Hunting Our Target’s Assets⚡⚡:- HORIZONTAL RECON.
Good Entry!!!. We are in this blog for know about Horizontal Recon In The Web Penetrating Testing.
I hope you’re already familiar with Information Gathering/Recon.If not, you can know about it from Referring my blogs below…!!!
Well.That’s all.. In the before two blogs we can know about Recon in theory, but from this blog we will dive on practically and start our bug bounty Journey..!!!
The RECONISM Was divided in two Parts.In this blog we can see the First Part(HORIZONTAL RECON). On the next blog we will see the second part(VERTICAL RECON)
PART I:HORIZONTAL RECON:-
Horizontal Recon is all about finding the all Related Assets in our Target.Assets means not only the Domains , also the other integrated companies and Theirs Domains.
Topics:
1.Domains Enumeration:
2. IP Addresses(Internet Protocol) Enumeration:
3. CIDR Range(Classless Inter-Domain Routing) Enumeration:
4. ASN Numbers(Autonomous System Numbers) Enumeration:
5.Reverse Whois Enumeration:
6.Reverse DNS Enumeration:->Reverse IP, Reverse NS, Reverse MX
INTRODUCTION STAGE::
In this stage i will give Introduction to basics of all the Topics and Techniques.If you know The basics Then you stop Swim into the “INTRODUCTION STAGE” and start dive into the “ENUMERATION STAGE”
1.Domains:
Domains are unique understandable and string identifiers ,assigned to the IP addresses .They are used to access the content from the hosted computer to across word. The Domains mechanism was Client-Server Based.Simply, An Client Computer Request the Resource and the Server Computer would Return the Resource to the Client.
Form of the domains is: https://www.somedomainname.com/
2.IP (Internet Protocol) Address:
Protocols are set of rules to communication between computers.Internet Protocol(IP) was used for access the Resource from one Computer(server) to All computers(around the world). Every computer has an unique IP address number ,which is like humans names.The names are used to identify the peoples, Like that the IP address numbers are used to identify the computers.
Form Of the IP address Is: 0.0.0.0 →1.1.1.1 , 8.8.8.8
DNS(DOMAIN NAME SYSTEM) SERVERS:
DNS Servers Are used for allocate the IP to Names(Like Contacts , Numbers to Person Name). For example: “0.0.0.0” was assigned to the “somedomain.com”. The Assigned “IP to Domain Name” Information are called DNS’s “A” Record. The DNS contains not only “A” Record(IP to domain) also the Mail Records “MX(Mail to Email Server)”, Name server Records “NS(The Server That holds DNS Records)” and so many Records. The DNS Records Are Available In Public because of Routing the Clients to the specific domains based on the assigned Server Address.
3. CIDR Range(Classless Inter-Domain Routing):
CIDR Number is An Representation to collection of Of IP’s. We can easily Identify the Bunch of IP’s by referring it CIDR Range.
Form Of The CIDR : 1.1.1.1/24 — -> 1.1.1.0–1.1.1.255
4. ASN Numbers(Autonomous System Numbers):
ASN are used to represent the Group of CIDR’s . Autonomous System Number are identifiers of Network.The ASN also Contains Itself another ASNs.
Form Of the ASN : ASN1569 → 8.8.4.0/24 ,8.8.8.0/24 ,8.34.208.0/21 ,8.34.216.0/21 ,8.35.192.0/21 , 8.35.200.0/21 , 23.236.48.0/20 , 23.251.128.0/19 ,34.0.0.0/20 , 34.0.32.0/20 , 34.0.48.0/20, etc…
5.Reverse WHOIS:
WHOIS PROTOCOL:
WHOIS Protocol: WHOIS Protocol is an database that contains information about every registered domain,IP ,CIDR and ASN on the Internet. WHOIS is an Query and Response Based Protocol. We can make query by the domain name, IP, CIDR or ASN,After that the Query returns the Response , that contains information about queried domain name, IP, CIDR or ASN.
Reverse Whois:
Reverse Whois is an Technique, That will look for the Other Domains which they are registered with our Queried Target’s Information.
For example Google company has an WHOIS record ,that the information are same in google companies others domains,Like Youtube, Drive and all their company’s domains.
6.Reverse DNS : — >Reverse IP, Reverse MX, Reverse NS.
