Reconnaissance & Target Discovery
Asset Discovery & Technology Fingerprinting
Knowing what technologies a target runs shapes your attack strategy. Different stacks expose different vulnerability classes, and fingerprinting tells you which checks to run first.
Why Fingerprint?
| Technology | Common Vulnerabilities |
|---|---|
| WordPress | Plugin vulnerabilities, xmlrpc.php |
| Laravel | Debug mode exposure, .env leaks |
| Spring Boot | Actuator endpoints, SpEL injection |
| Node.js/Express | Prototype pollution, SSRF |
| Django | Debug pages, SSTI |
| .NET | Viewstate deserialization |
HTTP Headers Analysis
Headers reveal technology choices:
```bash
# Using curl: do a GET and dump the headers; some servers answer HEAD (-I) differently from GET
curl -s -D - -o /dev/null https://example.com | grep -iE "^(server|x-powered-by|x-aspnet|x-generator|set-cookie):"
# With httpx
echo "example.com" | httpx -silent -server -tech-detect
```
Key headers to examine:
- `Server`: web server (nginx, Apache, IIS)
- `X-Powered-By`: framework or runtime (PHP, Express, ASP.NET)
- `X-Generator`: CMS (WordPress, Drupal)
- `Set-Cookie`: session technology hints (PHPSESSID, JSESSIONID, ASP.NET_SessionId, laravel_session)

`Server` and `X-Powered-By` are routinely stripped or faked by hardening guides and WAFs, so treat them as hints and corroborate with cookie names, error pages and framework-specific paths.
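The header checks above become more useful once the mapping is written down and applied consistently to every host. The following is an added example, not code from the original page: a small header and cookie fingerprinter whose signature tables are an assumed starting set (extend them per engagement). The sample response is constructed, not captured from a real host.

```python
"""Fingerprint a web stack from a raw HTTP response's headers.

Added example (not part of the original page). The signature tables are a
small hand-picked set; extend them for the targets you work on.
"""
import re
from typing import Dict, List

# Header name -> list of (regex, technology label). Matched case-insensitively.
HEADER_SIGNATURES = {
    "server": [
        (r"nginx", "nginx"),
        (r"apache", "Apache httpd"),
        (r"microsoft-iis", "Microsoft IIS"),
        (r"cloudflare", "Cloudflare (CDN in front; origin server hidden)"),
    ],
    "x-powered-by": [
        (r"php", "PHP"),
        (r"express", "Node.js / Express"),
        (r"asp\.net", "ASP.NET"),
        (r"next\.js", "Next.js"),
    ],
    "x-aspnet-version": [(r".", "ASP.NET (X-AspNet-Version present)")],
    "x-generator": [
        (r"wordpress", "WordPress"),
        (r"drupal", "Drupal"),
    ],
}

# Session cookie names survive header hardening far more often than
# X-Powered-By does, so they are checked separately.
COOKIE_SIGNATURES = [
    (r"^PHPSESSID=", "PHP"),
    (r"^JSESSIONID=", "Java servlet container (Tomcat/Jetty/Spring)"),
    (r"^ASP\.NET_SessionId=", "ASP.NET"),
    (r"^laravel_session=", "Laravel"),
    (r"^XSRF-TOKEN=", "Laravel or an Angular-style XSRF cookie"),
    (r"^csrftoken=", "Django"),
    (r"^sessionid=", "Django"),
    (r"^connect\.sid=", "Express (express-session)"),
    (r"^_[a-z0-9_]+_session=", "Ruby on Rails (default _<app>_session cookie)"),
    (r"^wordpress_", "WordPress"),
    (r"^__cfduid=|^__cf_bm=", "Cloudflare"),
]


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response (status line + headers) into a lower-cased
    name -> list of values map. Repeated headers such as Set-Cookie are
    kept as separate entries rather than overwritten."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw: str) -> List[str]:
    """Return the technology labels inferred from the headers, in the order
    the signature tables are consulted (headers first, then cookies)."""
    headers = parse_headers(raw)
    found: List[str] = []
    for name, sigs in HEADER_SIGNATURES.items():
        for value in headers.get(name, []):
            for pattern, label in sigs:
                if re.search(pattern, value, re.I) and label not in found:
                    found.append(label)
    for cookie in headers.get("set-cookie", []):
        for pattern, label in COOKIE_SIGNATURES:
            if re.search(pattern, cookie, re.I) and label not in found:
                found.append(label)
    return found


# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: text/html; charset=UTF-8
Set-Cookie: laravel_session=abc123; path=/; httponly; samesite=lax
Set-Cookie: XSRF-TOKEN=def456; path=/; samesite=lax
X-Powered-By: PHP/8.2.4
"""

if __name__ == "__main__":
    for tech in fingerprint(SAMPLE_RESPONSE):
        print(tech)
```

Feed it the output of `curl -s -D - -o /dev/null <url>`; the sample above yields nginx, PHP and Laravel even if the `X-Powered-By` line is deleted, because the `laravel_session` cookie alone is enough.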
Wappalyzer & Browser Detection
Wappalyzer identifies:
- CMS and frameworks
- JavaScript libraries
- CDN providers
- Analytics tools
- Server-side technologies
```bash
# CLI alternative: webanalyze
webanalyze -host example.com -crawl 2
# Or using httpx tech detection
cat live-hosts.txt | httpx -silent -tech-detect -json -o tech.json
```
Response Analysis
Look for technology indicators:
```bash
# Check common paths
curl -s https://example.com/robots.txt
curl -s https://example.com/sitemap.xml
curl -s https://example.com/.well-known/security.txt
# Check for framework-specific paths. The status code is the signal here:
# a catch-all 200 or a redirect to a login page both need a manual look.
for path in wp-login.php administrator user/login actuator/health; do  # WordPress, Joomla, Drupal, Spring Boot
  curl -s -o /dev/null -w "%{http_code} %{url_effective}\n" "https://example.com/$path"
done
```
JavaScript Analysis
Frontend frameworks and libraries:
```bash
# Extract JavaScript URLs (keep versioned ones such as app.js?v=3, which "\.js$" would miss)
grep -iE "\.js(\?|$)" wayback-urls.txt | sort -u > js-files.txt
# Download and grep for credential-looking identifiers, printing the source URL with each hit
head -20 js-files.txt | while read -r url; do
  curl -s "$url" | grep -oiE "api[_-]?key|secret|token|password" | sort -u | sed "s|^|$url: |"
done
```
Common finds in JS:
- API endpoints
- Hardcoded credentials
- Internal domain names
- Debug functionality
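The grep above only tells you that a suspicious word appears somewhere. The following is an added example, not code from the original page, that pulls out the four things the list names (endpoints, credential-looking assignments, internal hostnames and debug switches) with enough context to act on. The patterns are an assumed starting set, `example.com` stands in for the target's own domain, and the sample bundle is constructed.

```python
"""Mine a JavaScript bundle for API endpoints, internal hostnames,
credential-looking assignments and debug flags.

Added example, not part of the original page. The patterns are an assumed
starting set (not exhaustive) and SAMPLE_JS is constructed; run extract()
on the real files pulled from js-files.txt.
"""
import re
from typing import Dict, List

PATTERNS = {
    # Quoted paths that look like API routes, including template literals.
    "endpoints": re.compile(
        r"""["'`](/(?:api|v\d+|graphql|internal|admin)[A-Za-z0-9_/.${}\-]*)["'`]"""),
    # Hostnames under internal-looking zones or the target's apex
    # (example.com is a placeholder; swap in the real domain).
    "hosts": re.compile(
        r"\b((?:[a-z0-9-]+\.)+(?:internal|local|corp|example\.com))\b", re.I),
    # name: "value" / name = 'value' where the name smells like a credential
    # and the value is at least 8 characters, to cut obvious noise.
    "credentials": re.compile(
        r"""(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|passw(?:or)?d)[A-Za-z_]*)\s*[:=]\s*["']([^"']{8,})["']"""),
    # Formats that are high signal regardless of the variable name.
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Debug switches left enabled in a production bundle.
    "debug_flags": re.compile(r"\b(DEBUG|__DEV__|isDebug|enableDebug)\s*[:=]\s*true\b"),
}


def extract(js: str) -> Dict[str, List[str]]:
    """Return unique hits per category, in order of first appearance.
    Two-group patterns (credentials) are reported as name=value."""
    results: Dict[str, List[str]] = {}
    for category, rx in PATTERNS.items():
        hits: List[str] = []
        for m in rx.finditer(js):
            hit = "=".join(m.groups()) if m.lastindex and m.lastindex > 1 else m.group(1)
            if hit not in hits:
                hits.append(hit)
        results[category] = hits
    return results


# Constructed sample bundle; the key values are made up.
SAMPLE_JS = r'''
const API_BASE = "https://api.internal.example.com";
const client = axios.create({ baseURL: API_BASE });
export function getUser(id) { return client.get(`/api/v2/users/${id}`); }
export function listAdmins() { return client.get('/internal/admin/users'); }
const config = { apiKey: "sk_live_51Habcdefghijklmnop", DEBUG: true };
// Left over from a migration script:
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
'''

if __name__ == "__main__":
    for category, hits in extract(SAMPLE_JS).items():
        for hit in hits:
            print(f"{category}: {hit}")
```

Note that `AWS_ACCESS_KEY_ID` is not caught by the name-based credential pattern (its name contains none of the keywords) but is caught by the AKIA format check; that is why high-signal formats get their own patterns.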
Port & Service Discovery
Expand beyond port 80/443:
```bash
# Using naabu for fast port scanning
naabu -host example.com -top-ports 1000 -silent
# Using nmap for service detection
# -p- scans all 65535 TCP ports; --min-rate 1000 trades accuracy for speed, so lower it on lossy links
nmap -sV -sC -p- --min-rate 1000 example.com -oN nmap-full.txt
# Common interesting ports
# 8080, 8443 - Alternate HTTP/HTTPS
# 9200 - Elasticsearch
# 27017 - MongoDB
# 6379 - Redis
# 5432, 3306 - PostgreSQL, MySQL
```
Cloud Asset Discovery
Identify cloud resources:
```bash
# AWS S3 buckets
# Pattern: {company}.s3.amazonaws.com, {company}-assets, {company}-backup
# Check if bucket exists and is misconfigured:
#   NoSuchBucket = absent, AccessDenied = exists but not listable, a listing = publicly readable
aws s3 ls s3://example-company-backup --no-sign-request
# Azure blob storage
# Pattern: {company}.blob.core.windows.net (account names are global, so a DNS answer means the account exists)
dig +short example-company.blob.core.windows.net
# GCP storage
# Pattern: storage.googleapis.com/{company}; 404 = absent, 403 = exists but private, 200 = listable
curl -s -o /dev/null -w "%{http_code}\n" https://storage.googleapis.com/example-company
```
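Checking one guessed bucket by hand does not scale, and the responses need consistent interpretation. The following is an added example, not code from the original page: it generates S3 candidate names from a company name and classifies the anonymous response. The keyword list is an assumption, and network I/O is left to the caller so the logic can be checked offline (feed `classify_s3_response()` the status and body that curl or `requests` returned).

```python
"""Generate S3 bucket-name candidates and classify anonymous responses.

Added example, not part of the original page. KEYWORDS is an assumed
starting set; no requests are made here, so wire bucket_url() to your own
HTTP client and pass the result to classify_s3_response().
"""
import itertools
import re
from typing import List, Optional, Tuple

# Common suffixes/prefixes seen on real bucket names; extend per target.
KEYWORDS = ["assets", "backup", "backups", "static", "media", "uploads",
            "dev", "staging", "prod", "logs", "data"]
# Underscores are not valid in S3 bucket names, so they are never tried.
SEPARATORS = ["-", ".", ""]
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """S3 rules: 3-63 chars, lowercase letters/digits/dots/hyphens,
    starts and ends with a letter or digit, no consecutive dots."""
    return bool(_BUCKET_RE.match(name)) and ".." not in name


def s3_candidates(company: str, keywords: List[str] = KEYWORDS) -> List[str]:
    """Bare name plus every company/keyword combination in both orders."""
    company = company.lower()
    names = {company}
    for kw, sep in itertools.product(keywords, SEPARATORS):
        names.add(f"{company}{sep}{kw}")
        names.add(f"{kw}{sep}{company}")
    return sorted(n for n in names if is_valid_bucket_name(n))


def bucket_url(name: str) -> str:
    """Virtual-hosted style breaks TLS for names containing dots (the
    wildcard certificate covers a single label), so use path style there."""
    if "." in name:
        return f"https://s3.amazonaws.com/{name}/"
    return f"https://{name}.s3.amazonaws.com/"


def classify_s3_response(status: int, body: str) -> Tuple[Optional[bool], str]:
    """Map an anonymous GET on the bucket root to (exists, description).
    exists is True or False, or None when the response is ambiguous."""
    if status == 404 and "NoSuchBucket" in body:
        return False, "absent (NoSuchBucket)"
    if status == 200 and "<ListBucketResult" in body:
        return True, "exists and is publicly listable"
    if status == 403:
        if "AllAccessDisabled" in body:
            return True, "exists but all access is disabled"
        return True, "exists, listing denied to anonymous users (AccessDenied)"
    if status in (301, 307):
        return True, "exists in another region (redirected)"
    return None, f"unclassified response: HTTP {status}"


if __name__ == "__main__":
    for name in s3_candidates("examplecorp")[:5]:
        print(bucket_url(name))
    # Constructed bodies shaped like real S3 error/listing XML.
    print(classify_s3_response(404, "<Error><Code>NoSuchBucket</Code></Error>"))
    print(classify_s3_response(403, "<Error><Code>AccessDenied</Code></Error>"))
```

A 403 is the interesting middle case: the bucket exists, which confirms the naming convention, and is worth re-testing with authenticated credentials from any AWS account, since "authenticated users" grants are a common misconfiguration.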
Technology-to-Vulnerability Mapping
After fingerprinting, research known issues:
```bash
# Search for CVEs
# searchsploit only covers Exploit-DB; confirm exact affected version ranges against the vendor advisory or NVD
searchsploit "apache 2.4"
searchsploit "wordpress 6.0"
# Check Nuclei templates
nuclei -l live-hosts.txt -tags cve,wordpress,apache -o nuclei-results.txt
```
Documentation Example
```markdown
## Tech Stack: app.example.com
### Server
- Web Server: nginx/1.24.0
- Language: PHP 8.2
- Framework: Laravel
### Frontend
- React 18.2
- jQuery 3.6.0 (the $.extend prototype pollution, CVE-2019-11358, was fixed in 3.4.0; check for newer advisories)
### Infrastructure
- CDN: Cloudflare
- Hosting: AWS (ELB detected)
### Attack Surface
- Laravel debug mode: force an error and check for a stack-trace page (APP_DEBUG=true)
- .env exposure: Check /.env
- phpinfo exposure: Check /phpinfo.php
- Exposed source maps: check for .map files referenced by the React bundles
```
Pro Tip: Technology fingerprinting determines your attack playbook. A WordPress site requires different testing than a Spring Boot API.
Next, we'll discover hidden content and directories.