Advanced Web Reconnaissance

ULTRA-DETAILED: Master infrastructure fingerprinting, DNS analysis, and automated reconnaissance tradecraft.

Curriculum

20 Modules

Strategic context, protocol internals, and advanced tradecraft for DNS reconnaissance.

Using sources like CRT.sh, VirusTotal, and search engines to find subdomains without touching the target.

Brute-forcing subdomains with MassDNS and permutation scanning.

Effective use of Nmap and Masscan to find open ports.

Identifying CMS, frameworks, and libraries using Wappalyzer and BuiltWith logic.

Finding hidden directories and files using Ffuf and Gobuster.

Finding hidden GET/POST parameters that might be vulnerable.

Finding secrets and leaked code in public repositories.

Enumerating S3 buckets, Azure Blobs, and Google Cloud Storage.

Automating screenshots with EyeWitness/Aquatone to identify interesting targets quickly.

Extracting endpoints and secrets from client-side JS files.

Using Shodan, Censys, and Fofa for passive infrastructure analysis.

Identifying Web Application Firewalls and finding the origin IP.

Discovering and mapping undocumented API endpoints (Swagger/GraphQL).

Identifying and verifying subdomain takeover vulnerabilities.

Mining archived data for old endpoints and deleted secrets.

Finding valid users via password reset and registration endpoints.

Creating target-specific wordlists using CeWL and other tools.

Building a continuous monitoring system with multiple tools.

A complete recon assessment against a simulated target.

~600 Minutes

20 Modules