The Reverse DNS Techniques are Same as the Reverse WHOIS Technique. We can Make reverse lookup on our target DNS Records for Finding the other domains that they are contains the Same Registered Records.
Reverse IP: Looking for the Another Domains that Assigned with our Target’s IP.
Reverse NS: Looking for the Another Domains that Assigned with our Target’s Name Server.
Reverse MX: Looking for the Another Domains that Assigned with our Target’s Mail Server.
ENUMERATION STAGE:
1.Domains Enumeration:
From Companies:
First of all we need to find our Target Domain.We can find our Target domain by the Company.For example, Facebook company has many domains but , Theirs main domain is facebook.com. This is one way we can find our target domains for Penetration Testing.However , like the Facebook , not all the company has bug bounty Policy .
From Bug Bounty Platforms:
For this reason Some companies are arise as the Bug Bounty platform.The “Bug Bounty platform” are Managers of Taking the Responsibility to allow bug bounty hunters to perform Penetration Testing and Report the Vulnerability. After Identified the Vulnerability, They will Resolve it and Reward to ours.
Example to the Bug Bounty Platforms are: Bugcrowd, Hackerone and Intigriti and so on…
2. IP Address(Internet Protocol) Enumeration:
As the Penetration Tester , we are not only conduct Testing on Domains. We need to also perform testing on IP address(means the domain’s server). Some Of the companies in bug bounty platform has given the IP,Not all the Companies disclosed their IP’s.
$nslookup
Name Server Lookup Will Return the IP of the Given domain by Query the DNS “A” record.
nslookup example.com
After run this Command we will get the IP address of example.com.Now we got the IP and Domain Name Of the Target.
Actually, “THE ART OF RECONISM: HORIZONTAL RECON FOR PENETRATION TESTING:” Is starting From Here…!!!
On The Above.., We Just Saw the Introduction and Basic Techniques of “HORIZONTAL RECON”. From now, Let’s we Start Advanced HORIZONTAL RECON Techniques.
3. CIDR Range(Classless Inter-Domain Routing) Enumeration:
Finding the CIDR Range from The IP Address:
asnmap -i 8.8.8.8 -silent
$asnmap -> https://github.com/projectdiscovery/asnmap
Install Asnmap:
NOTE: Installing From Go Command your tools will be installed on /go/bin/ by default.If don’t setup your /go/bin/ as the Value Of $PATH Environment variable , you need to run the tool by “ ~go/bin/tools_name ”.
go install github.com/projectdiscovery/asnmap/cmd/asnmap@latestSetup Asnmap:
ASNMap API that requires API Token from ProjectDiscovery .
You can Get your API Key By registering On https://cloud.projectdiscovery.io/ .
The API Key would configured -auth option as shown below.
asnmap -auth
#Paste Your ProjectDiscovery Cloud API,If its Successfull Then It will Prompt your usernameFinding The CIDR Range From the Domain Name:
asnmap -d example.com -silentFinding The CIDR Range From the Organization Name:
asnmap -org GOOGLE -silent4. ASN Numbers(Autonomous System Numbers) Enumeration:
$Amass :
Finding The ASN Number From the Organization Name:
amass intel -org 'GOOGLE'Install Amass:
go install -v github.com/owasp-amass/amass/v4/...@masterOkay.. In the first two Techniques (1.Domain Enumeration , 2. IP Enumeration) we Found the Target Domain and IP. We used the these Information to Gather more IP’s and Domains from ASN and CIDR.
Now , we Got CIDR Ranges and ASN Numbers of our Target. After we Confirmed that they are Scope in our Target Policy, We can convert the CIDR and ASN To IP an Domains.. Lets Go to the Past Steps and Enumerate The IP’s and Domains.
1)1. IP Address(Internet Protocol) Enumeration From ASN and CIDR:
Finding The IP Addresses From the ASN:
asnmap -a ASN0000Finding The IP Addresses From the CIDR:
cidr2ip → https://github.com/codeexpress/cidr2ip
cidr2ip 0.0.0.0/0Install Cidr2ip:
go install github.com/codeexpress/cidr2ip@latest1)2. Domains Enumeration From ASN and CIDR:
Finding The Domains from the CIDR:
$hakrevdns →https://github.com/hakluke/hakrevdns
prips 173.0.84.0/24 | hakrevdns -t 10Install:
sudo apt install prips
go install github.com/hakluke/hakrevdns@latestFinding The Domains from the ASN:
I looked for tools to done the job.But temporarily i cannot finding any tool.But There are websites available to done the job..
https://bgp.he.net/ → just enter the ASN as the input and you can explore all the information , Not only the Domains also the CIDR and ASN. The domains also allow you to input the Domain name, IP , CIDR and ASN.
