| name | recon-methodology |
| description | Comprehensive reconnaissance methodology covering OSINT, subdomain enumeration, technology fingerprinting, DNS reconnaissance, and attack surface mapping. Includes passive and active recon techniques with OPSEC considerations. |
Reconnaissance Methodology
Overview
Reconnaissance is the foundation of every successful penetration test. This skill covers passive and active reconnaissance techniques for mapping the attack surface.
Passive Reconnaissance
Domain Intelligence
WHOIS Information:
whois example.com
Historical WHOIS:
DNS History:
Subdomain Enumeration (Passive)
Certificate Transparency:
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
curl -s "https://api.certspotter.com/v1/issuances?domain=example.com&include_subdomains=true&expand=dns_names" | jq
curl -s "https://search.censys.io/api/v2/certificates/search?q=example.com"
Search Engines:
site:example.com -www
site:*.example.com
Public Datasets:
curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=json&fl=original&collapse=urlkey"
Passive DNS:
Subdomain Aggregation Services:
theharvester -d example.com -b all
amass enum -passive -d example.com -o amass.txt
Email Enumeration
Email Harvesting:
theharvester -d example.com -b google,linkedin,bing,yahoo
Email Patterns:
curl -s "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=KEY"
Technology Stack Detection
BuiltWith:
curl -s "https://api.builtwith.com/v19/api.json?KEY=xxx&LOOKUP=example.com"
Wappalyzer:
wappalyzer https://example.com
Web Server Fingerprinting:
curl -sI https://example.com | grep -i "server\|powered\|via"
Source Code Repositories
GitHub Recon:
github-search "org:targetorg password"
github-search "org:targetorg api_key"
github-search "org:targetorg secret"
github-search "org:targetorg token"
github-search "org:targetorg config"
github-search "extension:pem target"
github-search "extension:sql target"
github-search "extension:env target"
GitLab/GitBucket:
Cloud Resources
AWS S3 Buckets:
Azure Storage:
GCP Storage:
Social Media
OSINT Tools:
sherlock username
Employee Information
LinkedIn:
python linkedin2username.py -c "company" -o output.txt
Employee Patterns:
Active Reconnaissance
DNS Enumeration
DNS Record Types:
dig A example.com
dig AAAA example.com
dig MX example.com
dig NS example.com
dig TXT example.com
dig SOA example.com
dig TXT example.com | grep -i spf
dig TXT _dmarc.example.com
dig TXT selector._domainkey.example.com
Zone Transfer:
dig axfr @ns1.example.com example.com
dnsrecon -d example.com -t axfr
dnsenum example.com
DNS Brute Force:
dnsrecon -d example.com -D /usr/share/wordlists/dnsrecon/subdomains-top1mil-5000.txt -t brt
gobuster dns -d example.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Subdomain Brute Force (Active)
Tools:
amass enum -active -d example.com -o amass_active.txt
subfinder -d example.com -o subfinder.txt
assetfinder --subs-only example.com > assetfinder.txt
findomain -t example.com -o findomain.txt
chaos -d example.com -o chaos.txt
shuffledns -d example.com -w wordlist.txt -r resolvers.txt
puredns bruteforce wordlist.txt example.com -r resolvers.txt
Wordlists:
- /usr/share/wordlists/seclists/Discovery/DNS/
- Custom wordlists based on target
- Permutations: dev, staging, admin, api, etc.
Host Discovery
Ping Sweeps:
nmap -sn 192.168.1.0/24
masscan 192.168.1.0/24 -p0 --rate 1000
fping -a -g 192.168.1.0/24 2>/dev/null
Port Scanning
Nmap Scans:
nmap -sV -sC -oN nmap_quick.txt target
nmap -p- -sV -oN nmap_full.txt target
nmap -sU --top-ports 100 -oN nmap_udp.txt target
nmap -A -T4 -oN nmap_aggressive.txt target
nmap -sS -Pn -T2 --randomize-hosts target
nmap --script vuln -oN nmap_vuln.txt target
Masscan:
masscan 0.0.0.0/0 -p0-65535 --rate 10000 -oJ output.json
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
Rustscan:
rustscan -a target -- -A
Unicornscan:
unicornscan -mT target/24:1-65535
Service Enumeration
Banner Grabbing:
nc -v target port
telnet target port
nmap -sV --version-intensity 9 target
HTTP Service Detection:
whatweb -a 3 -v target
wappalyzer target
webtech -u https://target
Web Path Discovery
Directory Brute Force:
ffuf -u https://target/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302,403
gobuster dir -u https://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
