In penetration testing, reconnaissance (information gathering) is the first step to analyse the target and explore its attack surface. It is a crucial step to determine the ways that the target could be exploited.
In this article, we will explore five essential and popular open-source reconnaissance tools for penetration testing.
We will be covering the following tools:
- Wappalyzer – Website technology identifier
- DNSrecon – DNS-related information gathering
- Sublist3r – Subdomain finder
- theHarvester – Email finder (for social engineering)
- ffuf – URL fuzzer/directory finder
Wappalyzer is free to use, but a paid monthly subscription unlocks its API and advanced features. Wappalyzer is an open-source project, so you can also download the software from GitHub.
Wappalyzer can therefore be run from the Wappalyzer website, through a browser extension (Chrome or Firefox), or from a command-line interface (CLI).
Find out more about Wappalyzer here
DNSrecon is a DNS reconnaissance tool that gathers DNS information about a domain: record types such as SOA, NS, MX, A/AAAA and TXT, DNSSEC status, the authoritative name servers, and (where a misconfigured server allows it) a full zone transfer (AXFR). This helps piece together an organisation's network infrastructure. Ordinary record lookups look like legitimate DNS traffic and rarely raise an alert, but a zone-transfer attempt or a dictionary brute force of subdomains sends a burst of queries straight to the target's name servers and can be logged or alerted on, so do not treat the tool as silent. Conveniently, it comes preinstalled on Kali Linux.
Find out more about DNSrecon here
Sublist3r is a tool that helps expand your attack surface by automatically enumerating subdomains of a target. It queries many search engines and passive sources, such as Baidu, Google, Yahoo, Netcraft and VirusTotal, to find subdomains, and can also brute-force them with the -b option. Sublist3r is written in Python and is run from a command-line interface (CLI).
Find out more about Sublist3r here
theHarvester is an OSINT tool commonly used to prepare social-engineering attacks. Given a domain, it collects email addresses (along with hostnames and IP addresses) from sources such as Bing, VirusTotal and Shodan. The email addresses can be used as usernames for password-spraying or brute-forcing login portals, or as targets for phishing. Note that some of the sources require an API key.
Find out more about theHarvester here
ffuf is a fast web fuzzer run from the command line. Used as a directory brute-forcer, it takes a wordlist and requests each entry as a path on the target to find hidden directories and files. This expands the attack surface and can turn up sensitive or vulnerable files (backups, configuration files, admin panels). Because a server that answers every unknown path with a 200 page will flood the results with false hits, filter on status code, response size or word count, or use ffuf's auto-calibration. Conveniently, it comes preinstalled on Kali Linux.
Find out more about Ffuf here
By using these five tools for reconnaissance together, you can gather a target's:
- Technologies in use
- DNS records and name servers
- Subdomains
- Email addresses
- Hidden directories and potentially vulnerable files
giving you a fuller picture of your target and making it easier to find angles of attack and ways to exploit it.
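The following script is an added example of chaining the five tools into one run, in the order the article lists them, followed by a small shell function that merges the hostname sources into a single in-scope list. It is not taken from the article or from any of the tools' own documentation. It assumes that dnsrecon, sublist3r, theHarvester, ffuf, jq and the Wappalyzer npm CLI are on PATH, that the wordlist paths (Kali defaults) exist, that theHarvester's JSON "hosts" entries look like "host:ip", and that the target is a domain you are authorised to test.

```shell
#!/bin/sh
# Added example (not from the article or any tool's own docs): chain the five
# reconnaissance tools and merge the hostname results into one scoped list.
# Assumptions: all tools and jq are on PATH, the wordlist paths below exist,
# and "$1" is a domain you are authorised to test.
set -eu

# Normalise hostnames read from stdin (one per line) and keep only those in
# scope: lowercase, drop "*." wildcard prefixes and trailing dots, strip stray
# whitespace, keep only names ending in the root domain, dedupe.
scope_hosts() {
  root_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # example.com -> example\.com
  tr 'A-Z' 'a-z' \
    | sed -e 's/^\*\.//' -e 's/\.$//' -e 's/[[:space:]]//g' \
    | grep -E "(^|\.)${root_re}"'$' \
    | sort -u
}

# Run the whole pipeline against one domain, writing under ./recon/<domain>/.
run_recon() {
  target="$1"
  out="recon/$target"
  mkdir -p "$out"

  # 1. Technology fingerprint (Wappalyzer npm CLI; assumed installed via npm).
  wappalyzer "https://$target" --pretty > "$out/tech.json"

  # 2. DNS. Standard records first; the AXFR attempt and the dictionary brute
  #    force go straight to the target's name servers and are noisy.
  #    /usr/share/dnsrecon/namelist.txt is the assumed Kali wordlist path.
  dnsrecon -d "$target" -t std  -j "$out/dns-std.json"
  dnsrecon -d "$target" -t axfr -j "$out/dns-axfr.json" || true
  dnsrecon -d "$target" -t brt  -D /usr/share/dnsrecon/namelist.txt -j "$out/dns-brt.json"

  # 3. Subdomains from search engines and passive sources.
  sublist3r -d "$target" -o "$out/sublist3r.txt"

  # 4. Emails and hosts. Some -b sources need a key in theHarvester's
  #    api-keys.yaml; -f writes <name>.json and <name>.xml.
  theHarvester -d "$target" -b bing,duckduckgo -l 500 -f "$out/harvester"

  # 5. Merge both hostname sources into one scoped list. theHarvester's JSON
  #    "hosts" entries are assumed to be "host:ip", so split off the address.
  jq -r '.hosts[]? | split(":")[0]' "$out/harvester.json" > "$out/harvester-hosts.txt" || true
  cat "$out/sublist3r.txt" "$out/harvester-hosts.txt" | scope_hosts "$target" > "$out/hosts.txt"

  # 6. Fuzz each host for hidden paths. -ac auto-calibrates the size/word
  #    filters so soft-404 pages (200 with an error body) are not reported as
  #    hits; -rate keeps the request rate polite. Wordlist path is the assumed
  #    SecLists location on Kali.
  while read -r host; do
    ffuf -u "https://$host/FUZZ" \
         -w /usr/share/seclists/Discovery/Web-Content/common.txt \
         -e .php,.bak,.old -mc 200,204,301,302,307,401,403 -ac -rate 50 \
         -o "$out/ffuf-$host.json" -of json || true
  done < "$out/hosts.txt"
}

# Usage: sh recon.sh example.com
if [ -n "${1:-}" ]; then run_recon "$1"; fi
```

The scoping step matters more than it looks: search-engine sources regularly return wildcard entries, mixed case, and look-alike domains (for example example.com.evil.net), and fuzzing an out-of-scope host is both a waste of time and a rules-of-engagement problem. Keeping the merge in a pure shell function also lets you re-run it against saved output without touching the network again.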