README.md

Reconnaissance

• Passive recon steps for Web/Host:

  1. Target validation
  2. Finding subdomains
  3. Fingerprinting
  4. Data breaches

• We can use BugCrowd as a platform for practicing recon.

• Tools for discovering email addresses:

  • Hunter
  • Phonebook.cz
  • VoilaNorbert
  • Clearbit Connect
  • Email Hippo

• DeHashed can be used to find breached credentials.

• Hunting subdomains:

apt install sublist3r #tool for finding subdomains

sublist3r -d tesla.com

• crt.sh can be used for certificate fingerprinting.

• Tools such as BuiltWith and Wappalyzer can be used for identifying technologies used in a website. whatweb can be used as an alternative, and can be used from the Kali Linux terminal itself.

• Burp Suite can be used for information gathering by intercepting requests.

• Google Advanced Search can be used for efficient Googling.