network part.

    Don’t worry, here is a good example that will clear your doubts.

    CIDR notation: 192.168.1.0/24
    The IP address 192.168.1.0 is the base address.

    /24 denotes that the first 24 bits are the network part and the remaining 8 bits are the host part. The number after the slash (24 in this example) is the prefix length; it determines how much of the IP address is used for the network versus the hosts.

    /24 What The Hell ?

    It might be a little unclear, but I need to provide this information to make things obvious. If you tell me to, I will create a free networking course in a few days.

    The subnet mask, 255.255.255.0, marks the network part (the first 24 bits) and the host part (the last 8 bits). This gives you 256 IP addresses, from 192.168.1.0 to 192.168.1.255, with 192.168.1.0 serving as the network address and 192.168.1.255 as the broadcast address. The valid host addresses are 192.168.1.1 through 192.168.1.254.
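    To make the prefix arithmetic concrete, here is an added example (not from the original post) that derives the mask, network, broadcast and usable host range for any IPv4 CIDR block with plain bit operations, and adds a scope check that tells you whether an address falls inside a list of published ranges. Function names are our own; it handles the /31 and /32 edge cases, which have no separate network and broadcast addresses.

```python
# Added example: how a CIDR prefix length maps to mask, network and host range.
# Pure bit arithmetic on IPv4 dotted quads; no third-party modules required.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n

def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """Mask with `prefix` leading 1 bits (network part) and 32-prefix trailing 0 bits (host part)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe_cidr(cidr: str) -> dict:
    """Return mask, network, broadcast, address counts and usable range for a CIDR block."""
    base, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_mask(prefix)
    network = ip_to_int(base) & mask            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    total = 1 << (32 - prefix)
    # /31 (point-to-point) and /32 (single host) reserve no network/broadcast addresses.
    reserved = prefix <= 30
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "total": total,
        "usable": total - 2 if reserved else total,
        "first_host": int_to_ip(network + 1 if reserved else network),
        "last_host": int_to_ip(broadcast - 1 if reserved else broadcast),
    }

def in_scope(ip: str, cidrs: list) -> bool:
    """True when ip lies inside any of the CIDR blocks (e.g. a programme's published scope)."""
    n = ip_to_int(ip)
    for cidr in cidrs:
        base, prefix = cidr.split("/")
        mask = prefix_mask(int(prefix))
        if n & mask == ip_to_int(base) & mask:
            return True
    return False

if __name__ == "__main__":
    print(describe_cidr("192.168.1.0/24"))
    print(in_scope("192.168.1.77", ["192.168.1.0/24"]))
```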

    Tools You Can Use For CIDR Enumeration

    Nmap

    • -sn: Tells Nmap to perform a ping scan (host discovery) without port scanning, just to find live hosts in the given CIDR range.

    Fping

    • -a: Only show hosts that are alive (responding to ping).
    • -g: Generate a list of IPs to ping in the given CIDR range.

    ASNs: Autonomous System Number

    Each Autonomous System (AS) is uniquely identified by its Autonomous System Number (ASN). An autonomous system is a group of IP networks and routers managed by a single entity that presents a common routing policy to the internet. Routers use ASNs to decide how to route traffic between different autonomous systems.

    Types of ASNs:

    • Private ASNs: These run from 64512 to 65534 and are for private use only; they are not routable on the global internet.
    • Public ASNs: Used by large enterprises, ISPs, and other organizations for routing on the global internet.

    ASN Lookup: Discover ASN Information

    Tool: WHOIS Lookup for ASN

    The IP address 8.8.8.8, which is owned by Google, has the ASN AS15169.

    Websites: ipinfo.io, bgp.he.net

    Reverse Lookup: What Are You Waiting For?

    Reverse WHOIS Lookup

    You run a query using a known piece of information, such as a name, email address, or organization name. The results list every domain that was registered with that piece of information.

    Reverse DNS

    A Reverse DNS (rDNS) lookup is the process of finding the domain name associated with an IP address. This is the opposite of a standard DNS query, which maps domain names to IP addresses. Given an IP address, it queries the PTR record in DNS, which maps the IP back to a domain name.
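    The paragraph above says the PTR record is queried; what it does not show is the name that query actually asks for. The added example below (not from the original post) builds that reverse name for both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) addresses and then resolves it through the system resolver; the function names are our own.

```python
# Added example: construct the PTR query name for an address and resolve it.
import socket
from typing import Optional

def reverse_pointer_name(ip: str) -> str:
    """Return the DNS name a PTR lookup queries for the given IP address."""
    if ":" in ip:
        # IPv6: expand to 32 hex nibbles, reverse their order, dot-separate under ip6.arpa.
        packed = socket.inet_pton(socket.AF_INET6, ip)
        nibbles = "".join(f"{b:02x}" for b in packed)
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    # IPv4: the four octets in reverse order under in-addr.arpa.
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def reverse_lookup(ip: str) -> Optional[str]:
    """Resolve the PTR record via the system resolver; None when nothing is published."""
    try:
        hostname, _aliases, _addresses = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror):
        return None

if __name__ == "__main__":
    # 8.8.8.8 is the Google resolver named in the ASN section above.
    for addr in ("8.8.8.8", "2001:4860:4860::8888"):
        print(addr, "->", reverse_pointer_name(addr), "->", reverse_lookup(addr))
```

Many hosts in a CIDR range publish no PTR record at all, so a None result is normal and does not mean the address is unused.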

    Reverse Name Server and Reverse Mail Server

    Using Nslookup: -type=MX (mail server)

    Using Nslookup: -type=NS (name server)

    Automating Our Recon With Amass

    To Install Amass On Linux

    Automating Subdomain Discovery with Amass: Passive Subdomain Enumeration

    • -passive: Instructs Amass to use passive data sources only (i.e., no direct interaction with the target domain).
    • -d example.com: Specifies the domain for which you want to discover subdomains.

    Automating Subdomain Discovery with Amass: Active Subdomain Enumeration

    Combining Passive and Active Enumeration

    ASN Discovery
