Know the enemy and you know yourself, you need not fear the result of a hundred battles. – Sun Tzu
Reconnaissance is the first phase of every penetration test, and every pentester or security engineer working on one needs to do it well. Knowing which tool surfaces which kind of information lets you learn about the target quickly and with the least noise.
This article lists online tools security professionals can use to gather specific information about a target and to look up exploits for what they find.
Find the technology stack of the target
Before hunting for email addresses and other external information, establish the target's technology stack. Knowing, for instance, that the target runs PHP with the Laravel framework on MySQL tells the pentester which classes of vulnerability and which exploits are worth trying.
BuiltWith is a technology lookup service (a technology profiler). It gives pentesters information about a target through two APIs: the Domain API and the Domain Live API. The Domain API returns technical information such as the analytics service, embedded plugins, frameworks and libraries in use.
The Domain API answers from BuiltWith's own database, so it returns both current and historical technology information about the target.
The Lookup search bar on the site returns the same information as the Domain API. The Domain Live API, on the other hand, performs a fresh lookup of the supplied domain or URL at request time.
Both APIs can be integrated into a security product to feed technical information to end users.
Criminal IP is a cyber threat intelligence (CTI) search engine that is useful during online pentesting. Its Asset Search feature lets users search for exposed assets that carry known vulnerabilities.
Criminal IP also reports connected IPs and subdomains, as well as the technologies used to build the pages, which enables more detailed analysis. Filters such as product, product_version and cve_id locate assets affected by a specific vulnerability, and filters such as title, country and tech_stack narrow the search further.
For example, Asset Search can find assets running a vulnerable MySQL version, or assets with directory listing enabled via the filter title: "index of". Treat such results as leads to verify, not as confirmed vulnerabilities: a version string in a banner does not prove the flaw is exploitable on that host.
Wappalyzer is a technology profiler that extracts the technology stack of a target. If you want to know which CMS, libraries and frameworks the target uses, Wappalyzer is the tool to use.
There are two ways to use it. The Lookup API gives programmatic access to the same information and is typically used by security engineers and infosec developers to integrate Wappalyzer as a profiler inside a security product. Otherwise, install Wappalyzer as a browser extension for Chrome, Firefox or Edge and it identifies the stack of every site you visit.
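The profilers above all work the same way underneath: they match response headers, cookie names and page markup against a table of signatures. The following is an added example of that technique, not code from BuiltWith, Criminal IP or Wappalyzer; the signature table is a small hand-picked subset written for this example, and the sample response is constructed.

```python
"""Passive technology fingerprinting from one HTTP response.

Added example: this is not code from BuiltWith, Criminal IP or Wappalyzer.
The signature table is a hand-picked subset written for this example; a
real profiler ships thousands of rules. The sample response is constructed.
"""
import re

# technology -> list of (location, regex). Locations:
#   "header:<name>"  match against that response header value
#   "cookie"         match against a cookie name taken from Set-Cookie
#   "html"           match against the response body
SIGNATURES = {
    "Nginx":      [("header:server", r"^nginx")],
    "Apache":     [("header:server", r"^apache")],
    "PHP":        [("header:x-powered-by", r"^php"), ("cookie", r"^PHPSESSID$")],
    "Laravel":    [("cookie", r"^laravel_session$"), ("cookie", r"^XSRF-TOKEN$")],
    "WordPress":  [("html", r"/wp-content/"), ("html", r'name="generator" content="WordPress')],
    "jQuery":     [("html", r"jquery(-[\d.]+)?(\.min)?\.js")],
    "Cloudflare": [("header:server", r"^cloudflare$"), ("cookie", r"^__cf")],
}


def cookie_names(set_cookie):
    """Cookie names from a Set-Cookie header given as a string or a list."""
    lines = set_cookie if isinstance(set_cookie, list) else [set_cookie]
    return {line.split("=", 1)[0].strip() for line in lines if "=" in line}


def fingerprint(headers, body):
    """Return the sorted list of technologies whose signatures match.

    headers: dict of response headers (Set-Cookie may be a list);
    body: response body as text. One matching rule is enough per technology.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    names = cookie_names(lower.get("set-cookie", []))
    found = set()
    for tech, rules in SIGNATURES.items():
        for location, pattern in rules:
            rx = re.compile(pattern, re.IGNORECASE)
            if location.startswith("header:"):
                hit = rx.search(lower.get(location[len("header:"):], "")) is not None
            elif location == "cookie":
                hit = any(rx.search(n) for n in names)
            else:
                hit = rx.search(body) is not None
            if hit:
                found.add(tech)
                break
    return sorted(found)


# Constructed response, as a Laravel app behind Nginx might answer.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": ["XSRF-TOKEN=eyJpdiI6...; path=/; samesite=lax",
                   "laravel_session=eyJpdiI6...; path=/; httponly; samesite=lax"],
}
SAMPLE_BODY = '<html><head><script src="/js/jquery-3.6.0.min.js"></script></head></html>'

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY))
```

The result for the constructed response is the stack the article uses as its example (Nginx, PHP, Laravel, plus jQuery). Note what a banner cannot tell you: a Server header can be rewritten by a reverse proxy, and an absent header proves nothing, so a profiler's verdict is a starting hypothesis, not a fact.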
Discover subdomains of the target
A domain is the registered name of a website, such as example.com. A subdomain is an additional label in front of it, such as mail.example.com or dev.example.com, and often points at a separate host or application.
A domain is usually associated with one or more subdomains, and forgotten staging or legacy subdomains are a common way into an organization. Knowing how to enumerate the subdomains of the target domain is therefore essential.
Dnsdumpster is a free domain research tool that discovers subdomains of the target domain. It performs subdomain discovery by collating data from Shodan, MaxMind and other search engines. There is a limit to the number of domains you may search; to get past it, you can use the commercial product, Domain Profiler.
Domain Profiler performs domain discovery in much the same way as Dnsdumpster but includes additional information, such as DNS records. Unlike Dnsdumpster, Domain Profiler is not free; it requires a full membership plan.
Both Dnsdumpster and Domain Profiler belong to hackertarget.com.
nmmapper wraps native reconnaissance tools such as Sublist3r, DNScan, Lepus and Amass to search for subdomains.
nmmapper also offers plenty of other tools, such as a ping test, DNS lookup and WAF detector.
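Whatever the source (Dnsdumpster, Domain Profiler or the tools nmmapper wraps), the raw output needs the same treatment before it is useful: normalize the names, drop look-alikes that only contain the apex as a substring, and check which ones actually resolve. The following is an added example of that step, not code from any of those services; the hostnames and DNS answers are constructed, and the resolver is pluggable so the logic runs offline.

```python
"""Collect, normalize and resolve subdomain candidates.

Added example: not code from Dnsdumpster, Domain Profiler or nmmapper.
The raw names are constructed to look like what passive sources return
(certificate SANs, DNS dumps, search-engine results). Resolution is
pluggable so the logic runs offline; without an override it uses the
system resolver.
"""
import socket


def normalize_hostnames(apex, raw_names):
    """Sorted, de-duplicated list of hostnames that really belong to `apex`.

    Handles case, trailing dots and wildcard SANs ('*.api.example.com' is
    reported as 'api.example.com'), and rejects look-alikes such as
    'example.com.evil.net' or 'notexample.com' that merely contain the
    apex as a substring.
    """
    apex = apex.strip().lower().rstrip(".")
    found = set()
    for name in raw_names:
        host = name.strip().lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]
        if host == apex or host.endswith("." + apex):
            found.add(host)
    return sorted(found)


def wordlist_candidates(apex, words):
    """Brute-force candidates from a wordlist, e.g. 'vpn' -> 'vpn.example.com'."""
    apex = apex.strip().lower().rstrip(".")
    return [f"{w.strip().lower()}.{apex}" for w in words if w.strip()]


def resolve_all(hostnames, resolver=None):
    """Map each hostname to its A record, or None if it does not resolve."""
    resolver = resolver or socket.gethostbyname   # real DNS unless overridden
    result = {}
    for host in hostnames:
        try:
            result[host] = resolver(host)
        except (OSError, KeyError):                # socket.gaierror is an OSError
            result[host] = None
    return result


# Constructed input: names as several passive sources might report them.
SAMPLE_NAMES = [
    "www.Example.com.", "*.api.example.com", "mail.example.com",
    "MAIL.example.com", "dev.example.com", "example.com",
    "example.com.evil.net", "notexample.com",
]
# Constructed DNS answers for offline use; look-ups not listed here fail.
FAKE_DNS = {
    "www.example.com": "192.0.2.10", "api.example.com": "192.0.2.11",
    "mail.example.com": "192.0.2.20", "example.com": "192.0.2.10",
}


def fake_resolver(host):
    return FAKE_DNS[host]       # KeyError plays the role of NXDOMAIN


if __name__ == "__main__":
    hosts = normalize_hostnames("example.com", SAMPLE_NAMES)
    hosts += wordlist_candidates("example.com", ["vpn", "staging"])
    for host, ip in resolve_all(hosts, fake_resolver).items():
        print(f"{host:30} {ip or 'no A record'}")
```

Passing `resolver=None` makes the script query real DNS, which is only appropriate for domains you are authorized to test. Names that appear in certificate transparency or DNS dumps but no longer resolve are still worth recording: they hint at decommissioned hosts and possible dangling records.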
Find email addresses
To test whether a company is vulnerable to phishing, you first need the email addresses of people who work for the target company.
Hunter is a popular email finder service. It lets anyone search for email addresses by domain (Domain Search) or by person (Email Finder). With Domain Search, you supply a domain name and get back the addresses found for it.
Hunter also offers an API, so you can use the GUI or the API as you prefer.
EmailCrawlr returns a list of email addresses in JSON format.
Although Skrapp is aimed at email marketing, it can search email addresses via its domain search feature. Another feature, the bulk email finder, lets you import a CSV file of employee names and companies and returns their email addresses in bulk.
A REST API is available for those who prefer to search for email addresses programmatically.
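The bulk finders above rely on the fact that most organizations use one address format for everyone. Once a couple of confirmed addresses reveal that format, the rest of the staff list can be expanded into candidates. The following is an added example of that inference, not code from Hunter, EmailCrawlr or Skrapp; the known addresses and employee names are constructed.

```python
"""Infer an organization's email address format and generate candidates.

Added example: not code from Hunter, EmailCrawlr or Skrapp. The known
addresses and employee names below are constructed. Candidates are
guesses to be verified (for example with an email verification service),
not confirmed mailboxes.
"""
import re

# Local-part formats commonly seen in the wild: name -> builder(first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
}


def _clean(name):
    """Lower-case ASCII letters only: \"O'Brien\" -> 'obrien'."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_pattern(known):
    """known: iterable of (first, last, email) for people whose address is
    confirmed. Returns the pattern key matching the most entries, or None."""
    scores = {}
    for first, last, email in known:
        f, l = _clean(first), _clean(last)
        if not f or not l or "@" not in email:
            continue
        local = email.split("@", 1)[0].lower()
        for key, build in PATTERNS.items():
            if build(f, l) == local:
                scores[key] = scores.get(key, 0) + 1
    return max(scores, key=scores.get) if scores else None


def generate(pattern, domain, people):
    """Candidate addresses for (first, last) pairs using `pattern`."""
    build = PATTERNS[pattern]
    out = []
    for first, last in people:
        f, l = _clean(first), _clean(last)
        if f and l:
            out.append(f"{build(f, l)}@{domain.lower()}")
    return out


# Constructed data: two confirmed addresses and a list of names to expand.
KNOWN = [("Ada", "Lovelace", "ada.lovelace@example.com"),
         ("Alan", "Turing", "alan.turing@example.com")]
PEOPLE = [("Grace", "Hopper"), ("Linus", "Torvalds"), ("Mary", "O'Brien")]

if __name__ == "__main__":
    pattern = infer_pattern(KNOWN)
    print(pattern, generate(pattern, "example.com", PEOPLE))
```

A single known address can match more than one pattern (a one-letter first name makes "first.last" and "f.last" identical), which is why the function votes across several confirmed addresses rather than trusting one.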
Explore more Email finder tools.
Find Folders and Files
In a pentest, it is important to know which files and folders are hosted on the target web server. Sensitive information such as administrator passwords, GitHub keys, and backup or configuration files is often found in exposed files and directories.
URL Fuzzer is an online service by Pentest-Tools. It uses a custom-built wordlist of more than 1000 common names of known files and directories to discover hidden resources.
It lets you scan for hidden resources with either a light scan or a full scan. The full scan mode is only for registered users.
Pentest-Tools offers more than 20 tools for information gathering, website security testing, infrastructure scanning and exploit helpers.
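A URL fuzzer is a wordlist loop with one important refinement: many applications answer every unknown path with a 200 and a friendly "not found" page, so a naive fuzzer reports the whole wordlist as hits. The following is an added example showing that loop with a soft-404 baseline, not Pentest-Tools' URL Fuzzer; the wordlist and the fake target are constructed, and the default fetch function does real HTTP requests, which you should only point at targets you are authorized to test.

```python
"""Hidden file and directory discovery with soft-404 filtering.

Added example: not Pentest-Tools' URL Fuzzer. `fetch` is pluggable: the
default issues real HTTP GETs with urllib (only do that against targets you
are authorized to test); the fake below answers from a constructed table so
the logic can be exercised offline. The wordlist is a tiny constructed one.
"""
import hashlib
import secrets
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

WORDLIST = ["admin/", ".git/HEAD", ".env", "backup.zip", "config.php",
            "robots.txt", "uploads/"]


def http_fetch(url):
    """GET `url` and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _signature(status, body):
    return status, hashlib.sha256(body).hexdigest()


def soft404_baseline(base_url, fetch):
    """Fetch a path that cannot exist. Many apps answer 200 with a friendly
    'not found' page; remembering that answer lets us discard look-alikes."""
    status, body = fetch(urljoin(base_url, "does-not-exist-" + secrets.token_hex(8)))
    return _signature(status, body)


def fuzz(base_url, wordlist, fetch=http_fetch):
    """Return {path: status} for wordlist entries that exist on the target."""
    base_url = base_url.rstrip("/") + "/"
    baseline = soft404_baseline(base_url, fetch)
    found = {}
    for word in wordlist:
        status, body = fetch(urljoin(base_url, word))
        if status == 404 or _signature(status, body) == baseline:
            continue                      # hard 404, or identical to the soft-404 page
        found[word] = status
    return found


# Constructed target: a few real resources; anything else gets a 200 soft 404.
FAKE_SITE = {
    "admin/":     (403, b"Forbidden"),
    ".git/HEAD":  (200, b"ref: refs/heads/main\n"),
    ".env":       (200, b"APP_KEY=base64:...\nDB_PASSWORD=...\n"),
    "robots.txt": (200, b"User-agent: *\nDisallow: /admin/\n"),
}
SOFT_404 = (200, b"<html><body>Sorry, we could not find that page.</body></html>")


def fake_fetch(url):
    return FAKE_SITE.get(urlparse(url).path.lstrip("/"), SOFT_404)


if __name__ == "__main__":
    print(fuzz("http://target.example", WORDLIST, fake_fetch))
```

A 403 is kept deliberately: it tells you the resource exists even though you cannot read it, which is exactly the kind of lead (an admin panel, a protected directory) a fuzzer is for. Comparing a body hash is the simplest baseline; sites that embed the requested path or a timestamp in their error page need a fuzzier comparison, such as response length within a tolerance.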
When we need information about internet-connected devices such as routers, webcams, printers, refrigerators and so on, we rely on Shodan.
Like Google, Shodan is a search engine, but instead of web pages it indexes the service banners of devices exposed on the internet. Although Shodan is built for cybersecurity, anybody interested in these devices can use it.
For instance, you can use Shodan to find how many hosts run the Nginx web server, or how many Apache servers are exposed in Germany or in San Francisco. Shodan's filters (for example country, city, port and org) narrow a search to a specific result.
Exploit Search Tools
In this section, we look at online exploit search tools and services available to security researchers.
Although Packet Storm is an information security service known for publishing current and historical security articles and tools, it also publishes exploits for current CVEs. It is run by a group of cybersecurity professionals.
Exploit-DB is the most popular free exploit database. It is a project of Offensive Security that collects exploits submitted by the public for penetration testing purposes.
Vulnerability-Lab provides access to a large database of vulnerabilities with exploits and proofs of concept for research purposes. You need to register an account before you can submit exploits or use them.
I hope the above tools help you with your research work. They are strictly meant for educational use against assets you own or have written permission to test.
Next, explore forensic investigation tools.