Forum Thread: What Should I Look for in Reconnaissance?
Title says it really. I found 2 IPs (different networks but linked in terms of company) and I know their operating systems and ports, but they're just the standard email ports. What should I look for now? I know what they're running on the server side and the webserver version for one of them. Should I try to find the versions of PHP they're running to see if there are any exploits? I know one of the websites has a reflected XSS vulnerability, but it filters out <script>. Basically I just don't know how much recon is enough and what to look for. If someone has a checklist/template (like you would use for doxing) or something to point me in the right direction, that would be nice.
4 Responses
How did you find the XSS vulnerability? I've always been interested in this, but haven't been too good at it :/
As for the recon, any open ports, services, versions of services (especially), and just any general information. I might be (probably) missing a few things, but these are definitely necessary.
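Added example (not code from any of the posts in this thread) of what "open ports, services, versions of services" looks like once it is organized rather than eyeballed: a parser for nmap's grepable (-oG) output that builds a per-host inventory, separates the services nmap fingerprinted from the ones it only guessed, and lists the distinct product banners so each one is looked up once. The scan output embedded below is constructed (TEST-NET addresses, made-up banners) so the script runs offline; on an engagement read the file written by `nmap -sV -oG scan.gnmap <targets>` instead.

```python
"""Organize nmap -oG (grepable) output into a per-host service inventory.

Added example for this thread, not code from any of the posts. The scan
output below is constructed (TEST-NET addresses, made-up banners) so the
script runs offline; on an engagement read the file written by
`nmap -sV -oG scan.gnmap <targets>` instead.
"""
import re

# Constructed sample: one mail host that also exposes a web server, one that
# shows only mail ports plus one port nmap could not fingerprint.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 203.0.113.10 198.51.100.25
Host: 203.0.113.10 (mail.example.com)\tStatus: Up
Host: 203.0.113.10 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/open/tcp//ssl|http//Apache httpd 2.4.29 ((Ubuntu))/, 587/open/tcp//smtp//Postfix smtpd/\tIgnored State: filtered (996)
Host: 198.51.100.25 (mx2.example.net)\tStatus: Up
Host: 198.51.100.25 (mx2.example.net)\tPorts: 25/open/tcp//smtp?///, 143/open/tcp//imap//Dovecot imapd/, 993/open/tcp//ssl|imap//Dovecot imapd/\tIgnored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment or blank line
        ip, hostname, fields = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # Each entry is port/state/proto/owner/service/rpcinfo/version/
                # The version text can contain anything, so split at most 6 times.
                parts = spec.split("/", 6)
                if len(parts) != 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts
                entry["ports"].append({
                    "port": int(port),
                    "state": state,
                    "proto": proto,
                    "service": service.rstrip("?"),
                    "guessed": service.endswith("?"),  # nmap appends ? when unsure
                    "version": version.rstrip("/").strip(),
                })
    return hosts


def fingerprinted(hosts):
    """Open ports with a version banner: the ones worth searching for known bugs."""
    rows = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open" and p["version"]:
                rows.append((ip, p["port"], p["service"], p["version"]))
    return sorted(rows)


def needs_followup(hosts):
    """Open ports with no version: rescan with -sV --version-intensity 9 or grab the banner by hand."""
    rows = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open" and not p["version"]:
                rows.append((ip, p["port"], p["service"]))
    return sorted(rows)


def distinct_products(hosts):
    """Unique version banners across all hosts, so one lookup covers every instance."""
    return sorted({row[3] for row in fingerprinted(hosts)})


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("Fingerprinted services:")
    for ip, port, service, version in fingerprinted(inventory):
        print(f"  {ip}:{port} {service} -> {version}")
    print("Needs follow-up:")
    for ip, port, service in needs_followup(inventory):
        print(f"  {ip}:{port} {service}")
    print("Distinct products to look up:", distinct_products(inventory))
```

The split on the port entries stops after six slashes on purpose: the version field is free text and is the one field that can legitimately contain a slash, so it must be taken whole rather than split further.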
I just typed
Into the search bar
The information gathering stage can make or break a pentest. You want to gather a large list of information and then home in from there.
Some things to look for; there's always more:
Can you physically go to their building?
Can you physically access their building easily?
What is the target, how do they operate?
What IP ranges do they have allocated?
What do they do for mail?
What do their DNS records show?
What subdomains do they have?
What's going on in their company?
Who works there? How do they assign login names? What's their password policy?
What do their networks look like?
Are any of the people who work there vulnerable to social engineering?
What employees are all over social media leaking information?
Does the company or any of its employees have a public-facing GitHub?
Did they leave any API keys or credentials somewhere for you to find them?
Which employees in the company have had their data leaked?
If an employee had their data leaked in a big dump, were passwords part of that?
Who seems non-technical?
What are their valuable assets?
Where do they store valuable assets?
Like I said, there's always more. As you answer these questions, more questions will pop up. You want to be thorough in your analysis. Leave no stone unturned. This will give you an idea of what hosts you want to target specifically. It will also help you dig through your collection of nmap logs a little faster, or narrow down the amount of scanning you have to do. There's no point in scanning an MX for a company if it's just hosted by Cisco.
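Added example (not code from any of the posts) for the "what do they do for mail", "DNS records" and "IP ranges" items above, and for the closing point about not scanning a mail host that someone else operates: parse the target's SPF TXT record for the networks and third-party senders it authorizes, then check each MX host's address against the ranges the company actually has allocated so only in-scope hosts go into the nmap list. All records and addresses are constructed (example.com, TEST-NET ranges, a made-up mail provider) so the script runs offline; on an engagement substitute the output of `dig +short MX example.com` and `dig +short TXT example.com`.

```python
"""Turn mail/DNS recon into a scoped target list.

Added example for this thread, not code from any of the posts. All records
below are constructed (example.com, TEST-NET ranges, a made-up provider) so
the script runs offline; on an engagement substitute real `dig` output.
"""
import ipaddress

# Constructed recon data for a hypothetical target.
ALLOCATED = ["203.0.113.0/24"]  # ranges whois/RIR lookups attribute to the company
MX_RECORDS = {  # `dig +short MX example.com`, each host then resolved to an address
    "mx1.example.com": "203.0.113.10",
    "example-com.mx.thirdparty-mail.example": "198.51.100.25",
}
SPF_RECORD = "v=spf1 mx ip4:203.0.113.0/24 include:spf.thirdparty-mail.example -all"

QUALIFIERS = "+-~?"


def parse_spf(record):
    """Split an SPF TXT record into networks, includes, other mechanisms and the 'all' qualifier."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"ip4": [], "ip6": [], "includes": [], "mechanisms": [],
              "modifiers": {}, "all": None}
    for token in tokens[1:]:
        # Modifiers (redirect=, exp=) use '=', mechanisms use ':' or nothing.
        if "=" in token.split(":", 1)[0]:
            name, value = token.split("=", 1)
            parsed["modifiers"][name.lower()] = value
            continue
        qualifier = "+"  # the default qualifier is pass
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, value = token.partition(":")
        name = name.lower()
        if name == "all":
            parsed["all"] = qualifier
        elif name == "ip4":
            parsed["ip4"].append(ipaddress.ip_network(value, strict=False))
        elif name == "ip6":
            parsed["ip6"].append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            parsed["includes"].append(value)  # a third party allowed to send as this domain
        else:
            parsed["mechanisms"].append((qualifier, name, value))  # a, mx, ptr, exists
    return parsed


def spf_allows_spoofing(parsed):
    """True when unknown senders never fail: +all, ?all, or no 'all' and no redirect."""
    if parsed["all"] is None:
        return "redirect" not in parsed["modifiers"]
    return parsed["all"] in ("+", "?")


def classify_hosts(host_addresses, allocated):
    """Label each host 'in-scope' if its address is in an allocated range, else 'third-party'."""
    nets = [ipaddress.ip_network(n) for n in allocated]
    labels = {}
    for host, ip in host_addresses.items():
        addr = ipaddress.ip_address(ip)
        labels[host] = "in-scope" if any(addr in n for n in nets) else "third-party"
    return labels


def scan_targets(host_addresses, allocated):
    """Addresses worth putting into nmap: only the ones the company actually operates."""
    labels = classify_hosts(host_addresses, allocated)
    return sorted({ip for host, ip in host_addresses.items() if labels[host] == "in-scope"})


if __name__ == "__main__":
    spf = parse_spf(SPF_RECORD)
    print("Networks the SPF record authorizes:", [str(n) for n in spf["ip4"] + spf["ip6"]])
    print("Third parties allowed to send as the domain:", spf["includes"])
    print("SPF allows spoofing:", spf_allows_spoofing(spf))
    for host, label in classify_hosts(MX_RECORDS, ALLOCATED).items():
        print(f"  {host} ({MX_RECORDS[host]}): {label}")
    print("Scan targets:", scan_targets(MX_RECORDS, ALLOCATED))
```

The `include:` names are worth keeping even though they are out of scope for scanning: each one is a third party that can send mail as the target domain, which answers "what do they do for mail" and tells you which provider's phishing-resistance you are really up against. A `~all` (softfail) record is reported as not spoofable here, but many receivers still deliver softfailed mail, so treat it as weaker than `-all`.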
Thanks man