Skip to main content

Posts

Showing posts with the label Reconnaissance

Reconnaissance Workflow 2026: Complete Beginner to Pro Guide for Ethical Hacking

  Introduction Reconnaissance is the foundation of every successful penetration test. Before exploiting any system, security professionals must understand the target’s structure, assets, and attack surface. This Reconnaissance Workflow 2026 provides a complete step-by-step approach, combining multiple tools and techniques used in real-world cybersecurity. What is Reconnaissance Reconnaissance (Recon) is the process of gathering information about a target system before launching an attack or security assessment. It is divided into two types: Passive Recon (no direct interaction) Active Recon (direct interaction with target) Why Recon is Important Identifies attack surface Reduces guesswork Improves success rate Helps find hidden assets Complete Recon Workflow Step 1: Domain Information Gathering whois example.com Step 2: DNS Enumeration nslookup example.com dig example.com Step 3: Subdomain Discovery subfinder -d example.com Step 4: Live Host Detection nmap -sn example.com Step 5: ...

Subdomain Takeover Guide 2026: Finding and Securing Dangling DNS Records

  Introduction In modern web infrastructures, organizations often use multiple third-party services like hosting platforms, CDNs, and SaaS tools. If these services are not configured properly, they can lead to a serious vulnerability known as Subdomain Takeover. This Subdomain Takeover guide 2026 explains how attackers identify misconfigured DNS records and how security professionals can prevent them. What is Subdomain Takeover Subdomain Takeover occurs when a subdomain points to an external service that is no longer active, but the DNS record still exists. An attacker can claim that external resource and gain control over the subdomain. Why It is Dangerous Full control over subdomain content Phishing attacks Cookie stealing Brand reputation damage How Subdomain Takeover Works A subdomain (e.g., test.example.com) points to a service (e.g., GitHub Pages) The service is deleted or inactive DNS record still exists Attacker registers the same service Attacker gains control of the subd...

DNS Enumeration Guide 2026: Complete Reconnaissance Workflow for Beginners

  Introduction After learning tools like Nslookup and Dig, the next step in cybersecurity reconnaissance is DNS Enumeration. This process helps security professionals gather detailed information about a target domain. This DNS Enumeration guide 2026 explains how to collect domain data using multiple tools and techniques in a structured way. What is DNS Enumeration DNS Enumeration is the process of collecting DNS-related information about a target domain, including subdomains, name servers, mail servers, and IP addresses. It plays a critical role in reconnaissance , penetration testing , and bug bounty hunting . Why DNS Enumeration is Important Discover hidden subdomains Identify attack surface Gather infrastructure details Support vulnerability discovery Basic DNS Enumeration Workflow Domain identification DNS record lookup Subdomain discovery IP mapping Data analysis Step 1: Basic DNS Lookup nslookup example.com Step 2: Advanced DNS Query dig example.com Step 3: Whois Information...

WHOIS Lookup (2026): Uncovering Domain Ownership & Server Details

  Welcome to another segment of our Information Gathering series! In our previous post, we explored WhatWeb to identify a website's internal technology stack. However, to understand who is behind a website, when it was registered, or which company manages its infrastructure, we need a technique called WHOIS Lookup . WHOIS is a fundamental footprinting method used by penetration testers to gather domain-level intelligence. What is WHOIS? WHOIS (pronounced as the phrase "who is") is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block. Essentially, it acts as a public directory providing details about domain ownership, registration dates, expiry dates, and authoritative name servers. Why is it Important for Ethical Hackers? For a security researcher, a WHOIS lookup is vital for several reasons: Ownership Identity: Identifies the person or organization ...

WhatWeb Guide (2026): Identifying Website Technologies Like a Pro

  Welcome back to CyberShield! Amra ager post-e Nmap diye network scanning shikhechi. Kintu jokhon apnar target ekti website hoy, tokhon shudhu port scan korle hoy na; apnake jante hoy shei site-ti kon technology diye toiri. Ajke amra ekti powerful reconnaissance tool niye alochona korbo, jar nam holo WhatWeb . WhatWeb Ki? WhatWeb holo ekti open-source "Next-generation web scanner." Eti ekti website-er technology stack identify korte babohar kora hoy. Mane, ekti site kon CMS (Content Management System), kon web server, kon programming language, ebong kon kon plugin babohar korche, ta WhatWeb ekti command-er maddhome bole dite pare. WhatWeb Keno Babohar Korben? Passive Reconnaissance-er khetre WhatWeb khub-i guruttopurno. Eti diye niche-r jinish gulo khuje paoa jay: CMS Discovery: Site-ti ki WordPress, Joomla, naki Drupal? Web Server Information: Server-ti ki Apache, Nginx, naki Microsoft-IIS? Frameworks: Site-ti ki React, Vue.js, naki Laravel babohar korche? Plugins ...

