Reconnaissance, Mapping
& Configuration Testing

WHOIS Lookup

Queries domain registration databases for registrant name, organization, email, registrar, name servers, and creation/expiry dates.

• Command: whois target.com
• Reveals: registrant contact info, name servers (NS records), registration dates
• Privacy-protected registrations (e.g., Domains By Proxy) may hide personal data

DNS Enumeration

• A — IPv4 address mapping
• AAAA — IPv6 address mapping
• MX — Mail exchange servers (reveals email provider)
• NS — Authoritative name servers
• TXT — SPF, DKIM, domain verification tokens
• CNAME — Canonical name alias (e.g., www → app.target.com)
• SOA — Start of Authority, zone information
• Zone Transfer (AXFR): dig axfr @ns1.target.com target.com — if the server is misconfigured, returns ALL DNS records at once. A critical finding.
• Subdomain discovery tools: dnsenum, sublist3r, amass, dnsrecon

Google Dorking (Google Hacking)

Advanced search operators to find sensitive information indexed by Google without touching the target server.

• site:target.com filetype:pdf — find exposed documents
• site:target.com inurl:admin — find admin pages
• site:target.com intitle:"index of" — find directory listings
• site:target.com ext:sql OR ext:bak — find backup/database files
• "target.com" "password" — find leaked credentials
• Mnemonic: SIFIE — Site, Inurl, Filetype, Intitle, Ext

Shodan

Search engine for internet-connected devices. Indexes banners, service versions, open ports, and TLS certificates. Use hostname:target.com to find exposed services without probing directly.

• Reveals: open ports, server software versions, exposed IoT devices, vulnerable systems
• Can find staging/dev servers not publicly linked

Certificate Transparency (CT) Logs — crt.sh

Every SSL/TLS certificate issued by a public CA must be logged in Certificate Transparency logs. crt.sh lets you search these logs by domain, revealing all issued certificates and — critically — all subdomains the organization has certificates for.

• Query: https://crt.sh/?q=%.target.com
• Reveals subdomains including internal, staging, and test servers

Wayback Machine / Archive.org

Historical snapshots of web pages. Find removed functionality, old endpoints, credentials committed to old config files, former staff directories, and legacy API versions.

• Pentest use: find endpoints that were removed from the live site but may still be active on the server

Job Postings & LinkedIn/GitHub

Job postings reveal technology stack ("experience with AWS RDS PostgreSQL"). LinkedIn reveals employee names, roles, and potential usernames. GitHub searches may expose API keys, credentials in code, or internal architecture details.

Port Scanning with nmap

• nmap -sV -p- target.com — all 65535 ports, version detection
• nmap -sC -sV -p 80,443,8080,8443,8888 target.com — common web ports with default scripts
• nmap --script http-enum target.com — web enumeration NSE script
• Common web ports: 80 (HTTP), 443 (HTTPS), 8080 (alt HTTP/proxy), 8443 (alt HTTPS), 3000 (Node.js), 8888 (Jupyter)
• nmap -O — OS detection via TCP/IP stack fingerprinting

Service Fingerprinting

nmap -sV sends version probes to identify server software and versions. Banner grabbing (reading the server's initial response) also works: curl -I https://target.com. Look for headers like Server: Apache/2.4.41 and X-Powered-By: PHP/7.4.3.

robots.txt and sitemap.xml

• robots.txt: instructs crawlers which paths to avoid (Disallow:). For pentesters, disallowed paths are highly interesting — they often contain admin panels, staging areas, or sensitive functionality
• sitemap.xml: site structure map revealing all intended public pages

Burp Suite Crawler

Automated discovery of links, forms, API endpoints, and hidden parameters. Enable the Burp proxy first so all manual browsing is captured. Burp's Spider follows links within scope settings.

Directory and File Brute Force

• Gobuster: gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
• FFuF: fast fuzzer, supports multiple wordlist dimensions
• DirBuster: GUI-based, Java tool from OWASP
• Common interesting paths: /admin, /login, /api, /backup, /.git, /config, /phpinfo.php, /wp-admin

Session Token Initial Analysis

• Identify session mechanism: cookies vs. URL parameters vs. localStorage vs. JWT
• Examine Set-Cookie flags: HttpOnly, Secure, SameSite, domain/path scope
• Check for token predictability: sequential values, timestamp-based, short length
• Burp Sequencer: capture many tokens, analyze statistical entropy/randomness

X-Frame-Options

Prevents clickjacking by controlling whether the page can be embedded in an iframe.

