Forum Thread: What Should I Look for in Reconnaissance?

Title says it really. I found 2 IPs (different networks but linked in terms of company) and I know their operating systems and ports, but they're just the standard email ports. What should I look for now? I know what they're running on the server side and the webserver version for one of them. Should I try to find the versions of PHP they're running to see if there are any exploits? I know one of the websites has a reflected XSS vulnerability, but it filters out <script>. Basically I just don't know how much recon is enough and what to look for. If someone has like a checklist/template (like you would use for doxing) or something to point me in the right direction, that would be nice.

4 Responses

How did you find the XSS vulnerability? I've always been interested in this, but haven't been too good at it :/

As for the recon, any open ports, services, versions of services (especially), and just any general information. I might be (probably) missing a few things, but these are definitely necessary.

I just typed

<body onload=alert('test')>

Into the search bar
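The reply above shows why a filter that only strips <script> does not close a reflected XSS: the same input can open a tag with an inline event handler instead. The following is an added example, not code from the thread, contrasting that kind of blacklist with output encoding for an HTML text context; the search-page template, the input strings and the helper names are assumptions.

```javascript
// Blacklist filter of the kind the original poster describes: it removes
// <script> tags and nothing else, so tags with event handlers pass through.
function naiveScriptFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Fix for an HTML text context: encode every character that has meaning to
// the HTML parser, so reflected input can never open a tag or an attribute.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude check used only to compare the two approaches: does the rendered
// page still contain a tag carrying an inline "on..." event attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Renders the search term the way a reflecting search handler would,
// passing it through the chosen sanitizer first (assumed page template).
function renderSearchPage(term, sanitizer) {
  return `<html><body><p>Results for: ${sanitizer(term)}</p></body></html>`;
}

// Constructed inputs: the payload quoted in the thread and an ordinary query
// that legitimately contains characters the encoder must not mangle.
const PAYLOAD = "<body onload=alert('test')>";
const BENIGN = "O'Reilly & Sons <Ltd>";

// For a given term, report whether each approach leaves an event handler
// tag in the page. Expected for PAYLOAD: { naive: true, encoded: false }.
function compareFilters(term) {
  return {
    naive: containsEventHandlerTag(renderSearchPage(term, naiveScriptFilter)),
    encoded: containsEventHandlerTag(renderSearchPage(term, encodeForHtml)),
  };
}

console.log(compareFilters(PAYLOAD));
console.log(renderSearchPage(BENIGN, encodeForHtml));
```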

The information gathering stage can make or break a pentest. You want to gather a large list of information and then hone in from there.

Some things to look for (there's always more):
Can you physically go to their building?
Can you physically access their building easily?
What is the target, how do they operate?
What IP ranges do they have allocated?
What do they do for mail?
What do their DNS records show?
What subdomains do they have?
What's going on in their company?
Who works there? How do they assign login names? What's their password policy?
What do their networks look like?
Are any of the people who work there vulnerable to social engineering?
What employees are all over social media leaking information?
Does the company or any of its employees have a public facing Github?
Did they leave any API keys or credentials somewhere for you to find them?
What employees in the company have had their data leaked?
If an employee had their data leaked in a big dump were passwords part of that?
Who seems non-technical?
What are their valuable assets?
Where do they store valuable assets?

Like I said, there's always more. As you answer these questions, more questions will pop up. You want to be thorough in your analysis. Leave no stone unturned. This will give you an idea of what hosts you want to target specifically. It will also help you dig through your collection of nmap logs a little faster, or narrow down the amount of scanning you have to do. There's no point in scanning an MX for a company if it's just hosted by Cisco.
