What Should You Do After Recon?!

NahamSec

6 Feb 202314:46

Summary

TLDRThis video script delves into the post-reconnaissance phase of hacking, emphasizing the importance of understanding one's hacking style. It outlines two primary approaches: terminal-focused hacking, involving tool usage and endpoint fuzzing, and application-focused hacking, which entails deep-diving into application functionalities. The speaker advocates for a balanced approach, combining automation for tedious tasks with manual exploration to uncover vulnerabilities. The script also advises on using tools like Nuclei for template creation and Httpx for light information gathering, and discusses strategies for prioritizing targets based on response codes and titles, ultimately aiming to enhance the hacker's efficiency and effectiveness in identifying and exploiting vulnerabilities.

Takeaways

🤔 The next steps in hacking after Recon depend on your personal style and approach to hacking.
💬 Engage with the community by sharing your hacking style in comments or subscribing to the channel for more content.
🛠️ Recon is not a replacement for hacking; manual approaches are often necessary to find vulnerabilities.
🔍 Two common hacking approaches are: 1) Terminal-based hacking, focusing on tool usage and endpoint discovery, and 2) Application-based hacking, which involves deep diving into application functionalities.
🔄 It's beneficial to combine both approaches to hacking, automating tedious tasks while manually exploring applications for vulnerabilities.
📝 After Recon, use light vulnerability scanning with tools like Nuclei, but customize templates to avoid common defaults and reduce false positives.
🔎 Perform light information gathering to quickly understand an organization's infrastructure, prioritizing assets based on response codes and titles.
📈 Prioritization of targets is crucial; focus on applications with valuable keywords in their titles, such as 'dashboard' or 'login'.
🚫 Error codes like 400 and 403 are not reasons to give up; they present opportunities for further exploration and potential vulnerabilities.
📊 Use tools like httpx to gather information and prioritize assets systematically, but also understand the value of manual analysis for a deeper insight.

Q & A

What is the main question people often ask after conducting reconnaissance in hacking?
-The main question people often ask is what they should do after completing their reconnaissance phase in hacking.
What does the speaker suggest is crucial in determining what to do after reconnaissance?
-The speaker suggests that one's own hacking style and approach are crucial in determining what to do after reconnaissance.
What are the two common approaches to hacking mentioned in the script?
-The two common approaches to hacking mentioned are: 1) Preferring to be in a terminal, running tools and fuzzing endpoints, and 2) Wanting to sit down and thoroughly explore an entire application's functionality.
What is the speaker's personal approach to automation in hacking?
-The speaker's personal approach to automation is to use it for efficiency, automating tedious tasks, and not relying solely on it for finding vulnerabilities.
Why does the speaker suggest not solely relying on default templates in tools like Nuclei?
-The speaker suggests not relying on default templates because they are commonly used by many, which can lead to less unique and potentially less effective reconnaissance.
What is 'light information gathering' as described in the script?
-Light information gathering refers to quickly assessing assets using tools like httpx to gather information such as response size, response code, and titles to prioritize targets.
How does the speaker recommend using response codes to prioritize targets during reconnaissance?
-The speaker recommends prioritizing targets by focusing on 200 OK responses for active applications, 300 ranges for redirects (especially single sign-on pages), 400 ranges for authorization-required pages, and 404 errors which might hide accessible resources.
What is the significance of the 300 range response codes in the context of hacking?
-The 300 range response codes signify redirects, which can indicate the presence of single sign-on pages or other authorized resources, potentially leading to more valuable data if vulnerabilities are found.
What does the speaker suggest doing when encountering a 404 response code during reconnaissance?
-When encountering a 404 response code, the speaker suggests using keywords from the subdomain or error page to guess and Brute Force possible routes or endpoints that might be hidden.
How does the speaker recommend prioritizing assets after information gathering?
-The speaker recommends prioritizing assets by manually or automatically sorting through the results from tools like httpx, focusing on titles and response codes to identify the most valuable targets.