Web Recon Checklist
source: https://pentesterlab.com/badges/recon - no spoilers!
| http/s | dns | git |
|---|---|---|
| robots.txt | check TXT records via `dig -t txt {{address}}` | search for public repos, orgs AND their users |
| security.txt | zone transfer via `dig axfr @{{nameserver}} {{domain}}` | show emails used within the repo: `git shortlog --summary --numbered --email` |
| check directory listing | check for internal zones as well via zone transfer, e.g. `int` | tree overview: `git log --graph --oneline --decorate --all` |
| fuzz common directories | check BIND version using `dig @{{nameserver}} version.bind txt chaos` | view all commits: `git log --pretty=oneline` |
| `curl -H "Host: {{random}}"` | | changed files: `git log --name-status` |
| vhost enumeration via Host headers | | |
| default HTTP and TLS vhost, e.g. visit the website's IP address | | |
| view TLS certs for alternative DNS names | | |
| inspect headers | | |
| continuously hit load balancers to see other hosts, e.g. `while true; do curl {{loadbalancerURI}}; done` | | |
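A defender-side companion to the zone-transfer entry in the dns column, added here as an example and not part of the PentesterLab badge: it runs the same `dig axfr` command against your own nameservers and parses the output so a monitoring job can fail when a transfer succeeds. The domain and nameserver in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify that your own authoritative nameservers refuse AXFR.
# classify_axfr_output reads dig output on stdin and prints one of:
#   open    - the server returned zone records (transfer allowed)
#   refused - the server answered but did not hand over the zone
#   error   - no usable answer (timeout, unreachable, bad name)
classify_axfr_output() {
  out=$(cat)
  # A successful AXFR prints the zone's records, starting and ending with SOA.
  if printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
    echo open
  elif printf '%s\n' "$out" | grep -Eqi 'Transfer failed|REFUSED|NOTAUTH'; then
    echo refused
  else
    echo error
  fi
}

# check_axfr DOMAIN NAMESERVER - live check against one server (needs network).
# Returns non-zero when the zone is transferable, so it can fail a CI or cron job.
check_axfr() {
  domain=$1; ns=$2
  result=$(dig axfr "@$ns" "$domain" +time=5 +tries=1 2>&1 | classify_axfr_output)
  echo "$ns $domain: $result"
  [ "$result" != open ]
}

# Only run the live check when invoked with arguments (placeholder names), e.g.
#   sh check_axfr.sh example.com ns1.example.com
if [ $# -eq 2 ]; then
  check_axfr "$1" "$2"
fi
```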
S3 Buckets
- nslookup the website to find out where it is hosted and potentially obtain the S3 URI as well.
- Otherwise, check the HTTP response info to see if the AWS region and AZ can be found.
- Use `aws s3 cp s3://$bucketnameOrURI/file $localpath` to see if files can be obtained that are otherwise not readable via CloudFront.