How To: Conduct Recon on a Web Target with Python Tools

Reconnaissance is one of the most important and often the most time consuming, part of planning an attack against a target.

Thanks to a pair of recon tools coded in Python, it takes just seconds to research how a website or server might be vulnerable. No matter what platform you're working with, you can turn up some fascinating results using ReconT and FinalRecon.

What Can Recon Uncover?

It can be tempting for a hacker or pentester to start hacking away at an online target like a website or web server without spending too much time on recon. Attacking without recon is almost always taking the hard route, as time spent studying the target can be used to identify the best plan of action based on the available attack surface. It doesn't make sense to go after the most heavily defended parts of the target when a vulnerable area would require significantly fewer resources to get a better result.

The easiest way to hack an online target is first to spend enough time studying it to get an understanding of which attack surfaces are available and what plan to compromise it might have the best chance of success. A talented hacker won't play to their strengths and use the same trick each time. Instead, they'll formulate a plan that requires the least amount of effort by first narrowing their focus to the weakest part of the target's security.

FinalRecon

Our main goal as a hacker is to identify services that we can attack and assess them for vulnerabilities. These vulnerabilities might be SSH or FTP servers with weak credentials, running services with known vulnerabilities, and links to external resources that could be an avenue for attack. With a few simple scans, it's easy to identify information about a web-based target that includes the IP addresses, subdomains, and potentially vulnerable services running on various ports.

For hackers wanting to keep their recon organized, FinalRecon is an excellent tool for automating your results into neatly organized reports of discovered IP's, services, and subdomains. Besides being cross-platform, easy to install, and easy to use, FinalRecon makes results easy to understand and use directly in follow-up scans.

ReconT

The amount of information ReconT returns from a target can be overwhelming, but the strength of this tool is in the details of the clues it discovers. ReconT is a little harder to use — it doesn't store the results of scans in a nice folder like FinalRecon. The outpouring of information from ReconT can be a lot more detailed than what FinalRecon uncovers, locating SSH servers, and identifying the types of services that are running on the target.

Because these tools both work in different ways, they complement each other nicely as the installation for each is nearly identical. Also, you can use both on any system with Python3 installed. Let's take a look at how these programs work and what they can dig up:

What You'll Need

To use these tools, you can be running a Windows, Linux, or MacOS computer with Python3 installed. I imagine this would also work on mobile devices with Python3 installed and the ability to load libraries.

You will need an internet connection for this to work, as we're scraping data from external websites.

Step 1: Install FinalRecon

FinalRecon is an incredibly simple tool to install, provided you have Python3 on your system. If you do, then installing it requires only a few commands in a fresh terminal window.

By running the commands below, you'll install the files from the GitHub repo, move into the new directory it creates, and then install any libraries needed to run FinalRecon.

git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt

Once this is complete, you can access the help menu by running the finalrecon.py program with the --help argument.

python3 finalrecon.py --help
usage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--full]
                     url

FinalRecon - OSINT Tool for All-In-One Web Recon | v1.0.0

positional arguments:
  url         Target URL

optional arguments:
  -h, --help  show this help message and exit
  --headers   Get Header Information
  --sslinfo   Get SSL Certificate Information
  --whois     Get Whois Lookup
  --crawl     Crawl Target Website
  --full      Get Full Analysis, Test All Available Options

Here, we can see the various available arguments for the program. We can crawl targets, look up whois information, and get data on the SSL certificate a site is using.

Step 2: Scan a Target

For our tests, we'll use the --full flag, as it runs all of the tests listed above. But you could also pick and choose whatever argument you're looking for to get a more specific set of results.

To scan our target, type in the command below, follow with your selected argument — the --full flag in our case, and add the website you're looking to scan. In this example, we're looking for vulnerabilities in Equifax's information site about their 2017 cybersecurity incident.

