Syllabus
Course Syllabus:

• Introduction to the course
   o Requirements
   o Resources
• Introduction of James Beers (whoami)
   o 1 slide intro with credibility statements
• Explanation of recon (the meaning, the purpose, and the data) 20 mins
   o What is recon?
   o How can I use recon efficiently?
   o What types of recon are there?
• Thinking like a hacker during recon (this is where the questline comparison comes in) 1 hr
   o What do sensitive files look like?
   o What services should I try to exploit first?
   o Sensitive directories
   o OSINT
   o Code review
   o API investigation
   o Error messages
   o Following JavaScript endpoints
   o What would a hacker do?
• Methodology (Recon)
   o Find subdomains
   o Find URLs
   o Find Wayback and crawled content
   o Find keys and cookies
   o Find JavaScript on all live subdomains
   o Find more URLs from the JavaScript
   o Apply all the things found to the enumeration of anything you find after this process
   o Apply everything you find that is interesting to the main target
   o Enumerate the logic of the application
• Places for recon online 2 mins
   o Common places I look
   o Common places XSS Rat looks
   o Places for recon data other than Google 2 mins
   o Tutorial for using Censys
   o Tutorial for using Shodan
   o Tutorial for using BuiltWith
• Tools for recon 25 mins
   o Amass
   o Subfinder
   o Assetfinder
   o Gau
   o Httprobe
   o Hakrawler
• How to use each tool 1 hr
   o Setting up and toning down your tools
   o Finding the right flags to use
   o Using these tools with multiple targets
   o Using these tools to enumerate wildcard domains (*sub.domain.com)
   o Setting up amass
   o Using amass
   o Setting up subfinder
   o Using subfinder
   o Setting up assetfinder
   o Using assetfinder
   o Setting up gau
   o Using gau
   o Setting up httprobe
   o Using httprobe
   o Setting up hakrawler
   o Using hakrawler
   o Troubleshooting video
• What to do with the data for each tool 30 mins
   o Httprobe data
   o Httprobe workflow
   o Gau data
   o Gau workflow
   o Hakrawler data
   o Hakrawler workflow
• Recon on IP addresses 45 mins
   o Nmap usage
   o Research on results
   o Different ways to use Nmap
   o Scanning services for over 1,000 subdomains
   o Troubleshooting video
• Recon on domains 45 mins (video)
   o Technology profile and why we care
   o Previously used technologies and why we care
   o Current API docs and why we care
   o Backend language enumeration and why we care
   o URLs to look for and why
   o Troubleshooting video
• Recon on gau 15-30 mins
   o Gau and what it pulls from
   o Results of gau and how to filter them
   o Gf patterns and where to find more
• Recon on subdomains 20 mins
   o Amass
   o Subfinder
   o Assetfinder
• Recon with JavaScript 1 hr
   o What am I looking for in JavaScript? 30 mins
   o Links
   o Directories
   o Keys
   o Endpoints
   o DOM functions
   o Privileged functions
   o Directories and what they look like
   o Why different styles of directories
   o How to handle regex in JavaScript
   o What files should I look for?
   o What does a key look like in JavaScript?
   o What endpoints can we find?
   o API endpoints in JavaScript
   o Scripts in source code
   o Source code in scripts
• Recon with headers and CORS policy 30 mins
   o What is a CORS policy? 10 mins
   o CORS policies and what they are
   o Proper implementation of CORS
   o Improper implementation of CORS
   o Reading the cross-origin policy header
   o Applying the "allowed" domains to your enumeration
   o Enumerating and looking for internal networks
   o Internal network interaction
   o CSRF: check EVERYTHING
• All data and how it applies to your target in question 5 mins 30 sec
   o Bringing everything back around
   o Providing VDP targets: Google and Walmart
   o Asking for reviews of this course
   o Thanking the student
   o Discord
• Outro and thanks

TOTAL TIME: 7.65 hours of course on recon.
This is the outline that I was thinking of, and I think that at the end of this lesson we can tease that we will be releasing a follow-up course where I can teach them to build out Python tools for fuzzing, IP/port checking with service enumeration, and subdomain scraping.