• DENY — no embedding anywhere
• SAMEORIGIN — only same-origin embedding
• Superseded by CSP frame-ancestors but still widely tested on the exam

X-Content-Type-Options: nosniff

Prevents the browser from MIME-type sniffing — the browser must use the declared Content-Type. Prevents certain XSS attacks via file upload (e.g., uploading a JS file declared as image/png).

Content-Security-Policy (CSP)

Defines allowed sources for scripts, styles, images, fonts, frames, etc. — the most powerful XSS mitigation header.

• script-src 'self' — only same-origin scripts
• default-src 'none' — deny everything not explicitly allowed
• Misconfigurations to flag: 'unsafe-inline', 'unsafe-eval', wildcard sources (*)
• CSP bypass research: check csp-evaluator.withgoogle.com

HSTS (Strict-Transport-Security)

Forces browsers to connect only via HTTPS for the specified duration. Prevents SSL stripping attacks.

• Full value: max-age=31536000; includeSubDomains; preload
• Without HSTS: an attacker can strip HTTPS from the first request (SSLstrip)
• Without preload: only protects after the user visits once via HTTPS

Other Security Headers

• Referrer-Policy: controls Referer header content sent to other origins (prevents leaking paths/tokens)
• Permissions-Policy (formerly Feature-Policy): restricts browser API access (camera, geolocation, microphone)
• X-XSS-Protection: legacy header, deprecated in modern browsers; value: 1; mode=block. Don't rely on it.

Testing Tools

• testssl.sh: comprehensive CLI TLS scanner — testssl.sh target.com. Tests protocols, ciphers, certificates, and known vulnerabilities.
• SSLyze: Python-based SSL/TLS scanner with JSON output
• Qualys SSL Labs: online scanner, grades A–F (not available during authorized testing without disclosing scan)

Issues to Test For

• Expired or self-signed certificates — no browser trust, MITM possible
• SSLv2 / SSLv3 (POODLE) — both should be disabled; SSLv3 enables POODLE attack
• TLS 1.0 (POODLE for TLS) — deprecated in 2020, still vulnerable
• TLS 1.1 — deprecated, should not be offered
• Weak ciphers: RC4 (BEAST/broken), DES/3DES (SWEET32), NULL ciphers, export ciphers (FREAK/LOGJAM), anonymous DH ciphers (no server auth)
• Missing HSTS: enables SSL stripping
• Certificate chain issues: missing intermediate certs, wrong CN/SAN mismatch

How It's Enabled (and How to Test)

• Apache: Options +Indexes in .htaccess — enables browsing the file system
• Nginx: autoindex on directive
• Test: navigate to a directory without an index file — if a file listing is shown, it's a misconfiguration
• Risk: exposes backup files, configuration files, source code, and log files to unauthenticated users

What Errors Reveal

• Stack traces: framework name/version, file paths (e.g., /var/www/html/app.php:42), database type
• Database errors: DB type, table/column names, full SQL query structure
• Internal IP addresses leaked in error messages
• Test: submit a single quote ('), invalid data types, extra-long inputs — observe responses
• Mitigation: custom error pages, disable debug mode in production (APP_DEBUG=false)

Methods to Test

• curl -X OPTIONS https://target.com -i — check Allow: response header
• curl -X TRACE https://target.com -i — TRACE should be disabled (Cross-Site Tracing / XST attack)
• PUT enabled: potential for unauthorized file write (upload a web shell)
• DELETE enabled: unauthorized deletion of files
• WebDAV methods: PROPFIND, MKCOL — if WebDAV is enabled, often exploitable for file upload

Files and Paths to Check

• Backup extensions: .bak, .old, .orig, ~ (Unix backup), .swp (vim swap) — e.g., index.php.bak
• Source code exposure: /.git/HEAD, /.git/config — if .git directory is publicly accessible, full source code can be reconstructed
• Config files: config.php, web.config, .env, database.yml, settings.py, application.properties
• Log files: error.log, access.log, debug.log
• Mnemonic: Backup Old Environments Git Swap (.bak, .old, .env, .git, .swp)

Cross-Origin Resource Sharing Vulnerabilities

• Wildcard origin: Access-Control-Allow-Origin: * — browsers block cookies with wildcard, but API-key authenticated APIs can still be abused
• Reflected origin: server echoes back whatever Origin: header it receives — allows any site to make credentialed requests (most severe)
• Null origin: Access-Control-Allow-Origin: null — an iframe in sandbox mode can send a null origin and gain access
• CORS test: send Origin: https://attacker.com header and check if response contains Access-Control-Allow-Origin: https://attacker.com and Access-Control-Allow-Credentials: true