Web Enumeration


Web Reconnaissance is the foundation of a thorough security assessment. This process involves systematically and meticulously collecting information about a target website or web application.

The primary goals of web reconnaissance include:

• Identifying Assets: Uncovering all publicly accessible components of the target, such as web pages, subdomains, IP addresses, and technologies used. This step provides a comprehensive overview of the target’s online presence.

• Discovering Hidden Information: Locating sensitive information that might be inadvertently exposed, including backup files, configuration files, or internal documentation. These findings can reveal valuable insights and potential entry points for attacks.

• Analysing the Attack Surface: Examining the target’s attack surface to identify potential vulnerabilities and weaknesses. This involves assessing the technologies used, configurations, and possible entry points for exploitation.

• Gathering Intelligence: Collecting information that can be leveraged for further exploitation or social engineering attacks. This includes identifying key personnel, email addresses, or patterns of behaviour that could be exploited.

Active Reconnaissance

| Technique | Description | Example | Tools | Risk of Detection |
|---|---|---|---|---|
| Port Scanning | Identifying open ports and services running on the target. | Using Nmap to scan a web server for open ports like 80 (HTTP) and 443 (HTTPS). | Nmap, Masscan, Unicornscan | High: Direct interaction with the target can trigger IDS and firewalls. |
| Vulnerability Scanning | Probing the target for known vulnerabilities, such as outdated software or misconfigurations. | Running Nessus against a web app to check for SQLi or XSS flaws. | Nessus, OpenVAS, Nikto | High: Scanners send exploit payloads that security solutions can detect. |
| Network Mapping | Mapping the target’s network topology, including connected devices and their relationships. | Using traceroute to find packet paths and network hops to a target server. | Traceroute, Nmap | Medium to High: Unusual traffic may raise suspicion. |
| Banner Grabbing | Retrieving info from banners displayed by services on the target. | Connecting to port 80 and examining the HTTP response headers. | Netcat, curl | Low: Minimal interaction but still potentially logged. |
| OS Fingerprinting | Identifying the OS running on the target system. | Using nmap -O to detect if the target runs Linux or Windows. | Nmap, Xprobe2 | Low: Usually passive, but some methods may trigger alerts. |
| Service Enumeration | Identifying the versions and details of services on open ports. | Using nmap -sV to see if Apache 2.4.50 or Nginx 1.18.0 is running. | Nmap | Low: May be logged, but rarely triggers alerts. |
| Web Spidering | Crawling websites to find directories, files, and parameters. | Using Burp Spider or ZAP to discover hidden paths or admin panels. | Burp Suite Spider, OWASP ZAP Spider, Scrapy | Low to Medium: Poorly configured crawlers can draw attention. |
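The Risk of Detection column above notes that web spidering draws attention because a crawler leaves a distinctive footprint in the server logs. As an added example (not part of the original page), the Python below shows the defender's side of that row: it parses constructed Apache/Nginx combined-format access-log lines and flags clients that burst many distinct paths with a high share of 404 responses. The thresholds and the sample log lines are illustrative assumptions.

```python
"""Flag clients whose request pattern looks like web spidering or forced browsing."""
import re
from collections import defaultdict
from datetime import datetime
# Apache/Nginx "combined" access-log format; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_LOG = [  # constructed sample; IPs come from documentation ranges
    '198.51.100.4 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /dev HTTP/1.1" 404 196 "-" "Scrapy/2.11"',
    '203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Scrapy/2.11"',
    '198.51.100.4 - - [10/Oct/2023:13:55:30 +0000] "GET /about HTTP/1.1" 200 3072 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_spidering(lines, window_s=60, min_requests=8, min_404_ratio=0.5):
    """Return {ip: stats} for clients that burst requests in a short window with a high 404 share."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()  # seconds from first to last hit
        not_found = sum(r["status"] == 404 for r in recs)        # guessed paths mostly do not exist
        if len(recs) >= min_requests and span <= window_s and not_found / len(recs) >= min_404_ratio:
            flagged[ip] = {"requests": len(recs), "not_found": not_found, "span_s": span,
                           "distinct_paths": len({r["path"] for r in recs}),
                           "user_agents": sorted({r["ua"] for r in recs})}
    return flagged
```

On the sample above only 203.0.113.7 is flagged (8 requests, 7 of them 404s, inside 3 seconds); the thresholds should be tuned against a baseline of the site's normal 404 rate before alerting on them.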

Passive Reconnaissance

| Technique | Description | Example | Tools | Risk of Detection |
|---|---|---|---|---|
| Search Engine Queries | Using search engines to find information about the target. | Searching Google for “[Target Name] employees” to gather details from public web pages. | Google, DuckDuckGo, Bing, Shodan, Censys | Very Low: Normal browsing behaviour. |
| WHOIS Lookups | Querying WHOIS databases for domain registration details. | WHOIS lookup to find a domain’s registrant name and contact info. | whois, online WHOIS lookup tools | Very Low: Passive, non-intrusive. |
| DNS Enumeration | Inspecting DNS records to discover subdomains and services. | Using dnsenum to identify subdomains and associated infrastructure. | dig, host, nslookup, dnsenum, fierce, dnsrecon | Very Low: DNS lookups are standard traffic. |
| Web Archive Analysis | Checking historical snapshots of websites for leaked or outdated info. | Exploring the Wayback Machine for a site’s earlier pages and exposed paths. | Wayback Machine, archive.org | Very Low: Archival browsing is passive. |
| Social Media Analysis | Mining social platforms for employee roles, structure, or targets. | Searching LinkedIn for staff info to build a profile for social engineering. | LinkedIn, Twitter, Facebook, Maltego, SpiderFoot | Very Low: Public data, not suspicious. |
| Code Repositories | Searching public repos for secrets, tokens, or vulnerable code. | Looking up exposed .env files or hardcoded keys in GitHub repos. | GitHub, GitLab, GitHub Dorks, truffleHog, GitLeaks | Very Low: Public repos are open to search. |