# Web Reconnaissance Using Photon
## Installation and Configuration on Kali Linux
Before diving into the functionalities of Photon, a web reconnaissance tool, let's start with the installation and configuration process on Kali Linux. The tool is designed for gathering subdomains and other web-related data to support penetration testers during the reconnaissance phase.
### Prerequisites
- Ensure you are running the latest version of Kali Linux. Updates can be performed using the following command:
```bash
sudo apt update && sudo apt upgrade -y
```
- You should have access to the terminal with root privileges.
### Step 1: Installation
#### Installing Photon
Photon can be installed from GitHub. Follow these steps to install it on your Kali Linux environment:
1. **Open your terminal**.
2. **Clone the Photon repository**:
```bash
git clone https://github.com/s0md3v/Photon.git
```
3. **Navigate to the cloned directory**:
```bash
cd Photon
```
4. **Install the required dependencies** (ensure that you have Python 3 installed):
```bash
pip3 install -r requirements.txt
```
5. **Make the script executable**:
```bash
chmod +x photon.py
```
6. **Move it to a bin directory** for easier access:
```bash
sudo mv photon.py /usr/local/bin/photon
```
Note that `photon.py` imports its helper modules from the repository's `core` directory, so once the single file has been moved it must still be launched from the cloned directory, or through a small wrapper script that changes into that directory first; otherwise the imports fail.
### Step 2: Configuration
Photon does not require extensive configuration but provides a way to customize its output and behavior.
- **API Keys**: If you are using any API for additional features, store your keys in a `.env` file or configure them as environment variables.
- **Output File**: You can specify the output file format (JSON, text, etc.) when running Photon.
```bash
export API_KEY='your_api_key_here'
```
## Step-by-Step Usage and Real-World Use Cases
Once Photon is installed and configured, you can start using it for web reconnaissance. Below are some common usage examples and explanations.
### Basic Usage
The basic command structure for running Photon is:
```bash
photon -u <target URL>
```
- `-u`: the target URL to crawl.
- `-o`: the file in which to store the output.
#### Example Command
```bash
photon -u https://example.com -o output.txt
```
### Options
Photon comes with various options to customize your scans. Here are some commonly used flags:
- `-d`: To set the depth of the crawl.
- `-t`: To specify the number of concurrent threads for requests.
- `-r`: To include or exclude specific domains or subdomains.
- `-h`: To display the help information.
### Real-World Use Cases
#### 1. Subdomain Enumeration
One of the primary use cases for Photon is enumerating subdomains. This is a vital step for building a complete picture of the hosts a web application exposes.
```bash
photon -u https://testsite.com -o subdomains.txt -d 2 -t 20
```
In the command above:
- `-d 2` allows the tool to crawl two levels deep to discover subdomains.
- `-t 20` sets the number of concurrent threads for faster processing.
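As an added example (not Photon's own code and not part of the original post), the following Python script turns a crawler's URL list, such as the `subdomains.txt` produced above, into a de-duplicated list of in-scope hostnames. The input lines are constructed for illustration; the scope check matches on the domain suffix so that look-alike hosts such as `testsite.com.evil.example`, which merely contain the target domain, are excluded rather than reported as findings.

```python
from urllib.parse import urlparse

# Constructed sample of crawler output (one URL per line); not real Photon output.
SAMPLE_OUTPUT = """\
https://testsite.com/
https://www.testsite.com/about
https://blog.testsite.com/2020/post
https://api.testsite.com/v1/users?id=1
https://cdn.example.net/lib.js
http://staging.testsite.com:8080/login
mailto:admin@testsite.com
https://testsite.com.evil.example/phish
not a url
"""


def in_scope(host, scope_domain):
    """True when host is scope_domain itself or a subdomain of it.

    Matching on '.' + scope_domain rejects look-alike hosts such as
    'testsite.com.evil.example', which only *contain* the domain name.
    """
    return host == scope_domain or host.endswith("." + scope_domain)


def extract_subdomains(lines, scope_domain):
    """Return the sorted, de-duplicated in-scope hostnames found in crawl output.

    Non-HTTP(S) schemes and unparsable lines are skipped; ports and
    credentials are dropped because urlparse().hostname excludes them.
    """
    scope_domain = scope_domain.lower().rstrip(".")
    hosts = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        parsed = urlparse(raw)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        host = parsed.hostname.lower()
        if in_scope(host, scope_domain):
            hosts.add(host)
    return sorted(hosts)


def subdomain_report(lines, scope_domain):
    """Split the in-scope hosts into the apex domain and its subdomains."""
    hosts = extract_subdomains(lines, scope_domain)
    return {
        "apex": [h for h in hosts if h == scope_domain],
        "subdomains": [h for h in hosts if h != scope_domain],
    }


if __name__ == "__main__":
    # Usage: python3 subdomains_from_crawl.py < subdomains.txt
    # (falls back to the constructed sample when nothing is piped in)
    import sys

    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    report = subdomain_report(source, "testsite.com")
    for host in report["apex"] + report["subdomains"]:
        print(host)
```

Because the script reads one URL per line, it works on any crawler output in that shape, not only Photon's; compare the resulting host list against your DNS zone or asset inventory to spot hosts that are reachable but not on record.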
#### 2. Gathering Metadata
Photon can also pull metadata associated with the target domain.
```bash
photon -u https://example.com --metadata -o metadata.txt
```
This will store the metadata in the `metadata.txt` file, which can contain useful information like server type, technology stack, and more.
#### 3. Finding Endpoint URLs
Using Photon, you can also discover endpoint URLs that the application exposes; these are the places where further testing usually starts.
```bash
photon -u https://example.com --endpoints -o endpoints.json
```
### Detailed Technical Explanations
#### Internal Mechanics
Photon employs various techniques to collect data. It utilizes:
- **Web Crawling**: It traverses links found on the target site to discover additional resources.
- **DNS Queries**: It performs DNS resolution to enumerate subdomains.
- **API Calls**: If configured, it may call external APIs to enrich the information gathered.
The tool processes HTML pages, parses links, and identifies potential attack surfaces.
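To make the crawling mechanics concrete, here is an added example (written for this page, not Photon's implementation) of a depth-limited, breadth-first crawler. Instead of live HTTP requests it walks a small constructed in-memory site, so it runs offline; `SITE`, `fetch` and the URLs in it are assumptions for illustration. It shows the three things the paragraph above describes: links are extracted from each HTML page, only URLs on the start domain and its subdomains are followed, and the crawl stops after `max_level` hops, which is what a depth option like `-d 2` controls. URLs carrying a query string are collected separately, since those are the endpoints that accept user-controlled input and therefore deserve review first.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for live HTTP responses: url -> HTML body.
SITE = {
    "https://example.com/": (
        '<a href="/about">About</a>'
        '<a href="https://blog.example.com/">Blog</a>'
        '<script src="/static/app.js"></script>'
        '<a href="https://cdn.other.net/lib.js">third party</a>'
    ),
    "https://example.com/about": '<a href="/team?dept=eng">Team</a><a href="/">Home</a>',
    "https://blog.example.com/": '<a href="https://blog.example.com/post/1">Post</a>',
    "https://example.com/team?dept=eng": '<a href="/contact">Contact</a>',
    "https://blog.example.com/post/1": '<a href="/">Home</a>',
    "https://example.com/contact": "<p>no links here</p>",
}


class LinkExtractor(HTMLParser):
    """Collect href/src attribute values from any tag (anchors, scripts, images, ...)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def in_scope(url, scope_domain):
    """Keep the crawl on the target domain and its subdomains only."""
    host = (urlparse(url).hostname or "").lower()
    return host == scope_domain or host.endswith("." + scope_domain)


def crawl(start_url, fetch, max_level=2):
    """Breadth-first crawl from start_url, following links up to max_level hops.

    fetch(url) returns a page body or None (SITE.get plays that role here).
    Returns {url: level}, where level is the hop count at which the URL was
    first discovered; URLs found at max_level are recorded but not fetched.
    """
    scope = urlparse(start_url).hostname.lower()
    discovered = {start_url: 0}
    frontier = [start_url]
    for level in range(1, max_level + 1):
        next_frontier = []
        for url in frontier:
            body = fetch(url)
            if body is None:  # non-HTML asset or unreachable page
                continue
            parser = LinkExtractor()
            parser.feed(body)
            for link in parser.links:
                absolute = urljoin(url, link)  # resolve relative paths against the page
                if absolute in discovered or not in_scope(absolute, scope):
                    continue
                discovered[absolute] = level
                next_frontier.append(absolute)
        frontier = next_frontier
    return discovered


def parameterised_urls(discovered):
    """URLs carrying a query string: endpoints that take user-controlled input."""
    return sorted(url for url in discovered if urlparse(url).query)


if __name__ == "__main__":
    found = crawl("https://example.com/", SITE.get, max_level=2)
    for url, level in sorted(found.items(), key=lambda item: (item[1], item[0])):
        print(level, url)
    print("parameterised:", parameterised_urls(found))
```

With `max_level=2` the `/contact` page, three hops from the start, is never reached and the third-party CDN link is dropped as out of scope; raising the level to 3 brings `/contact` in. The same two controls, scope and depth, are what keep a real crawl from wandering onto systems you are not authorised to test.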
#### Code Example for WordPress
For WordPress sites, you can specifically look for configurations and known vulnerabilities. Here are some commands tailored for WordPress:
1. **Identify WordPress Version**:
Check for version-specific vulnerabilities:
```bash
photon -u https://wordpress-site.com --version
```
2. **Enumerate Plugins**:
Discover installed plugins which can introduce vulnerabilities:
```bash
photon -u https://wordpress-site.com --plugins -o plugins.json
```
Each of these commands can help you build a comprehensive report on your target's web application security posture.
### External Reference Links
- [Kali Linux Official Website](https://www.kali.org/)
- [Photon GitHub Repository](https://github.com/s0md3v/Photon)
- [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Subdomain Enumeration Techniques](https://www.acs.com.hk/en/products/1117/subdomain-enumeration-techniques/)
In this section, we explored the installation and configuration of Photon, its usage, and practical applications in real-world scenarios. This tool is invaluable for any penetration tester or security enthusiast, and mastering it will significantly enhance your web reconnaissance skills.
---
Made by Pablo Rotem / פבלו רותם