Reconnaissance 105: Additional Types of Active Reconnaissance

Welcome to a 5 part series on Recon with ProjectDiscovery! * Part 1 * Part 2 * Part 3 * Part 4 * Part 5 *

This is the final post in our blog series on reconnaissance for penetration testing and bug bounty hunting. In this post, we look at some more creative ways to do active and passive reconnaissance to ensure completely coverage of your target's assets.

Subsidiary and Acquisition Enumeration

Subsidiary and acquisition enumeration, also known as corporate structure enumeration, is the process of identifying and analyzing the subsidiaries and acquisitions of a target organization. This can be useful for various purposes, such as identifying potential targets for an attack, gathering information about the business relationships and operations of the target organization, or understanding the structure and complexity.

Subsidiary and acquisition enumeration may involve several different activities, such as identifying and analyzing publicly available information about the subsidiaries and acquisitions of the target organization, using tools and techniques to gather additional information about the subsidiaries and acquisitions, and exploring the information collected to understand the structure and relationships of the target organization. Several tools and techniques can be used for subsidiary and acquisition enumeration, including web scraping tools, search engines, and public databases.

Hard-Coded Information in JavaScript

Hard-coded information in JavaScript refers to data stored directly in a JavaScript file, rather than stored in a separate configuration file or retrieved from a database or other external source. This information may include database connection strings, API keys, passwords, or other sensitive data.

Hard-coded information in JavaScript can be a security risk because it is often stored in plaintext, meaning anyone accessing the JavaScript file or script can easily see and potentially misuse the information. In addition, hard-coded information can be challenging to update or manage, as any changes that need to be made must be made directly in the JavaScript file or script.

It is generally considered best practice to avoid hard-coding sensitive information in JavaScript and store it in a separate configuration file or retrieve it from an external source.

GitHub Reconnaissance

GitHub reconnaissance refers to gathering information about a target organization or individual by analyzing their activity on the GitHub platform. GitHub can be a valuable source of information for various purposes, such as identifying potential targets for an attack, gathering information about the technologies and tools used by the target organization, or understanding the development processes and practices.

GitHub reconnaissance involves various activities, such as searching for repositories associated with the target organization or individual, analyzing the contents of these repositories, and reviewing commit logs and other activity data to understand the development history of the repositories. It is important to note that organizations may leave their sensitive API keys, such as AWS secret keys, in a repository, which can be a security risk if these keys are exposed.

Google Dorking

Google Dorking uses advanced search operators and other techniques to find specific types of information on the internet using Google and other search engines. It involves using specific search terms and operators to search for particular types of information, such as file types, websites or domains, or specific types of content.

There are many different types of search operators and techniques that can be used for Google Dorking, and these techniques can be combined in various ways to create complex search queries that can yield a wide range of information.

Examples

Searching for specific file types: You can use the filetype: operator to search for particular files, such as PDFs, Excel spreadsheets, or Word documents. For example, a search for filetype:pdf site:example.com would return all PDF files that are hosted on the website "example.com."
Searching for specific websites or domains: You can use the site: operator to search for specific websites or domains. For example, a search for site:example.com would return all pages from "example.com."

Internet Search Engine Discovery

Internet search engine discovery is the process of using search engines and other online resources to discover information about a particular target or set of targets.

Shodan and Censys are search engines allowing users to search for specific subdomains and Internet-connected devices, servers, routers, and network applications. It is helpful as it will enable users to find particular types of services and gather information about them, such as their IP addresses, open ports, and other details.

In this blog, we looked over various concepts, tools, and techniques involved in performing active and passive reconnaissance. We also discussed active vs passive reconnaissance to help you choose your reconnaissance methods better. This is a big topic itself, and there are endless possibilities of what you can try to find more information about your target. We have outlined some good resources below.

Author: Harsh Bothra, @harshbothra_

ProjectDiscovery Reconnaissance Series

Reconnaissance is an essential part of penetration testing and bug bounty hunting, as it is the process of gathering information about a target to identify potential attack vectors and vulnerabilities. This blog series provides an overview of the various reconnaissance techniques available, as well as advice on how to effectively utilize them to maximize the chances of success.