Forum Thread: What Should I Look for in Reconnaissance?
Title says it really. I found 2 IPs (different networks but linked in terms of company) and I know their operating systems and ports, but they're just the standard email ports. What should I look for now? I know what they're running on the server side and the webserver version for one of them. Should I try to find the versions of PHP they're running to see if there are any exploits? I know one of the websites has a reflected XSS vulnerability, but it filters out <script>. Basically I just don't know how much recon is enough and what to look for. If someone has a checklist/template (like you would use for doxing) or something to point me in the right direction, that would be nice.
4 Responses
How did you find the XSS vulnerability? I've always been interested in this, but haven't been too good at it :/
As for the recon, any open ports, services, versions of services (especially), and just any general information. I might be (probably) missing a few things, but these are definitely necessary.
I just typed
Into the search bar
The information gathering stage can make or break a pentest. You want to gather a large list of information and then hone in from there.
Some things to look for, there's always more:
Can you physically go to their building?
Can you physically access their building easily?
What is the target, how do they operate?
What IP ranges do they have allocated?
What do they do for mail?
What do their DNS records show?
What subdomains do they have?
What's going on in their company?
Who works there? How do they assign login names? What's their password policy?
What do their networks look like?
Are any of the people who work there vulnerable to social engineering?
What employees are all over social media leaking information?
Does the company or any of its employees have a public-facing GitHub?
Did they leave any API keys or credentials somewhere for you to find them?
What employees in the company have had their data leaked?
If an employee had their data leaked in a big dump were passwords part of that?
Who seems non-technical?
What are their valuable assets?
Where do they store valuable assets?
Like I said, there's always more. As you answer these questions, more questions will pop up. You want to be thorough in your analysis. Leave no stone unturned. This will give you an idea of what hosts you want to target specifically. It will also help you dig through your collection of nmap logs a little faster, or narrow down the amount of scanning you have to do. There's no point in scanning an MX for a company if it's just hosted by Cisco.
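Since both replies above come back to open ports, service versions and "your collection of nmap logs", here is an added example (not code from any poster in this thread) that turns nmap's grepable output (`-oG`) from an authorized scan of your own hosts into a per-host inventory, so you can sort by product version and spot open ports nmap could not fingerprint instead of re-reading raw logs. The scan output embedded below is constructed, not a real scan.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 (mail.example.test)\tStatus: Up
Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 198.51.100.7 ()\tStatus: Up
Host: 198.51.100.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 587/open/tcp//submission?///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# "Host: <ip> (<hostname>)<TAB><Key: value fields separated by TABs>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and blank lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # Status / Ignored State / OS fields not needed here
            for spec in value.split(", "):
                # Layout: port/state/proto/owner/service/rpcinfo/version/
                parts = spec.split("/")
                if len(parts) < 7:
                    continue
                entry["ports"].append({"port": int(parts[0]), "state": parts[1],
                                       "proto": parts[2], "service": parts[4],
                                       "version": parts[6]})
    return hosts


def open_services(hosts):
    """Flatten to sorted (ip, port, service, version) tuples for open ports only."""
    return sorted((ip, p["port"], p["service"], p["version"])
                  for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open")


def unversioned(hosts):
    """Open ports with no product string: nmap could not identify what answers there,
    so they deserve a closer look before the host is written off as uninteresting."""
    return [(ip, port) for ip, port, _svc, ver in open_services(hosts) if not ver]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for row in open_services(inventory):
        print("%-14s %5d %-12s %s" % row)
    print("unidentified:", unversioned(inventory))
```

Point it at a real `-oG` file with `parse_gnmap(open("scan.gnmap").read())`; nmap escapes a literal slash in version strings, so the field split above holds.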
Thanks man