# Recon Checklist

### Single Web Application

* Technology Fingerprinting - Identify web server, development language, development framework, CMS.
* Check for robots.txt, .git and other common files (Nikto can be used).
* Spider/crawl the application.
* Directory Brute force based on dev language:
  * PHP - .php, .txt, .bak, .zip, .html, .xml, .js, .env
  * ASPX - .aspx, .ashx, .txt, .bak, .zip, .html, .xml, .js, .env
* Google Dorking (fastdork can be used)
  * Identify pages and directories
  * Identify files (.txt, .zip, .env, .xlsx, etc.)
* JavaScript (Based on <https://gist.github.com/m4ll0k/31ce0505270e0a022410a50c8b6311ff>)
  * Collect all .js URLs in the application using getSrc, gau and Burp Suite's 'Find Scripts' (gau alternatives: waymore, waybackurls).
  * Identify paths and links using linkfinder.
  * Use collector.py to segregate linkfinder output into files, js, params, paths and URLs.
  * Identify hardcoded secrets (API keys, access tokens, authorization values) using secretfinder.
  * Use gf-patterns to identify potential injection points for XSS, SQLi, LFI, etc.
  * Use httpx to check whether the URLs still exist.
* Identify hidden parameters and headers (Param Miner - Burp extension).
* Cloud-based WAF bypass - directly access the web server:
  * Search Shodan using the certificate CN.
  * Check historic hosting IPs using SecurityTrails.
* Enumerate public buckets related to the web app (<http://buckets.grayhatwarfare.com/> or other tools in <https://github.com/mxm0z/awesome-sec-s3>).
* Port Scanning
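
For the JavaScript steps above (linkfinder, collector.py, secretfinder), here is an added Python example, not part of the original checklist or of those tools, that extracts endpoint-looking strings from a JavaScript bundle, sorts them into the same buckets collector.py uses (files, js, params, paths, URLs) and flags hard-coded secrets, which is also how an application owner reviews what a shipped bundle exposes. The endpoint and secret regexes and the sample bundle are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Quoted strings that look like absolute URLs or root-relative paths
# (a simplified version of the regex linkfinder applies).
ENDPOINT_RE = re.compile(r"""["'`]((?:https?:)?//[^"'`\s]+|/[A-Za-z0-9_./?=&%-]*)["'`]""")

# Secret patterns (assumptions for this example, not from the checklist):
# the AWS access key id format plus generic key/token assignments.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
    "generic_api_key": re.compile(
        r"""(?i)(api[_-]?key|secret|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']"""),
}
JS_EXTS = (".js", ".mjs")
FILE_EXTS = (".txt", ".zip", ".env", ".xlsx", ".bak", ".xml", ".json", ".pdf")


def classify(endpoint: str) -> str:
    """Bucket an extracted string as collector.py does: urls, params, js, files or paths."""
    if endpoint.startswith(("http://", "https://", "//")):
        return "urls"
    if "?" in endpoint:  # query string present -> candidate parameters
        return "params"
    low = endpoint.lower()
    if low.endswith(JS_EXTS):
        return "js"
    if low.endswith(FILE_EXTS):
        return "files"
    return "paths"


def analyze_bundle(source: str) -> dict:
    """Return {'endpoints': {bucket: sorted strings}, 'secrets': [(kind, match), ...]}."""
    buckets = defaultdict(set)
    for m in ENDPOINT_RE.finditer(source):
        buckets[classify(m.group(1))].add(m.group(1))
    secrets = [(kind, m.group(0))
               for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(source)]
    return {"endpoints": {k: sorted(v) for k, v in buckets.items()}, "secrets": secrets}


# Constructed bundle excerpt; the AWS key is Amazon's documented example key, not a live one.
SAMPLE_JS = r"""
fetch("/api/v1/users?id=1"); const cfg = "/static/app.min.js";
const dl = "/exports/report.xlsx"; const cdn = "https://cdn.example.com/lib.js";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE"; const api_key = "constructed_0123456789abcdef";
fetch("/health", {headers: {Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.e30.signature_here"}});
"""

if __name__ == "__main__":
    report = analyze_bundle(SAMPLE_JS)
    for kind, hit in report["secrets"]:
        print(f"[secret:{kind}] {hit}")
    for bucket, items in report["endpoints"].items():
        print(f"[{bucket}] {' '.join(items)}")
```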

### Wider Scope (*In addition to the above items*):

* Subdomain Enumeration
  * Active and passive enumeration - subfinder, amass (use all APIs)
  * Generate permutations - altdns
  * Brute force - shuffledns
  * Google Dorking.
* Identify IP addresses and domain names - Shodan, Censys.
* Identify virtual hosts - SecurityTrails reverse lookup, msn.com 'ip:' dork.
* Identify IP ranges using the netblock owner.
* Identify valid web servers (subdomains and IPs) - httpx.
* Subdomain takeover - subzy, can-i-take-over-xyz, nuclei: detect-all-takeovers.
* GitHub Reconnaissance - <https://vsec7.github.io/>
