Questions tagged [reconnaissance]

The process of collecting information about an intended target of a malicious hack by probing the target system.

57 questions
122 votes, 6 answers

How to find out what programming language a website is built in?

I think that it's fundamental for security testers to gather information about how a web application works and eventually what language it's written in. I know that URL extensions, HTTP headers, session cookies, HTML comments and style-sheets may…
storm
  • 1,714
  • 4
  • 16
  • 25
47 votes, 8 answers

How can I find subdomains of a site?

One of the things I need to do from time to time is to find subdomains of a site for example. Starting with example.com sub1.example.com other.example.com another.example.com I'm looking for any additional ways to perform recon on these targets…
NULLZ
  • 11,426
  • 17
  • 77
  • 111
19 votes, 1 answer

How to protect yourself against OSINT?

I recently watched a video about OSINT and learnt it can be quite a powerful agent. I've been on the internet for years, and at this point I'm not sure what I've posted and where. Given this is now a form of recon in cybersecurity, do you have tips…
iiSupaCannon
  • 193
  • 1
  • 7
19 votes, 6 answers

How to identify a company's public network address range?

Which methods can I use to identify a company's public network address range(s)?
Bob
  • 508
  • 1
  • 3
  • 13
8 votes, 3 answers

How to know if two IP addresses point to the same web server?

Doing some testing against two IP addresses in the scope, I find one web server on each one. Both host what seems to be the same web application. They are different public (accessible through the Internet) IP addresses and there are no explicit redirects…
kinunt
  • 2,759
  • 2
  • 23
  • 30
7 votes, 1 answer

What is the purpose of using a different DNS server in nmap?

nmap allows the use of different DNS servers (not local). What is the benefit of doing so?
user78612
  • 71
  • 1
7 votes, 2 answers

What is the best way of finding subdomains of a domain?

I need to find most subdomains of a domain. I know there are many options. I've tried many available in Kali Linux: dnsmap dnsenum dnsrecon dnswalk fierce urlcrazy Most of them only find 2 or 3 working subdomains, while using this online tool, it…
Philippe Delteil
  • 172
  • 1
  • 11
7 votes, 2 answers

Extra p0f v3 fingerprints files?

p0f v3 is a passive operating system detector. The latest release is 3.08b, dating to November, 2014. Given the releases of Windows 10, multiple Linux, Firefox and Chrome versions since then, the fingerprints file doesn't identify a lot of TCP SYN…
Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26
6 votes, 2 answers

How to find Windows version from the file on a remote system

I need to find out what Windows and Service Pack the system is currently running. All I have is FTP access, which means I cannot run any of the software. Is there a way to determine what version of Windows, Service Pack, and what language is installed on a…
Dranik
  • 233
  • 1
  • 3
  • 8
5 votes, 2 answers

How do pentesters approach a large complex network?

Lots of books talk about using tools such as whois and other information gathering tools to collect information on the network and of course, not forgetting nmap. However, in a real network with such a large number of hosts, wouldn't there be an…
5 votes, 4 answers

What is the best way to explain (to a non-technical person) the risk of leaking version information?

I'm wondering what the easiest way is to explain to a non-technical person (read: management) why the leakage of a simple version number is considered unnecessary/a potential risk and should be avoided. For example, version leakage through: the HTTP…
4 votes, 2 answers

What is the purpose of subdomain enumeration?

There are a number of security tools out there that enumerate the subdomains of a given domain. I wonder: what's the purpose of that in terms of security / hacking? Is there any way to do that other than by brute force with a dictionary of the most…
Oskar K.
  • 149
  • 1
  • 5
4 votes, 3 answers

IP addresses readily available on black market?

I know that criminals can readily find on the black market large dumps of password databases from hacked sites. These may contain the username, password, and email address for millions of users. But what about IP addresses? Is it easy to find…
D.W.
  • 98,420
  • 30
  • 267
  • 572
4 votes, 2 answers

How to map a network passively with wireshark dumps?

I'm currently diving into network mapping and thought that, in order to do this stealthily, why not listen to the existing network traffic; a Wireshark dump usually contains a metric ton of information. You have at least info on hosts which are up…
Draugr
  • 670
  • 9
  • 14
4 votes, 3 answers

Security implications of WAF revealing internal IP addresses

What are the security implications of a web application firewall/load balancer revealing the internal IPs of the web sites behind it to the outside world? A specific example is with F5 products: they use a cookie that can be decoded to show the internal IPs of…
nyxgeek
  • 1,297
  • 10
  • 22