Google Dorking Guide (2026): Using Advanced Search to Discover Hidden Information

Welcome back to CyberShield! Search engines are more powerful than most people realize. Beyond regular queries, they can reveal deeply indexed content that is not easily visible through normal browsing. In cybersecurity, this technique is known as Google Dorking . It allows researchers to uncover publicly exposed data using advanced search queries without ever directly interacting with the target's server. What is Google Dorking? Google Dorking refers to the use of advanced search operators to locate specific types of information within search engine indexes. Instead of performing simple keyword searches, users apply structured queries to filter results and uncover hidden or sensitive data that was never meant to be public. Why It Matters in Security Testing For penetration testers and bug bounty hunters, this technique is a vital part of passive reconnaissance . It helps to: Identify exposed files and directories: Finding folders that should be private. Discover forgotten or unl...

Nmap Tutorial: Complete Guide to Network Scanning and Reconnaissance (2026)

  Introduction In penetration testing and cybersecurity, the first step is always reconnaissance. Before identifying vulnerabilities, you need to understand the target system—what services are running, which ports are open, and what technologies are in use. One of the most powerful tools for this purpose is Nmap (Network Mapper). What is Nmap? Nmap is an open-source network scanning tool used to discover hosts and services on a network. Security professionals use Nmap to: Identify active devices Detect open ports Discover running services Gather system information Why Nmap is Important Nmap plays a crucial role in the reconnaissance phase: Network Discovery It helps identify which systems are online. Port Scanning You can find open, closed, and filtered ports. Service Detection Nmap can detect the version of services running on ports. Security Assessment It helps identify potential entry points for attackers. Installing Nmap On Kali Linux: sudo apt install nmap Basic Nmap Commands ...

WafW00f Tutorial: Detecting Web Application Firewalls (WAF) in 2026.

  Introduction During reconnaissance and penetration testing, understanding a target’s defensive setup is critical. Before attempting any testing, security professionals need to know what protections are in place. One of the most common defenses used by modern web applications is a Web Application Firewall (WAF). To identify this protection layer, a specialized tool called WafW00f is widely used. What is WafW00f? WafW00f is an open-source reconnaissance tool designed to detect the presence of a Web Application Firewall. It helps security testers determine: Whether a WAF is protecting the target The specific type or vendor of the WAF This information is useful when planning testing strategies and understanding possible restrictions. What is a Web Application Firewall (WAF)? A Web Application Firewall (WAF) is a security system that monitors and filters incoming HTTP/HTTPS traffic between users and a web application. It protects against attacks such as: SQL Injection Cross-Site Scrip...

Subdomain Enumeration Guide: Finding Hidden Attack Surfaces (2026)

  Welcome back to our Cybersecurity series! We have completed our initial 20-post journey, but the learning never stops. Today, we are diving deep into the most critical part of the Reconnaissance phase: Subdomain Enumeration . What is Subdomain Enumeration? Subdomain Enumeration is the process of finding all the subdomains (e.g., dev.example.com , api.example.com , staging.example.com ) associated with a main domain ( example.com ). Professional hackers spend a lot of time here because main domains are usually highly secured, but subdomains—especially those used for development or testing—often have weak security, unpatched software, or hidden admin panels. Why Should You Care About Subdomains? Hidden Assets: Companies often forget about old subdomains that might contain sensitive data or old backup files. Increased Attack Surface: Every new subdomain is a new chance to find a bug like SQLi, XSS, or SSRF. Subdomain Takeover: Sometimes, a subdomain points to a service (like Gi...

Directory Bruteforce: Discover Hidden Paths in Web Applications (2026 Guide)

Introduction In web penetration testing, discovering hidden directories and files is a crucial step. Many sensitive resources are not publicly linked but still accessible. Directory bruteforcing helps identify these hidden endpoints and expand the attack surface. What is Directory Bruteforce? Directory bruteforce is a technique used to discover hidden files and directories on a web server by systematically guessing possible paths. It works by sending multiple HTTP requests with different directory names from a wordlist. Why Directory Enumeration is Important Hidden directories may contain: Admin panels Backup files Configuration files API endpoints Development environments These can expose vulnerabilities. Popular Tools for Directory Bruteforce Common tools include: Gobuster Dirsearch FFUF These tools automate the process of discovering hidden paths. Installing Gobuster On Kali Linux: sudo apt install gobuster Basic Usage gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/...

Subfinder Tutorial: Complete Guide to Subdomain Enumeration (2026)

Introduction Subdomain enumeration is a crucial step in reconnaissance for penetration testing and bug bounty hunting. Finding hidden subdomains can reveal additional attack surfaces. One of the most efficient tools for this task is Subfinder. What is Subfinder? Subfinder is a fast and powerful subdomain discovery tool designed to find valid subdomains using passive sources. It is widely used by security researchers for reconnaissance. Key Features Passive subdomain enumeration Fast and lightweight Uses multiple data sources Easy to use Suitable for bug bounty workflows Why Subdomain Enumeration Matters Subdomains often expose: Admin panels APIs Development environments Misconfigured services These can lead to vulnerabilities. Installation Install Subfinder using Go: go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest Make sure your PATH is configured correctly. Basic Usage subfinder -d example.com This command finds subdomains of the target domain. Save Output ...