httprecon Alternatives: Web Recon Tools

G5 Cyber Security

2 weeks ago

TL;DR

httprecon is no longer actively maintained. This guide covers modern alternatives for web reconnaissance, focusing on tools like subfinder, assetfinder, waybackurls, and hakrawler. These offer similar or improved functionality for discovering subdomains, URLs, and technologies.

1. Understanding httprecon’s Role

httprecon was a useful tool for quickly gathering information about web servers – things like server type, headers, potential vulnerabilities based on those headers, and interesting files/directories. It automated some initial steps in the reconnaissance phase of a cyber security assessment.

2. Subdomain Enumeration

Finding subdomains is often the first step. Here are some good replacements:

Subfinder: A fast subdomain scanner written in Go. It uses multiple sources to find subdomains.
```
subfinder -d example.com
```
Assetfinder: Another Go-based tool, focusing on finding assets (including subdomains) associated with a domain.
```
assetfinder example.com
```
Amass: A more comprehensive but slower option. It performs active and passive subdomain enumeration.
```
amass enum -d example.com
```

3. URL Discovery

Once you have subdomains, finding URLs within those domains is crucial.

Waybackurls: Extracts URLs from the Internet Archive’s Wayback Machine.
```
waybackurls example.com
```
Hakrawler: A web crawler designed for reconnaissance. It can be configured to crawl specific subdomains and follow links.
```
hakrawler -u https://example.com/ -c 10
```
(This crawls example.com with a concurrency of 10 threads.)
ffuf: A fast web fuzzer, useful for discovering hidden directories and files.
```
ffuf -w wordlist.txt -u https://example.com/FUZZ
```

4. Technology Detection

Identifying the technologies used by a website can help pinpoint vulnerabilities.

Wappalyzer: A browser extension and command-line tool that identifies technologies.
```
wappalyzer https://example.com
```
BuiltWith: Similar to Wappalyzer, providing detailed technology information.
(Primarily a web service; use their website.)

5. Combining Tools

The best approach is often to combine these tools for more thorough reconnaissance.

Pipeline Example: Use subfinder or assetfinder to find subdomains, then feed those results into waybackurls and hakrawler to discover URLs. Finally, use wappalyzer on the discovered URLs to identify technologies.

6. Automation with Shell Scripting

Automate your reconnaissance process using shell scripts.

#!/bin/bash
DOMAIN="example.com"
subdomains=$(subfinder -d $DOMAIN)
echo "Found subdomains:"
for subdomain in $subdomains; do
  echo "Scanning $subdomain..."
  waybackurls $subdomain > wayback_$subdomain.txt
hakrawler -u $subdomain -c 10 > hakrawl_$subdomain.txt
done

Remember to adjust the concurrency (-c) and output filenames as needed.