Dell-3:FinalRecon skickar$ python3 finalrecon.py --full www.equifaxsecurity2017.com

 ______  __   __   __   ______   __
/\  ___\/\ \ /\ "-.\ \ /\  __ \ /\ \
\ \  __\\ \ \\ \ \-.  \\ \  __ \\ \ \____
 \ \_\   \ \_\\ \_\\"\_\\ \_\ \_\\ \_____\
  \/_/    \/_/ \/_/ \/_/ \/_/\/_/ \/_____/
 ______   ______   ______   ______   __   __
/\  == \ /\  ___\ /\  ___\ /\  __ \ /\ "-.\ \
\ \  __< \ \  __\ \ \ \____\ \ \/\ \\ \ \-.  \
 \ \_\ \_\\ \_____\\ \_____\\ \_____\\ \_\\"\_\
  \/_/ /_/ \/_____/ \/_____/ \/_____/ \/_/ \/_/

[>] Created By : thewhiteh4t
[>] Version    : 1.0.0

[+] Target : www.equifaxsecurity2017.com

[+] IP Address : 107.162.143.246

[+] Headers :

[+] Date : Tue, 28 May 2019 05:46:40 GMT
[+] Last-Modified : Wed, 19 Sep 2018 08:36:08 GMT
[+] ETag : "4c7c-576354c3d8e00-gzip"
[+] Accept-Ranges : bytes
[+] Vary : Accept-Encoding
[+] Content-Encoding : gzip
[+] Content-Security-Policy : connect-src 'self';  object-src 'none'; base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests; require-sri-for script style
[+] Strict-Transport-Security : max-age=31536000
[+] Referrer-Policy : strict-origin-when-cross-origin
[+] X-Content-Type-Options : nosniff
[+] X-Frame-Options : SAMEORIGIN
[+] Content-Length : 5006
[+] Keep-Alive : timeout=5, max=100
[+] Connection : Keep-Alive
[+] Content-Type : text/html
[+] Via : 1.1 sjc1-bit9
[+] Set-Cookie : TS01fdad5b=019de3c5d98fcded635d58847700d53c74fdb5b04b2928345f95296b43668a2b714cc0e124; Path=/; Secure; HTTPOnly

[+] SSL Certificate Information :

[+] countryName : US
[+] stateOrProvinceName : GA
[+] localityName : Alpharetta
[+] organizationName : Equifax Inc.
[+] organizationalUnitName : Global Security
[+] commonName : www.equifaxsecurity2017.com
[+] countryName : US
[+] organizationName : DigiCert Inc
[+] commonName : DigiCert SHA2 Secure Server CA
[+] Version : 3
[+] Serial Number : 04672E2D49D32A5CD99FCC6B50D4B688
[+] Not Before : Jan 22 00:00:00 2019 GMT
[+] Not After : Jan 27 12:00:00 2020 GMT
[+] OCSP : ('http://ocsp.digicert.com',)
[+] subject Alt Name : (('DNS', 'www.equifaxsecurity2017.com'), ('DNS', 'equifaxsecurity2017.com'))
[+] CA Issuers : ('http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt',)
[+] CRL Distribution Points : ('http://crl3.digicert.com/ssca-sha2-g6.crl', 'http://crl4.digicert.com/ssca-sha2-g6.crl')

[+] Whois Lookup :

[+] NIR : None
[+] ASN Registry : arin
[+] ASN : 55002
[+] ASN CIDR : 107.162.143.0/24
[+] ASN Country Code : US
[+] ASN Date : 2013-12-19
[+] ASN Description : DEFENSE-NET - Defense.Net, Inc, US
[+] cidr : 107.162.0.0/16
[+] name : DEFENSE-NET
[+] handle : NET-107-162-0-0-1
[+] range : 107.162.0.0 - 107.162.255.255
[+] description : Defense.Net, Inc
[+] country : US
[+] state : WA
[+] city : Seattle
[+] address : 501 Elliott Avenue West
[+] postal_code : 98119
[+] emails : ['netops@defense.net']
[+] created : 2013-12-19
[+] updated : 2013-12-19

[+] Crawling Target...

