
Recon Checklist

A systematic recon process is the foundation of any successful pentest. This checklist gives you a structured workflow so you don't miss anything. Use it iteratively and adapt it to your target.

Real story: Following this methodology on a recent engagement, I found 47 previously unknown subdomains, 3 exposed S3 buckets containing sensitive data, and a forgotten API endpoint that allowed account takeover. The whole process took about six hours. That's the ROI of thorough recon.

Phase 1: Initial Scoping and Passive Intelligence

This phase focuses on gathering info without touching the target's infrastructure. Your goal? Build a complete picture of their digital footprint.

Scoping and Objective Definition

  • Clearly define the scope of the engagement (domains, IPs, applications).
  • Identify "crown jewel" assets or primary objectives.
  • Establish rules of engagement (e.g., allowed/disallowed techniques, contact points).
  • Document legal boundaries and compliance requirements (GDPR, CCPA, etc.).
  • Set time constraints for each reconnaissance phase to avoid analysis paralysis.
  • Define success metrics and reporting requirements.

Example: For a financial institution, crown jewels might include: customer databases, payment processing systems, internal banking applications, and API endpoints handling financial transactions.

OSINT - Corporate and Human Intelligence

  • Google Dorking:

    • Search for sensitive filetypes (filetype:pdf, filetype:xls, filetype:doc, filetype:sql).
    • Look for login pages (inurl:login, intitle:login, inurl:signin, inurl:auth).
    • Find public documents mentioning internal information (site:example.com "internal", site:example.com "confidential").
    • Search for exposed directories (intitle:"index of", intitle:"index of /").
    • Look for API documentation (inurl:swagger, inurl:api-docs, filetype:json).
    • Find error messages revealing stack traces ("stack trace", "at java.lang", "PHP Fatal error").
  • Social Media & Employee Enumeration (Social Media OSINT):

    • Enumerate employees on LinkedIn to find names and roles (especially IT/DevOps, Security, C-level).
    • Identify the corporate email format using tools like email-format.com or pattern analysis.
    • Search Twitter/Reddit for developers discussing technology or company projects.
    • Check GitHub for employee contributions and organizational memberships.
    • Analyze Facebook business pages for employee mentions and technology stack clues.
    • Use specialized tools: theHarvester, Hunter.io, Phonebook.cz, Clearbit Connect.
    • Create employee relationship maps using Maltego or SpiderFoot.
  • Code Repositories (Code Repositories OSINT):

    • Identify the target's GitHub/GitLab/Bitbucket organization and user accounts.
    • Manually search for keywords (password, api_key, secret, token, key, credential).
    • Scan key repositories with truffleHog, gitleaks, git-secrets, repo-supervisor.
    • Check public Gists for code snippets from employees.
    • Analyze commit history for removed secrets using git log -p -S"password".
    • Search for infrastructure-as-code files (terraform, cloudformation, docker-compose).
    • Look for CI/CD configuration files (.github/workflows, .gitlab-ci.yml, Jenkinsfile).
  • Breach Databases:

    • Generate a list of potential employee emails using pattern analysis.
    • Query emails against services like DeHashed, Have I Been Pwned, Snusbase.
    • Analyze password reuse patterns and common password structures.
    • Check for corporate credentials in public breach databases.
    • Use breach data to build targeted password lists for brute-force attacks.
  • Business Intelligence:

    • Analyze company filings and financial reports (SEC EDGAR, Crunchbase).
    • Review job postings for technology stack information and internal tools.
    • Check patent databases for proprietary technology information.
    • Analyze merger and acquisition information for inherited infrastructure.
    • Review press releases for technology partnerships and implementations.

Automation Script Example:

#!/bin/bash
# Automated OSINT data collection script
TARGET="example.com"

echo "[+] Running theHarvester for email enumeration"
theHarvester -d "$TARGET" -l 500 -b google,bing,linkedin -f "harvester_${TARGET}"

echo "[+] Running subfinder for subdomain enumeration"
subfinder -d "$TARGET" -o "subfinder_${TARGET}.txt"

echo "[+] Checking for exposed .git directories"
python3 git-dumper.py "https://${TARGET}/.git/" "./git_dump_${TARGET}"

echo "[+] OSINT data collection complete"
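The code-repository checks above can be wrapped in a similar loop. A minimal sketch, assuming the repositories have already been cloned into the working directory (the repo names below are placeholders) and running gitleaks only when it is installed:

```shell
#!/bin/bash
# Loop over locally cloned repositories, grep for secret keywords, and run
# gitleaks (full-history scan) when available.
PATTERN='password|api[_-]?key|secret|token|credential'
REPOS=("repo-one" "repo-two")   # placeholder names -- populate from the target org

for repo in "${REPOS[@]}"; do
  [ -d "$repo" ] || continue    # assumes the repo is already cloned
  echo "[+] Keyword grep in $repo"
  grep -rInE "$PATTERN" "$repo" || true

  # Full-history secret scan when gitleaks is installed
  if command -v gitleaks >/dev/null 2>&1; then
    gitleaks detect --source "$repo" --report-path "gitleaks_${repo}.json"
  fi
done
```

The keyword grep is deliberately noisy; treat it as a triage pass and let gitleaks or truffleHog do the entropy-based work.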

Phase 2: Asset Discovery and Infrastructure Mapping

This phase involves both passive and active techniques to identify all technical assets associated with the target.

Domain and Subdomain Enumeration

  • Passive Enumeration (Subdomain Enumeration):

    • Use subfinder to query passive sources (VirusTotal, SecurityTrails, Censys, etc.).
    • Use amass enum -passive for a comprehensive passive search.
    • Check Certificate Transparency logs (via ctfr, amass, crt.sh, or web UIs).
    • Query DNS databases (SecurityTrails, DNSdumpster, RiskIQ).
    • Use specialized subdomain tools: findomain, assetfinder, chaos.
    • Check historical DNS records using DNS history services.
  • Active Enumeration (DNS Enumeration):

    • Perform DNS brute-forcing with quality wordlists (ffuf, dnsrecon, gobuster).
    • Use specialized wordlists: SecLists, commonspeak2, subdomains-top1million.
    • Check for and handle wildcard DNS responses.
    • Attempt a DNS Zone Transfer (AXFR) against the target's nameservers.
    • Perform DNS cache snooping if possible.
    • Check for DNSSEC misconfigurations.
  • Permutation Scanning:

    • Generate permutations of known subdomains using tools like altdns, dnsgen.
    • Create custom permutations based on target-specific patterns.
    • Use AI-assisted permutation generation for complex targets.
    • Test permutations against DNS resolvers.
  • Automated Workflow:

    • Set up automated subdomain enumeration pipelines.
    • Use amass with API keys for comprehensive coverage.
    • Implement continuous monitoring for new subdomains.

Real-world example: During a recent assessment, permutation scanning discovered dev-aws-console.example.com, which led to an exposed AWS console login page with weak authentication.
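Before reaching for altdns or dnsgen, the permutation idea can be sketched in plain shell. The prefix list below is illustrative, the built-in sample subdomains stand in for real passive-enumeration output, and dnsx is only invoked if it is installed:

```shell
#!/bin/bash
# Generate environment-style permutations of known subdomains.
PREFIXES=(dev staging test uat dev-aws admin internal)

# known_subs.txt would come from the passive-enumeration step; fall back to a
# built-in sample so the script runs standalone.
if [ -f known_subs.txt ]; then
  cat known_subs.txt
else
  printf 'app.example.com\nconsole.example.com\n'
fi | while IFS= read -r sub; do
  for p in "${PREFIXES[@]}"; do
    printf '%s-%s\n' "$p" "$sub"
  done
done | sort -u > permutations.txt

echo "[+] $(wc -l < permutations.txt) candidate names written to permutations.txt"

# Resolve candidates only if dnsx is installed
if command -v dnsx >/dev/null 2>&1; then
  dnsx -l permutations.txt -o resolved_permutations.txt
fi
```

Note how the dev-aws prefix reproduces the dev-aws-console pattern from the example above; tailor the prefix list to naming conventions you observe in the target's existing subdomains.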

Cloud Asset Discovery (Cloud Assets)

  • Identify the target's cloud providers (AWS, GCP, Azure, DigitalOcean, etc.) from DNS records and IP lookups.
  • Enumerate public S3 buckets using keywords and permutations (s3scanner, cloud_enum, bucket_finder).
  • Enumerate public GCP buckets and Azure blobs using provider-specific tools.
  • Search for exposed cloud databases or services (RDS, CloudSQL, CosmosDB).
  • Check for exposed cloud metadata services.
  • Identify cloud storage URLs in source code and documentation.
  • Use cloud-specific reconnaissance tools: cloudjack, cs-suite, ScoutSuite.
  • Check for CloudTrail and logging misconfigurations.
  • Identify serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions).

Cloud Enumeration Script:

#!/bin/bash
# Cloud asset discovery script
# Note: exact flag names vary between tool versions; check each tool's --help.
TARGET="example.com"
KEYWORD="${TARGET%%.*}"   # e.g. "example" -- seeds bucket-name guesses

echo "[+] Checking for AWS S3 buckets"
s3scanner scan --buckets-file wordlists/s3-buckets.txt

echo "[+] Checking AWS/Azure/GCP storage by keyword with cloud_enum"
python3 cloud_enum.py -k "$KEYWORD"

echo "[+] Brute-forcing Google Cloud Storage bucket names"
python3 gcpbucketbrute.py -k "$KEYWORD" -u

echo "[+] Cloud enumeration complete"

Web Archive Analysis (Archive Analysis)

  • Gather all known URLs from the Wayback Machine and other archives using gau, waybackurls, gauplus.
  • Filter the URLs for interesting files (.js, .json, .xml, .bak, .zip, .sql, .env).
  • Look for historical API documentation, robots.txt, and sitemap.xml files.
  • Search for removed functionality and deprecated endpoints.
  • Analyze historical versions of sensitive pages (login, admin, config).
  • Use wayback_machine_downloader to download entire site archives.
  • Check for credentials and secrets in historical versions.
  • Identify technology stack changes over time.
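The URL-filtering step above can be expressed as a single grep. In practice the input would come from gau or waybackurls; here an inline sample stands in so the filter is demonstrable:

```shell
#!/bin/bash
# Filter archived URLs for interesting file types.
# Real input: gau example.com > archived_urls.txt (or waybackurls).
INTERESTING='\.(js|json|xml|bak|zip|sql|env)([?#]|$)'

cat > archived_urls.txt <<'EOF'
https://example.com/index.html
https://example.com/assets/app.js
https://example.com/backup/site.zip
https://example.com/.env
https://example.com/about
EOF

grep -E "$INTERESTING" archived_urls.txt | sort -u > interesting_urls.txt
cat interesting_urls.txt
```

The trailing `([?#]|$)` keeps the match anchored to the end of the path so that, say, `.js` in the middle of a directory name does not trigger a false positive.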

IP Address and Network Range Discovery

  • Identify all IP ranges belonging to the target using whois, arin, ripe.
  • Perform reverse DNS lookups on identified IP ranges.
  • Use BGP looking glass services to map network infrastructure.
  • Check for acquired companies and their inherited IP ranges.
  • Use masscan or zmap for internet-wide scanning of target ranges.
  • Identify colocation facilities and hosting providers.
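A quick way to pull registered route objects for a known ASN is the RADB whois server. The ASN below is a placeholder (substitute the target's, found via services like bgp.he.net), and the query only runs if a whois client is installed:

```shell
#!/bin/bash
# Pull registered route objects for an ASN from the RADB whois server.
ASN="AS15169"   # placeholder ASN -- substitute the target's

if command -v whois >/dev/null 2>&1; then
  # "-i origin" is RADB's inverse-lookup syntax for routes by origin ASN
  timeout 15 whois -h whois.radb.net -- "-i origin $ASN" \
    | awk '/^route:/ {print $2}' | sort -u
fi
```

The output is a deduplicated list of CIDR ranges suitable for feeding straight into masscan or nmap target lists.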

Mobile and IoT Asset Discovery

  • Search for mobile applications in app stores (Google Play, Apple App Store).
  • Analyze mobile app binaries for API endpoints and secrets.
  • Identify IoT devices using Shodan and Censys searches.
  • Check for mobile device management (MDM) portals.
  • Look for embedded device management interfaces.

Phase 3: Service Enumeration and Fingerprinting

With a list of live hosts, this phase determines what services are running and what technologies are in use.

Port Scanning

  • Use a high-speed scanner like masscan or rustscan to quickly identify open ports across all targets.
  • Perform a detailed nmap scan on the discovered open ports.
    • Use -sV for service and version detection.
    • Use -sC to run default NSE scripts.
    • Use -A for aggressive scanning (OS detection, version detection, script scanning, traceroute).
    • Example: sudo nmap -p- -A -iL live_hosts.txt -oA full_scan (note that -A already implies -sV and -sC).
  • Scan for common UDP ports (-sU).
  • Use service-specific NSE scripts for deeper enumeration.
  • Perform IPv6 scanning if the target uses IPv6.
  • Use naabu for fast port scanning with host discovery.

Advanced Nmap Scripting:

# Comprehensive service enumeration
nmap -p- -sV -sC --script vuln -iL targets.txt -oA comprehensive_scan

# HTTP-specific enumeration (quote script globs so the shell doesn't expand them)
nmap -p80,443,8080,8443 --script "http-*" -iL web_servers.txt

# Database enumeration (NSE scripts are named per engine, not db-*)
nmap -p1433,1521,3306,5432 --script "ms-sql-*,oracle-*,mysql-*,pgsql-*" -iL database_servers.txt

Service and Technology Fingerprinting

  • Service Banners (Service Fingerprinting):

    • Analyze nmap version detection results.
    • Manually connect to services (netcat, telnet) to grab banners if needed.
    • Use banner-grab tools for automated banner collection.
    • Analyze SSL/TLS certificates for information disclosure.
    • Check for service-specific information leaks.
  • Web Technology Detection (Technology Detection):

    • Use whatweb, wappalyzer, or builtwith to identify web technologies.
    • Use httpx -tech-detect on a list of web servers for fast, scalable detection.
    • Check for WAFs using wafw00f, identYwaf, WhatWaf.
    • Analyze HTTP headers for technology indicators.
    • Check for CDN usage and origin IP addresses.
    • Identify load balancers and reverse proxies.
    • Analyze SSL/TLS configurations for security insights.

Visual Reconnaissance (Screenshotting)

  • Take screenshots of all discovered web applications using gowitness, aquatone, or webscreenshot.
  • Review the screenshots to quickly identify:
    • Login pages and authentication portals.
    • Default installations (Tomcat, Jenkins, WordPress, etc.).
    • Error pages that leak information (stack traces, version info).
    • Interesting or unusual applications.
    • Administrative interfaces and dashboards.
  • Use optical character recognition (OCR) on screenshots to extract text.
  • Create visual maps of application relationships.
  • Compare screenshots over time for changes.
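Screenshot tools want full URLs, so discovered host:port pairs need a scheme first. A sketch of that preparation step; the gowitness invocation uses v2 syntax (which may differ in other versions) and sits behind a DRY_RUN switch:

```shell
#!/bin/bash
# Turn discovered host/port pairs into URLs for a screenshot tool.
cat > web_ports.txt <<'EOF'
app.example.com 443
legacy.example.com 8080
EOF

while read -r host port; do
  case "$port" in
    443|8443) printf 'https://%s:%s\n' "$host" "$port" ;;
    *)        printf 'http://%s:%s\n'  "$host" "$port" ;;
  esac
done < web_ports.txt > screenshot_targets.txt

cat screenshot_targets.txt

DRY_RUN=1   # set to 0 to launch gowitness (v2 syntax; v3 differs)
if [ "$DRY_RUN" -eq 0 ] && command -v gowitness >/dev/null 2>&1; then
  gowitness file -f screenshot_targets.txt
fi
```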

Client-Side Code Analysis

  • JavaScript Analysis (JS Analysis):

    • Collect all unique JS files using gau, waybackurls, or getJS.
    • Beautify and statically analyze the code for endpoints, secrets, and logic.
    • Use LinkFinder, JSFinder, or SecretFinder to automatically extract paths and secrets.
    • Dynamically analyze key application features using browser developer tools.
    • Check for client-side storage (localStorage, sessionStorage, cookies).
    • Analyze web workers and service workers for additional functionality.
    • Look for client-side template injection opportunities.
  • Source Code Analysis:

    • Review HTML source code for comments and hidden elements.
    • Analyze CSS files for hidden content and functionality clues.
    • Check for exposed source maps revealing original source code.
    • Look for client-side input validation that can be bypassed.
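A much-simplified version of what LinkFinder does is a single grep for quoted paths and URLs. The sample JS file below stands in for files collected with gau or getJS:

```shell
#!/bin/bash
# Extract quoted paths and URLs from JavaScript -- a crude stand-in for
# LinkFinder's regex. app.js substitutes for collected JS files.
cat > app.js <<'EOF'
const api = "/api/v1/users";
fetch("/api/v1/orders?id=1");
var legacy = "https://internal.example.com/admin";
EOF

# Match double-quoted absolute paths or full URLs, strip the quotes, dedupe
grep -ohE '"(/[A-Za-z0-9_/.?=&-]+|https?://[^"]+)"' app.js \
  | tr -d '"' | sort -u > endpoints.txt

cat endpoints.txt
```

Expect plenty of noise from real applications; the value is in endpoints that never appear in the rendered UI, like the internal admin URL above.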

API Discovery and Analysis

  • Identify API endpoints from JavaScript files and network traffic.
  • Use tools like arjun, parameth, or ffuf for parameter discovery.
  • Analyze API documentation (Swagger, OpenAPI, GraphQL) if available.
  • Test for API authentication bypass and authorization issues.
  • Look for deprecated API versions that may have weaker security.
  • Check for GraphQL endpoints and introspection queries.
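Checking whether a GraphQL endpoint answers introspection takes one POST. The query below is the standard minimal introspection probe; /graphql is an assumed path, and the request itself sits behind a DRY_RUN switch:

```shell
#!/bin/bash
# Minimal GraphQL introspection probe. If introspection is enabled, the
# response lists every type the schema exposes.
ENDPOINT="https://example.com/graphql"   # assumed path -- confirm per target
QUERY='{"query":"{ __schema { types { name } } }"}'

echo "[+] Introspection payload: $QUERY"

DRY_RUN=1   # set to 0 to send the request
if [ "$DRY_RUN" -eq 0 ]; then
  curl -s -X POST "$ENDPOINT" \
       -H 'Content-Type: application/json' \
       -d "$QUERY"
fi
```

A response containing a type list rather than an error means introspection is open, which usually hands you the full API surface in one request.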

Authentication Mechanism Analysis

  • Identify all authentication endpoints and mechanisms.
  • Analyze password policies and complexity requirements.
  • Check for multi-factor authentication implementation.
  • Look for forgotten test accounts and default credentials.
  • Analyze session management and token handling.

Phase 4: Data Aggregation and Target Prioritization

This final phase is about making sense of the collected data and planning the next steps.

Data Consolidation

  • Combine all discovered domains, subdomains, and IPs into a single, sorted, unique list.
  • Store all findings in a structured manner (e.g., mind map, wiki, database, Notion).
  • Feed the consolidated lists into downstream tooling (e.g., katana for crawling, nuclei for templated scanning) or custom scripts.
  • Correlate findings (e.g., link a discovered S3 bucket to a specific web application).
  • Create relationship maps between assets, services, and technologies.
  • Document all findings with timestamps and source information.
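The consolidation step is mostly sort -u plus light normalization (lowercasing, stripping wildcard prefixes from certificate entries). The sample files below stand in for real tool output:

```shell
#!/bin/bash
# Merge per-tool output into one deduplicated asset list.
# Sample files stand in for subfinder/amass/crt.sh output.
printf 'a.example.com\nB.example.com\n' > subfinder_out.txt
printf 'b.example.com\n*.c.example.com\n' > amass_out.txt

cat subfinder_out.txt amass_out.txt \
  | tr 'A-Z' 'a-z' \
  | sed 's/^\*\.//' \
  | sort -u > all_subdomains.txt

cat all_subdomains.txt
```

Normalizing before deduplicating matters: B.example.com and b.example.com are the same asset, and *.c.example.com from a certificate should collapse to its base name.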

Target Prioritization

  • Identify potentially high-value targets based on the reconnaissance data:
    • Applications with login portals and authentication mechanisms.
    • Servers running outdated or vulnerable software versions.
    • Exposed administrative interfaces and management consoles.
    • APIs with complex functionality and data processing.
    • Development or staging environments that may have weaker security.
    • Critical business functionality and data processing systems.
    • Third-party integrations and external service connections.
  • Formulate hypotheses for potential vulnerabilities on the prioritized targets.
  • Create attack trees for high-value targets.
  • Estimate potential impact and likelihood for each target.

Risk Assessment

  • Evaluate the business impact of potential compromises.
  • Consider regulatory and compliance implications.
  • Assess the difficulty of exploitation for each potential vulnerability.
  • Prioritize targets based on risk scoring methodologies.
  • Consider time constraints and resource availability.

Next Steps

  • Begin the vulnerability analysis phase, focusing on the prioritized targets.
  • Use the gathered information (e.g., breached passwords, tech stack) to inform the testing process.
  • Develop custom payloads and testing methodologies based on the technology stack.
  • Create targeted wordlists based on company-specific information.
  • Document all reconnaissance findings clearly in the final report.
  • Prepare executive summaries and technical details for different audiences.

Automation and Continuous Monitoring

  • Set up automated reconnaissance pipelines for continuous monitoring.
  • Use tools like nuclei, jaeles, or custom scripts for automated vulnerability scanning.
  • Implement alerting for new assets and changes in the attack surface.
  • Create dashboards for real-time visibility into the target landscape.
  • Schedule regular reconnaissance sweeps to catch new developments.
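Change detection between sweeps reduces to a sorted-file diff: comm -13 prints lines that appear only in the newest asset list, which is exactly the "new asset" alert condition. Sample files stand in for two consecutive enumeration runs:

```shell
#!/bin/bash
# Flag assets that appeared since the last sweep.
printf 'a.example.com\nb.example.com\n' > known_assets.txt
printf 'a.example.com\nb.example.com\ndev-new.example.com\n' > current_assets.txt

# comm requires sorted input
sort -o known_assets.txt known_assets.txt
sort -o current_assets.txt current_assets.txt

# comm -13: lines present only in the second file, i.e. newly seen assets
NEW=$(comm -13 known_assets.txt current_assets.txt)

if [ -n "$NEW" ]; then
  echo "[!] New assets discovered:"
  echo "$NEW"
  # hook an alert here (Slack webhook, email, ticket system)
fi

echo "$NEW" > new_assets.txt
```

Run this from cron after each scheduled sweep and the alert hook fires only when the attack surface actually grows.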

Advanced Automation Example:

#!/bin/bash
# Comprehensive reconnaissance pipeline
TARGET="example.com"
DATE=$(date +%Y%m%d)

echo "[+] Starting comprehensive reconnaissance for $TARGET"

# Phase 1: Passive Intelligence
echo "[+] Phase 1: Passive OSINT"
python3 osint_collector.py --target "$TARGET" --output "osint_${DATE}"

# Phase 2: Asset Discovery
echo "[+] Phase 2: Asset Discovery"
subfinder -d "$TARGET" -o "subdomains_${DATE}.txt"
amass enum -passive -d "$TARGET" -o "amass_${DATE}.txt"
# Resolve subdomains to IPs before handing them to masscan
dnsx -l "subdomains_${DATE}.txt" -a -resp-only -o "targets_${DATE}.txt"
masscan -p1-65535 -iL "targets_${DATE}.txt" -oX "masscan_${DATE}.xml"

# Phase 3: Service Enumeration
# (live_hosts/web_targets lists are derived from the masscan results)
echo "[+] Phase 3: Service Enumeration"
nmap -sV -sC -iL "live_hosts_${DATE}.txt" -oA "nmap_${DATE}"
httpx -l "web_targets_${DATE}.txt" -tech-detect -o "httpx_${DATE}.txt"

# Phase 4: Analysis and Reporting
echo "[+] Phase 4: Analysis and Reporting"
python3 analyze_results.py --input . --output "report_${DATE}.html"

echo "[+] Reconnaissance complete. Report generated: report_${DATE}.html"

Ethical and Legal Considerations

  • Ensure all reconnaissance activities are within the defined scope.
  • Document all actions for legal compliance and audit purposes.
  • Respect rate limiting and avoid causing service disruptions.
  • Handle sensitive discovered information appropriately.
  • Follow responsible disclosure procedures for any accidental findings.

Quality Assurance

  • Verify all findings through multiple sources when possible.
  • Eliminate duplicates and false positives from the results.
  • Cross-validate critical findings with different tools and techniques.
  • Document the methodology and tools used for each finding.
  • Review the complete dataset for completeness and accuracy.

Final Tip: The most successful reconnaissance operations combine automated tools with manual analysis. While automation can quickly gather large amounts of data, human analysis is essential for identifying subtle patterns, making connections between disparate pieces of information, and formulating creative attack hypotheses. Always budget time for both automated collection and manual review.

Remember that reconnaissance is not a one-time activity but an ongoing process. New assets are constantly being added, configurations change, and previously secure systems may become vulnerable over time. The most effective security professionals maintain continuous awareness of their target's attack surface.