python3 dirsearch.py -u https://target -e php,asp,aspx,jsp,html,js,bak,txt
feroxbuster -u https://target -w /usr/share/wordlists/dirb/common.txt
dirb https://target /usr/share/wordlists/dirb/common.txt
cewl -d 2 -m 5 -w custom.txt https://target
gobuster dir -u https://target -w custom.txt
Virtual Host Discovery:
ffuf -u https://target -H "Host: FUZZ.target.com" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
API Discovery
Common API Paths:
/api/
/api/v1/
/api/v2/
/api/v3/
/rest/
/graphql
/swagger.json
/api-docs/
/openapi.json
API Fuzzing:
ffuf -u https://target/api/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/api-endpoints.txt
Content Analysis
Web Application Mapping
Crawling:
katana -u https://target -d 5 -o katana.txt
echo "https://target" | hakrawler -d 3
gospider -s "https://target" -d 3 -o output
echo "target.com" | waybackurls > wayback.txt
gau target.com > gau.txt
JavaScript Analysis:
linkfinder -i https://target/script.js -o cli
python3 SecretFinder.py -i https://target/script.js
trufflehog git https://github.com/target/repo
Screenshot Enumeration
Tools:
eyewitness --web -f urls.txt -d eyewitness
cat hosts.txt | aquatone -ports xlarge
gowitness file -f urls.txt --threads 4
python webscreenshot.py -i urls.txt
Attack Surface Mapping
Asset Inventory
Create Asset Map:
┌─────────────────────────────────────────────────────────────┐
│ Target: example.com │
├─────────────────────────────────────────────────────────────┤
│ Subdomains: │
│ - www.example.com (185.199.108.153) - Web │
│ - api.example.com (104.16.100.52) - API │
│ - mail.example.com - Mail │
│ - vpn.example.com - VPN │
│ │
│ IPs: │
│ - 185.199.108.153 │
│ - 104.16.100.52 │
│ │
│ Services: │
│ - TCP/80: Nginx 1.18 │
│ - TCP/443: Nginx 1.18 (SSL) │
│ - TCP/22: OpenSSH 8.2 │
│ │
│ Technologies: │
│ - WordPress 5.8 │
│ - PHP 7.4 │
│ - MySQL (backend) │
│ │
│ Cloud: │
│ - AWS (based on headers) │
│ - S3 bucket: example-bucket.s3.amazonaws.com │
└─────────────────────────────────────────────────────────────┘
Prioritization Matrix
Risk-Based Prioritization:
Priority 1 (Critical):
- Internet-facing admin panels
- Outdated services with known CVEs
- Default credentials
- Exposed sensitive data
Priority 2 (High):
- Web applications with user input
- API endpoints
- Subdomains with interesting names
- Legacy systems
Priority 3 (Medium):
- Standard web services
- Common ports
- Information disclosure
Priority 4 (Low):
- Services requiring auth
- Limited functionality
- Known good configurations
OPSEC Considerations
Stealth Techniques
Rate Limiting:
nmap -T2 --max-retries 1 target
ffuf -rate 10 -u https://target/FUZZ -w wordlist.txt
Source IP Rotation:
proxychains nmap -sT target
User-Agent Rotation:
ffuf -H "User-Agent: Mozilla/5.0..." -u https://target/FUZZ -w wordlist.txt
Timing Randomization:
Automation
Recon Pipeline
#!/bin/bash
TARGET=$1
OUTPUT_DIR="recon_$TARGET_$(date +%Y%m%d)"
mkdir -p $OUTPUT_DIR
echo "[+] Starting recon for $TARGET"
echo "[+] Passive DNS"
amass enum -passive -d $TARGET -o $OUTPUT_DIR/amass_passive.txt
echo "[+] Active DNS"
amass enum -active -d $TARGET -o $OUTPUT_DIR/amass_active.txt
echo "[+] Aggregating subdomains"
cat $OUTPUT_DIR/*.txt | sort -u > $OUTPUT_DIR/all_subdomains.txt
echo "[+] Probing for alive hosts"
cat $OUTPUT_DIR/all_subdomains.txt | httprobe > $OUTPUT_DIR/alive.txt
echo "[+] Port scanning"
nmap -iL $OUTPUT_DIR/alive.txt -sV -sC -oN $OUTPUT_DIR/nmap.txt
echo "[+] Taking screenshots"
cat $OUTPUT_DIR/alive.txt | aquatone -out $OUTPUT_DIR/aquatone
echo "[+] Recon complete. Output in $OUTPUT_DIR"
Tools Summary
| Category | Tools |
|---|
| Subdomain Enum | amass, subfinder, assetfinder, chaos, findomain |
| DNS | dig, dnsrecon, dnsenum, fierce |
| Port Scanning | nmap, masscan, rustscan, unicornscan |
| Web Crawling | katana, hakrawler, gospider, waybackurls |
| Directory Brute | ffuf, gobuster, dirsearch, feroxbuster |
| Screenshots | eyewitness, aquatone, gowitness |
| OSINT | theharvester, sherlock, linkedin2username |
| Secret Finding | truffleHog, gitLeaks, SecretFinder |
| Tech Detection | whatweb, wappalyzer, webtech |
References
- OSINT Framework
- Bug Bounty Hunter's Methodology
- The Art of Subdomain Enumeration
- Recon.ng Documentation
- Amass Documentation