[+] Looking for robots.txt........[ Not Found ]
[+] Looking for sitemap.xml.......[ Not Found ]
[+] Extracting CSS Links..........[ 1 ]
[+] Extracting Javascript Links...[ 3 ]
[+] Extracting Internal Links.....[ 0 ]
[+] Extracting External Links.....[ 12 ]
[+] Extracting Images.............[ 3 ]

[+] Total Links Extracted : 19

[+] Dumping Links in /Users/skickar/FinalRecon/dumps/www.equifaxsecurity2017.com.dump
[+] Completed!

Step 3: Examine the Results

Now, we can check out the "dumps" folder to find information dumped while scanning the target. Here, we'll be able to see the links that the tool collected. To view this, you can type cd dumps to move into the folder logs are saved in, and then use cat to display the contents of the log.

Dell-3:dumps skickar$ cat www.equifaxsecurity2017.com.dump
URL : http://www.equifaxsecurity2017.com

Title : Cybersecurity Incident & Important Consumer Information | Equifax

robots Links      : 0
sitemap Links     : 0
CSS Links         : 1
JS Links          : 3
Internal Links    : 0
External Links    : 12
Images Links      : 3
Total Links Found : 19

CSS :

//assets.equifax.com/efxsecurity2017/css/style.css

Javascript :

//assets.equifax.com/efxsecurity2017/js/script.js
//assets.equifax.com/efxsecurity2017/js/jquery-migrate.min.js
//assets.equifax.com/efxsecurity2017/js/jquery.js

External Links :

http://equifax.com/personal/products/credit/credit-lock-alert
https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
https://www.experian.com/freeze/center.html
https://trustedidpremier.com/eligibility/eligibility.html
https://equifax.com
https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
http://www.equifax.com/privacy/fcra
https://www.equifax.com
https://trustedidpremier.com/static/terms
http://www.annualcreditreport.com/
http://www.optoutprescreen.com
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Images :

//assets.equifax.com/global/images/logos/logo_EFX_TM.png
//assets.equifax.com/global/images/tagline/english_185x10.png
//assets.equifax.com/global/images/logos/logo_white_123x24.png

As you can see, we've managed to identify internal and external links, image files, Javascript code, and CSS information that could be useful. This website didn't have the robots.txt or sitemap.xml file that usually provides a lot of subdomains and links, so the number of links found is fewer that you can expect on most websites.

The next step to this recon would be to scan the links we found for vulnerabilities or look into the Javascript or CSS code we were able to locate.

Step 4: Install ReconT

Next up, we'll use ReconT to scan another target. I like ReconT a lot, but one thing I noticed is that it does not create a "dump" folder to store results the way FinalRecon does. In spite of this, I find it returns more results, many of which are quite useful. So it's worth using, even if it's a little less user-friendly. Luckily, there's an easy way around this annoyance.

To fix this, we'll create a dump file when we run it. First, let's go ahead and install it, which starts with changing directories to avoid installing it within the FinalRecon folder. In a new terminal window, type cd and then the following commands to install ReconT.

git clone https://github.com/jaxBCD/ReconT.git
apt install python3 nmap
pip3 install -r requirements.txt

Once we've installed the requirements needed to run, we can check out the help file with the following command.

python3 reconT.py --help
Usage: reconT.py [OPTIONS] TARGET

Options:
  --timeout INTEGER  Seconds to wait before timeout connections
  --proxy TEXT       if Use a proxy ex: 0.0.0.0:8888if with auth
                     0.0.0.0:8888@user:password
  --cookies TEXT     if use cookie comma separated cookies to add the
                     requestex: PHPSESS:123,kontol=True
  --help             Show this message and exit.

As you can see, there is no option for saving the results or making many adjustments. You supply a target, and it scans it with intensity.

Step 5: Scan a Target & Cat the Results to a File

Now, we can run a scan by using the command python3 reconT.py and then name of whatever target we want to scan. The scan can output a lot of data, much of which is interesting, but can take a lot of scrolling back in the terminal to access.

To make sure we're able to capture and retrieve it, we can use cat to redirect the output to a new text file. We can do this by adding the pipe symbol, or |, and then cat > example.txt to pipe the output of our recon scan into a text file.

