Methodology Checklist
- Run full recon methodology against assessment target
- Document all discovered subdomains and vhosts
- Identify CMS/technology stack
- Discover all accessible endpoints and parameters
- Note sensitive files or directories exposed
- Identify any authentication bypass or information disclosure findings
- Compile findings summary for reporting
Operational Context
Use when: validating web recon methodology against a lab environment; practice running the full chain from passive to active enumeration.
Think Dumber First: follow the chain: WHOIS → CT logs → subfinder → dnsx → whatweb → directory brute → vhost fuzz → crawl. Don't skip steps to save time in labs; that habit carries into real engagements.
Skip when: N/A; lab-specific walkthrough file.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `export IP=[TARGET_IP]; export PORT=[PORT]; export DOMAIN="[DOMAIN]"` | Set environment variables |
| `whois [DOMAIN] \| grep "IANA ID"` | Get registrar IANA ID (public domain) |
| `curl -I http://$IP:$PORT` | Banner grab → identify server software |
| `gobuster vhost -u http://$IP:$PORT -w [WORDLIST] --append-domain -t 50` | Layer 1 VHost discovery |
| `echo "$IP [VHOST]" \| sudo tee -a /etc/hosts` | Map discovered VHost |
| `curl http://[VHOST]:$PORT/robots.txt` | Check robots.txt on subdomain |
| `gobuster dir -u http://[VHOST]:$PORT -w /usr/share/wordlists/dirb/common.txt` | Directory brute-force on subdomain |
| `curl http://[VHOST]:$PORT/[HIDDEN_DIR]/` | Access discovered directory |
| `gobuster vhost -u http://[VHOST]:$PORT -w [WORDLIST] --append-domain -t 50` | Layer 2: scan subdomain for sub-subdomains |
| `echo "$IP dev.[VHOST]" \| sudo tee -a /etc/hosts` | Map deep subdomain |
| `python3 ReconSpider.py http://dev.[VHOST]:$PORT` | Crawl deep subdomain |
| `cat results.json \| grep "comments" -A 5` | Find API keys in comments |
Deep Dive & Workflow
Critical Pattern: Recursive VHost Enumeration
The key skill tested: finding sub-subdomains. When a subdomain appears empty, scan it for deeper VHosts.
Attack Chain
- Pre-engagement: set `IP`, `PORT`, `DOMAIN` env vars
- WHOIS: public domain queries (e.g., `inlanefreight.com`) → not the lab IP
- Banner grab: `curl -I http://$IP:$PORT` → Server header
- VHost Layer 1: Gobuster → finds `web1337.inlanefreight.htb`
- Map VHost → add to `/etc/hosts`
- robots.txt check on new subdomain → may reveal hidden directory
- Dir brute-force on new subdomain → find `/admin_h1dd3n/`
- VHost Layer 2: scan `web1337.inlanefreight.htb` for sub-subdomains → finds `dev.web1337.inlanefreight.htb`
- Map deep VHost → add to `/etc/hosts`
- ReconSpider crawl on `dev.web1337.inlanefreight.htb` → `results.json`
- Extract data: `emails` key → email address, `comments` key → new API key
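Added example for the last step (not part of these notes or the ReconSpider project): a small Python parser that turns a ReconSpider-style `results.json` into a findings summary for reporting. It assumes the JSON has top-level `emails` and `comments` lists, runs on a constructed sample, and the secret-label list it matches is an assumption to tune against real crawl output.

```python
import json
import re

# Constructed sample in the shape ReconSpider's results.json is assumed to
# take (top-level "emails" and "comments" lists); not real crawler output.
SAMPLE_RESULTS = json.dumps({
    "emails": ["Contact@example.htb", "contact@example.htb", "dev@example.htb"],
    "comments": [
        "<!-- TODO: remove before prod -->",
        "<!-- api_key=EXAMPLE_PLACEHOLDER_KEY_1234567890 -->",
        "<!-- copyright 2024 -->",
    ],
    "links": ["http://example.htb/"],
})

# Crude pattern for key-like material inside HTML comments. The label list is
# an assumption; extend it to match what the crawl actually returns.
SECRET_HINT = re.compile(
    r"\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*(\S+)", re.I
)


def summarize_results(raw_json):
    """Build a findings summary from ReconSpider-style JSON text.

    Returns a dict with de-duplicated emails, the comments that look like
    they carry a credential, and the total comment count for the report.
    """
    data = json.loads(raw_json)
    emails = sorted({e.strip().lower() for e in data.get("emails", [])})
    suspicious = []
    for comment in data.get("comments", []):
        match = SECRET_HINT.search(comment)
        if match:
            suspicious.append({
                "label": match.group(1).lower(),
                # Strip a trailing comment close ("-->") glued to the value.
                "value": match.group(2).rstrip("->"),
                "comment": comment,
            })
    return {
        "emails": emails,
        "suspicious_comments": suspicious,
        "comment_count": len(data.get("comments", [])),
    }


if __name__ == "__main__":
    # Replace SAMPLE_RESULTS with open("results.json").read() on a real run.
    print(json.dumps(summarize_results(SAMPLE_RESULTS), indent=2))
```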
Exam Reminders
- Public questions (IANA ID, Whois) → query the real internet
- Target questions (Server, Keys, Emails) → query the lab IP
- If crawler returns 0 results: check `/etc/hosts`; site may be empty (try dir brute-force); may be blocked (change User-Agent)
- Don't trust automation blindly → always manually verify with `curl`
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Lab target not responding | VPN or target not started | Run ping [TARGET_IP] first; restart target in HTB panel if no response |
| Skills assessment flag not found after enumeration | Missed a vhost or hidden endpoint | Re-run ffuf with bigger wordlist (raft-large-directories.txt); fuzz vhosts too |
| whatweb returns different results than expected | Target config differs from lab guide | Document actual findings; lab guide may be outdated |
| Directory brute returns all 200s | Web server wildcard response | Detect baseline: `curl http://[TARGET_IP]/randompath123` → if 200, filter by size (`-fs [size]`) |
| CT log search returns no results for lab domain | Lab uses .htb or local TLD | CT logs only work for real TLDs; use DNS brute and vhost fuzzing instead |
Reporting Trigger
Finding Title: Web Recon Methodology Validation: Lab Assessment
Impact: Skills assessment confirms operator proficiency with passive-to-active web recon chain including WHOIS, subdomain enumeration, vhost discovery, and fingerprinting.
Root Cause: N/A (training exercise).
Recommendation: Document full recon chain output. Flag any technique gaps for additional practice. Ensure all tool outputs are saved with tee for later reference.