Cool Recon techniques every hacker misses! Episode 3🔥🔥

TheBountyBox
Published in InfoSec Write-ups
Nov 8, 2022

Welcome to the third Episode of Cool Recon Techniques. We are back with some more cool recon techniques which we think hackers out there usually miss out on! If you haven’t read the first Episode, here’s the link! And here is the link to the second Episode.

And Here we Go!!

Technique 15: Enumerate GitHub Repositories for a particular username

While doing GitHub recon, it is often hard to pin down an organization’s exact account name and enumerate all of its repositories, which is where sensitive data tends to leak. enumerepo lists every repository belonging to a valid GitHub account. All you have to do is supply the account names and see the magic!

Command: enumerepo -token-string GITHUB_TOKEN -usernames accounts.txt -o <OUTPUT_FILE>
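As an added example (not enumerepo’s code and not from the original post), here is the same enumeration done directly against the GitHub REST API in Python: it walks every page of /users/{user}/repos with a token, skips account names that do not exist, and follows the accounts.txt / GITHUB_TOKEN convention of the command above. The function names and the output format are this example’s own choices.

```python
"""Added example: list the public repositories of each GitHub account in accounts.txt
via the GitHub REST API. Function names here are this example's own, not enumerepo's."""
import json
import os
import re
import urllib.error
import urllib.request

API = "https://api.github.com"


def parse_next_link(link_header):
    """Return the URL tagged rel="next" in a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def repo_names(page):
    """Reduce one page of /users/{u}/repos JSON to (full_name, fork-or-source) pairs."""
    return [(r["full_name"], "fork" if r.get("fork") else "source") for r in page]


def fetch_all_repos(username, token, opener=urllib.request.urlopen):
    """Walk every page of an account's repositories; return [] when the account does not exist.
    `token` is a personal access token (raises the rate limit from 60/h to 5000/h)."""
    url = f"{API}/users/{username}/repos?per_page=100&type=all"
    found = []
    while url:
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "User-Agent": "repo-enum-example",
        })
        try:
            with opener(req) as resp:
                found.extend(repo_names(json.load(resp)))
                url = parse_next_link(resp.headers.get("Link"))
        except urllib.error.HTTPError as e:
            if e.code == 404:  # unknown account: skip it, the way enumerepo validates names
                return []
            raise
    return found


if __name__ == "__main__":
    tok = os.environ["GITHUB_TOKEN"]  # never hard-code the token in the script
    for user in (line.strip() for line in open("accounts.txt") if line.strip()):
        for name, kind in fetch_all_repos(user, tok):
            print(f"{user}\t{name}\t{kind}")
```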

Technique 16: Say a big Hi to Katana

Woah! Woah! Project Discovery’s new tool is here! Say bye to juggling different tools such as waybackurls, gau and subjs, and hi to Katana.

Katana is an advanced web crawler that crawls all the endpoints of a target. It comes with a range of filters and options such as JavaScript parsing/crawling, field scopes, crawl scopes, crawling for known files and automatic form filling. It also provides various display options to filter the output. And not just this: you can in fact store field values, which can later be useful for building wordlists.

The table below describes all features and commands of katana.

Katana to nuclei — One Liner

cat subdomains.txt | httpx -silent >> alive.txt && cat alive.txt | katana -silent >> endpoints.txt && cat endpoints.txt | nuclei -t <YOUR_TEMPLATES>

Technique 17: Query DNS to get IPs and Subdomains using RapidDNS

Expand your view of the attack surface by querying DNS for IP addresses and subdomains using RapidDNS. RapidDNS is a DNS query tool with more than 3 billion records, with more being added daily.

Technique 18: Large Scope Application Recon Issues?

Ever found a large-scope target with huge numbers of assets in scope and not known how to gather all the information? No worries, 3klCon comes to the rescue. 3klCon is an automated recon tool built for large and medium scopes. It performs more than 20 tasks and returns all the results in separate files.

Technique 19: S3 Bucket Weakness Discovery

Wanna find the S3 buckets behind a domain and discover weaknesses in them? Then say hi to Festin, a tool which finds S3 buckets using various techniques such as crawling, DNS crawling, S3 response analysis, etc. The best part: you do not need any AWS credentials. It can also download bucket objects.

Technique 20: WordPress Recon

Ever come across a WordPress website and not known how to start the recon? No worries! WPRecon is here for you. WPRecon is a tool for black-box information gathering and vulnerability recognition on WordPress sites.

Simply enter your domain name on https://wprecon.com/ and get all the gathered information.

We hope these recon techniques help you add to and update your methodology. Do share your recon methodology in the comments section.

Happy Hunting!


Welcome to TheBountyBox by Vaibhav Lakhani - Your Gateway to Ethical Hacking and Pentesting! Join us as we explore the fascinating world of cybersecurity