Reconnaissance and information gathering
Reconnaissance is the very first stage of a penetration test. In this stage, a pen tester identifies the system or application in question and gathers as much information about it as possible. This is the most crucial stage of testing, because it defines the attack surface. In white box testing, recon may matter less, since the client has already provided all the information about the in-scope target.
A black box test relies heavily on this stage, because no information is given to the tester. In the context of a web application penetration test, we will focus on identifying the technology used by the web application, the domain and subdomain information, HTTP protocol recon and enumeration, and any other details that could help us work more efficiently. The scope of the target and the goal of the test are generally defined at this stage.
The following is a list of tools that can be used to perform recon on a web application:
- Identifying applications running on a nonstandard port (user-defined custom ports): Amap, Nmap, and so on
- Identifying the DNS and subdomains: dnsenum, dnsmap, dnswalk, dnsrecon, dnstracer, Fierce, dnscan, Sublist3r, and so on
- Identifying technological platforms: BlindElephant, Wappalyzer, WhatWeb, and so on
- Identifying content management systems: WPScan, Joomscan, CMScan, Drupscan, and so on
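To make the "identifying technological platforms" item concrete, here is an added example (not code from the original text, and not the implementation of any of the tools listed above) showing the simplest form of what WhatWeb or Wappalyzer do: reading the headers and cookies a server volunteers and mapping them to a technology stack. It runs entirely offline against two constructed HTTP responses; the header-to-technology and cookie-to-technology tables are an illustrative subset I chose for the example, not any tool's signature database. For a defender, running this kind of check against your own server's responses shows exactly what a recon stage will learn for free.

```python
"""Passive technology fingerprinting from HTTP response headers (added example)."""
from __future__ import annotations

import re

# Response headers that commonly disclose the stack. Illustrative subset (assumption).
DISCLOSING_HEADERS = {
    "server": "web server",
    "x-powered-by": "application platform",
    "x-aspnet-version": "ASP.NET version",
    "x-generator": "content management system",
}

# Session cookie names tied to particular platforms. Illustrative subset (assumption).
COOKIE_HINTS = {
    "PHPSESSID": "PHP session",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "wordpress_": "WordPress",
}

# Matches "Product/1.2.3" tokens such as "Apache/2.4.41" or "PHP/7.4.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_response(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (lowercased name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> dict[str, list]:
    """Report what a response discloses: header disclosures, product versions, cookie hints."""
    _, headers = parse_response(raw)
    findings: dict[str, list] = {"disclosures": [], "versions": [], "hints": []}
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            findings["disclosures"].append(f"{DISCLOSING_HEADERS[name]}: {value}")
            # Pull out explicit product/version pairs, the most useful recon result.
            findings["versions"].extend(VERSION_RE.findall(value))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            for prefix, tech in COOKIE_HINTS.items():
                if cookie_name.startswith(prefix):
                    findings["hints"].append(f"{tech} (cookie {cookie_name})")
    return findings


# Constructed sample responses (not captured from any real host).
# A verbose server: every header leaks something about the stack.
SAMPLE_VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# The same application after trimming the Server header, dropping X-Powered-By
# and renaming the session cookie: passive fingerprinting learns nothing.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, sample in (("verbose", SAMPLE_VERBOSE), ("hardened", SAMPLE_HARDENED)):
        print(label, fingerprint(sample))
```

The contrast between the two samples is the practical takeaway: the recon stage only needs to read the headers, so the fix on the defending side is configuration (a minimal Server value, no X-Powered-By, platform-neutral cookie names) rather than anything in the application code.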
Now, let's look at enumeration.