gh-trilwu-secskills-secskills/skills/initial-access-recon/SKILL.md
2025-11-30 09:03:09 +08:00


name: performing-reconnaissance
description: Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.

Initial Access and Reconnaissance Skill

You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:

  • External reconnaissance and information gathering
  • Subdomain enumeration
  • Port scanning strategies
  • OSINT techniques
  • Public exposure detection
  • Network mapping
  • Service fingerprinting
  • Vulnerability scanning

Core Methodologies

1. Passive Reconnaissance (OSINT)

Domain Information:

# WHOIS lookup
whois domain.com

# DNS records
dig domain.com ANY
dig domain.com MX
dig domain.com TXT
dig domain.com NS

# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan

Subdomain Enumeration (Passive):

# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u

# Sublist3r
python3 sublist3r.py -d domain.com

# Amass (passive)
amass enum -passive -d domain.com

# assetfinder
assetfinder --subs-only domain.com

# subfinder
subfinder -d domain.com -silent
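The crt.sh query above returns one JSON record per certificate, with every SAN packed into a newline-separated name_value field, so the raw list needs splitting, lower-casing, wildcard handling and scope filtering before it is usable. The following is an added example (not part of the skill file or of crt.sh) that does that over a constructed response and, from the defender's side, diffs the result against an asset inventory to surface certificates issued for hosts nobody tracks; the sample records and inventory are made up.

```python
import json
from typing import Set

# Constructed sample of crt.sh JSON output (not a real query result). One record
# per certificate; all SANs of a certificate sit in "name_value", one per line.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com"},
    {"id": 2, "name_value": "*.example.com"},
    {"id": 3, "name_value": "mail.example.com\nWWW.example.com"},
    {"id": 4, "name_value": "www.example.com\ncdn.examplecdn.net"},  # second SAN out of scope
    {"id": 5, "name_value": "staging.internal.example.com"},
])


def extract_subdomains(raw_json: str, domain: str) -> Set[str]:
    """Return the unique in-scope hostnames from a crt.sh JSON response."""
    domain = domain.lower()
    found: Set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):      # a wildcard SAN is not a host; keep its base
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def unexpected_hosts(raw_json: str, domain: str, inventory: Set[str]) -> Set[str]:
    """Defender view: names holding a certificate that the asset inventory does not list."""
    return extract_subdomains(raw_json, domain) - {h.lower() for h in inventory}


if __name__ == "__main__":
    inventory = {"example.com", "www.example.com", "mail.example.com"}  # constructed
    print("\n".join(sorted(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"))))
    print("not in inventory:", unexpected_hosts(SAMPLE_CRTSH_JSON, "example.com", inventory))
```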

Email Harvesting:

# theHarvester
theHarvester -d domain.com -b all

# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect

Search Engine Recon:

# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log

# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api

Shodan/Censys:

# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"

# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure

Social Media OSINT:

# LinkedIn enumeration
# Company employees, job titles, technologies used

# Twitter
# Company accounts, employee accounts, technology mentions

# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)

2. Active Reconnaissance

Subdomain Enumeration (Active):

# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302

# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt

# amass (active)
amass enum -active -d domain.com -brute

DNS Zone Transfer:

# dig
dig axfr @ns1.domain.com domain.com

# host
host -l domain.com ns1.domain.com

# fierce
fierce --domain domain.com

Port Scanning:

# Nmap - quick scan
nmap -sC -sV -oA nmap_scan target.com

# Nmap - full port scan
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -sV -sC -A target.com -oA nmap_detailed

# Nmap - UDP scan
sudo nmap -sU --top-ports 1000 target.com

# Nmap - scan entire network
nmap -sn 10.10.10.0/24  # Ping sweep
nmap -p- 10.10.10.0/24  # Port scan subnet

# masscan (very fast)
sudo masscan -p1-65535 10.10.10.10 --rate=1000

# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV

Service Detection:

# Banner grabbing
nc -v target.com 80   # add -n only when connecting by IP: it disables name resolution
curl -I https://target.com
telnet target.com 80

# Nmap service detection
nmap -sV --version-intensity 9 target.com

# OS detection
sudo nmap -O target.com

3. Web Application Reconnaissance

Technology Identification:

# WhatWeb
whatweb https://target.com

# Wappalyzer (browser extension)
# BuiltWith (web service)

# Check headers
curl -I https://target.com

# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"

Directory/File Enumeration:

# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html

# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js

# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404  # Filter out 404s

# dirsearch
dirsearch -u https://target.com -e php,html,js

# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/

Virtual Host Discovery:

# gobuster
gobuster vhost -u http://target.com -w vhosts.txt

# ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fc 404

Parameter Discovery:

# arjun
arjun -u https://target.com/page

# ParamSpider
python3 paramspider.py -d target.com

# ffuf
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -mc 200

JavaScript Analysis:

# Extract JS files
echo "https://target.com" | hakrawler | grep "\.js$" | sort -u

# Analyze JS for secrets
grep -Eo "(api|token|key|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']" file.js

# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html

# JSParser
python3 JSParser.py -u https://target.com
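The grep pattern in the "Analyze JS for secrets" line is case-sensitive and requires the quote and separator to follow the keyword directly, which shapes what it finds. As an added example (not from the skill file), the block below runs that exact pattern and a case-insensitive variant over a constructed JavaScript fragment, the same check a team would run on its own bundles before deployment; every value in the sample is invented.

```python
import re
from typing import List, Tuple

# The grep pattern from the line above, as a Python regex. grep -E without -i is
# case-sensitive, so camelCase (apiKey) and upper-case (API_KEY) names are missed.
PAGE_PATTERN = re.compile(r"""(api|token|key|secret|password)["']?\s*[:=]\s*["']([^"']{10,})["']""")
# The same pattern made case-insensitive: catches more, at the price of more noise.
LOOSE_PATTERN = re.compile(PAGE_PATTERN.pattern, re.IGNORECASE)

# Constructed JavaScript fragment; every value is a made-up sample, not a real credential.
SAMPLE_JS = "\n".join([
    'const apiKey = "AKIACONSTRUCTEDSAMPLE";',               # camelCase: page pattern misses it
    "var token = 'ghp_constructedsampletoken1234567890';",   # both patterns hit
    'settings.password = "short";',                          # under 10 chars: no hit
    '  secret: "a1b2c3d4e5f6g7h8",',                         # object literal: both hit
    'const API_KEY = "QUJDREVGR0hJSktMTU5PUA==";',           # upper case: page pattern misses it
    'errorKey: "Invalid password or token",',                # loose pattern false positive
])


def find_candidate_secrets(js: str, pattern: re.Pattern = PAGE_PATTERN) -> List[Tuple[int, str, str]]:
    """Return (line number, keyword that matched, value) for every hit in the JS text."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(js.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, pat in (("page pattern", PAGE_PATTERN), ("case-insensitive", LOOSE_PATTERN)):
        print(name)
        for lineno, keyword, value in find_candidate_secrets(SAMPLE_JS, pat):
            print(f"  line {lineno}: {keyword} = {value[:4]}...")  # never echo full values in reports
```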

4. Email/Phishing Reconnaissance

Email Format Detection:

# Common formats
firstname.lastname@company.com
firstnamelastname@company.com
f.lastname@company.com
firstname@company.com

# Generate email list
# Tools: linkedin2username, namemash

Email Verification:

# Check if email exists
# Tools: hunter.io, email-checker

# SMTP verification (careful - detectable)
telnet mail.company.com 25
VRFY user@company.com

Breached Credentials:

# Have I Been Pwned
# Check if company emails in breaches

# dehashed.com
# Search for company domain

# WeLeakInfo alternatives
# pwndb (Tor)

5. Network Mapping

Identify Live Hosts:

# Ping sweep
nmap -sn 10.10.10.0/24

# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24

# fping
fping -a -g 10.10.10.0/24 2>/dev/null

Network Topology:

# Traceroute
traceroute target.com
traceroute -T target.com  # TCP
traceroute -I target.com  # ICMP

# MTR (better traceroute)
mtr target.com

Firewall/IDS Detection:

# Nmap firewall detection
nmap -sA target.com

# Check for filtered ports
nmap -p- -Pn target.com

# IDS evasion techniques
nmap -T2 -f target.com  # Slow scan, fragment packets
nmap -D RND:10 target.com  # Decoy scan

6. Cloud Asset Discovery

AWS S3 Buckets:

# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com

# Bucket name wordlist
# company-backup, company-data, company-dev, etc.

# Tools
# s3scanner
python3 s3scanner.py buckets.txt

# awscli
aws s3 ls s3://bucketname --no-sign-request

Azure Blobs:

# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container

# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company

Google Cloud Storage:

# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket

# GCPBucketBrute
python3 gcpbucketbrute.py -k company

7. Vulnerability Scanning

Automated Scanners:

# Nikto (web vulnerabilities)
nikto -h https://target.com

# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/

# OpenVAS (comprehensive)
# Use GUI or command line

# Nessus (commercial)
# Web-based scanner

Specific Vulnerability Checks:

# SSL/TLS
nmap -p 443 --script "ssl-*" target.com   # quote the glob so the shell does not expand it
testssl.sh https://target.com

# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch

# XSS
dalfox url https://target.com/search?q=test

# SSRF
# Manual testing or use Burp Suite

# Directory traversal
# Test: ../../../../etc/passwd

8. Credential Gathering

Default Credentials:

# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials

# Common defaults
admin:admin
admin:password
root:root
admin:Admin123

Public Repositories:

# GitHub secrets scanning
trufflehog https://github.com/company/repo

# GitLeaks
gitleaks detect --source /path/to/repo

# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password

Metadata Extraction:

# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;

# FOCA (Windows)
# Extract metadata from documents

9. Attack Surface Mapping

Comprehensive Enumeration:

# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering

Automation Frameworks:

# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
while read -r host; do nmap -sC -sV "$host" -oA "nmap_$host"; done < subdomains.txt
nuclei -l subdomains.txt -t ~/nuclei-templates/

# Recon-ng
recon-ng
workspaces create target
modules load recon/domains-hosts/hackertarget
modules load recon/hosts-ports/shodan
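The pipeline above hands the whole subdomain list to nuclei, although only hosts with an open web port are worth scanning, and nmap -oA already wrote that information to a .gnmap file. As an added example (not part of the skill file or of nmap), the block below parses the grepable format into per-host port records and derives the URL list a list-driven scanner would consume, which is also the triage step a blue team runs on its own scan output; the scan lines are constructed.

```python
import re
from typing import Dict, List, NamedTuple

class PortInfo(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str

# Constructed lines in nmap's grepable format (the .gnmap file that -oA writes).
# Each "Ports:" entry is port/state/protocol/owner/service/rpc/version/ and nmap
# writes a "/" inside a service name as "|" (hence ssl|https).
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sC -sV -oA nmap_www www.example.com",
    "Host: 10.10.10.10 (www.example.com)\tStatus: Up",
    "Host: 10.10.10.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)",
    "Host: 10.10.10.11 (api.example.com)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/",
])

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")

def parse_gnmap(text: str) -> Dict[str, List[PortInfo]]:
    """Map each host (hostname when nmap resolved one, else its IP) to its port entries."""
    hosts: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment and Status-only lines carry no port data
            continue
        ip, hostname, ports = m.groups()
        entries = hosts.setdefault(hostname or ip, [])
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) >= 7:
                entries.append(PortInfo(int(f[0]), f[2], f[1], f[4], f[6]))
    return hosts

def web_targets(hosts: Dict[str, List[PortInfo]]) -> List[str]:
    """URLs for open HTTP(S) ports, the list form a scanner such as nuclei -l consumes."""
    urls = []
    for host, ports in hosts.items():
        for p in ports:
            if p.state != "open" or p.proto != "tcp" or "http" not in p.service:
                continue
            scheme = "https" if "https" in p.service or "ssl" in p.service else "http"
            urls.append(f"{scheme}://{host}:{p.port}")
    return urls
```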

10. Reporting and Documentation

Organize Findings:

# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}

# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected

Essential Tools

Reconnaissance Suites:

  • Amass - In-depth subdomain enumeration
  • Recon-ng - Modular reconnaissance framework
  • theHarvester - Email and subdomain gathering
  • SpiderFoot - OSINT automation
  • OWASP Maryam - Modular OSINT framework

Subdomain Tools:

  • subfinder, assetfinder, findomain
  • Sublist3r, amass, gobuster dns

Port Scanners:

  • Nmap - The standard
  • masscan - Fastest scanner
  • RustScan - Fast with nmap backend

Web Tools:

  • gobuster, feroxbuster, ffuf, dirsearch
  • whatweb, wappalyzer
  • nikto, nuclei

Operational Security

Reconnaissance OPSEC:

# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase

When to Use This Skill

Activate this skill when the user asks to:

  • Perform reconnaissance on a target
  • Enumerate subdomains
  • Discover attack surface
  • Find public exposures
  • Gather OSINT information
  • Map network infrastructure
  • Identify technologies in use
  • Help with initial access techniques

Always ensure proper authorization before performing any reconnaissance activities.