Web Recon Checklist 🔍

source: https://pentesterlab.com/badges/recon – no spoilers!

http/s
- robots.txt
- security.txt
- check directory listing
- fuzz common directories
- vhost enumeration via Host headers, e.g. curl -H "Host: {{random}}"
- default HTTP and TLS vhost, e.g. visit the website's IP address
- view TLS certs for alt DNS names
- inspect headers
- continuously hit load balancers to see other hosts, e.g. while true; do curl {{loadbalancerURI}}; done

dns
- check TXT records via dig -t txt {{address}}
- zone transfer via dig axfr @{{nameserver}} {{domain}}
- check for internal zones as well via zone transfer, e.g. int
- check BIND version using dig @{{nameserver}} version.bind txt chaos

git
- search for public repos, orgs AND their users
- show emails used within repo: git shortlog --summary --numbered --email
- tree overview: git log --graph --oneline --decorate --all
- view all commits: git log --pretty=oneline
- changed files: git log --name-status
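The "inspect headers" item is the one most easily turned into a self-check before a site goes live: the same response headers a recon pass reads (Server, X-Powered-By, Set-Cookie) tell a defender what the site discloses. The script below is an added example, not part of the PentesterLab checklist; it parses a raw HTTP response (the sample response is constructed inline, not captured from any real host) and reports version-bearing disclosure headers, missing hardening headers, and cookies set without Secure/HttpOnly. The header lists are my own choices, not a standard.

```python
"""Audit a raw HTTP response for header disclosure and missing hardening (added example)."""
import re
from typing import Dict, List

# Constructed sample response; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# Hardening headers expected on an HTTPS site (assumed baseline, not a standard).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
)
# Headers that commonly disclose software and version to a recon scan.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return header name (lowercased) -> list of values; repeated headers are kept."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag version disclosure, missing hardening headers and weak cookie flags."""
    findings: Dict[str, List[str]] = {"disclosure": [], "missing": [], "cookies": []}
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            if VERSION_RE.search(value):  # only report when a version string is exposed
                findings["disclosure"].append(f"{name}: {value}")
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings["missing"].append(name)
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        lacking = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if lacking:
            findings["cookies"].append(f"{cookie_name} lacks {', '.join(lacking)}")
    return findings


def audit_response(raw: str) -> Dict[str, List[str]]:
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for category, items in audit_response(SAMPLE_RESPONSE).items():
        print(f"{category}: {items}")
```

Feed it the output of curl -i against your own host to get the same view a recon checklist gives an outsider; the cookie check deliberately keeps repeated Set-Cookie headers as a list, since a dict keyed by name would silently drop all but the last one.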

S3 Buckets