Automation of the reconnaissance phase during Web Application Penetration Testing II

This article is a continuation of the previous one, available at this link.
After the first phase of reconnaissance, subdomain enumeration, you should have a lot of information about the company you are testing.
The next step is to select one subdomain and perform a detailed reconnaissance strictly on it. In this article you will learn about path and query enumeration tools, how to use them, and how to automate the entire process. The research described is based on the OWASP methodology and on the methodology in the book “HackTricks” by Carlos Polop.
Generally speaking, if the penetration test coverage is limited to one subdomain, we are interested in the following resources:
- Protocols (scheme)
- Host (IP && ports)
- Paths (directories && files)
- Queries (parameters names && values)

Before starting work, launch a new project in Burp Suite and turn off interception, as shown in the screenshot below:
Then prepare the directories to which the reconnaissance results will be saved (most of the results from the tools used will be collected in the “recon.txt” file). Resolve the IP addresses of the targeted domain and set the variables on which we will operate. Set your target domain in the first line in place of the “$domain” variable, as shown below.
Tools used:
- dig
The tester’s first task is to check for open ports on the resolved IP addresses of the targeted subdomain. Then perform OS detection, version detection, script scanning, and traceroute, restricting the scan to open ports only.
Save the results both in nmap’s normal text format and in its grepable format: the grepable file is what other tools, such as BruteSpray, consume.
Tools used:
- nmap
The screenshot below shows how you can automate this process using bash:
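Since the screenshot itself is not reproduced here, the following bash script is an added example (not the article's own code) of the procedure the text describes: it creates the result directories, resolves the target with dig, runs the nmap scan with OS, version and script detection plus traceroute on open ports only, saves normal and grepable output, and then parses the grepable file back into a list of open ports for the tools that follow. The directory layout, the `run_recon` and helper function names, and the sample nmap line used to exercise the parser offline are all constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Directory names, function
# names and the sample scan output below are constructed assumptions.
set -u

# Create the result layout for one subdomain and print its base directory.
# $1 = domain, $2 = parent directory (defaults to ./recon).
setup_recon_dirs() {
    domain="$1"
    base="${2:-recon}/${domain}"
    mkdir -p "${base}/nmap" "${base}/paths" "${base}/queries"
    : > "${base}/recon.txt"          # most tool results are collected here
    printf '%s\n' "${base}"
}

# Resolve the domain's A records with dig; prints one IPv4 address per line.
resolve_ips() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Parse nmap grepable (-oG) output on stdin and print "ip port/proto service"
# for every port reported open. Each entry in the Ports field has the form
# port/state/proto/owner/service/rpcinfo/version, entries separated by ", ".
open_ports_from_grepable() {
    awk '
    /^Host:/ && /Ports:/ {
        ip = $2
        sub(/.*Ports: /, "")
        sub(/[ \t]*Ignored State:.*/, "")
        n = split($0, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
    }'
}

# Constructed sample of what nmap -oG writes, so the parser can be tried offline.
sample_grepable() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf '# Nmap done (constructed sample)\n'
}

# Full procedure for one domain: directories, resolution, scan, open-port list.
# nmap -O (OS detection) and --traceroute need raw sockets, so run this as root.
run_recon() {
    domain="$1"
    base="$(setup_recon_dirs "${domain}")"
    resolve_ips "${domain}" > "${base}/ips.txt"
    printf '[dig] %s resolves to:\n' "${domain}" >> "${base}/recon.txt"
    cat "${base}/ips.txt" >> "${base}/recon.txt"
    # -sV version, -O OS, -sC default scripts, --open report open ports only;
    # -oN normal text output, -oG grepable output for tools like BruteSpray.
    nmap -sV -O -sC --traceroute --open \
         -oN "${base}/nmap/scan.txt" -oG "${base}/nmap/scan.gnmap" \
         -iL "${base}/ips.txt"
    open_ports_from_grepable < "${base}/nmap/scan.gnmap" > "${base}/nmap/open_ports.txt"
    cat "${base}/nmap/open_ports.txt" >> "${base}/recon.txt"
}

# Usage: sudo ./recon.sh target.example.com
if [ "$#" -gt 0 ]; then
    run_recon "$1"
fi
```

The parser is the part worth keeping even if the scan command changes: it turns the `Ports:` field of the `.gnmap` file into one `ip port/proto service` line per open port, which is exactly the shape later enumeration and brute-force tools expect, and it ignores closed or filtered entries so nothing downstream is pointed at ports that were never open.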