Reconnaissance & OSINT

🔥 Vibe Prompt

"Perform OSINT on a target: subdomains, technology stack, exposed endpoints, employee info."

Subdomain Enumeration

# Subfinder
subfinder -d example.com -o subdomains.txt

# Amass
amass enum -d example.com -o amass_subs.txt

# Sublist3r
sublist3r -d example.com -o subs.txt

# Assetfinder
assetfinder --subs-only example.com > assets.txt

# DNS brute force (reads one label per line from wordlist.txt; quoted to survive odd entries)
while IFS= read -r sub; do
  host "$sub.example.com" | grep -q "has address" && echo "$sub.example.com"
done < wordlist.txt

Technology Discovery

# WhatWeb
whatweb example.com -v

# Wappalyzer (browser extension)
# BuiltWith (web service)

# Nmap service scan
nmap -sV -sC -p- example.com -oN nmap.txt

WhatWeb Output

http://example.com [200 OK]
  Country: UNITED STATES
  IP: 93.184.216.34
  UncommonHeaders: x-cache
  HTTPServer: nginx/1.24.0
  Script: [JavaScript]
  jQuery: 3.7.1
  Open-Graph-Protocol: [title, type]
  Framework: Bootstrap 5.x
  Cookies: [sessionid]
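The WhatWeb block above is easy to read by eye but awkward to compare against a patch list once you have dozens of hosts. The following is an added example, not code from the page or from the WhatWeb project: it parses that verbose output format into a record per URL and pulls out the components that carry a concrete version string (the regexes and the `SKIP_PLUGINS` list are my own assumptions based on the sample block; real WhatWeb runs emit more plugin names than shown here). The sample text embedded below is the page's block, reproduced as a constructed input.

```python
"""Parse WhatWeb verbose output into a technology inventory.

Added example (not part of the original page or of WhatWeb). Field handling is
an assumption derived from the sample block on the page.
"""
import re
from typing import Dict, List

# Constructed sample input: the WhatWeb block shown on the page.
SAMPLE_WHATWEB = """\
http://example.com [200 OK]
  Country: UNITED STATES
  IP: 93.184.216.34
  UncommonHeaders: x-cache
  HTTPServer: nginx/1.24.0
  Script: [JavaScript]
  jQuery: 3.7.1
  Open-Graph-Protocol: [title, type]
  Framework: Bootstrap 5.x
  Cookies: [sessionid]
"""

# "http://example.com [200 OK]" -> url, status
HEADER_RE = re.compile(r"^(?P<url>\S+) \[(?P<status>[^\]]+)\]$")
# "  HTTPServer: nginx/1.24.0" -> plugin, value (indented lines only)
FIELD_RE = re.compile(r"^\s+(?P<plugin>[^:]+):\s*(?P<value>.+)$")
# "nginx/1.24.0" or "3.7.1" -> optional product name plus a dotted version
VERSION_RE = re.compile(r"^(?:(?P<name>[A-Za-z][\w.-]*)/)?(?P<version>\d+(?:\.\d+)+)$")
# Plugins whose values look numeric but are not software versions (assumed list).
SKIP_PLUGINS = {"IP", "Country", "Cookies", "UncommonHeaders"}


def parse_whatweb(text: str) -> List[Dict]:
    """Return one record per URL block: {'url', 'status', 'plugins': {name: [values]}}."""
    records: List[Dict] = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"url": m["url"], "status": m["status"], "plugins": {}}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            value = m["value"].strip()
            # Bracketed lists such as "[title, type]" become Python lists.
            if value.startswith("[") and value.endswith("]"):
                values = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            else:
                values = [value]
            current["plugins"].setdefault(m["plugin"].strip(), []).extend(values)
    return records


def versioned_components(record: Dict) -> Dict[str, str]:
    """Pick out plugin values that carry a concrete dotted version number.

    'HTTPServer: nginx/1.24.0' -> {'nginx': '1.24.0'}
    'jQuery: 3.7.1'            -> {'jQuery': '3.7.1'}
    'Framework: Bootstrap 5.x' is skipped because '5.x' is not a real version.
    """
    found: Dict[str, str] = {}
    for plugin, values in record["plugins"].items():
        if plugin in SKIP_PLUGINS:
            continue
        for value in values:
            m = VERSION_RE.match(value)
            if m:
                found[m["name"] or plugin] = m["version"]
    return found


if __name__ == "__main__":
    for rec in parse_whatweb(SAMPLE_WHATWEB):
        print(rec["url"], rec["status"])
        for name, version in versioned_components(rec).items():
            print(f"  {name} {version}")
```

The version-bearing components are the ones worth tracking: an inventory keyed by product and version can be diffed against vendor advisories, and a change in `HTTPServer` between two runs is often the first sign of an unplanned deployment.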

API Discovery

# Directory busting
dirsearch -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Find API endpoints
cat js/*.js | grep -E '"/api/|"/v1|"/graphql' | sort -u

# Wayback machine
waybackurls example.com | grep api | sort -u

# Katana
katana -u https://example.com -d 2 -jc -o endpoints.txt

OSINT Tools

| Tool | Purpose |
|------|---------|
| Shodan | Internet-connected devices |
| Censys | Asset discovery |
| Hunter.io | Email patterns (@company.com) |
| GitHub Search | Secrets in public repos |
| LinkedIn | Employee info, tech stack |
| Dehashed | Credential leaks |
| Have I Been Pwned | Email breach check |

Passive vs Active Recon

| Type | Passive | Active |
|------|---------|--------|
| Detectable | No | Yes (logs) |
| Speed | Slow | Fast |
| Legal risk | Low | Higher |
| Examples | Shodan, crt.sh, Censys | Nmap, Dirsearch |
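The "Detectable: Yes (logs)" cell is the defender's side of this table: directory busting and service scans leave a characteristic footprint in web-server access logs. The following is an added example, not code from the page: it parses combined-format access log lines and flags a client on two cheap signals, a burst of 404 responses inside a short window, and a User-Agent string belonging to a known scanner. The log lines are constructed for the demo; the only real identifier used is the User-Agent the Nmap Scripting Engine sends, which is public. The marker list and thresholds are assumptions to tune against your own traffic.

```python
"""Flag active-recon traffic in web-server access logs.

Added example (not part of the original page). Log lines below are constructed
in the common combined log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed marker list; the Nmap NSE string is the real default User-Agent.
SCANNER_UA_MARKERS = ("Nmap Scripting Engine",)

# Constructed sample: a scripted 404 burst from 203.0.113.5, one Nmap NSE probe
# from 198.51.100.9, and ordinary browsing (with a single 404) from 192.0.2.10.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:09:59:50 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:09:59:55 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:09:59:58 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /dev HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /staging HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
"""


def parse_log(text: str) -> List[Dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def flag_recon(events: List[Dict], window: timedelta = timedelta(seconds=60),
               max_404: int = 5) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients that look like active recon."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
        if any(marker in ev["ua"] for marker in SCANNER_UA_MARKERS):
            reason = f"scanner User-Agent: {ev['ua']}"
            if reason not in findings[ev["ip"]]:
                findings[ev["ip"]].append(reason)
    for ip, evs in by_ip.items():
        # Sliding window over this client's 404 timestamps; fire once per client.
        stamps = sorted(e["ts"] for e in evs if e["status"] == 404)
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_404:
                findings[ip].append(f"{end - start + 1} x 404 within {int(window.total_seconds())}s")
                break
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in flag_recon(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Thresholds matter more than the code: a single user mistyping a URL produces one or two 404s, while wordlist-driven tools produce hundreds per minute, so the window and count should be set from a baseline of normal traffic rather than guessed.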

Best Practices

  • Always start with passive recon
  • Document everything (screenshots, notes)
  • Stay within scope (authorization letter)
  • Use multiple sources (cross-reference)
  • Check certificate transparency (crt.sh)
  • Search GitHub for leaked secrets
  • Use VPN for active recon

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials


Why does penetration testing start with reconnaissance?

In the movies, a hacker opens a laptop and immediately starts typing attacks. In real-world penetration testing, 80% of the time is spent on reconnaissance.

The two phases of reconnaissance

| Phase | Type | Methods |
|:----|:----|:----|
| Passive recon | No contact with the target system | Google Dorks, Shodan, crt.sh, Whois |
| Active recon | Direct interaction with the target | Nmap scans, DNS enumeration, directory brute-forcing |

Why passive first?

Passive reconnaissance leaves no trace at all: the target does not know you are investigating it. If you open with an nmap scan, the firewall and IDS will raise alarms. In a professional red-team engagement, the passive reconnaissance phase can last days or even weeks.

What can passive reconnaissance uncover?

  • Subdomains (dev.admin.target.com → probably a development environment)
  • Technology stack (Server: nginx/1.18.0 → known vulnerability CVE-2021-23017)
  • Employee emails (john@target.com → usable for social engineering)
  • Leaked source code (API keys and internal paths on GitHub)

Next chapter preview: Burp Suite

Once reconnaissance is done, the next step is to use Burp Suite to intercept and analyze HTTP traffic, which is the core workflow of web penetration testing.