When you run the command, you should see something like this.

python3 reconT.py https://www.equifaxsecurity2017.com/ | cat > equifux.txt
[+] Starting At 2019-05-27 23:04:01.954237
[+] Collecting Information On: https://www.equifaxsecurity2017.com/
[#] Status: 200
[#] Finding Location..!
[#] as: AS55002 Defense.Net, Inc
[#] city: Seattle
[#] country: United States
[#] countryCode: US
[#] isp: Defense.Net
[#] lat: 47.623
[#] lon: -122.365
[#] org: Defense.Net, Inc
[#] query: 107.162.143.246
[#] region: WA
[#] regionName: Washington
[#] status: success
[#] timezone: America/Los_Angeles
[#] zip: 98119
[x] Didn't Detect WAF Presence on: https://www.equifaxsecurity2017.com/
[#] Starting Reverse DNS
[!] Found 1 any Domain
[!] Scanning Open Port
[#] 21/tcp  open ftp
[#] 80/tcp  open http
[#] 443/tcp  open https
[#] 554/tcp  open rtsp
[#] 7070/tcp  open realserver
[+] Getting SSL Info
[+] Collecting Information Disclosure!
[#] Detecting sitemap.xml file
[-] sitemap.xml file not Found!?
[#] Detecting robots.txt file
[-] robots.txt file not Found!?
[#] Detecting GNU Mailman
[-] GNU Mailman App Not Detected!?
[+] Crawling Url Parameter On: https://www.equifaxsecurity2017.com/
[#] Searching Html Form !
[-] No Html Form Found!?
[!] Found 11 dom parameter
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[#] https://www.equifaxsecurity2017.com//#
[-] No internal Dynamic Parameter Found!?
[!] 1 External Dynamic Parameter Discovered
[#] https://fonts.googleapis.com/css?family=Open+Sans%3A300%2C300i%2C400%2C400i%2C600%2C600i%2C700%2C700i&ver=4.9.2
[!] 17 Internal links Discovered
[+] https://www.equifaxsecurity2017.com/
[+] https://www.equifaxsecurity2017.com////fonts.googleapis.com
[+] https://www.equifaxsecurity2017.com////s.w.org
[+] https://www.equifaxsecurity2017.com////assets.equifax.com/efxsecurity2017/css/style.css
[+] https://www.equifaxsecurity2017.com/
[+] https://www.equifaxsecurity2017.com/
[+] https://www.equifaxsecurity2017.com/es/hogar/
[+] https://www.equifaxsecurity2017.com//" class=
[+] https://www.equifaxsecurity2017.com//es/hogar/
[+] https://www.equifaxsecurity2017.com//contact/
[+] https://www.equifaxsecurity2017.com//consumer-notice/
[+] https://www.equifaxsecurity2017.com//updates/
[+] https://www.equifaxsecurity2017.com//frequently-asked-questions/
[+] https://www.equifaxsecurity2017.com//contact/
[+] https://www.equifaxsecurity2017.com//contact/
[+] https://www.equifaxsecurity2017.com//consumer-notice/
[+] https://www.equifaxsecurity2017.com//privacy-policy/
[!] 12 External links Discovered
[#] https://www.equifax.com
[#] https://equifax.com
[#] https://trustedidpremier.com/eligibility/eligibility.html
[#] http://www.annualcreditreport.com/
[#] https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
[#] https://www.experian.com/freeze/center.html
[#] https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
[#] http://equifax.com/personal/products/credit/credit-lock-alert
[#] https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
[#] http://www.optoutprescreen.com
[#] https://trustedidpremier.com/static/terms
[#] http://www.equifax.com/privacy/fcra
[#] Retreive Host Information
[+]  + DNS Server
[+]  + MX Records
[+]  + TXT Records
[+] Subdomain Information
[!] Done At 2019-05-27 23:04:31.246591

That's a lot of data! We've already found a lot more internal links than FinalRecon did. To look at what we found, we can use the cat command again to display the information contained in the log.