NOTE:We need to find the IP’s from the ASN or CIDR, Based on our Company Scope Policy. Big companies are allow our to Pentest their ASN and CIDR . But , Small Domains did not allow to pentest because they are not big Company and they did hold ASN or CIDR. They just rendered some IP’s from the Providers.
Yeah …We found Out bunch of IPs and Domains .We Don’t Stop here ,Not all the domains are registered in One ASN. There’s a chances to Registered the domain from out of ASN. But, Registered with Same Registration Information.(ex. Name server,Email address and other Personal Information). For this Reason We will explore more assets from more other Techniques. There Are More Ways…!!!!
5.Reverse Whois Enumeration: → Conducting Reverse Information Search.
Web-Eyes: https://github.com/r4bin/web-eyes
python3 web-eyes.py
(web-eyes): RWHOIS test.comInstall And Setup:
#Requirements
pip3 install requests
pip3 install dnspython
#Installing
git clone https://github.com/r4bin/web-eyes.git
cd web-eyes6.Reverse DNS Enumeration:->Reverse IP,Reverse NS,Reverse MX:
i)Reverse IP Lookup: — ->Look for the Domains which they are Registered In Same IP Address.
$RevIPLookup → https://github.com/1uffyD9/revIPLookup
python3 revIPLookup -i 0.0.0.0 or 0.0.0.0/24
python3 revIPLookup -f IPListFile.txtInstall and Setup:
git clone 'https://github.com/1uffyD9/revIPLookup.git' && cd revIPLookup
pip3 install -r requirements.txtii)Reverse NS Lookup: →Look for the Domains which they are Registered In Same Name Server.
Tools are not available at the Time.But the domains are available to do Reverse NS Lookup.
https://reverse-ns.whoisxmlapi.com/ →Enter your Target Name Server Then you need find your target related domains.you can Find Your target Name Server by Enter the command in below.
dig NS yourdomain.comiii)Reverse MX Lookup: →Look for the Domains which they are Registered In Same MAIL Server:
https://reverse-mx.whoisxmlapi.com/
Just Enter Your Target Mail Server.You will Get Mail server By Running the below command:
dig MX yourdomain.comCAUTION: While Performing Reverse Lookup , There are high Possibility to get Other Domains which they are Unrelated from our Target Domain .For Example Facebook, Amazon were had Unique Name server,Mail Server. Not all the domains are uses unique mail server for them. Mots of the domains are uses the mail server on Cloud Providers(Domains providers)Ex :Google, Godaddy, Wordpress And etc,.
If You Hit these types of domains , Then you will got unwanted Results. So Its Important to stay within Our scopes when we Performing HORIZONTAL RECON.
After Done The “HORIZONTAL RECON” We could have lot of information(IP and Domains). Its Very important to Find which they are In our Target’s Scope. Once you found Out the IP and Domains, you can ask the company to Test these Scopes. If they are Out of Scope, Just Leave Them And Focus on Scopes Targets. But, If you Granted Access to Conduct pentest on these Scopes , You’re the Minimum person who Conduct Penetrate testing on these Scopes. By Doing these you can Explore More Bugs, Because These Scopes are not Visible For All.
Yeah…! We came to The end of The “HORIZONTAL RECON FOR PENETRATION TESTING”(The Outer Play Game).. We Just Completed the first Step In Our Bug Bounty Journey. After this , We Could Dive Into the “VERTICAL RECON” → Gathering Information In The Target(The Inner Play Game).
I hope this Blog helped You to Learn Something New or Know Extra More Things about already known by You. I Shared Everything i know about HORIZONTAL RECON. If I missed any Techniques Please comment out And Help the blog to Become Greater. I am Very Thankful for You Reading The blog. I Hope This blog Is value’s Your Time . Okay.., Thanks To All.. We Will Meet on Next Blog“Vertical Recon:-SUBDOMAINS ENUMERATION🔥🔥.”
Quote For the Day:
“Don’t be Afraid to Give up the Good to go for the Great.” — John D. Rockefeller
