Uncategorized · 05/04/2026 · 6 min read

Mastering Web Reconnaissance with Photon – A Complete Pentest Course

Pablo Rotem


# Web Reconnaissance Using Photon

## Installation and Configuration on Kali Linux

### Step 1: Install Photon

First, make sure your Kali Linux system is up to date. Open a terminal and run:

```bash
sudo apt update && sudo apt upgrade -y
```

Next, install Photon. If you need to install it from its repository rather than from a package, clone the GitHub repository directly:

```bash
git clone https://github.com/eykrehbein/photon.git
cd photon
```

Then install the dependencies listed in the repository's README; the exact command depends on the version you cloned.

### Step 2: Basic Configuration

Before running Photon, decide on the options you want: the maximum link depth to crawl, the output format, and the target domain. One way to keep these choices in one place is a small configuration file (e.g., `photon_config.json`):

```json
{
  "max_depth": 3,
  "output_format": "json",
  "target_domain": "example.com"
}
```

Replace `"example.com"` with your intended target domain. Photon takes its settings as command-line options, so a wrapper script has to translate these fields into the corresponding flags; keeping them in a file makes repeated runs consistent and easy to review.

## Step-by-Step Usage and Real-World Use Cases

### Basic Usage

To run Photon, use the following command:

```bash
photon -u https://example.com -o output_directory/
```

Replace `https://example.com` with the URL you want to analyze and `output_directory/` with the directory where results should be saved.

#### Example: Finding Subdomains

A common reconnaissance task is discovering subdomains of a target. With Photon:

```bash
photon -u https://example.com -l 3 -o output_directory/ --subdomains
```

`-l` sets the maximum crawl depth, and `--subdomains` tells Photon to collect any subdomains linked from the target. Option names differ between versions, so confirm them with `photon -h` before relying on a command from this post.

#### Use Case: Mapping a Web Application

A pentester typically wants to gather as much information about a web application as possible. Combining options produces a more complete map of the target:

```bash
photon -u https://example.com -l 4 --subdomains --links --files -o output_directory/
```

This run collects subdomains, links, and files together, giving a fuller picture of the target application. Keep one output directory per target and per run; comparing URL lists between runs is how you notice new endpoints.

### Advanced Usage

Photon has further options; run `photon -h` to list them. Two that matter in practice:

- **Cookies**: `--cookie` sends a session cookie with each request, so the crawl can reach content that is only visible to an authenticated user. Use a dedicated test account, and remember that a crawler follows every link it finds, including logout and other state-changing ones.
- **Custom User-Agent**: `-a` sets a custom User-Agent string. This helps when an application serves different content to different clients, or when the default crawler signature is filtered.

### External Reference Links

- [Photon's GitHub Repository](https://github.com/eykrehbein/photon)
- [Kali Linux Official Documentation](https://www.kali.org/docs/)
- [Web Application Security Testing Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Web_Application_Security_Testing_Cheat_Sheet.html)

## Detailed Technical Explanations

### Subdomain Enumeration

Subdomain enumeration is a preliminary step in web reconnaissance: it identifies additional hosts that are not visible from the main domain. Tools like Photon automate parts of this task, drawing on several techniques:

- **DNS brute force**: candidate names from a wordlist are prepended to the domain and resolved; names that resolve are live subdomains.
- **Search engine queries**: many tools query search engines for links associated with the main domain; Photon uses this as one of its sources.
- **Crawled links**: every absolute URL found during the crawl carries a host name; filtering those hosts down to the target domain yields subdomains without sending any extra requests.

### Link and File Discovery

Link discovery uncovers the interconnected links within a site, helping pentesters map the structure of the application. File discovery identifies publicly accessible files, such as backups, exports, or configuration leftovers, which may contain sensitive information.

### Performance Optimization

To tune performance:

- **Adjust the crawl depth**: a smaller depth returns results sooner but may miss links that are only reachable several hops in.
- **Use multithreading**: if resources allow, use the option for parallel requests to speed up crawling. Rate-limit against production targets; an aggressive crawl looks like a denial-of-service attempt in the target's logs.

## Code Examples for WordPress

This section outlines scenarios where you would run specific Photon commands against a WordPress site.

### Example 1: Basic Reconnaissance on a WordPress Site

To start assessing a WordPress site, begin with a plain crawl:

```bash
photon -u https://wordpress-site.com -o wordpress_recon/
```
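The subdomain command earlier and the plugin and file commands that follow all ask the crawler for a specific view of the target, but whatever option names your installed version supports, the raw URL list a crawl writes already contains that information. As an added example, not code from the original post or from the Photon project, the POSIX shell script below post-processes such a list: it derives in-scope subdomains for a target domain, lists WordPress plugins and themes with the `?ver=` values seen on their assets, and flags file names that commonly leak sensitive data. The input file name, the existence of a one-URL-per-line output file, and the sample URLs embedded in the script are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example: post-process the URL list a crawl produces. Not code from
# the original post or the Photon project. Assumes the crawl wrote one
# absolute URL per line to a file; the file name, the tool's output option
# and the sample URLs below are constructed assumptions for this demo.

# extract_hosts: print the lowercase host of each URL read on stdin
extract_hosts() {
    sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' \
        -e 's|^[^/@]*@||' \
        -e 's|[/:?#].*$||' \
    | tr 'A-Z' 'a-z'
}

# subdomains_of DOMAIN: unique hosts that are proper subdomains of DOMAIN.
# Matching on ".DOMAIN" rather than "DOMAIN" keeps look-alikes such as
# notexample.com and example.com.evil.test out of scope.
subdomains_of() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    extract_hosts | awk -v d="$d" '
        substr($0, length($0) - length(d)) == "." d { print }
    ' | LC_ALL=C sort -u
}

# wp_components: "plugin NAME VERSIONS" / "theme NAME VERSIONS" for every
# /wp-content/plugins/NAME/ or /wp-content/themes/NAME/ path seen, with
# the distinct ?ver= values attached to that component ("-" if none)
wp_components() {
    awk '
        BEGIN { re = "/wp-content/(plugins|themes)/[^/?#]+" }
        match($0, re) {
            path = substr($0, RSTART + 12, RLENGTH - 12)   # drop "/wp-content/"
            split(path, p, "/")
            key = (p[1] == "plugins" ? "plugin" : "theme") " " p[2]
            seen[key] = 1
            if (match($0, /[?&]ver=[^&#]+/)) {
                v = substr($0, RSTART + 5, RLENGTH - 5)    # drop "?ver="
                if (ver[key] == "") ver[key] = v
                else if (index(" " ver[key] " ", " " v " ") == 0) ver[key] = ver[key] " " v
            }
        }
        END { for (k in seen) print k, (ver[k] == "" ? "-" : ver[k]) }
    ' | LC_ALL=C sort
}

# sensitive_files: URLs whose path (query and fragment removed) ends in an
# extension or file name that commonly leaks secrets, source or versions
sensitive_files() {
    awk '
        BEGIN {
            ext_re  = "\\.(bak|old|orig|sql|zip|tar|gz|env|log|swp)$"
            name_re = "/(wp-config\\.php(~|\\.save)|\\.git/HEAD|readme\\.txt|readme\\.html)$"
        }
        {
            path = $0
            sub(/[?#].*$/, "", path)
            if (path ~ ext_re || path ~ name_re) print $0
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample crawl output (not real data); the plugin names are real
# projects, the versions and paths are made up for the demonstration
SAMPLE_URLS='https://www.example.com/
https://example.com/about
http://Dev.example.com:8080/login?next=/
https://static.example.com/js/app.js
https://cdn.example.net/lib.js
https://notexample.com/x
https://user:pw@admin.example.com/#top
https://example.com.evil.test/phish
https://wordpress-site.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.9.8
https://wordpress-site.com/wp-content/plugins/contact-form-7/readme.txt
https://wordpress-site.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=9.0.2
https://wordpress-site.com/wp-content/themes/twentytwentyfour/style.css?ver=1.1
https://wordpress-site.com/wp-content/uploads/2024/01/site-backup.zip
https://wordpress-site.com/wp-content/uploads/db-export.sql?download=1
https://wordpress-site.com/wp-config.php.bak
https://wordpress-site.com/wp-content/debug.log'

demo_subdomains() { printf '%s\n' "$SAMPLE_URLS" | subdomains_of example.com; }
demo_components() { printf '%s\n' "$SAMPLE_URLS" | wp_components; }
demo_sensitive()  { printf '%s\n' "$SAMPLE_URLS" | sensitive_files; }

# Usage: sh recon_post.sh DOMAIN < urls.txt   (no arguments: run on the sample)
if [ $# -gt 0 ]; then
    tmp=$(mktemp); cat > "$tmp"
    subdomains_of "$1" < "$tmp"; wp_components < "$tmp"; sensitive_files < "$tmp"
    rm -f "$tmp"
else
    demo_subdomains; demo_components; demo_sensitive
fi
```

Run it as `sh recon_post.sh example.com < urls.txt`, or with no arguments to see it work on the embedded sample. Two details matter in practice: the subdomain filter matches on `.example.com`, not `example.com`, so look-alike hosts such as `notexample.com` and `example.com.evil.test` stay out of scope; and a `?ver=` value on a WordPress asset can be the core WordPress version appended by default rather than the plugin's own, so confirm a plugin's version from its `readme.txt` before reporting it.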
### Example 2: Enumerating Plugins

Plugins are a common attack vector in WordPress. To discover them:

```bash
photon -u https://wordpress-site.com -l 3 --plugins -o wordpress_plugins/
```

This crawls the site to a depth of 3 and reports installed plugins. The underlying evidence is the `/wp-content/plugins/<name>/` paths that appear in the crawled URLs, so even a version without a plugin option exposes the plugin names in its URL output.

### Example 3: File Enumeration

To search for sensitive files that may have been left exposed:

```bash
photon -u https://wordpress-site.com --files -o wordpress_files/
```

This lists files that could contain sensitive information. Treat the output as leads rather than findings: fetch each candidate and confirm what it actually returns before reporting it.

### Conclusion

Used well, Photon substantially improves web reconnaissance, particularly when assessing WordPress applications. It simplifies uncovering subdomains, links, and files, giving pentesters the intelligence they need to identify vulnerabilities.

As you become familiar with its options, consider writing scripts that automate the repetitive parts, so you can spend your time analysing results rather than collecting data.

Mastering tools like Photon is a cornerstone of effective penetration testing, paving the way for thorough security assessments and better web application defenses.

Made by Pablo Rotem / פבלו רותם