W-RECON-DIRBRUTEReconnaissance

Directory & File Bruteforce

feroxbuster / ffuf / gobuster against likely paths and extensions. Finds /admin, /backup.sql, /.git, /.env.

§ Where this technique fits

W-RECON-DIRBRUTE is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

SQLi (UNION) → DB dump → admin login
Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.
step 1 / 8
Source map exposure → API key leak → cloud takeover
Public *.js.map files reveal un-minified source and inline-committed API keys (cloud provider, third-party services). Use the keys directly.
step 1 / 6
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
step 4 / 6

§ What commonly comes next

01
Debug / Admin Endpoint Exposed
W-DEBUG-ENDPOINT · Discovery
seen 1×
02
JavaScript Source Map Exposure
W-RECON-SOURCEMAP · Reconnaissance
seen 1×
03
Tech Stack Fingerprinting
W-RECON-FINGERPRINT · Reconnaissance
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SQLi (UNION) → DB dump → admin login

Source map exposure → API key leak → cloud takeover

AXFR → discover shadow-IT staging → exploitable web app

§ What commonly comes next