Post 1: Web Reconnaissance & Enumeration
Finding Every Hidden Door Before You Break In
In any web pentest, recon is everything. Most people rush into testing for SQLi or XSS, but that’s like trying to rob a house without checking if the back door is already open.
This post is your step-by-step guide to web recon and enumeration — what to look for, which tools to use, and how to interpret the output.
Table of Contents
- Why Recon Matters
- Passive vs Active Enumeration
- Discovering Directories and Files
- Identifying Technologies
- Reading HTTP Responses Like a Hacker
- Checking for Misconfigurations
- Fuzzing Parameters
- Tools Recap
1. Why Recon Matters
Web apps are rarely just what you see on the home page. There are:
- Hidden directories (
/admin,/backup,/test) - Old files (
.bak,.old,.zip) - Debug endpoints
- Developer panels
- Unlinked pages
Finding these gives you access others miss — and they’re often vulnerable by design.
2. Passive vs Active Enumeration
Passive Enumeration
Without directly interacting with the app (no alerts/logs):
- View page source
- Check
robots.txt,sitemap.xml - Google Dorking (
site:target.com inurl:admin) - Use
whatweborwappalyzerto fingerprint
curl -s http://target.com/robots.txt
# Lists paths the site doesn't want crawled — often sensitive
whatweb http://target.com
# Detects technologies (CMS, server, languages)
If you’re trying to scan offensivecyberprofessional.com with WhatWeb and get a 403 Forbidden response, it’s because the server is blocking requests from tools using default User-Agents. To get around this, simply spoof the User-Agent to look like a regular browser. For example:
whatweb -U "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" http://offensivecyberprofessional.com
This tells WhatWeb to act like a normal browser, bypassing the block and allowing you to fingerprint the site properly. This is a common trick when dealing with servers protected by basic filters or WAFs.
Active Enumeration
Sends requests to the app — may be logged:
- Directory brute-forcing
- Header grabbing
- Parameter fuzzing
- HTTP method probing
3. Discovering Directories and Files
Gobuster (fast, reliable)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# Scans for directories using wordlist
FFUF (flexible and fast)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Bruteforces endpoints using the FUZZ keyword
Look for:
/admin//uploads//dev//backup.zip.php.bak,.old,.txt
4. Identifying Technologies
# Identify technologies used by the web application
whatweb http://target.com
# Fingerprints tech stack: Apache, PHP, WordPress, etc.
curl -I http://target.com
# View HTTP headers to identify server and backend language
# Example output:
# Server: Apache/2.4.29 (Ubuntu)
# X-Powered-By: PHP/7.2.24
Also try these tools for additional tech fingerprinting:
- Wappalyzer (browser extension) – detects frontend and backend technologies
- Netcraft – online site report with hosting and tech stack info
- BuiltWith – detailed breakdown of technologies used by a website
5. Reading HTTP Responses Like a Hacker
Headers are full of recon gold:
curl -I http://target.com
Check for:
ServerandX-Powered-BySet-Cookie(session tokens)Cache-ControlandContent-Security-Policy- Unusual status codes (e.g.,
403,405,500)
Try changing verbs:
curl -X OPTIONS http://target.com
# Shows allowed HTTP methods — is PUT or DELETE enabled?
6. Checking for Misconfigurations
HTTP Method Tampering
curl -X TRACE http://target.com
# TRACE method can echo back headers — old but useful
CORS Misconfigurations
curl -H "Origin: http://evil.com" -I http://target.com
# Check if Access-Control-Allow-Origin returns *
Backup Files
Try adding:
.php.bak
.php.old
.zip
.sql
Intercept a request in Burp and try these variations manually or with a fuzz list.
7. Fuzzing Parameters
FFUF can also fuzz parameter names:
ffuf -u "http://target.com/index.php?FUZZ=test" -w param-names.txt
# Fuzz for hidden GET parameters
Try this with headers too:
ffuf -w headers.txt:HEADER -u http://target.com -H "FUZZ: test"
# Tests for hidden headers like X-Forwarded-For, X-Original-URL
8. Tools Recap
| Tool | Use Case |
|---|---|
gobuster | Directory brute-forcing |
ffuf | Directory, parameter, and header fuzzing |
whatweb | Fingerprinting technologies |
curl | Manual request inspection |
Burp Suite | Proxy, fuzz, manual testing |
nmap | Service detection and http scripts |
nikto | Basic vuln scanning (low false positives) |
Next Steps
Now that you’ve mapped the attack surface, you’ll know where to:
- Send payloads
- Look for authentication
- Test inputs
- Upload files
- Exploit business logic
Next Up: Authentication Testing
We’ll go deep on:
- Login bypasses
- Bruteforce techniques
- Common flaws in real apps
- Parameter tampering in auth flows