Area of Scope in Reconnaissance

Penetration testers can divide the scope of testing into primarily three types:

1. Small Area of Scope

While performing penetration testing on any organization, terms and conditions are applied in which the area of scope is decided and explained to the tester. In a small scope, testing is limited to the subdomains explicitly allowed by the organization; any activity beyond this scope can be considered malpractice. All the information collected should belong only to the related subdomain.

The information collected in a small scope is:

  1. Directory enumeration
  2. Github Dorking
  3. Parameter Discovery
  4. Port Scan
  5. Database Enumeration
  6. Backend Enumeration
  7. Github Search links

2. Medium Area of Scope

In the medium area of scope, the testing area is increased to contain all subdomains related to a specific domain. An organization can allow the penetration testers to test *.companydomain.com and find any loopholes. In this scope, the information collected is more than in the previous (small) scope: the data collected can relate to any of the subdomains of the specified or allowed domain.

The information collected in a medium scope is:

  1. Waybackurls Enumeration
  2. JS file Enumeration
  3. Port Scan
  4. WAF Detection
  5. Misconfiguration in Storage
  6. Subdomains Takeover

3. Large Area of Scope

This is the broadest scope for a penetration tester, as there is no restriction on subdomains or domains. The tester can test any subdomain following his own approach and methodology. For example, Google could allow testers to test any Google domain or subdomain without restrictions.

The information collected in a large scope is:

  • ASN to get IP ranges
  • DNS and SSL Enumeration
  • Seeds or Roots
  • Automation Vulnerability Scanning
  • Sensitive Files
  • List of Subdomains
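The three scope types above boil down to a filtering rule that should run over recon output before any host is probed. The following is an added example, not code from the original article: a scope filter where small scope permits only the listed hosts, medium scope permits a domain and everything under it, and large scope imposes no host restriction. The hostnames and the `company.example` domain are constructed sample data.

```python
"""Scope filter for reconnaissance output (added example, not from the article)."""
from dataclasses import dataclass, field


@dataclass
class Scope:
    kind: str                                  # "small", "medium" or "large"
    allowed: set = field(default_factory=set)  # exact hosts (small) or domains (medium)

    def permits(self, host: str) -> bool:
        """Return True if the agreed scope allows testing this hostname."""
        host = host.strip().lower().rstrip(".")
        if self.kind == "large":
            return True                        # no domain/subdomain restriction
        if self.kind == "small":
            return host in self.allowed        # only the explicitly listed hosts
        if self.kind == "medium":
            # the domain itself plus any subdomain; the leading dot prevents
            # look-alikes such as notcompany.example from matching
            return any(host == d or host.endswith("." + d) for d in self.allowed)
        raise ValueError(f"unknown scope kind: {self.kind}")


def filter_in_scope(scope: Scope, discovered):
    """Split discovered hostnames into (in_scope, out_of_scope) lists."""
    inside, outside = [], []
    for h in discovered:
        (inside if scope.permits(h) else outside).append(h)
    return inside, outside


# Constructed sample output of a subdomain-enumeration step (not real hosts).
DISCOVERED = [
    "www.company.example",
    "api.company.example",
    "dev.api.company.example",
    "company.example",
    "notcompany.example",         # look-alike: must not match *.company.example
    "company.example.evil.test",  # suffix trick: must not match either
]

SMALL = Scope("small", {"www.company.example"})
MEDIUM = Scope("medium", {"company.example"})
LARGE = Scope("large")

if __name__ == "__main__":
    for name, scope in (("small", SMALL), ("medium", MEDIUM), ("large", LARGE)):
        inside, outside = filter_in_scope(scope, DISCOVERED)
        print(f"{name}: in-scope={inside} dropped={outside}")
```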

3klCon – Automation Recon Tool for Small & Medium Scopes

Reconnaissance or Information Gathering is the initial step of the Ethical Hacking or Penetration Testing process. Knowing about the target is very important while performing penetration testing, and the information collected about the target serves as the milestone while penetrating it. Targets can be of two types: 1) an organization or 2) an individual. For an organization, the penetration tester should collect essential information such as open ports, IP addresses, MAC addresses, Whois records, etc.; if the target is an individual, social media account information and personal details.

While penetrating web-based applications, every tester should collect subdomains, service info, web database info, information exposure, hidden directories and parameters, and juicy links, any of which may be vulnerable.
