This is the final post in our blog series on reconnaissance for penetration testing and bug bounty hunting. In this post, we look at some more creative ways to do active and passive reconnaissance to ensure complete coverage of your target's assets.
Subsidiary and Acquisition Enumeration
Subsidiary and acquisition enumeration, also known as corporate structure enumeration, is the process of identifying and analyzing the subsidiaries and acquisitions of a target organization. This can be useful for various purposes, such as identifying potential targets for an attack, gathering information about the business relationships and operations of the target organization, or understanding the organization's structure and complexity.
Subsidiary and acquisition enumeration may involve several different activities, such as identifying and analyzing publicly available information about the subsidiaries and acquisitions of the target organization, using tools and techniques to gather additional information about the subsidiaries and acquisitions, and exploring the information collected to understand the structure and relationships of the target organization. Several tools and techniques can be used for subsidiary and acquisition enumeration, including web scraping tools, search engines, and public databases.
GitHub Reconnaissance
GitHub reconnaissance refers to gathering information about a target organization or individual by analyzing their activity on the GitHub platform. GitHub can be a valuable source of information for various purposes, such as identifying potential targets for an attack, gathering information about the technologies and tools used by the target organization, or understanding its development processes and practices.
GitHub reconnaissance involves various activities, such as searching for repositories associated with the target organization or individual, analyzing the contents of these repositories, and reviewing commit logs and other activity data to understand the development history of the repositories. It is important to note that organizations may leave sensitive API keys, such as AWS secret keys, in a repository, which is a security risk if those keys are exposed.
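As an added example (not code from the original post or from ProjectDiscovery), the following Python scanner shows the kind of check a defender runs over their own repositories before pushing, to catch committed keys like the ones described above. The file contents and every key-shaped value are constructed for the example, and the rule set (two provider-prefix patterns plus a Shannon-entropy heuristic) is an assumption, not a complete list.

```python
import math
import re

# Constructed file contents standing in for a checked-out repository. Every
# key-shaped value below is made up for this example and is not a real credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY123456'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
    "deploy.sh": "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
}

# Provider-specific prefixes with fixed-length bodies rarely produce false positives.
SPECIFIC_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Secrets without a recognisable prefix (e.g. an AWS secret access key) are caught
# by looking for long, character-diverse tokens instead.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9/+=]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix so a report can be shared without re-exposing the value."""
    return token[:4] + "..." + f"({len(token)} chars)"


def scan_files(files: dict) -> list:
    """Return (path, line_no, rule, redacted_token) for every suspected secret."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            hit = False
            for rule, pattern in SPECIFIC_RULES.items():
                for m in pattern.finditer(line):
                    findings.append((path, line_no, rule, redact(m.group())))
                    hit = True
            if hit:
                continue  # a line already matched by a specific rule is not re-reported
            for m in CANDIDATE_TOKEN.finditer(line):
                if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                    findings.append((path, line_no, "high_entropy_string", redact(m.group())))
    return findings
```

Running scan_files(SAMPLE_FILES) reports the access key ID and GitHub token by prefix and the secret access key by entropy, while the README line produces nothing.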
Google Dorking
Google Dorking uses advanced search operators and other techniques to find specific types of information on the internet using Google and other search engines. It involves using specific search terms and operators to search for particular types of information, such as file types, websites or domains, or specific types of content.
There are many different types of search operators and techniques that can be used for Google Dorking, and these techniques can be combined in various ways to create complex search queries that can yield a wide range of information.
- Searching for specific file types: You can use the filetype: operator to search for particular file types, such as PDFs, Excel spreadsheets, or Word documents. For example, a search for "filetype:pdf site:example.com" would return all PDF files hosted on the website "example.com."
- Searching for specific websites or domains: You can use the site: operator to restrict results to a specific website or domain. For example, a search for "site:example.com" would return all pages from "example.com."
Internet Search Engine Discovery
Internet search engine discovery is the process of using search engines and other online resources to discover information about a particular target or set of targets.
Shodan and Censys are search engines that let users search for specific subdomains and for Internet-connected devices, servers, routers, and network applications. They are helpful because they let users find particular types of services and gather information about them, such as their IP addresses, open ports, and other details.
In this blog, we looked over various concepts, tools, and techniques involved in performing active and passive reconnaissance. We also discussed active vs. passive reconnaissance to help you choose your reconnaissance methods better. This is a big topic in itself, and there are endless possibilities for what you can try in order to find more information about your target. We have outlined some good resources below.
Author: Harsh Bothra, @harshbothra_
ProjectDiscovery Reconnaissance Series
Reconnaissance is an essential part of penetration testing and bug bounty hunting, as it is the process of gathering information about a target to identify potential attack vectors and vulnerabilities. This blog series provides an overview of the various reconnaissance techniques available, as well as advice on how to effectively utilize them to maximize the chances of success.
- Reconnaissance 101: A Deep Dive in Active & Passive Reconnaissance
- Reconnaissance 102: Subdomain Enumeration
- Reconnaissance 103: Host and Port Discovery
- Reconnaissance 104: Expanded Scanning
- Reconnaissance 105: Additional Types of Active Reconnaissance
Additional Resources & Further Reads