What Should You Do After Recon?!
Summary
TL;DR: This video script delves into the post-reconnaissance phase of hacking, emphasizing the importance of understanding one's hacking style. It outlines two primary approaches: terminal-focused hacking, involving tool usage and endpoint fuzzing, and application-focused hacking, which entails deep-diving into application functionalities. The speaker advocates for a balanced approach, combining automation for tedious tasks with manual exploration to uncover vulnerabilities. The script also advises on using tools like Nuclei for template creation and httpx for light information gathering, and discusses strategies for prioritizing targets based on response codes and titles, ultimately aiming to enhance the hacker's efficiency and effectiveness in identifying and exploiting vulnerabilities.
Takeaways
- 🤔 The next steps in hacking after Recon depend on your personal style and approach to hacking.
- 💬 Engage with the community by sharing your hacking style in comments or subscribing to the channel for more content.
- 🛠️ Recon is not a replacement for hacking; manual approaches are often necessary to find vulnerabilities.
- 🔍 Two common hacking approaches are: 1) Terminal-based hacking, focusing on tool usage and endpoint discovery, and 2) Application-based hacking, which involves deep diving into application functionalities.
- 🔄 It's beneficial to combine both approaches to hacking, automating tedious tasks while manually exploring applications for vulnerabilities.
- 📝 After Recon, use light vulnerability scanning with tools like Nuclei, but customize templates to avoid common defaults and reduce false positives.
- 🔎 Perform light information gathering to quickly understand an organization's infrastructure, prioritizing assets based on response codes and titles.
- 📈 Prioritization of targets is crucial; focus on applications with valuable keywords in their titles, such as 'dashboard' or 'login'.
- 🚫 4xx codes such as 401, 403 and 404 are not reasons to give up; they present opportunities for further exploration and potential vulnerabilities.
- 📊 Use tools like httpx to gather information and prioritize assets systematically, but also understand the value of manual analysis for a deeper insight.
Q & A
What is the main question people often ask after conducting reconnaissance in hacking?
-The main question people often ask is what they should do after completing their reconnaissance phase in hacking.
What does the speaker suggest is crucial in determining what to do after reconnaissance?
-The speaker suggests that one's own hacking style and approach are crucial in determining what to do after reconnaissance.
What are the two common approaches to hacking mentioned in the script?
-The two common approaches to hacking mentioned are: 1) Preferring to be in a terminal, running tools and fuzzing endpoints, and 2) Wanting to sit down and thoroughly explore an entire application's functionality.
What is the speaker's personal approach to automation in hacking?
-The speaker's personal approach to automation is to use it for efficiency, automating tedious tasks, and not relying solely on it for finding vulnerabilities.
Why does the speaker suggest not solely relying on default templates in tools like Nuclei?
-The speaker suggests not relying on default templates because they are commonly used by many, which can lead to less unique and potentially less effective reconnaissance.
What is 'light information gathering' as described in the script?
-Light information gathering refers to quickly assessing assets using tools like httpx to gather information such as response size, response code, and titles to prioritize targets.
How does the speaker recommend using response codes to prioritize targets during reconnaissance?
-The speaker recommends prioritizing targets by focusing on 200 OK responses for active applications, 300 ranges for redirects (especially single sign-on pages), 400 ranges for authorization-required pages, and 404 errors which might hide accessible resources.
What is the significance of the 300 range response codes in the context of hacking?
-The 300 range response codes signify redirects, which can indicate the presence of single sign-on pages or other authorized resources, potentially leading to more valuable data if vulnerabilities are found.
What does the speaker suggest doing when encountering a 404 response code during reconnaissance?
-When encountering a 404 response code, the speaker suggests using keywords from the subdomain or error page to guess and Brute Force possible routes or endpoints that might be hidden.
How does the speaker recommend prioritizing assets after information gathering?
-The speaker recommends prioritizing assets by manually or automatically sorting through the results from tools like httpx, focusing on titles and response codes to identify the most valuable targets.
Outlines
🤔 What to Do After Recon?
The speaker addresses a frequently asked question about what actions to take after completing Recon. They emphasize that the answer depends on the individual's hacking style and approach. The speaker encourages viewers to explore their style and shares that hacking can involve manual or automated processes, both of which have their merits. The importance of not relying solely on automation for vulnerability discovery is highlighted, as manual approaches can yield valuable findings.
🔍 The Importance of Manual vs Automated Hacking
In this section, the speaker contrasts two approaches to hacking: manual fuzzing and automated processes. While automation is efficient for repetitive tasks, they stress the importance of manual intervention in discovering deeper vulnerabilities, especially in applications with logins and complex functionality. The speaker shares their own approach of balancing automation with manual investigation, particularly in web applications with user authentication and different privilege levels.
🧩 How to Approach Targets After Recon
The speaker provides actionable advice on how to handle targets after Recon. They recommend light Nuclei templating but advise against relying solely on the default templates, since everyone else is running the same ones. Instead, they suggest writing templates that fingerprint vulnerabilities found in past engagements and creating (or improving, to remove false positives) fingerprints for specific assets like Jira, Jenkins or Swagger endpoints. The speaker explains that using Nuclei to automate discovery and gather leads in this way is an effective means of flagging assets that are likely to carry vulnerabilities.
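The kind of "lead" template the speaker describes, as an added example (not a template from the video or from the nuclei-templates project): it fingerprints Jira by requesting the REST serverInfo endpoint and extracts the version so Jira hosts can be pulled out of the result set. It assumes the serverInfo endpoint is reachable unauthenticated, which is the default on Jira Server/Data Center but not guaranteed everywhere; the three matchers are combined with `and` so a generic 200 page or a JSON error body does not produce a false positive.

```yaml
id: jira-serverinfo-fingerprint

info:
  name: Atlassian Jira fingerprint via REST serverInfo
  author: added-example
  severity: info
  description: |
    Flags hosts that expose the Jira REST serverInfo endpoint and extracts the
    reported version and deployment type, so Jira instances can be prioritised
    for follow-up. Lead/fingerprint template, not a vulnerability check.
  tags: tech,jira,atlassian,fingerprint

http:
  - method: GET
    path:
      - "{{BaseURL}}/rest/api/2/serverInfo"

    # All three conditions must hold: status, JSON content type, and the
    # Jira-specific keys in the body. Dropping any one of them is what
    # turns a fingerprint into a noisy template.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "application/json"
      - type: word
        part: body
        condition: and
        words:
          - '"serverTitle"'
          - '"version"'
          - '"baseUrl"'

    extractors:
      - type: json
        part: body
        json:
          - ".version"
          - ".deploymentType"
```

Run it across the whole asset list with `nuclei -l hosts.txt -t jira-serverinfo-fingerprint.yaml`; the extracted version is what you would then compare against known Jira advisories, which is the "lead" the speaker is after rather than an exploit.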
📊 Light Information Gathering and Prioritization
This section introduces the concept of light information gathering using tools like httpx to gather critical data points, such as response codes, titles, and response sizes, which help prioritize assets. The speaker highlights the value of quickly understanding an organization's infrastructure and explains how these elements help in narrowing down the focus to critical applications and vulnerabilities. They also touch on the significance of combining information gathering with prioritization to streamline hacking efforts.
📡 Dealing with HTTP Response Codes: 200, 300, 400 Ranges
The speaker delves into different HTTP response codes and their implications for hackers. For instance, a 200 response means an application is being served, and its title can offer clues for further investigation. Redirects (3xx) may signal sensitive data behind an SSO or login gate, while 4xx codes such as 401 (authentication required) and 403 (the server refuses to serve the resource) mark something that is there but gated. The speaker emphasizes how these codes present opportunities to explore deeper, using contextualised directory brute forcing or other techniques to bypass restrictions and uncover vulnerabilities.
🧑‍💻 Overcoming HTTP 403 and 404 Errors
In this section, the speaker encourages hackers not to give up when faced with 403 or 404 errors, as these can often be bypassed or worked around. They share strategies for brute-forcing and exploring directories to gain access to hidden or restricted areas. Techniques like adding extra slashes or, on Tomcat, `;/` path-parameter segments to slip past a front-end rule are mentioned, and the speaker highlights the importance of persistence in uncovering hidden resources even when the server says 'Forbidden' or 'Not Found.'
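The slash and semicolon rewrites the speaker mentions for a 401/403, as an added example that is not the speaker's tooling: it generates the candidate rewrites of a gated path and probes which of them the server answers differently from the original. The probe sends the raw path without normalising it and does not follow redirects. The demo fetcher and its responses are constructed for the example (a front-end that 403s `/admin`, with Tomcat behind it honouring `;` path parameters); `http_fetcher` is the hypothetical replacement for a real target.

```python
"""
Candidate rewrites of a path that returns 401/403, and a probe that reports
which rewrites the server answers differently. Added example; not the
speaker's tooling.
"""
import http.client
from typing import Callable, Dict, List
from urllib.parse import urlsplit


def bypass_candidates(path: str) -> List[str]:
    """Rewrites of `path` that a reverse proxy / WAF and the app server behind
    it may normalize differently. The ';' forms target Tomcat, which strips
    ';...' path parameters after the front-end has already matched its rule."""
    path = "/" + path.strip("/")
    parent, _, leaf = path.rpartition("/")
    encoded_leaf = "".join(f"%{ord(c):02X}" for c in leaf)
    variants = [
        path + "/",                # trailing slash
        "/" + path,                # doubled leading slash
        path + "//",
        path + ";/",               # Tomcat path parameter on the last segment
        "/;/" + path.lstrip("/"),  # path parameter on an empty first segment
        "/..;" + path,             # '..;' dot segment: proxy sees a new first segment
        parent + "/./" + leaf,
        parent + "/%2e/" + leaf,
        parent + "/" + encoded_leaf,
        path + "%20",
        path + "%09",
        path + "?",
        path + "#",
        path.upper(),
    ]
    seen, out = set(), []
    for v in variants:
        if v != path and v not in seen:
            seen.add(v)
            out.append(v)
    return out


NOISE_CODES = {400, 404}  # a rewrite that just yields "no such path" is not a bypass


def probe(path: str, fetch: Callable[[str], int]) -> Dict[str, int]:
    """Fetch the baseline and every candidate; return the candidates whose
    status differs from the baseline and is not plain noise. A 200 or a 3xx
    here means the rewrite reached something the original path did not."""
    baseline = fetch(path)
    hits: Dict[str, int] = {}
    for cand in bypass_candidates(path):
        code = fetch(cand)
        if code != baseline and code not in NOISE_CODES:
            hits[cand] = code
    return hits


def http_fetcher(base_url: str, timeout: float = 5.0) -> Callable[[str], int]:
    """Fetcher for a real target (hypothetical use): sends the raw path without
    normalizing it and does not follow redirects, so 3xx answers are kept."""
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection

    def fetch(path: str) -> int:
        conn = conn_cls(u.netloc, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "403-probe"})
            return conn.getresponse().status
        finally:
            conn.close()

    return fetch


# Constructed responses for the demo: a front-end that 403s /admin, with Tomcat
# behind it serving the path-parameter forms the front-end rule does not match.
DEMO_RESPONSES = {"/admin": 403, "/admin;/": 200, "/..;/admin": 200}


def demo_fetch(path: str) -> int:
    return DEMO_RESPONSES.get(path, 404)


if __name__ == "__main__":
    for cand, code in probe("/admin", demo_fetch).items():
        print(f"{code} {cand}")
```

Against a real host you would call `probe("/admin", http_fetcher("https://target.example"))`; every hit still needs a manual look, because a 200 on a rewrite may be the front-end's own error page rather than the gated resource.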
📁 Prioritizing Targets Based on Response Data
The speaker wraps up by discussing how to prioritize targets after gathering HTTP response data. They suggest focusing on response codes and keywords within titles to identify the most valuable assets. By filtering through the data for keywords like 'dashboard,' 'login,' and 'admin,' hackers can quickly locate critical applications. The speaker also touches on looking for specific internal tools, such as Jenkins or GitHub, to find valuable vulnerabilities. This prioritization strategy helps streamline the hacking process.
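The light-information-gathering and prioritisation steps from the two sections above, as one added example that is not the speaker's script: it reads httpx `-json` output (one JSON object per line; the field names `url`, `status_code`, `title`, `content_length` and `location` follow httpx's JSON output), scores each asset the way the speaker reads status codes and titles, and prints the list sorted by score. The hostname and title keyword lists are the speaker's plus a few obvious additions; the sample lines are constructed and do not describe real hosts.

```python
"""
Rank httpx JSON-lines output by status code, title keywords and hostname hints.
Added example for this page; not the speaker's script.
"""
import json
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List

# Title words worth a first look on a 200 (dashboard/login/admin and friends).
TITLE_KEYWORDS = ("dashboard", "login", "sign in", "admin", "register", "customer",
                  "jenkins", "jira", "swagger", "grafana", "kibana", "gitlab")
# Hostname labels that hint at APIs, environments or CI tooling.
HOST_KEYWORDS = ("api", "app", "dev", "staging", "internal", "corp", "ci", "jenkins", "git", "admin")
# Redirect targets that look like an SSO or login gate.
SSO_HINTS = ("okta", "onelogin", "sso", "login", "auth", "saml", "adfs")


@dataclass
class Asset:
    url: str
    status: int
    title: str
    size: int
    score: int
    reason: str


def host_labels(url: str) -> List[str]:
    """Split the hostname into labels so 'api' matches xyz-api.example.com."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    return re.split(r"[.-]", host)


def score_record(rec: dict) -> Asset:
    url = rec.get("url", "")
    status = int(rec.get("status_code") or 0)
    title = (rec.get("title") or "").strip()
    size = int(rec.get("content_length") or 0)
    location = (rec.get("location") or "").lower()
    tl = title.lower()
    host_hits = [k for k in HOST_KEYWORDS if k in host_labels(url)]

    if 200 <= status < 300:
        kws = [k for k in TITLE_KEYWORDS if k in tl]
        if kws:
            score, reason = 90, f"200 with title keyword(s) {kws}: register, log in, rip it apart"
        elif not title or size < 200:
            score, reason = 40, "200 but blank or untitled: treat like a 4xx, brute force from context"
        else:
            score, reason = 60, "200, live application: review manually"
    elif 300 <= status < 400:
        if any(h in location for h in SSO_HINTS):
            score, reason = 75, "redirect to SSO/login: gated app, check partner sign-up and session reuse"
        else:
            score, reason = 30, f"redirect to {location or 'unknown'}"
    elif status in (401, 403):
        score, reason = 70, f"{status}: something is there, contextualised brute force and bypass"
    elif status == 404:
        if host_hits:
            score, reason = 55, f"404 on host with {host_hits}: guess routes named after the host"
        else:
            score, reason = 20, "404 with no hint in the hostname"
    else:
        score, reason = 10, f"status {status}"

    if host_hits and status != 404:
        score += 10
        reason += f"; host hints {host_hits}"
    return Asset(url, status, title, size, score, reason)


def prioritize(lines: Iterable[str]) -> List[Asset]:
    """Parse httpx -json lines (skipping blanks, junk and failed probes) and
    return assets sorted by score, highest first."""
    assets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("failed"):
            continue
        assets.append(score_record(rec))
    return sorted(assets, key=lambda a: (-a.score, a.url))


# Constructed sample in httpx -json shape (not real hosts).
SAMPLE_HTTPX_JSONL = """\
{"url":"https://portal.example.com","status_code":200,"title":"Customer Dashboard - Login","content_length":4821}
{"url":"https://xyz-api.example.com","status_code":404,"title":"404 Not Found","content_length":153}
{"url":"https://intranet.example.com","status_code":302,"title":"","content_length":0,"location":"https://example.okta.com/login/login.htm"}
{"url":"https://ci.example.com","status_code":403,"title":"403 Forbidden","content_length":169}
{"url":"https://cdn.example.com","status_code":200,"title":"","content_length":0}
{"url":"https://www.example.com","status_code":200,"title":"Example Corp - Home","content_length":50211}
{"url":"https://old.example.com","status_code":301,"title":"","content_length":0,"location":"https://www.example.com/"}
"""

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTTPX_JSONL.splitlines()
    for a in prioritize(source):
        print(f"{a.score:3d} {a.status} {a.url:<32} {a.title[:30]!r:34} {a.reason}")
```

Typical use is `httpx -l subdomains.txt -json -o httpx.jsonl` followed by `python prioritize.py httpx.jsonl`; the scores are only a sort order for where to start reading, and the `reason` column is there so you can grep the output for a specific bucket (for example every 404 with a host hint) the way the speaker greps the raw httpx text.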
🎯 Final Thoughts on Recon and Target Prioritization
In the closing remarks, the speaker reinforces the importance of manually prioritizing targets and understanding an organization's infrastructure, rather than relying solely on automated tools. They reflect on how manual processes in the early days helped them gain experience and insight into large infrastructures. The speaker advises hackers to use a mix of tools and manual investigation to thoroughly analyze an organization's assets and maximize their hacking efforts.
Keywords
💡Recon
💡Hacking Style
💡Automation
💡Fuzzing
💡Manual Approach
💡Nuclei Templates
💡Information Gathering
💡HTTP Status Codes
💡Prioritization
💡Brute Forcing
Highlights
The most common question asked is what to do after Recon in hacking.
The answer to what to do post-Recon depends on the individual's hacking style.
Viewers are encouraged to comment on their style of hacking.
Hacking approaches are influenced by personal preferences and methodologies.
A misconception is that automation can replace manual hacking efforts.
Manual approaches are often more effective for finding vulnerabilities.
Automation is best used for efficient and repetitive tasks.
Two common hacking approaches are discussed: terminal-based and application-based.
Terminal-based hackers focus on tool usage and endpoint discovery.
Application-based hackers delve into application functionalities and interactions.
The speaker personally prefers a mix of both approaches.
Light vulnerability fingerprinting with tools like Nuclei is recommended.
Custom Nuclei templates can help identify specific application vulnerabilities.
Light information gathering with tools like httpx is essential for asset prioritization.
Response codes, titles, and sizes from httpx are valuable for asset analysis.
200 OK response codes indicate a live application that requires further investigation.
300 range responses suggest redirects that might lead to valuable assets.
400 range responses, including 404 errors, can be puzzles that lead to hidden assets.
Prioritizing targets based on response data is crucial for efficient hacking.
The speaker emphasizes the importance of manual analysis for a deeper understanding of infrastructure.
A combination of tools and manual methods is suggested for a comprehensive approach to hacking.
Transcripts
believe it or not one of the most common
questions that I still get asked to this
day is what should I do after Recon
honestly the answer to that question
fully relies on you and how you're going
to react to what I'm going to ask you
next what is your style of hacking and
it's okay if you don't have an answer to
that if you do do me a favor drop me a
comment let me know what your style of
hacking is if you don't that's okay
hopefully I'm gonna help you figure that
out can I get an understanding of how
you want to proceed with hacking what is
your approach and eventually that will
help you figure out what to do after
you're done with your recon before we
jump into that though do me a favor if
you haven't already hit that subscribe
button subscribe to the channel if you
come into homie if you want to support
it there's also subscription-based
memberships please do that join it it
will help me run this Channel and help
me make more content all right let's
talk about what you should do after
Recon before we do it I gotta address a
few things first is that a lot of
hackers think that Automation and Recon
is a replacement for hacking and finding
vulnerabilities and honestly that's not
the case because a lot of the good
research that I have seen have been done
through manual approaches by fuzzing
things manually going through Burp
Suite going through workflows of
websites and finding those good ones and
that's not to say that you can't do that
with an automated approach you can find
really cool stuff if you automate that
work but again my approach to automation
is to be efficient to automate those
tasks that are very tedious and I don't
want to keep doing over and over and
relying on my tools to get those tasks
done and earlier in the video I asked
you what is your style of hacking and I
told you it's okay if you don't know the
answer but I'm going to try and kind of
help you figure that out well there's
two approaches when it comes down to
hacking there is the approach of always
wanting to be in a terminal those are
the people that run a lot of tools that
includes fuzzing for endpoints and
finding those endpoints and looking for
parameters fuzzing through them and
looking for endpoints that's a very very
boring way of doing it a lot of it could
be automated but again I personally
think you're going to lose out on a lot
of bugs especially with applications
that have logins in front of them and
then those applications when you log
into it has a lot of functionalities
like user interaction maybe they have
a backend API that you need to
authenticate to and so on which brings
me to my second approach of wanting to
sit down and rip an entire application
apart based on your knowledge of the
application that comes with browsing the
site seeing what functionality it has
seeing what the application is supposed
to do what it's not supposed to do we're
looking at different user roles trying
to privesc your account and so on up to
now we've just kind of talked about the
two different approaches those are the
two that I think are very common and to
be honest I kind of do both because I
like to automate some things and I'll
tell you what those mean I like to
automate some of the things that I do
while in parallel I'm actually looking
for applications that are are big in
functionality that I could log into I
could register test out all the
functionalities available to me and then
do a little bit of a dive into the
JavaScript files and look for different
endpoints that may be available to
admins other users with different
Privileges and so on so those are the
two different approaches again I like to
do both that's up to you can do one you
can do the other drop me a comment let
me know which one do you think is for
you but again there is no right or wrong
answer you can pick either one now that
we know what the two approaches are we
need to kind of figure out what to do
next so here's what I do and this is my
recommendation to you as well if I were
in your shoes this is how you should
approach your targets one do some light
Nuclei templating don't rely on those
default Nuclei templates just because
if you're running those Nuclei
templates so is everybody else you're
not the only person doing it there are a
ton of people running the same templates
but instead you should be looking for
different vulnerabilities that you have
found in the past and ways to
fingerprint for them and automate it and
it's not just necessarily using Nuclei
for bugs but you can also use nuclei to
create a template that could identify
leads we can identify what the
application is so for example if you
know that Jira has a ton of
vulnerabilities write an actual
fingerprint for Jira if there is one
already improve it make sure there's no
false positives to help you flag certain
assets with a certain application like
Jira Jenkins and so on and that's how
you leverage nuclei to find assets that
could potentially have vulnerabilities
and be an extreme value to you so that's
my approach to using Nuclei I also go
as far as finding an endpoint that I
found in a different pen test let's say a
good example of that would be maybe a
Swagger I run a bunch of different
fingerprints a bunch of different
endpoints for it I look for them across
the entire organization or any other
organization that I could you know I'm
hacking on you can also do that with a
lot of different things again just the
Nuclei thing is a rabbit hole maybe
I'll make another video on it let me
know if that's what you want in the
comments if I get enough requests maybe
I'll make a video on how I use Nuclei
the second thing you want to do is what
I call light information gathering this
should be done very quickly you can do
some port scanning with it but you can use a
tool like httpx and leverage it to look
for information like the response size
Response Code and the title those are
the three things that I look for that is
extremely valuable to me to prioritize
my assets and then I'm going to combine
the two obviously with prioritization
and information gathering because they
go hand in hand but you want to find a
way to get an overview of an entire
organization's infrastructure without
looking at them one by one and obviously
you can do screenshots too those are a
great way to do them I think screenshots
may take you longer but again that's
completely up to you you can do either
one I used to do screenshots I switch
over from screenshots to getting actual
text because I can grep through it and I
can find different assets let's break it
down let's understand what this means
important one but also confusing one is
the 200 okay so this one pretty much
tells you hey there is an application
here there is something being served
here but you just have to figure out
what it is and that is why we rely on
titles so if something comes like as 200
we look at the title and if the title
says something like dashboard add
register application customer whatever
keywords are valuable to you and you
pick up some of these keywords the more
you hack it becomes easier to identify
them when you look at the title you go
okay because this word is in there
there's probably some sort of a login
okay I log in I gotta log out whatever
that is and get access to it and
obviously there's times when you have a
200 there's no title or there's a fake
title and a white page you can you know
you can look through those and use a
response size to make sure you filter
through them and then use the approach
for the the next things I'm going to
talk to you about when this happens so
when you see a white page you should do
the same thing as the error codes for
400s and 300 that we're going to talk
about later on so so far we talked about
the 200 okay that's probably the most
common one this is the one that you
should look at if your objective as a
hacker after you have done Recon is to
look for applications you want to hack
on so that means if you don't want to
spend your entire time in a terminal
this is a good place for you to start
forget about the rest focus on these
applications go register rip them apart
and see if you can't find any
vulnerabilities next one is the 300
ranges these are your redirects that
means that the specific website is
redirecting you to another page another
website sometimes the most common one
that I see is a single sign-on like an
Okta or OneLogin which indicates that
hey this is supposed to be only
accessible with people that are
authorized within the organization or
their partners and those are very fun
because
if you find a vulnerability there's
probably better data behind this thing
and that's why they're gating it of
course just because there is a redirect
it doesn't mean that you can't access
these resources you can do some
directory brute forcing again if you
love to be in a terminal all day you
should eat this up you should enjoy this
part but you can Brute Force for it
sometimes before they redirect you they
send you to an index page you can see
the DOM and from that DOM you can pull
the JavaScript files and you can look
through them and sometimes give you
paths and endpoints that they use and
you can probably access them without
being authorized you kind of you can
look for bypasses and that kind of
things so again just because there's a
300 redirect doesn't mean that you
shouldn't try to Brute Force find a way
to bypass the login or even better go
look how you can register as a partner
and get access to these things this is a
really good one maybe I'll make a whole
video on it again but a lot of times
it's companies with their ssos they make
a mistake and they don't actually make
the permissions right so anybody with
any account that has SSO login could
access anything across the entire
infrastructure so keep that in mind a
login page should not be a reason for
you to give up and move on to the next
Target and then you have your 400 ranges
arguably this is probably the most fun
you can have with Recon because it
becomes like a puzzle you want to kind
of understand where to go what is on
this application how do I find it it
becomes a guessing game because the 400
ranges either mean that you don't have
access to it you need to be authorized
or a 404 nothing is on this page and in
most cases that is a lie so the 401 is
your unauthorized a lot of times it
means you have to have access to it the
best way to approach this is finding a
way to log in to another application and
seeing if the session carries over I've
done that a few times sometimes that
happens sometimes there's an error that
happens they make mistakes so a session
from the other app or another API
carries over and it gives you access so
this is also some of the 300 just
because there's an authorization there
just because an htpasswd pops up it
doesn't mean that you shouldn't brute
force for files or find ways to bypass
them again and a lot of ways you can
also guess for these passwords so if
it's an htpasswd try admin admin admin
password
admin 2023 different variations and see
if it gives you access sometimes it does
sometimes it doesn't but it's always
worth a try then you have your 403 403
means hey there is something here but I
refuse to show it to you and that should
be a challenge for you to find a way to
get access and do exactly what is
preventing you from doing seeing the
resources behind that page similarly to
401 you can also Brute Force here you
can try different things for example if
you're on Tomcat you can try different
slash patterns you can put a bunch of
slashes see if it bypasses that you can
do a semicolon slash it's a bunch of
different tricks there's a bunch of good
talks on these so when you see a 403 in
your mind you should automatically go
challenge accepted you don't want to
show me what's on here I'm gonna figure
it out and the best way to do it is
contextualizing your attack or your
directory brute forcing I did a whole
video on it go watch it but the whole
point is contextualize it use the right
word list understand what that asset is
like and Brute Force until you find
something and 404 is the last one that I
want to cover for this video this one is
very interesting because
it means that nothing was found but yet
a lot of times I find things on these
websites just like outside the entire
video an error a 404 403 401 or 300 it
never means a reason for you to give up
but the 404 is a nice approach because a
lot of times when I see a 404 page uh
it's usually a keyword or what's on the
subdomain itself that gives away the
answer to that so example is if I see
API then I'm not going to Brute Force
for JSP files I'm going to focus on
finding API route files and just slowly
going after API routes find maybe a
Swagger Json file finding a yaml that
could give me the specs to this API and
then just taking it from there and of
course you know when you see the
application I'm in there it's like XYZ
Dash API the XYZ should be in the
process of guessing the folder the app
name the API name while you're doing
your testing and the last thing I talked
about was prioritizing your targets I
kind of touched on this but a lot of
times you should be able to grep through
your entire data set so you find your
assets you use your subdomain finder you
get a list of assets you run it through
httpx httpx gives you a list of all the
available assets their title their
response code and response size then you
should either automate this or manually
go through a result and grep for
specific things so grep for all the 200
ones first and when the 200 comes back
look at the titles grep for things like
dashboard look for ads customers login
obviously if you have you know a website
like IBM that has thousands of assets
this is going to take a lot longer but
then after that move on to what comes
back as 404 see which ones have the
keyword API in them which ones have the
keyword app in them and that sort of
stuff but I take it a step further and I
look for things like Dev internal Corp
or even keywords like Ci that indicate
tools that are being leveraged in the
continuous development and integration
so those are your Jenkins it could be
GitHub GitHub whatever so look for these
applications with the keywords and
prioritize them as well all of these
come with years of experience the more
you do this the more you learn but it
doesn't hurt to approach this entire
method manually to get a better
understanding of hey how do I prioritize
assets based on a result of httpx and
not rely on just on Nuclei where I
could miss things so I'll wrap it up
with just telling you that I did a lot
of these in the early days manually
because I want to understand what does a
large infrastructure look like and how
do I prioritize my work what do I pick
to hack on and that sort of stuff but
that is how I approach a large
organization it's depending on using
Nuclei honestly I don't use a lot of
Nuclei sometimes I do I like to use
meg because I have a set of endpoints
based on that Target that I usually run
across the entire infra then I use httpx
that's to get some light information
gathering get some response codes
response types that sort of stuff and I
do that to have an overview of the
entire application and then last but
not least we prioritize our entire asset
list and take it from there so that's it
that is how I approach our Target I
really hope this helps and I really hope
you enjoyed this video do me a favor
drop me a comment and tell me what kind
of hacker are you and do you want to
just spend your time in a terminal or
would you rather just go after an
application and break it apart and look
for bugs alright see you in the next
video
thank you