Recon
Aquatone is a very neat tool that I love to use during external penetration tests. It is easy to install and use; it requires Google Chrome or Chromium. As stated in the official GitHub repo:
Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
Check both HTTP and HTTPS
Use Chromium instead of Chrome
Note: Aquatone is not maintained anymore.
gowitness is a very nice tool for taking screenshots of web applications and generating a report. Unlike Aquatone, gowitness supports CIDR notation, which is very useful: we can specify a range of IP addresses and the tool will probe each host and take a screenshot if a website is found on ports 80, 443, 8080 or 8443 (the defaults). By default, screenshots are written to the screenshots directory.
A Docker image exists for this tool.
Language: Go
Information in document metadata
FOCA is a great tool for finding information in the metadata of a variety of document types. For example, we might look for the internal AD username pattern, or the type and version of the software in use. Knowing the username pattern lets us craft a list of potential usernames from names collected from other publicly available sources.
The biggest downside of FOCA is that it requires a specific version of Microsoft SQL Server installed on your computer in order to work. A version of MSSQL can be installed quickly using this link.
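The metadata-to-username workflow above, as an added example (not part of this page and not FOCA's own code): it reads creator / last-modified-by / application fields from OOXML documents, tallies the naming convention and domains seen, and applies the winning convention to names gathered elsewhere. It assumes Office stores those fields in docProps/core.xml and docProps/app.xml inside the zip container; the sample documents, names and domains are constructed for the demo.

```python
"""Added example, not from the page or FOCA: infer an internal username
convention from OOXML document metadata. Sample documents are constructed
in memory (minimal zips holding only the docProps parts) so it runs offline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
FIELDS = {  # zip part -> (element to read, key to store it under)
    "docProps/core.xml": (("dc:creator", "creator"), ("cp:lastModifiedBy", "lastModifiedBy")),
    "docProps/app.xml": (("ep:Application", "application"), ("ep:AppVersion", "appVersion")),
}

def make_doc(creator, modified_by, app, version):
    """Constructed sample: a minimal OOXML zip carrying only the metadata parts."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy></cp:coreProperties>")
    appx = (f'<Properties xmlns="{NS["ep"]}"><Application>{app}</Application>'
            f"<AppVersion>{version}</AppVersion></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appx)
    return buf.getvalue()

def extract_metadata(blob):
    """Return the creator / lastModifiedBy / application / appVersion strings present."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        present = set(z.namelist())
        for part, tags in FIELDS.items():
            if part not in present:       # some generators omit app.xml entirely
                continue
            root = ET.fromstring(z.read(part))
            for tag, key in tags:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    meta[key] = el.text.strip()
    return meta

def split_realm(name):
    """Strip DOMAIN\\ or @realm decoration: returns (bare name, domain or None)."""
    if m := re.fullmatch(r"([A-Za-z0-9.-]+)\\(.+)", name):
        return m.group(2), m.group(1)
    if m := re.fullmatch(r"(.+)@([A-Za-z0-9.-]+)", name):
        return m.group(1), m.group(2)
    return name, None

def convention(user):
    """Classify a bare account name into a naming convention."""
    if re.fullmatch(r"[a-z]+\.[a-z]+", user):
        return "first.last"
    if re.fullmatch(r"[A-Z][a-z]+ [A-Z][a-z]+", user):
        return "display name"             # a person's name, not an account
    if re.fullmatch(r"[a-z]{2,}", user):
        return "flast/firstlast"          # cannot tell the two apart from one sample
    return "unknown"

def summarize(blobs):
    """Tally naming conventions, domains and producing software across documents."""
    conventions, software, domains, users = Counter(), Counter(), set(), set()
    for blob in blobs:
        meta = extract_metadata(blob)
        for key in ("creator", "lastModifiedBy"):
            if key in meta:
                user, domain = split_realm(meta[key])
                conventions[convention(user)] += 1
                users.add(user)
                if domain:
                    domains.add(domain)
        if "application" in meta:
            software[f"{meta['application']} {meta.get('appVersion', '')}".strip()] += 1
    return {"conventions": conventions, "software": software, "domains": domains, "users": users}

def candidates(full_names, conv):
    """Apply the observed convention to names gathered elsewhere (LinkedIn, press releases)."""
    forms = {"first.last": "{f}.{l}", "flast": "{f0}{l}", "firstlast": "{f}{l}"}
    if conv not in forms:
        raise ValueError(f"no generator for convention {conv!r}")
    out = []
    for full in full_names:
        parts = full.lower().split()
        out.append(forms[conv].format(f=parts[0], l=parts[-1], f0=parts[0][0]))
    return out

# Constructed sample set, not real leaked documents.
SAMPLE_DOCS = [
    make_doc("john.doe", "CORP\\jane.smith", "Microsoft Office Word", "16.0000"),
    make_doc("Alice Brown", "alice.brown@corp.example", "Microsoft Office Word", "16.0000"),
    make_doc("bob.lee", "bob.lee", "LibreOffice/7.3.7.2", ""),
]
```

Usage: `summarize(SAMPLE_DOCS)["conventions"].most_common(1)[0][0]` gives the dominant convention (first.last here), and `candidates(["Carl Jones"], "first.last")` turns a name from an external source into `carl.jones`. Display names are counted separately because they are not accounts; a hit like `CORP\jane.smith` also leaks the NetBIOS domain, which is why domains are collected alongside users.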
gau
From the GitHub repo:
getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's waybackurls.
Shodan
Shodan is a very powerful search engine for finding externally exposed assets. It is worth paying for the $5 membership.
We can search by subnet with the net: filter, for example net:10.10.10.0/20.
Here are some example Shodan queries.
Source: APISec University
Using a list of IP addresses with Shodan
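The two Shodan points above (searching by subnet with net: and feeding Shodan a list of addresses) as an added example, not from the page or from Shodan's own tooling. It turns a target file of IPs and CIDRs into net: queries: single IPs become /32s, adjacent or overlapping ranges are merged, and malformed entries such as 10.10.10./20 are reported instead of silently yielding an empty query. The target list, the per_query and extra parameters and the run_queries helper are my own; run_queries needs the official shodan Python package and an API key and is not exercised offline.

```python
"""Added example, not from the page or Shodan: build net: queries from a
target list. The target list below is constructed for the demo."""
import ipaddress

# Constructed sample input: one entry per line, '#' comments allowed.
SAMPLE_TARGETS = """\
# external ranges from the client's ASN
10.10.10.0/24
10.10.11.0/24
10.10.10.5
203.0.113.7
10.10.10./20
2001:db8::/48
"""

def parse_targets(text):
    """Return (sorted collapsed networks, list of rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set (10.10.10.5/24); a bare IP
            # becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    # collapse_addresses merges adjacent/overlapping ranges but only within one
    # IP version, so v4 and v6 are collapsed separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6), rejected

def build_queries(nets, per_query=20, extra=""):
    """Group networks into net: filters. Shodan filters take comma-separated
    values, so one query covers several ranges; per_query bounds its length.
    `extra` appends further filters, e.g. 'port:443'."""
    queries = []
    for i in range(0, len(nets), per_query):
        chunk = ",".join(str(n) for n in nets[i:i + per_query])
        queries.append(f"net:{chunk} {extra}".strip())
    return queries

def run_queries(api_key, queries):
    """Run the queries with the `shodan` library (pip install shodan); not run offline.
    Returns {ip: {open ports}} across all result pages."""
    import shodan
    api = shodan.Shodan(api_key)
    hits = {}
    for q in queries:
        for match in api.search_cursor(q):   # iterates through every page
            hits.setdefault(match["ip_str"], set()).add(match["port"])
    return hits

if __name__ == "__main__":
    nets, bad = parse_targets(SAMPLE_TARGETS)
    for line in bad:
        print("rejected:", line)
    for q in build_queries(nets, extra="port:443"):
        print(q)
```

Merging ranges first matters: `10.10.10.0/24` plus `10.10.11.0/24` becomes one `net:10.10.10.0/23` term, and a single host inside a listed range is dropped rather than queried twice, which keeps query credits and result de-duplication under control. The `10.10.10./20` line is exactly the kind of typo that would otherwise return nothing without an error.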
TruffleHog
Tool to find leaked secrets in public GitHub repos.
AssetNotes Wordlist
Masscan