
Hey guys, Rocky here! 🕵️♂️
Welcome back to Day 2 of the Daily Web Hacking series! If you missed Day 1, we broke down HTTP basics—the secret language browsers and servers use to flirt. Today, we’re diving into Part 2: Reconnaissance, where you’ll learn to stalk websites like a digital Sherlock Holmes. Grab your magnifying glass—let’s uncover some secrets!
—
Why Recon Matters: The Art of Pre-Hacking
Recon is the homework hackers do before launching attacks. It’s like studying a bank’s blueprints before a heist. Why? Because 90% of hacking is knowing where to strike. You’re looking for:
- Hidden doors: Unlisted pages, forgotten admin panels, backup files.
- Weak spots: Outdated software, leaked credentials, misconfigured servers.
- Intel: Who owns the site? What tech do they use? Where’s the treasure buried?
Skip recon, and you’re just throwing punches in the dark.
—
The Recon Toolkit: Free, Powerful, and (Mostly) Legal
You don’t need a $10,000 toolset to start. Here’s my go-to arsenal:
—
1. Google Dorking: The OG Hackers’ Search Engine
Google is a legal hacking machine if you know how to talk to it. Use special operators to find hidden gems:
| Operator | Example | What It Finds |
|----------|---------|---------------|
| `site:` | `site:hacklivly.com admin` | All pages mentioning "admin" on the site. |
| `filetype:` | `filetype:pdf site:hacklivly.com` | Leaked PDFs, invoices, or manuals. |
| `intitle:` | `intitle:"index of /" "backup"` | Open directories with "backup" in the title. |
| `inurl:` | `inurl:php?id=` | Pages with an `id=` query parameter, a classic SQL injection test point. |
| `cache:` | `cache:hacklivly.com` | Cached versions of pages (even deleted ones). |
Pro Tip: Check out the Google Hacking Database (GHDB) for 10,000+ pre-made dorks. Want to automate this? Use tools like GoDork or write a Python script to scrape results.
Real-World Example: Search `site:github.com "api_key"` to find accidentally exposed API keys in GitHub repos. Yikes!
Discover: Google Dorks Cheat Sheet: Advanced Search Techniques for Ethical Hacking and Information Discovery
—
2. WHOIS Lookup: “Who Owns This Domain?”
Every domain registration leaves a paper trail. Use WHOIS to:
- Find the owner’s name, email, phone number, and address.
- See when the domain expires (expired domains can be hijacked!).
- Identify the hosting provider (useful for phishing or reporting abuse).
Hacker Angle:
- Phishing: If the admin’s email is `admin@hacklivly.com`, guess what their Slack login might be?
- Domain Takeovers: Expired domains can be re-registered to host malicious content.
But Wait! Many domains use privacy services (like WHOISGuard). To bypass this:
- Look for historical WHOIS records using ViewDNS.info.
- Check the site’s SSL certificate (details in Part 1) for organization info.
—
3. Nmap: The Network Ninja
Nmap is the Swiss Army knife of recon. It scans for open ports (doors) and fingerprints services (what’s behind the doors).
Basic Scan: `nmap -sV hacklivly.com`
- `-sV`: Detects software versions.
Sample Output:
```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache 2.4.29 (Ubuntu)
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
```
Translation: The server runs Apache 2.4.29 and OpenSSH 7.6p1—both outdated and possibly vulnerable!
Advanced Tricks:
- Stealth Scan: `nmap -sS hacklivly.com` (sneakier, doesn’t fully connect).
- Aggressive Scan: `nmap -A hacklivly.com` (OS detection, script scanning).
- Scripts: Use Nmap’s scripting engine to find vulnerabilities: `nmap --script vuln hacklivly.com`
Pro Tip: Save scans to a file with `-oN report.txt` and compare them over time to spot changes.
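Comparing reports by eye gets old fast, so here is a small Python script, added for this article and not part of Nmap, that parses two `-oN` reports and lists every port that appeared, disappeared or changed version between them. The two reports below are constructed samples, not real scan output.

```python
import re

# One port line from Nmap's normal (-oN) output, e.g.
# "80/tcp open  http    Apache 2.4.29 (Ubuntu)"  ->  port/proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_nmap_normal(text):
    """Return {"80/tcp": (state, service, version)} for every port line in a -oN report."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[f"{port}/{proto}"] = (state, service, version or "")
    return ports

def diff_scans(old, new):
    """Compare two parsed reports and describe every port that appeared, vanished or changed."""
    changes = []
    for key in sorted(set(old) | set(new), key=lambda k: int(k.split("/")[0])):
        before, after = old.get(key), new.get(key)
        if before is None:
            changes.append(f"NEW    {key} {after[0]} {after[1]} {after[2]}".rstrip())
        elif after is None:
            changes.append(f"GONE   {key} (was {before[0]} {before[1]})")
        elif before != after:
            changes.append(f"CHANGED {key}: {before} -> {after}")
    return changes

# Constructed sample reports for two dates; not output from a real scan.
SCAN_MONDAY = """\
# Nmap 7.94 scan initiated Mon Jan  6 09:00:00 2025 as: nmap -sV -oN monday.txt hacklivly.com
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open  http    Apache 2.4.29 (Ubuntu)
"""
SCAN_FRIDAY = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open  http    Apache 2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.7.33
8080/tcp open  http-proxy
"""

if __name__ == "__main__":
    # A MySQL port and an unidentified proxy appeared during the week: worth a look.
    for change in diff_scans(parse_nmap_normal(SCAN_MONDAY), parse_nmap_normal(SCAN_FRIDAY)):
        print(change)
```

Run it against your own weekly `-oN` files and a newly exposed database port shows up as a `NEW` line instead of hiding in a wall of output.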
🎥 Watch Our Nmap Tutorial!
Want a hands-on walkthrough of Nmap in action? Check out our latest video: “Nmap Basics – Mastering Network Scanning” 📡🔍
▶️ Watch now: https://www.youtube.com/watch?v=IMzRT_A60r4&t=1s
This video complements the article by diving deeper into practical scanning techniques and command usage to help you level up your recon skills! 🚀
4. Dirsearch/DirBuster: Brute-Force the Hidden Web
Websites often hide files like `/admin`, `/backup.zip`, or `/wp-login.php`. Tools like Dirsearch and DirBuster brute-force these paths using massive wordlists.
Command Example:
`dirsearch -u https://hacklivly.com -e php,html,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
- `-e`: File extensions to check.
- `-w`: Wordlist (I recommend SecLists).
Why It Matters: Finding `/phpmyadmin` could mean unrestricted database access.
—
5. Wappalyzer: Tech Stack Detective
The Wappalyzer browser extension instantly reveals a site’s tech stack:
- CMS: WordPress, Drupal, Joomla.
- Programming Languages: PHP, Python, Node.js.
- Server Software: Apache, Nginx, Microsoft-IIS.
- Analytics: Google Analytics, Hotjar.
Hacker Move: If the site uses WordPress, hunt for vulnerabilities in plugins like WooCommerce or Elementor.
Limitation: Wappalyzer isn’t perfect. Manually confirm by:
- Checking HTTP headers (`curl -I`).
- Looking for telltale files like `/wp-content/` (WordPress) or `/lib/jquery.js` (jQuery).
—
6. Shodan: The Search Engine for Hackers
Shodan.io is Google for internet-connected devices. Find:
- Webcams, routers, and smart fridges with default passwords.
- Industrial control systems (SCADA) exposed to the internet.
- Databases (MongoDB, Redis) without authentication.
Search Filters:
- `org:"Amazon" port:21` → Find FTP servers owned by Amazon.
- `city:"San Francisco" product:"Apache"` → Apache servers in SF.
- `http.title:"Hacked"` → Devices with “Hacked” in their page title (yes, this works).
Pro Tip: Use Shodan’s Exploits tab to find vulnerabilities for your target’s software.
—
Passive vs. Active Recon: Don’t Get Busted!
- Passive Recon: Gathering intel without directly interacting with the target.
  - Examples: Google dorking, WHOIS, Shodan.
  - Advantage: Leaves no trace.
- Active Recon: Directly probing the target.
  - Examples: Nmap scans, directory brute-forcing.
  - Risk: Can trigger alarms (e.g., IDS/IPS systems).
Rule of Thumb: Start passive. Only go active if you’re sure it’s allowed (e.g., a bug bounty program).
—
Fingerprinting: “What’s Under the Hood?”
Fingerprinting tells you exactly what software a server runs. From Day 1, you know HTTP headers leak clues. Let’s dig deeper:
Check Headers: `curl -I https://hacklivly.com`. Look for `Server`, `X-Powered-By`, and `X-AspNet-Version`.
Error Pages: Visit a non-existent page (e.g., `https://hacklivly.com/404`). A PHP error might leak the server path or framework.
Favicon Hash: Hash the site’s `favicon.ico` and match it to frameworks using the OWASP favicon database.
Default Files: Check for `/robots.txt`, `/sitemap.xml`, or `/README.md`—they often list hidden paths or software versions.
Tools:
- WhatWeb: Advanced fingerprinting tool.
- BuiltWith: Detailed tech profile of any site.
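The header check above and the Wappalyzer "confirm with `curl -I`" step earlier are the same exercise, so here is one added Python snippet (mine, not a tool from this article) that parses what `curl -I` prints, pulls out the three disclosing headers named above together with any version they leak, and pairs each with the well-known server setting that suppresses it. The response text is constructed, not captured from any real host.

```python
import re

# Headers the article calls out, each paired with the standard setting that hides them.
DISCLOSING_HEADERS = {
    "server": "Apache: ServerTokens Prod / nginx: server_tokens off",
    "x-powered-by": "PHP: expose_php = Off / Express: app.disable('x-powered-by')",
    "x-aspnet-version": 'ASP.NET: <httpRuntime enableVersionHeader="false" /> in web.config',
}
# A dotted version number such as 2.4.29 or 7.2.24 anywhere in the header value.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_headers(raw):
    """Parse `curl -I` output: a status line followed by 'Name: value' lines."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # blank or malformed line, ignore
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers

def fingerprint(raw):
    """Return (header, value, leaked_version_or_None, hardening_hint) per disclosing header."""
    _, headers = parse_headers(raw)
    findings = []
    for name, fix in DISCLOSING_HEADERS.items():
        if name in headers:
            value = headers[name]
            m = VERSION_RE.search(value)
            findings.append((name, value, m.group(0) if m else None, fix))
    return findings

# Constructed response for a stack like the one in the Nmap example above.
SAMPLE = """\
HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 09:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for name, value, version, fix in fingerprint(SAMPLE):
        print(f"{name}: {value!r} -> version {version or 'hidden'}; harden with: {fix}")
```

A hardened server still answers with `Server: Apache` but no number, which the script reports as "hidden"; that is the state you want your own hosts in.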
—
Subdomains: The Hidden Internet
Subdomains (`dev.hacklivly.com`, `api.hacklivly.com`) are often less secure. Find them with:
- Sublist3r: `sublist3r -d hacklivly.com`
- Crt.sh: Search SSL certificates for subdomains: crt.sh.
- DNS Dumpster: DNSdumpster.com maps subdomains and DNS records.
- Brute-Force: Use tools like Amass or Subfinder with wordlists.
Why It Matters: `test.hacklivly.com` might have a staging environment with debug mode enabled.
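The crt.sh route is the one you can script with nothing but the standard library, so here is an added Python example (not from the article or from crt.sh) that turns the JSON crt.sh serves at `https://crt.sh/?q=%25.<domain>&output=json` into a deduplicated list of in-scope hostnames, handling wildcard names and lookalike domains, and flags the `dev`/`test`/`staging`/`api` names this post says deserve a second look. It assumes the `name_value` and `common_name` fields as crt.sh returns them; the records below are constructed, not real certificates.

```python
import json

def subdomains_from_crtsh(json_text, domain):
    """Extract unique in-scope hostnames from crt.sh JSON output.

    Each record's "name_value" holds the certificate's subject names, newline-separated,
    and may include wildcards such as "*.example.com".
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for record in json.loads(json_text):
        names = record.get("name_value", "").split("\n")
        names.append(record.get("common_name", ""))
        for name in names:
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]                    # a wildcard still reveals its parent
            # Suffix match, not substring match: "hacklivly.com.example.net" must not pass.
            if host == domain or host.endswith(suffix):
                found.add(host)
    return sorted(found)

def interesting(hosts, hints=("dev", "test", "staging", "api", "admin")):
    """Hosts whose first label carries a non-production hint, per the article's examples."""
    return [h for h in hosts if any(hint in h.split(".")[0] for hint in hints)]

# Constructed records in crt.sh's JSON shape; none of these certificates are real.
SAMPLE_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "hacklivly.com",
     "name_value": "hacklivly.com\nwww.hacklivly.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.hacklivly.com",
     "name_value": "*.hacklivly.com\ntest.hacklivly.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "api.hacklivly.com",
     "name_value": "api.hacklivly.com\nunrelated-hacklivly.com.example.net"},
])

if __name__ == "__main__":
    hosts = subdomains_from_crtsh(SAMPLE_JSON, "hacklivly.com")
    print("all:", hosts)
    print("worth a second look:", interesting(hosts))
```

Run against your own domain, the output is an inventory of every host you have ever issued a public certificate for, which is exactly the list an attacker gets for free.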
—
APIs & Endpoints: The Silent Killers
APIs (Application Programming Interfaces) are goldmines for hackers. Find them by:
- Inspecting JavaScript: Use Chrome DevTools (`Sources` tab) to look for `/api/v1/` endpoints.
- Burp Suite: Intercept app traffic to discover hidden API calls.
- GitHub: Search the target’s repos for `config.js` or `api_key` strings.
Common API Vulnerabilities:
- Broken Authentication: Can you access `api.hacklivly.com/users` without a token?
- Excessive Data Exposure: Does `GET /api/users` return passwords or emails?
- Rate Limiting: Can you brute-force logins 10,000 times per second?
Tool Alert: Use Postman or Insomnia to test APIs manually.
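The "inspect the JavaScript" and "search for `api_key` strings" steps above are worth automating on your own front-end bundles before they ship. Here is an added Python example (not a tool from the article) that pulls `/api/...` paths out of a JS source, including ones that follow a template placeholder like `${BASE}`, and reports secret-looking assignments with their values redacted. The bundle fragment and key are constructed placeholders.

```python
import re

# Absolute API-style paths as they appear in fetch()/axios calls: preceded by a quote,
# a backtick, or the "}" that closes a template placeholder such as `${BASE}/api/v1/users`.
ENDPOINT_RE = re.compile(r"(?<=[\"'`}])(/api/[\w./{}$-]+)")
# Secret-looking names assigned a string literal of 8+ characters, e.g. API_KEY = "..."
SECRET_RE = re.compile(
    r"\b(api[_-]?key|apikey|secret|token|password)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']",
    re.IGNORECASE,
)

def audit_js(source):
    """Return (sorted unique endpoints, [(name, redacted_value, line_no), ...])."""
    endpoints, secrets = set(), []
    for line_no, line in enumerate(source.splitlines(), start=1):
        endpoints.update(m.group(1) for m in ENDPOINT_RE.finditer(line))
        for m in SECRET_RE.finditer(line):
            value = m.group(2)
            redacted = value[:4] + "*" * (len(value) - 4)   # never echo the full secret
            secrets.append((m.group(1), redacted, line_no))
    return sorted(endpoints), secrets

# Constructed bundle fragment; the key is a made-up placeholder, not a real credential.
SAMPLE_BUNDLE = """\
const BASE = "https://api.hacklivly.com";
export async function listUsers() {
  return fetch(`${BASE}/api/v1/users`, { headers: { "X-Api-Key": API_KEY } });
}
const API_KEY = "EXAMPLE-0123456789abcdef";
axios.get('/api/v1/orders/{id}');
const theme = "dark";
"""

if __name__ == "__main__":
    endpoints, secrets = audit_js(SAMPLE_BUNDLE)
    print("endpoints:", endpoints)
    for name, redacted, line_no in secrets:
        print(f"line {line_no}: {name} = {redacted}")
```

Anything this prints is visible to every visitor who opens DevTools, so a hit on a real bundle means a key to rotate and a server-side check the endpoint had better already have.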
—
Homework: Become a Recon Wizard
- Google Dork a Target: Use `site:example.com filetype:env` to find `.env` files with database passwords.
- Scan with Nmap: Run `nmap -sS -A -T4 yourtarget.com` (replace with a test site).
- Find Subdomains: Use crt.sh for a site and check for `dev`, `staging`, or `api` subdomains.
- Fingerprint a Site: Use Wappalyzer and `curl -I` to identify tech stacks.
—
Recon in the Wild: A Hypothetical Attack
Let’s tie it all together with a real-world scenario:
- Passive Recon:
  - WHOIS lookup → Domain expires in 30 days. Owner: John Doe (john@hacklivly.com).
  - Google dork → `site:hacklivly.com intitle:"index of /"` exposes `/backups/database.sql`.
- Active Recon:
  - Nmap scan → Apache 2.4.29 (outdated) and OpenSSH 7.6p1.
  - Dirsearch → Finds `/wp-admin` (WordPress login).
- Exploitation:
  - Default credentials (`admin/admin`) work on WordPress.
  - Upload a malicious plugin to get a reverse shell.
Boom. You’ve pwned the server—all thanks to solid recon.
—
What’s Next? Part 3: Exploitation!
Now that you’ve mapped the target, Day 3 will cover Exploitation—turning recon intel into real hacks. Think SQL injection, phishing, and reverse shells.
—
Final Thoughts
Recon is where hacking becomes an art. It’s not about tools; it’s about curiosity, patience, and connecting dots. The internet is a messy place—exposed APIs, forgotten subdomains, and leaky servers are everywhere. Your job? Find them before the bad guys do.
Remember: Always stay ethical. With great power comes great responsibility (and maybe a bug bounty 💸).
Rocky signing off! ✌️
—
P.S. If you’re hyped for Part 3, share this with your squad! Let’s turn newbies into ninjas.
Discussion Question: What’s the craziest thing you’ve found during recon? I once found a live AWS S3 bucket with a company’s customer data… and it was wide open. 😱 Spill your stories below! 👇