
Initial Target Scope

Define what the target is: the domains, subdomains and IP ranges, the infrastructure they run, and which company assets are attackable and in scope. This sets the boundaries and makes clear where the recon begins and where it ends.

Engagement Type

First it is essential to clearly define what you are doing the recon for and what the goal is. Decide whether this is a CTF, a pentest or a bug bounty, because each comes with different rules, time budgets and expectations about what a result looks like.

Rules of Engagement (RoE)

Take a detailed look at the rules you have to follow. If something is unclear, it needs to be addressed before you start.
Is social engineering in scope?
Are destructive payloads prohibited?
Can you fuzz login forms or brute-force credentials?
What are the time restrictions (testing windows, blackout periods)?
Everything must be documented in writing, and everyone involved must understand and agree to the rules.

In Scope

It needs to be clearly defined which domains, subdomains, IP ranges and applications may be attacked. What about third-party services they use? You have to be very clear; anything not listed is not in scope.

Out of Scope

You also need to define the specific services, IPs and domains that are not to be touched: partners, shared infrastructure or production-critical services. Put them in a list you can check every target against.

Success Criteria

Also really important to define: you want to know when you are done, when you have done your job. It should be clear that no system is ever completely secure; whether and when it gets owned depends on a multitude of things. So agree on what actually counts as success, for example a specific objective reached, a set of assets covered, or a time box exhausted.

Logistics & Authorization

Which accounts are authorized? What about VPN access and access tokens? You need explicit, written permission before you go through with it. Who is your point of contact if anything happens? Do you have a signed "get out of jail free" letter you can show if someone challenges you?

Warning

No moving forward until this part is airtight.



Passive Recon

Definition

Collecting information without touching the target. Stay a ghost: watch, don't touch. The rule is: no traffic from you hits their servers. Everything is pulled from third parties (search engines, certificate transparency logs, Shodan, archives), never from the target itself.

OSINT (Open-Source Intelligence)

Tools and techniques:

  • crt.sh, CertSpotter, Censys, Shodan, ZoomEye, Hunter.io
  • Employee footprinting (LinkedIn, GitHub, Twitter)
  • WHOIS & DNS history
  • Archive.org (Wayback Machine)

The aim is to extract all public data about the target without making direct contact. You are building the dossier before stepping onto the field.

Subdomain Enumeration

Tools:

  • Amass (passive mode), Subfinder, Assetfinder, Findomain

Sources:

  • Certificate Transparency Logs
  • Public DNS data aggregation (VirusTotal, dns.bufferover.run)

The goal is to find potential subdomains without touching the target. Build a list of candidates to make the next steps easier for yourself; expect stale entries, wildcards and lookalike domains that belong to someone else, and filter the list against your scope before you use it.
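As an added example, not part of the original notes, here is a small POSIX shell pipeline that turns the raw output of passive sources into a clean, in-scope list. The input lines and the out-of-scope host are constructed for the example, and the root domain example.com is assumed. It lowercases, strips wildcard prefixes and trailing dots, drops lookalike domains that merely contain the target name, deduplicates, and removes anything listed as out of scope.

```sh
#!/bin/sh
# Added example: consolidate raw passive-source output into an in-scope list.
# RAW_NAMES is constructed to look like merged crt.sh / subfinder / assetfinder
# output; it is not data from a real target.
RAW_NAMES='*.dev.example.com
WWW.Example.com
api.example.com.
mail.example.com
example.com.evil.net
legacy.example.com
api.example.com
notexample.com
www.example.com'

# Constructed out-of-scope list from the RoE, one host per line (assumption).
OUT_OF_SCOPE='legacy.example.com'

# normalize_subdomains ROOT: read raw names on stdin, print a sorted, unique,
# in-scope list. Steps: lowercase; strip "*." wildcard prefixes, trailing dots
# and stray whitespace; keep only names that are ROOT or end in ".ROOT" (so
# "example.com.evil.net" and "notexample.com" are dropped); dedupe; remove
# anything listed in OUT_OF_SCOPE.
normalize_subdomains() {
    root="$1"
    esc=$(printf '%s' "$root" | sed 's/\./\\./g')   # escape dots for the regex
    tr 'A-Z' 'a-z' \
    | sed -e 's/^\*\.//' -e 's/\.$//' -e 's/[[:space:]]//g' \
    | grep -E "(^|\.)${esc}\$" \
    | sort -u \
    | awk -v excl="$OUT_OF_SCOPE" '
        BEGIN { n = split(excl, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($0 in skip)'
}

# Stand-alone run: prints api, dev, mail and www.example.com, one per line.
printf '%s\n' "$RAW_NAMES" | normalize_subdomains example.com
```

In practice you replace RAW_NAMES with the concatenated output of your passive tools (for example `cat crtsh.txt subfinder.txt assetfinder.txt | normalize_subdomains example.com`) and keep OUT_OF_SCOPE in sync with the RoE.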

DNS Enumeration

  • Passive DNS record discovery
  • Zone history (SecurityTrails, PassiveTotal)

Helps you understand the infrastructure layout and potential service endpoints. Keep in mind that passive DNS data can be stale: a record seen last year may not resolve today, and an IP that used to belong to the target may now be someone else's, which matters for scope.

Technology Fingerprinting

Tools:

  • Wappalyzer
  • BuiltWith
  • Netcraft
  • WhatWeb

You can start to understand the stack: the languages, frameworks, CMS and libraries in use. Note that WhatWeb and the Wappalyzer browser extension fetch pages from the target themselves, so if the no-traffic rule applies, use the cached data from BuiltWith and Netcraft here and save the others for active recon.

Codebase & Asset Hunting

  • Search public GitHub repos and organisations by target name
  • Look for exposed .git, .env, .bak, etc. in the Wayback Machine
  • Searching Pastebin, Gist and leak dumps for the target's name can also be helpful

It is not unlikely to come across old credentials, forgotten endpoints or internal code here, which helps you work out how things are done and find the logic and structure behind them.

Third-Party Enumeration

Figure out which third parties they use.

  • SSO / identity provider
  • Marketing and analytics tools
  • CDN in use
  • Library dependencies

Mapping dependencies and weak links can reveal different attack vectors, but check the RoE: a third party is usually out of scope unless it is explicitly listed.

Notes to take:

You need to start building your documentation here.
Write down:
- Domains
- Subdomains
- Tech stacks
- Notable files / leaks

You should also start an initial map of the infrastructure.
This helps you fit everything else you find into its place.

Outcome

By the end of this stage you should have:

  • A list of target domains / subdomains
  • Publicly known infrastructure
  • High-level service stack
  • Potential weak links from external assets
  • Initial attack surface mind map

Active Recon

Definition

Here you interact with the target's infrastructure directly: scanning and probing. Since you are now sending packets, you leave traces in their logs and IDS alerts, and you should be aware of that. Stay within the agreed time windows and source IPs.

Port scanning

  • Discover open ports and determine their state (open, closed, filtered)
  • Understand the exposed surface area
  • Tools: nmap, rustscan, masscan

Service Enumeration

  • Identify running services and their versions
  • Fingerprint protocols, grab banners, test endpoints
  • Tools: nmap, netcat, telnet, whatweb, httpx

Authentication & Access Points

  • Find login portals and remote-access services: SSH, FTP, RDP, Telnet, web admin panels
  • Identify entry points that may lead to further attack vectors
  • Tools: hydra, ncrack, medusa (credential attacks only if the RoE explicitly permits them; account lockouts are a real risk)

Info Leaks

  • Interact with services to provoke behaviour and test for leaks, misconfigurations or sloppy responses
  • Think SMTP VRFY/EXPN user enumeration, FTP misconfigurations such as anonymous login, or SSH banner and MOTD leaks
  • Tools: netcat, curl, openssl

Notes to take:

Document everything you find. Merge the new findings into the existing documentation, mark which subdomains are actually alive, and fill in your infrastructure map: which host exposes which ports and services, with versions.
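An added example, not from the original page: a shell parser for nmap's grepable output (-oG) that turns a scan into the host / port / service / version lines you want in your notes. The scan output below is constructed for the example; the hosts, names and versions in it are not real findings.

```sh
#!/bin/sh
# Added example: turn nmap grepable output (-oG) into note-ready lines.
# GNMAP is constructed to mimic "nmap -sV -oG scan.gnmap"; real nmap separates
# the fields with tabs, the parser accepts tabs or spaces. Hosts, names and
# versions are invented for the example.
GNMAP='# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web.example.com) Status: Up
Host: 10.0.0.5 (web.example.com) Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy/// Ignored State: closed (996)
Host: 10.0.0.6 () Ports: 25/open/tcp//smtp//Postfix smtpd/, 110/closed/tcp//pop3/// Ignored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned'

# parse_gnmap STATE: read -oG output on stdin and print one tab-separated line
# per port whose state is STATE (open, filtered or closed):
#   ip  hostname  port/proto  service  version
# Every -oG port entry has the fixed shape
#   port/state/proto/owner/service/rpc/version/
# and nmap rewrites a "/" inside any field as "|" (e.g. ssl|http), so
# splitting on "/" is safe.
parse_gnmap() {
    keep="$1"
    grep 'Ports: ' | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | sed -E 's/^Host: ([^[:space:]]+).*/\1/')
        name=$(printf '%s\n' "$line" | sed -E 's/^Host: [^[:space:]]+[[:space:]]+\(([^)]*)\).*/\1/')
        ports=$(printf '%s\n' "$line" | sed -E 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//')
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | awk -F'/' -v ip="$ip" -v name="$name" -v keep="$keep" \
            '$2 == keep { printf "%s\t%s\t%s/%s\t%s\t%s\n", ip, name, $1, $3, $5, $7 }'
    done
}

# Stand-alone run: the four open ports, one per line.
printf '%s\n' "$GNMAP" | parse_gnmap open
```

Run it as `parse_gnmap open < scan.gnmap` and paste the result straight into your notes; `parse_gnmap filtered` is a quick way to list what a firewall is hiding, which is worth a line in the map too.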

Outcome

By the end of this stage you should have:

  • A list of reachable hosts with open ports and active services
  • Service versions with potentially weak configurations
  • Authentication endpoints and any possible misconfigurations
  • A prioritized attack surface with targets worth deeper inspection
  • A clear specification of which web services the next phase (Web Recon) starts with

Web Recon

Digging deep into web services. There is normally a lot to find: hidden directories and files, the headers in use, the login portals. Specify where the attack surface is.

Identifying Web Assets

You should already have a pretty good idea of the web assets after the previous steps. But make yourself a specific plan of what you need to tackle in this section.

Clientside Logic

  • Parse JavaScript files manually or with tools
  • Find API endpoints, secrets and tokens
  • Map JS-based routing and hidden functionality
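Added example, not the page's own code: a quick first pass over a JavaScript bundle with grep, pulling out quoted endpoints and a couple of secret patterns. The bundle fragment is constructed. Of the two secret patterns, only the AWS access key ID format (AKIA followed by 16 characters; the value used is the example key ID from the AWS documentation) is a known format; the second is a generic assumption about how keys get assigned in code. Treat the output as leads to verify, not as findings.

```sh
#!/bin/sh
# Added example: first-pass triage of a JavaScript bundle with grep.
# JS_SAMPLE is a constructed fragment, not code from any real site. The AWS
# key is the example key ID from the AWS documentation, not a live credential.
JS_SAMPLE='const API = "https://api.example.com/v2";
fetch(API + "/users/me", { headers: { Authorization: "Bearer " + token } });
axios.post("/api/v2/admin/export", payload);
const debugRoute = "/internal/debug";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const apiKey = "0f3a9c1d2b4e";
window.location = "https://cdn.example.net/assets/app.js";'

# extract_endpoints: print every double-quoted absolute URL or root-relative
# path, deduplicated. Paths built by concatenation ("/users/me" above) show up
# without their base URL, which is still a lead worth mapping.
extract_endpoints() {
    grep -oE '"(https?://[^"]+|/[A-Za-z0-9_./-]+)"' | tr -d '"' | sort -u
}

# find_secrets: two patterns, one known (AWS access key IDs: AKIA + 16
# uppercase alphanumerics) and one generic assumption (apiKey/secret/token
# assigned a quoted literal). Everything it prints must be verified by hand.
find_secrets() {
    grep -oiE 'AKIA[0-9A-Z]{16}|(api[_-]?key|secret|token)[[:space:]]*[:=][[:space:]]*"[^"]+"' \
    | sort -u
}

# Stand-alone run against the sample (in practice: curl -s URL/app.js | ...).
printf '%s\n' "$JS_SAMPLE" | extract_endpoints
printf '%s\n' "$JS_SAMPLE" | find_secrets
```

Minified bundles put everything on one line; grep -o still works because it prints each match separately. Single-quoted and template-literal strings are not covered by these patterns, so extend them (or use a dedicated tool) before relying on the result for coverage.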

Input Vectors

  • Query strings, forms and hidden inputs
  • File uploaders, search bars and filters
  • Are there client-side validations, and does the server repeat them? Client-side checks alone are bypassable.

Session Handling & Authentication Behavior

  • Cookie flags, token behavior, session expiry
  • Authentication flows (login, password reset, MFA)
  • Redirect behavior, caching
  • Version leaks, misconfigs
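Added example, not part of the original notes: an awk-based audit of raw response headers that reports missing cookie flags, version disclosure in Server / X-Powered-By, and a missing HSTS header. The headers are constructed for the example; in practice you feed the function the output of `curl -sI` (or `curl -s -D - -o /dev/null`) against the target.

```sh
#!/bin/sh
# Added example: audit raw HTTP response headers for session-cookie flags,
# version disclosure and missing HSTS. HEADERS is constructed; feed the
# function "curl -sI https://target/" output in practice.
HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=9f8e7d6c; Path=/
Set-Cookie: csrftoken=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8'

# audit_headers: read headers on stdin, print one finding per line.
# Header names are matched case-insensitively; cookie attributes too.
audit_headers() {
    awk '
    {
        sub(/\r$/, "")
        n = index($0, ":")
        if (n == 0) { next }                       # status line or blank line
        name = tolower(substr($0, 1, n - 1))
        value = substr($0, n + 1)
        sub(/^[ \t]+/, "", value)
        lv = tolower(value)
        if (name == "set-cookie") {
            split(value, attrs, ";")               # attrs[1] is name=value
            split(attrs[1], kv, "=")
            cname = kv[1]
            if (lv !~ /;[ \t]*secure([ \t]*;|$)/)   { print "cookie " cname ": missing Secure" }
            if (lv !~ /;[ \t]*httponly([ \t]*;|$)/) { print "cookie " cname ": missing HttpOnly" }
            if (lv !~ /;[ \t]*samesite=/)          { print "cookie " cname ": missing SameSite" }
        }
        if ((name == "server" || name == "x-powered-by") && value ~ /[0-9]+\.[0-9]+/) {
            print "version leak in " name ": " value
        }
        if (name == "strict-transport-security") { hsts = 1 }
    }
    END { if (!hsts) { print "missing Strict-Transport-Security" } }'
}

# Stand-alone run: six findings for the sample above.
printf '%s\n' "$HEADERS" | audit_headers
```

The session cookie (PHPSESSID) is the one that matters: without Secure it can be sent over plain HTTP, without HttpOnly script can read it, and without SameSite the browser default decides CSRF exposure. Run the audit against the response of an authenticated request too, since session cookies are often only set after login.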

Notes

  • Put everything you find on your map
  • Mark interesting targets that might offer more

Outcome

You should be able to tie findings to potential exploitation paths. Through the exploration of headers and forms, you have a solid understanding of what your target exposes on the web and where to dig deeper.


Enumeration

Here you want to see what is in use: find every service and protocol they run. Provoke, record and understand every response.

Services and protocols to enumerate:

  • SMB shares (null sessions, readable shares)
  • HTTP/HTTPS services
  • FTP (anonymous login)
  • DNS zone transfer attempts (AXFR)
  • SNMP (default community strings such as public)

Vulnerability Enumeration

Now that you have loads of information, it is time to look where you can actually get somewhere. Look for known vulnerabilities in the services they use, run a vulnerability scanner and look through CVEs. Match exposed service versions with known weaknesses, and verify: a version banner alone does not prove a host is vulnerable, since distributions backport fixes and configuration can change what is reachable.

Tools to use:

  • Nikto
  • Searchsploit
  • CVE search

Documentation

The most underrated weapon, especially for recon. Write down everything you have. Go over your notes and make them useful. You need to be able to find anything you wrote down in an instant.