
Reconnaissance Methodology

The absolute bedrock of any successful engagement
You cannot exploit what you don't know exists

Reconnaissance splits into two categories — passive (no target contact) and active (direct interaction)
Start passive, stay passive as long as possible, and only go active once you've exhausted the intel you can gather from the couch

Passive Reconnaissance

Ghosting the target — gathering intel without ever sending a packet to their infrastructure

OSINT Collection

  • theHarvester — emails, subdomains, names from public sources
  • Maltego — relationship mapping between discovered assets
  • SpiderFoot — automated OSINT across 200+ data sources

# Email and subdomain harvesting
theHarvester -d target.com -b google,bing,linkedin -f results.html

# Automated OSINT with SpiderFoot (-u selects modules by use case, -o sets the output format: tab, csv or json)
python3 sf.py -s target.com -u all -o json > report.json

Breach Data

Check exposure before the target even knows they were breached

  • HaveIBeenPwned — credential exposure checks
  • DeHashed — paid but worth it for finding reused passwords
  • IntelX — dark web intelligence

# Check if an address appears in known breaches (requires an API key in the hibp-api-key header;
# the API also rejects requests without a User-Agent). Set HIBP_API_KEY in the environment first.
curl -s -H "hibp-api-key: $HIBP_API_KEY" -H "user-agent: recon-notes" \
  "https://haveibeenpwned.com/api/v3/breachedaccount/email@target.com"

Code Repository Scanning

Developers leak credentials to GitHub like it's a hobby

  • GitHub / GitLab / Bitbucket — search for hardcoded keys, config files, internal URLs
  • trufflehog — scans git history for secrets
  • gitrob — analyzes org repos for sensitive files

# Find secrets in repo history (report only secrets trufflehog could verify as live)
trufflehog git https://github.com/target/repo --only-verified

# Look for sensitive files in org repos
gitrob -org target-organization

Historical Data

What's been publicly visible in the past matters now

  • Wayback Machine — archived versions of the target's site
  • Certificate Transparency logs — crt.sh reveals subdomains from issued certificates

# Grab subdomains from certificate transparency logs
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Get historical URLs from Wayback
waybackurls target.com

Active Reconnaissance

Now you're touching their infrastructure — be careful about rate limits, WAFs, and logs

Subdomain Enumeration

# Multiple tools, compare results
subfinder -d target.com -o subfinder.txt
amass enum -d target.com -o amass.txt
assetfinder --subs-only target.com > assetfinder.txt

# Merge and deduplicate
cat subfinder.txt amass.txt assetfinder.txt | sort -u > all_subs.txt
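The crt.sh query in the passive section and the `cat ... | sort -u` merge above both end in a subdomain list, and `sort -u` on its own misses duplicates that differ only in case, a trailing dot or a wildcard label, and keeps any out-of-scope SAN that happened to share a certificate with the target. The following Python is an added example (not part of the original notes) that parses a constructed crt.sh-style JSON response, merges it with constructed stand-ins for the subfinder, amass and assetfinder output files, and normalizes everything into one deduplicated, in-scope list. Only the `name_value` field name comes from the real crt.sh output; the records, names and file contents are constructed.

```python
import json

# Constructed stand-in for a crt.sh ?q=%.target.com&output=json response.
# The name_value field name is real; the records, names and issuers are made up.
# One name_value can carry several newline-separated names, including wildcards
# and unrelated SANs that share a certificate with the target.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.dev.target.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Mail.Target.com."},
    {"issuer_name": "C=US, O=Example CA", "name_value": "vpn.target.com\nvpn.target.com"},
    # A shared certificate: one SAN is in scope, the other is somebody else's host.
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.target.com\nshared-host.example"},
])

# Constructed stand-ins for subfinder.txt, amass.txt and assetfinder.txt.
SUBFINDER_OUT = "www.target.com\napi.target.com\n"
AMASS_OUT = "API.target.com\nstaging.target.com.\n"
ASSETFINDER_OUT = "www.target.com\nwww.target.com\n"


def normalize(name, scope):
    """Lowercase, drop trailing dot and wildcard label, keep only in-scope names."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    if n == scope or n.endswith("." + scope):
        return n
    return None  # empty line or out-of-scope name


def names_from_crtsh(raw_json, scope):
    """Set of normalized in-scope names from a crt.sh JSON response body."""
    names = set()
    for entry in json.loads(raw_json):
        for line in entry["name_value"].split("\n"):
            n = normalize(line, scope)
            if n:
                names.add(n)
    return names


def merge_tool_outputs(scope, crtsh_json, *tool_outputs):
    """Merge crt.sh names with one-name-per-line tool output files into a sorted list."""
    merged = names_from_crtsh(crtsh_json, scope)
    for text in tool_outputs:
        for line in text.splitlines():
            n = normalize(line, scope)
            if n:
                merged.add(n)
    return sorted(merged)


if __name__ == "__main__":
    for host in merge_tool_outputs("target.com", CRTSH_SAMPLE,
                                   SUBFINDER_OUT, AMASS_OUT, ASSETFINDER_OUT):
        print(host)
```

On the constructed input `sort -u` would have reported ten distinct lines; the normalized merge yields seven hosts, with `API.target.com`, `staging.target.com.` and `*.dev.target.com` folded into their canonical forms and `shared-host.example` dropped as out of scope.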

Port Scanning

Service discovery is the backbone of network recon

# Stealthy initial scan — SYN scan, common ports
sudo nmap -sS -sV -T4 target.com -oA initial_scan

# Full port scan — slower but comprehensive
sudo nmap -sS -sV -sC -p- -T4 target.com -oA full_scan

# UDP scan — often skipped, often fruitful
sudo nmap -sU --top-ports 100 target.com -oA udp_scan

Web Application Mapping

# Directory discovery
gobuster dir -u https://target.com \
  -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,asp

# Technology fingerprinting
whatweb https://target.com -v

# Parameter discovery — FUZZ goes in the query string, not the path
ffuf -u "https://target.com/?FUZZ=1" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
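The active section warns that this traffic ends up in rate limiters, WAFs and logs. Seen from the server, a wordlist run like the gobuster command above is a burst of 404s from one client in a few seconds, and fingerprinting tools usually announce themselves in the User-Agent. The following Python is an added example from the defender's side (not part of the original notes): it parses constructed Apache/nginx combined-format access log lines and flags clients that either exceed a 404 burst threshold inside a sliding window or carry a known tool marker in their User-Agent. The log lines, addresses, thresholds and the `TOOL_UA_MARKERS` list are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format only; other formats need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client walking a wordlist (many 404s within seconds),
# one ordinary browser, and one fingerprinting tool naming itself in the User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:02:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:14:02:01 +0000] "GET /backup.php HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:14:02:02 +0000] "GET /config.txt HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:14:02:02 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:14:02:03 +0000] "GET /test.asp HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:14:02:03 +0000] "GET /old.php HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:14:02:05 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:02:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "https://target.com/" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2024:14:03:30 +0000] "GET / HTTP/1.1" 200 3021 "-" "WhatWeb/0.5.5"
"""

# Constructed list of User-Agent substrings; extend from your own telemetry.
TOOL_UA_MARKERS = ("gobuster", "ffuf", "whatweb")


def parse_log(text):
    """Return (ip, timestamp, status, user_agent) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, int(m["status"]), m["ua"]))
    return events


def max_404s_in_window(timestamps, window_seconds):
    """Largest number of events from one client inside any window_seconds span."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(text, window_seconds=60, threshold=5):
    """Map client IP -> list of reasons it looks like it is enumerating the site."""
    not_found = defaultdict(list)
    tool_uas = defaultdict(set)
    for ip, ts, status, ua in parse_log(text):
        if status == 404:
            not_found[ip].append(ts)
        if any(marker in ua.lower() for marker in TOOL_UA_MARKERS):
            tool_uas[ip].add(ua)
    findings = {}
    for ip in sorted(set(not_found) | set(tool_uas)):
        reasons = []
        burst = max_404s_in_window(not_found.get(ip, []), window_seconds)
        if burst >= threshold:
            reasons.append(f"{burst} x 404 within {window_seconds}s")
        for ua in sorted(tool_uas.get(ip, ())):
            reasons.append(f"scanner user-agent: {ua}")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The browser client with a single 404 for `favicon.ico` is left alone, which is the point of counting within a window rather than flagging every miss; the threshold and window are tuning knobs to set from a baseline of normal traffic, and the User-Agent check is the weaker of the two signals because it is trivially changed.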

Continuous Monitoring

Use automated pipelines for long-running engagements

flowchart LR
    A[Initial Scan] --> B[Asset Discovery]
    B --> C[Service Detection]
    C --> D[Version Tracking]
    D --> E[New Vuln Check]
    E --> A

The attack surface changes throughout an engagement
New subdomains come online, services restart with different versions, WAF rules get adjusted
Keep scanning , keep tracking , never assume yesterday's results apply today
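The closing point, that yesterday's results don't apply today, is easiest to act on when every scan is diffed against the previous one. The `-oA` flag in the port scanning commands above also writes grepable `.gnmap` output, and the following Python is an added example (not part of the original notes) that parses two constructed snapshots in that format and reports new or vanished hosts, new or closed ports, and service version changes. The addresses, hostnames and versions in the snapshots are constructed; the `port/state/protocol/owner/service/rpcinfo/version/` field layout is nmap's.

```python
# Constructed snapshots in nmap grepable format (-oG, or the .gnmap file that -oA writes).
# Per-port field layout: port/state/protocol/owner/service/rpcinfo/version/
OLD_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 (web.target.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (web.target.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "443/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.11 (db.target.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/"
    "\tIgnored State: filtered (999)\n"
)
NEW_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 (web.target.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "443/open/tcp//http//nginx 1.24.0/, 8080/open/tcp//http-proxy//Apache Tomcat/"
    "\tIgnored State: closed (997)\n"
    "Host: 203.0.113.12 (staging.target.com)\tPorts: 80/open/tcp//http//nginx 1.24.0/"
    "\tIgnored State: closed (999)\n"
)


def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        # Comment lines and "Status: Up" lines carry no port table.
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports: "))[len("Ports: "):]
        table = {}
        for spec in ports_field.split(", "):
            parts = spec.split("/")
            if len(parts) < 7:
                continue  # malformed entry; a version string containing "/" would land here
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            table[(int(port), proto)] = (state, service, version)
        hosts[ip] = table
    return hosts


def diff_scans(old_text, new_text):
    """Human-readable list of attack-surface changes between two snapshots."""
    old, new = parse_gnmap(old_text), parse_gnmap(new_text)
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        if not after:
            changes.append(f"host gone {ip}")
            continue  # no point listing every port of a host that vanished
        if not before:
            changes.append(f"new host {ip}")
        for key in sorted(set(before) | set(after)):
            label = f"{ip} {key[0]}/{key[1]}"
            if key not in before:
                _state, service, version = after[key]
                changes.append(f"new port {label} {service} {version}".rstrip())
            elif key not in after:
                changes.append(f"port gone {label}")
            elif before[key] != after[key]:
                changes.append(f"changed {label}: {' '.join(before[key])} -> {' '.join(after[key])}")
    return changes


if __name__ == "__main__":
    for change in diff_scans(OLD_SCAN, NEW_SCAN):
        print(change)
```

Run against the real files this is `diff_scans(open("initial_scan.gnmap").read(), open("todays_scan.gnmap").read())`; the same diff run against your own exposure is asset inventory, which is why the defender's version of this loop looks identical to the attacker's.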