Tools Mentioned in This Chapter
In this chapter, I introduced many tools you can use in your recon process. Many more good tools are out there. The ones mentioned here are merely my personal preferences. I’ve included them here in chronological order for your reference.
Be sure to learn about how these tools work before you use them! Understanding the software you use allows you to customize it to fit your workflow.
Scope Discovery
- WHOIS looks for the owner of a domain or IP.
- ViewDNS.info reverse WHOIS ( https://viewdns.info/reversewhois/ ) is a tool that searches for reverse WHOIS data by using a keyword.
- nslookup queries internet name servers for IP information about a host.
- ViewDNS reverse IP ( https://viewdns.info/reverseip/ ) looks for domains hosted on the same server, given an IP or domain.
- crt.sh ( https://crt.sh/ ), Censys ( https://censys.io/ ), and Cert Spotter ( https://sslmate.com/certspotter/ ) are platforms you can use to find certificate information about a domain.
- Sublist3r ( https://github.com/aboul3la/Sublist3r/ ), SubBrute ( https://github.com/TheRook/subbrute/ ), Amass ( https://github.com/OWASP/Amass/ ), and Gobuster ( https://github.com/OJ/gobuster/ ) enumerate subdomains.
- Daniel Miessler’s SecLists ( https://github.com/danielmiessler/SecLists/ ) is a list of keywords that can be used during various phases of recon and hacking. For example, it contains lists that can be used to brute-force subdomains and filepaths.
- Commonspeak2 ( https://github.com/assetnote/commonspeak2/ ) generates lists that can be used to brute-force subdomains and filepaths using publicly available data.
- Altdns ( https://github.com/infosec-au/altdns ) brute-forces subdomains by using permutations of common subdomain names.
- Nmap ( https://nmap.org/ ) and Masscan ( https://github.com/robertdavidgraham/masscan/ ) scan the target for open ports.
- Shodan ( https://www.shodan.io/ ), Censys ( https://censys.io/ ), and Project Sonar ( https://www.rapid7.com/research/project-sonar/ ) can be used to find services on targets without actively scanning them.
- Dirsearch ( https://github.com/maurosoria/dirsearch/ ) and Gobuster ( https://github.com/OJ/gobuster ) are directory brute-forcers used to find hidden filepaths.
- EyeWitness ( https://github.com/FortyNorthSecurity/EyeWitness/ ) and Snapper ( https://github.com/dxa4481/Snapper/ ) grab screenshots of a list of URLs. They can be used to quickly scan for interesting pages among a list of enumerated paths.
- OWASP ZAP ( https://owasp.org/www-project-zap/ ) is a security tool that includes a scanner, proxy, and much more. Its web spider can be used to discover content on a web server.
- GrayhatWarfare ( https://buckets.grayhatwarfare.com/ ) is an online search engine you can use to find public Amazon S3 buckets.
- Lazys3 ( https://github.com/nahamsec/lazys3/ ) and Bucket Stream ( https://github.com/eth0izzle/bucket-stream/ ) brute-force buckets by using keywords.
OSINT
- The Google Hacking Database ( https://www.exploit-db.com/google-hacking-database/ ) contains useful Google search terms that frequently reveal vulnerabilities or sensitive files.
- KeyHacks ( https://github.com/streaak/keyhacks/ ) helps you determine whether a set of credentials is valid and learn how to use them to access the target’s services.
- Gitrob ( https://github.com/michenriksen/gitrob/ ) finds potentially sensitive files that are pushed to public repositories on GitHub.
- TruffleHog ( https://github.com/trufflesecurity/truffleHog/ ) specializes in finding secrets in public GitHub repositories by searching for string patterns and high-entropy strings.
- PasteHunter ( https://github.com/kevthehermit/PasteHunter/ ) scans online paste sites for sensitive information.
- Wayback Machine ( https://archive.org/web/ ) is a digital archive of internet content. You can use it to find old versions of sites and their files.
- Waybackurls ( https://github.com/tomnomnom/waybackurls/ ) fetches URLs from the Wayback Machine.
Tech Stack Fingerprinting
- The CVE database ( https://cve.mitre.org/cve/search_cve_list.html ) contains publicly disclosed vulnerabilities. You can use its website to search for vulnerabilities that might affect your target.
- Wappalyzer ( https://www.wappalyzer.com/ ) identifies content management systems, frameworks, and programming languages used on a site.
- BuiltWith ( https://builtwith.com/ ) is a website that shows you which web technologies a website is built with.
- StackShare ( https://stackshare.io/ ) is an online platform that allows developers to share the tech they use. You can use it to collect information about your target.
- Retire.js ( https://retirejs.github.io/retire.js/ ) detects outdated JavaScript libraries and Node.js packages.
Automation
- Git ( https://git-scm.com/ ) is an open source version-control system. You can use its git diff command to keep track of file changes.
You should now have a solid understanding of how to conduct reconnaissance on a target. Remember to keep extensive notes throughout your recon process, as the information you collect can really balloon over time. Once you have a solid understanding of how to conduct recon on a target, you can try to leverage recon platforms like Nuclei ( https://github.com/projectdiscovery/nuclei/ ) or Intrigue Core ( https://github.com/intrigueio/intrigue-core/ ) to make your recon process more efficient. But when you’re starting out, I recommend that you do recon manually with individual tools or write your own automated recon scripts to learn about the process.