Penetration Testing – Reconnaissance and Information Gathering

In penetration testing, the first thing to do is always reconnaissance: gather information about your target. Subdomains, directories, the firewall, the web server and the PHP version are just a few of the many crucial pieces of information you will need.

1. Finding subdomains or relating links

There are multiple methods to go about this, and all should be employed when doing reconnaissance.

Subdomain Enumeration
Sometimes a website has data on a subdomain that can be exploited too.

If your target is on the public web, you can use dnsdumpster.
If your target is within an intranet, you will have to download tools such as subbrute, which is written in Python. If you need a lightweight version, you can take a look at a Python script I made here.
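The wordlist approach that subbrute and similar scripts use, as an added example that is not the post's own script: each candidate label is resolved under the target domain, and a random label is resolved first to detect wildcard DNS, which would otherwise make every candidate appear to exist. The wordlist, the `example.test` zone and the two fake resolvers are constructed so the block runs offline; pass `system_resolve` to query real DNS.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# Constructed wordlist; real tools such as subbrute ship lists of thousands of names.
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "api"]

Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve a hostname with the system resolver; None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label that should not exist.

    If it resolves, the zone has a wildcard record and every candidate would
    "exist"; the address returned here is then filtered out of the results.
    """
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    return resolve(f"{label}.{domain}")


def enumerate_subdomains(domain: str, words: List[str],
                         resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Return {hostname: address} for wordlist entries that really resolve."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        host = f"{word}.{domain}"
        addr = resolve(host)
        if addr is None:
            continue
        if wildcard is not None and addr == wildcard:
            # Same answer as a random name: wildcard noise, not a real record.
            continue
        found[host] = addr
    return found


# Constructed zone so the example runs offline (example.test is a reserved TLD).
FAKE_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.20",
    "dev.example.test": "192.0.2.30",
}


def fake_resolve(name: str) -> Optional[str]:
    """Resolver for the constructed zone, with no wildcard record."""
    return FAKE_ZONE.get(name)


def fake_resolve_wildcard(name: str) -> Optional[str]:
    """Same zone, but any other name under example.test answers with a catch-all."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return "192.0.2.99"
    return None


if __name__ == "__main__":
    print(enumerate_subdomains("example.test", WORDLIST, fake_resolve))
    print(enumerate_subdomains("example.test", WORDLIST, fake_resolve_wildcard))
```

Both runs return the same three hosts: with the wildcard resolver, `staging`, `vpn` and `api` all answer `192.0.2.99`, which is exactly what the random label returned, so they are dropped rather than reported as findings.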

Google Crawling
Sometimes a website is publicly indexed by search engines, and you will be surprised at how well Google crawls these websites.

2. Finding firewall information
On Linux and Windows, you can use wafw00f to detect the type of firewall in front of a web server, or whether there is one at all. There is also an Nmap script, http-waf-detect, that does this.

3. Finding website information
To find information about the website such as the CMS, PHP version, plugins and so on, you can use Wappalyzer, which has both an online version and a browser plugin, and WhatWeb, which also has offline and online versions.
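What tools like wafw00f, WhatWeb and Wappalyzer do at their simplest is match HTTP response headers against a signature table. The following added example (not the page's or any of those tools' code) does that for sections 2 and 3 together: it reads the `Server`, `X-Powered-By` and `Set-Cookie` headers for server and PHP information, matches a small constructed WAF signature table, and reports which headers disclose a version string, which is the check to run against your own servers to see what they give away. The sample header sets are constructed; `fetch_headers` is an unexercised helper for pulling real headers with a HEAD request.

```python
import re
import urllib.request
from typing import Dict, List, Mapping, Optional

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
PHP_RE = re.compile(r"PHP/(\d+\.\d+(?:\.\d+)?)", re.IGNORECASE)

# Constructed signature table: (header name, substring that must appear in its value).
# An empty substring means the mere presence of the header is the signature.
# Real tools ship far larger databases covering many more products.
WAF_SIGNATURES = {
    "Cloudflare": [("server", "cloudflare"), ("cf-ray", "")],
    "Sucuri": [("server", "sucuri"), ("x-sucuri-id", "")],
}

# Constructed sample: a plain Apache/PHP host that discloses versions.
SAMPLE_PLAIN = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same request answered through a WAF; the CF-RAY value is a placeholder.
SAMPLE_BEHIND_WAF = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",
    "Content-Type": "text/html; charset=UTF-8",
}


def normalize(headers: Mapping[str, str]) -> Dict[str, str]:
    """Lower-case header names so matching is case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def detect_waf(headers: Mapping[str, str]) -> Optional[str]:
    """Return the first WAF whose signature matches, or None."""
    h = normalize(headers)
    for waf, rules in WAF_SIGNATURES.items():
        for name, needle in rules:
            if name in h and needle in h[name].lower():
                return waf
    return None


def fingerprint(headers: Mapping[str, str]) -> Dict[str, Optional[str]]:
    """Summarise server software, PHP version and WAF from response headers."""
    h = normalize(headers)
    php: Optional[str] = None
    match = PHP_RE.search(h.get("x-powered-by", ""))
    if match:
        php = match.group(1)
    elif "phpsessid=" in h.get("set-cookie", "").lower():
        # Default PHP session cookie name: PHP is present, version not disclosed.
        php = "present (version not disclosed)"
    return {"server": h.get("server"), "php_version": php, "waf": detect_waf(headers)}


def version_leaks(headers: Mapping[str, str]) -> List[str]:
    """Names of headers carrying a version number; empty means nothing is disclosed."""
    h = normalize(headers)
    return [name for name in ("server", "x-powered-by")
            if name in h and VERSION_RE.search(h[name])]


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch live response headers with a HEAD request (not exercised offline)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_BEHIND_WAF):
        print(fingerprint(sample), "leaks:", version_leaks(sample))
```

Against the plain sample both `Server` and `X-Powered-By` are reported as version leaks; the usual fix on Apache is `ServerTokens Prod` and `expose_php = Off` in php.ini. Behind the WAF the origin's headers are replaced, which is why these tools can only see the edge and why wafw00f exists as a separate step.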

This information is crucial, as it tells you possible attack points and potential flaws and vulnerabilities in the target system. With it, you are now better prepared to head into the actual penetration testing.