Scope Based Recon Methodology: Exploring Tactics for Smart Recon

Scope Based Recon Methodology

What is Scope Based Recon Methodology?

Why is Scope Based Recon Methodology useful?

  1. Saves a lot of time
  2. You know what exactly to look for
  3. You can easily automate your recon workflow
  4. Less of a chance to submit Out-of-Scope Issues
  5. Just like other security methodologies, it enables you to perform better Recon

Small Scope Recon

What to Look for?

  • Wappalyzer Plugin
  • Whatweb
  • Use automated tools for finding hardcoded information
  • Use Automated tools for finding interesting parameters, keywords, endpoints, and other pieces of information.
  • Download all JavaScript files recursively and use GF patterns/Custom Regex to look for interesting information.
  • Differentiate JavaScript files (Previous vs. Current) over a period of time to see if something interesting came up.
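The last three items above (hardcoded information, interesting parameters and endpoints, and diffing JavaScript over time) can be handled with one small script. The following is an added example, not code from the original post: two snapshots of a bundle are constructed inline, a few GF-style regexes (assumed, not from any GF pattern file) pull out endpoints, query parameters and hardcoded-looking keys, and only what is new in the current snapshot is reported.

```python
import re

# Constructed sample snapshots of the same JavaScript bundle, captured at two points in time.
JS_PREVIOUS = """
var API = "/api/v1/users";
fetch("/api/v1/profile?id=" + uid);
"""
JS_CURRENT = """
var API = "/api/v1/users";
fetch("/api/v1/profile?id=" + uid);
fetch("/api/v2/admin/export?format=csv");
const cfg = { apiKey: "PLACEHOLDER-NOT-A-REAL-KEY" };
"""

# GF-style patterns (constructed here): each name maps to a regex capturing one kind of value.
PATTERNS = {
    # a quoted path such as "/api/v1/users", with any query string ignored
    "endpoint": re.compile(r"""["'](/[A-Za-z0-9_\-./]+)(?:\?[^"']*)?["']"""),
    # a query parameter name such as ?id= or &format=
    "parameter": re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_]*)="),
    # an apiKey / secret / token assigned a quoted literal
    "hardcoded_key": re.compile(r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*["']([^"']+)["']"""),
}

def extract(js):
    """Run every pattern over one JS blob; return {category: set of matched values}."""
    return {name: set(rx.findall(js)) for name, rx in PATTERNS.items()}

def diff_snapshots(previous, current):
    """Return only the values present in `current` but absent from `previous`, per category."""
    old, new = extract(previous), extract(current)
    return {name: new[name] - old[name] for name in PATTERNS}

def report(changes):
    """Flatten the diff into sorted 'NEW <category>: <value>' lines for a ticket or alert."""
    return [f"NEW {name}: {value}"
            for name in PATTERNS for value in sorted(changes[name])]

if __name__ == "__main__":
    for line in report(diff_snapshots(JS_PREVIOUS, JS_CURRENT)):
        print(line)
```

Running it reports the new /api/v2/admin/export endpoint, the new format parameter and the hardcoded key, while everything already present in the earlier snapshot stays quiet.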

Medium Scope Recon

  • CORS Scanning
  • Security Headers Scanning
  • SPF Record Scanning
  • CRLF Injection Scanning
  • HTTP Request Smuggling Detection (High Chance of False Positives in Automation)

Large Scope Recon

Automated Recon Frameworks

Scope Based Recon Talks

Offensive & Scope Based Recon — Red Team Village c0c0n 2020

Offensive Recon — Bug Hunter’s Playbook

Takeaways

  1. Recon is about increasing the attack surface so that you will have more attack vectors.
  2. Recon is not always about or equal to finding security vulnerabilities.
  3. Scope Based Recon helps you to automate your Recon methodology based upon various target scope (Small/Medium/Large).
  4. Since now you know exactly what you need to look for in the provided scope, the next step is to implement this strategy and look at the results.
  5. We looked at various interesting tools and at why a particular methodology is useful and should be included in Recon.
  6. The next step is to explore and try this methodology in the wild during your engagements, for fun and profit altogether.

Security Engineer | Bugcrowd Top 150 & MVP| Synack Red Teamer | Cobalt Core Pentester | Bug Hunter | Author | Speaker | Learner | Poet | Twitter — @harshbothra_

Harsh Bothra