cat equifux.txt

   __                                    _____                _
  /__\   ___   ___   ___   _ __         /__   \  ___    ___  | |   //  \\
 / \//  / _ \ / __| / _ \ |  _ \  _____   / /\/ / _ \  / _ \ | |  _\\()//_
/   /  |  __/| (__ | (_) || | | ||_____| / /   | (_) || (_) || | /_//  \\_\
\/\ \   \___| \___| \___/ |_| |_|        \/     \___/  \___/ |_| /  \__/  \
   \/                                (Reconnaisance ToolKit 0.7)

        (by): 407 Authentic Exploit
        (codename): JaxBCD

--------------------------------------------------
- Date: Tue, 28 May 2019 06:04:02 GMT
- Last-Modified: Wed, 19 Sep 2018 08:36:53 GMT
- ETag: "4c7c-576354eec3340-gzip"
- Accept-Ranges: bytes
- Vary: Accept-Encoding
- Content-Encoding: gzip
- Content-Security-Policy: connect-src 'self';  object-src 'none'; base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests; require-sri-for script style
- Strict-Transport-Security: max-age=31536000
- Referrer-Policy: strict-origin-when-cross-origin
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Content-Length: 5006
- Keep-Alive: timeout=5, max=100
- Connection: Keep-Alive
- Content-Type: text/html
- Via: 1.1 sjc1-bit9
- Set-Cookie: TS01fdad5b=019de3c5d9c64b5e73b7e4be48076da79d4febd1135512dc84d342b6684ed5c9ead6014793; Path=/; Secure; HTTPOnly
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
- equifaxsecurity2017.com
--------------------------------------------------
--------------------------------------------------
{'OCSP': ('http://ocsp.digicert.com',),
 'caIssuers': ('http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt',),
 'crlDistributionPoints': ('http://crl3.digicert.com/ssca-sha2-g6.crl',
                           'http://crl4.digicert.com/ssca-sha2-g6.crl'),
 'issuer': ((('countryName', 'US'),),
            (('organizationName', 'DigiCert Inc'),),
            (('commonName', 'DigiCert SHA2 Secure Server CA'),)),
 'notAfter': 'Jan 27 12:00:00 2020 GMT',
 'notBefore': 'Jan 22 00:00:00 2019 GMT',
 'serialNumber': '04672E2D49D32A5CD99FCC6B50D4B688',
 'subject': ((('countryName', 'US'),),
             (('stateOrProvinceName', 'GA'),),
             (('localityName', 'Alpharetta'),),
             (('organizationName', 'Equifax Inc.'),),
             (('organizationalUnitName', 'Global Security'),),
             (('commonName', 'www.equifaxsecurity2017.com'),)),
 'subjectAltName': (('DNS', 'www.equifaxsecurity2017.com'),
                    ('DNS', 'equifaxsecurity2017.com')),
 'version': 3}
-----BEGIN CERTIFICATE-----
MIIGYjCCBUqgAwIBAgIQBGcuLUnTKlzZn8xrUNS2iDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwMTIyMDAwMDAwWhcN
MjAwMTI3MTIwMDAwWjCBhjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkdBMRMwEQYD
VQQHEwpBbHBoYXJldHRhMRUwEwYDVQQKEwxFcXVpZmF4IEluYy4xGDAWBgNVBAsT
D0dsb2JhbCBTZWN1cml0eTEkMCIGA1UEAxMbd3d3LmVxdWlmYXhzZWN1cml0eTIw
MTcuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0zwSjfV+Lm6
IB1X4PaRfaMAGaXtcH2pkcak2dnb0DFj7AbK21F7ku8j9nVqmu128OY0xpppJaEY
k+GEm+PllHdusQ9zjnoxb5fsyRn9wLv7tthL9U5TRAy8XlzqIYzb3r3LndvGcAGg
8ppQ2G5rc7jyVRMRsrVj5kFwARUKN8cPwOARAAguHLPlKHt5cRmQwaa7lidNYgGH
btbecOXnVBTdl4TOdRj54hwDp3A8W3nk4Grh4BlKDtTq9ofgkwFdK7rkOIizE2L9
G7rUohRXSSnBRqu1eRCsz27aCNfuCPp7fU51//7g8LGpE9lYv8gyZaBtJ9l+MYPb
4rB1H+qWBwIDAQABo4IDAjCCAv4wHwYDVR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0
LOHG2eIwHQYDVR0OBBYEFJyeFApXpA+yYhNk5EEk8xQQd+EDMD8GA1UdEQQ4MDaC
G3d3dy5lcXVpZmF4c2VjdXJpdHkyMDE3LmNvbYIXZXF1aWZheHNlY3VyaXR5MjAx
Ny5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
c3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIw
fAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQMG
CisGAQQB1nkCBAIEgfQEgfEA7wB1ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCW
ZDaOHtGFAAABaHZCdYIAAAQDAEYwRAIgfrqIzZ8q3PFda1kZu2bhe2tS+l9yv4yW
LM3EiuqprvgCIDTQlt7CqSk6DBhhjcjAMpxMlTi1TcLMFaIPihD/cxXsAHYAh3W/
51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFodkJ2RgAABAMARzBFAiAu
A/LoVVdyb5otLUqDjeftK5Ol/rEbqlRCWkr1TEGADgIhAI80OnV/+diQducBV3Fn
cP/tPGmugDgDwwHquTAupzu/MA0GCSqGSIb3DQEBCwUAA4IBAQCuScje9IpWeukH
ikTULK6K/hWyDASwWc5rYDlns7oqutJV9Qf9LKNjtLs411tXfiHTK78yzDzd4YcN
j9FhLtIO0iW7xGTCn69JXWS9i9fNaUuPnZIddj6wyAOZV2lc3x2wf4P5WHglf4Qf
KKNUbSuVwn7NVTpOBEno65cHHap/ZDabcLUwZvfT0S6y4oWOJCST/bK1n0rxd5zx
LMc++uDObJn2588clgamF85L7FIyk8/nmEX5TrtNYvQwTpEo4hYV8H55qnuU1nJ1
zcmBDWrf0sMmcvpOWk1Sr66cJf1AXEtqLikOYyBij9FRadeHL7mSWW59/Wg2uNHi
RhUloSDx
-----END CERTIFICATE-----

--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
--------------------------------------------------
Found: 1 Subdomain
- equifaxsecurity2017.com
--------------------------------------------------

pdns105.ultradns.org.

156.154.67.105pdns105.ultradns.orgAS12008 NeuStar, Inc.United States
pdns105.ultradns.com.

156.154.64.105pdns105.ultradns.comAS12008 NeuStar, Inc.United States
a2.verisigndns.com.

209.112.114.33a22.verisigndns.comAS36616 VeriSign Global Registry ServicesUnited States
a3.verisigndns.com.

69.36.145.33pdns2.cscdns.netAS36617 VeriSign Global Registry ServicesUnited States
pdns105.ultradns.net.

156.154.65.105pdns105.ultradns.netAS12008 NeuStar, Inc.United States
a1.verisigndns.com.

209.112.113.33a11.verisigndns.comAS36616 VeriSign Global Registry ServicesUnited States
pdns105.ultradns.biz.

156.154.66.105ns3.eurodns.comAS12008 NeuStar, Inc.United States

--------------------------------------------------

--------------------------------------------------

equifaxsecurity2017.com

107.162.143.246AS55002 Defense.Net, IncUnited States

--------------------------------------------------

Here, we can see we've found other services and information about the certificate. We've also learned more about the content hosted on the site. All of which could be useful for a hacker looking for a way to attack.

Recon Is an Essential Hacking Skills That's Easier with Python

As we saw today, Python tools make it easy to conduct recon from nearly any operating system. Both ReconT and FinalRecon can identify key details about a target that allows a hacker to determine the easiest way to attack any system. After gathering details about the services running on a target, exploring with more active recon measures like Nikto can further enumerate already promising results.

I hope you enjoyed this guide to conducting recon with cross-platform Python tools! If you have any questions about this tutorial on recon, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard