Reconnaissance & OSINT
🔥 Vibe Prompt
"Perform OSINT on a target: subdomains, technology stack, exposed endpoints, employee info."
Subdomain Enumeration
```bash
# Subfinder
subfinder -d example.com -o subdomains.txt
# Amass
amass enum -d example.com -o amass_subs.txt
# Sublist3r
sublist3r -d example.com -o subs.txt
# Assetfinder
assetfinder --subs-only example.com > assets.txt
# DNS brute force (read the wordlist line by line; quoting keeps odd entries intact)
while read -r sub; do
  host "$sub.example.com" | grep -q "has address" && echo "$sub.example.com"
done < wordlist.txt
```
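Each tool above writes its own list, and the results overlap only partially, which is why cross-referencing sources matters. The script below, an added example that is not part of the original page, normalizes the per-tool output files (case, trailing dots, wildcard prefixes), drops hosts outside the target apex, and reports which tools agreed on each name so that single-source results can be verified by hand. The three sample outputs are constructed for illustration.

```python
"""Merge and cross-reference subdomain lists produced by several tools.

Added example, not from the original page. Assumes each tool wrote one
hostname per line, as the subfinder/amass/assetfinder commands above do.
The sample outputs below are constructed, not real tool output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample output of three tools, one hostname per line.
SAMPLE_OUTPUTS = {
    "subfinder": "www.example.com\nAPI.example.com\ndev.example.com\n",
    "amass": "www.example.com.\n*.example.com\nmail.example.com\n",
    "assetfinder": "api.example.com\nexample.com\nnotexample.com\n",
}

# Conservative hostname syntax: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$"
)


def normalize(line: str) -> Optional[str]:
    """Lowercase, strip whitespace, trailing dot and wildcard prefix; None if invalid."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    if not host or not HOSTNAME_RE.match(host):
        return None
    return host


def in_scope(host: str, apex: str) -> bool:
    """True for the apex itself or a subdomain of it; rejects look-alikes such as notexample.com."""
    return host == apex or host.endswith("." + apex)


def merge_sources(outputs: Dict[str, str], apex: str) -> Dict[str, Set[str]]:
    """Return {hostname: {tools that reported it}} for in-scope hosts only."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for tool, text in outputs.items():
        for line in text.splitlines():
            host = normalize(line)
            if host and in_scope(host, apex):
                found[host].add(tool)
    return dict(found)


def report(found: Dict[str, Set[str]]) -> List[str]:
    """One sorted line per host; names seen by a single tool are flagged for verification."""
    lines = []
    for host in sorted(found):
        tools = ",".join(sorted(found[host]))
        flag = "" if len(found[host]) > 1 else "  # single source, verify"
        lines.append(f"{host}\t{tools}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(merge_sources(SAMPLE_OUTPUTS, "example.com"))))
```

In practice, replace `SAMPLE_OUTPUTS` with the contents of `subdomains.txt`, `amass_subs.txt` and `assets.txt`; the scope check is what keeps a mistyped or look-alike domain from quietly entering the asset list.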
Technology Discovery
```bash
# WhatWeb
whatweb example.com -v
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Nmap service scan
nmap -sV -sC -p- example.com -oN nmap.txt
```
WhatWeb Output
```text
http://example.com [200 OK]
Country: UNITED STATES
IP: 93.184.216.34
UncommonHeaders: x-cache
HTTPServer: nginx/1.24.0
Script: [JavaScript]
jQuery: 3.7.1
Open-Graph-Protocol: [title, type]
Framework: Bootstrap 5.x
Cookies: [sessionid]
```
API Discovery
```bash
# Directory busting
dirsearch -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Find API endpoints referenced in downloaded JavaScript bundles
grep -hE '"/api/|"/v1|"/graphql' js/*.js | sort -u
# Wayback machine
waybackurls example.com | grep api | sort -u
# Katana
katana -u https://example.com -d 2 -jc -o endpoints.txt
```
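The grep above only catches double-quoted paths. The script below, an added example rather than code from the original page, generalizes it: it pulls paths from single quotes, double quotes and template literals, replaces `${...}` placeholders with a `{param}` marker, skips static assets and relative imports, and deduplicates. The JavaScript fragment it parses is constructed for illustration.

```python
"""Extract candidate API endpoint paths from JavaScript source.

Added example, not from the original page. Generalizes the grep shown
above to all three JS quote styles. SAMPLE_JS is a constructed bundle
fragment, not code taken from any real site.
"""
import re
from typing import List

# Constructed bundle fragment with the kinds of references found in front-end code.
SAMPLE_JS = r"""
fetch("/api/v1/users");
axios.get('/api/v1/users/' + id);
const u = `/api/v2/orders/${orderId}/items`;
client.post("/graphql", { query });
import x from "./api/client.js";   // relative import, not an endpoint
const s = "/assets/logo.png";      // static asset, not an endpoint
fetch("/api/v1/users");            // duplicate of the first call
"""

# A quoted string that starts with "/", in any of the three JS quote styles.
QUOTED_PATH_RE = re.compile(r"""(["'`])(/[A-Za-z0-9_./${}:-]*)\1""")
# Heuristic for "API-looking" prefixes, matching the grep on the page.
API_PREFIX_RE = re.compile(r"^/(api|v\d+|graphql)(/|$)")
STATIC_EXT = (".png", ".jpg", ".css", ".js", ".svg", ".ico", ".woff")


def extract_endpoints(js: str) -> List[str]:
    """Return sorted unique API-looking paths; `${expr}` segments become `{param}`."""
    found = set()
    for _quote, path in QUOTED_PATH_RE.findall(js):
        path = re.sub(r"\$\{[^}]*\}", "{param}", path)  # template placeholder
        if path.lower().endswith(STATIC_EXT):
            continue
        if API_PREFIX_RE.match(path):
            found.add(path)
    return sorted(found)


if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print(endpoint)
```

A trailing slash is kept on purpose (`/api/v1/users/` followed by string concatenation usually means a path parameter), so the two `users` entries are not collapsed; that is a hint worth preserving when building the endpoint inventory.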
OSINT Tools
| Tool | Purpose |
|------|---------|
| Shodan | Internet-connected devices |
| Censys | Asset discovery |
| Hunter.io | Email patterns (@company.com) |
| GitHub Search | Secrets in public repos |
| LinkedIn | Employee info, tech stack |
| Dehashed | Credential leaks |
| Have I Been Pwned | Email breach check |
Passive vs Active Recon
| Type | Passive | Active |
|------|---------|--------|
| Detectable | No | Yes (logs) |
| Speed | Slow | Fast |
| Legal risk | Low | Higher |
| Examples | Shodan, crt.sh, Censys | Nmap, Dirsearch |
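"Detectable: Yes (logs)" is the defender's side of this table: wordlist-driven directory busting leaves a burst of 404s from one client in the web server's access log. The script below, an added example that is not part of the original page, parses combined-format access log lines and flags any client with many 404s for many distinct paths inside a sliding time window. The log lines and the thresholds are constructed for illustration and would be tuned to a real site's baseline.

```python
"""Flag directory-busting activity in web server access logs.

Added example, not from the original page. Parses Apache/nginx
combined-format lines; SAMPLE_LOG is constructed, not a real capture,
and the thresholds are illustrative defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log: one normal visitor, one wordlist scan.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET /backup HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:11 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:11 +0000] "GET /api/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:12 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:12 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status (int), ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_bursts(log_text, window=timedelta(seconds=60), min_404s=5, min_distinct_paths=5):
    """Return {ip: (count_404, distinct_paths, user_agents)} for clients whose 404s
    within one sliding window meet both thresholds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # slide the window start over each 404
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            paths = {r["path"] for r in in_window}
            if len(in_window) >= min_404s and len(paths) >= min_distinct_paths:
                alerts[ip] = (len(in_window), len(paths), {r["ua"] for r in in_window})
                break
    return alerts


if __name__ == "__main__":
    for ip, (n404, npaths, uas) in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n404} 404s over {npaths} distinct paths, agents={sorted(uas)}")
```

Requiring distinct paths as well as a raw 404 count avoids alerting on a broken link that one browser keeps retrying; the user-agent set is returned because a non-browser agent alongside the burst is a second, independent signal.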
Best Practices
- Always start with passive recon
- Document everything (screenshots, notes)
- Stay within scope (authorization letter)
- Use multiple sources (cross-reference)
- Check certificate transparency (crt.sh)
- Search GitHub for leaked secrets
- Use VPN for active recon
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Why does penetration testing start with reconnaissance?
In the movies, a hacker opens a laptop and immediately starts typing out an attack. In real-world penetration testing, 80% of the time is spent on reconnaissance.
The two phases of reconnaissance
| Phase | Type | Methods |
|:----|:----|:----|
| Passive recon | No contact with the target system | Google Dorks, Shodan, crt.sh, Whois |
| Active recon | Direct interaction with the target | Nmap scanning, DNS enumeration, directory brute-forcing |
Why passive first?
Passive reconnaissance leaves no trace at all; the target does not know it is being investigated. If you open with an nmap scan, the firewall and IDS raise alarms. In a professional red-team engagement, the passive reconnaissance phase can last days or even weeks.
What can passive reconnaissance uncover?
- Subdomains (`dev.admin.target.com` → probably a development environment)
- Technology stack (`Server: nginx/1.18.0` → known vulnerability CVE-2021-23017)
- Employee emails (`john@target.com` → usable for social engineering)
- Leaked source code (API keys and internal paths on GitHub)
Next chapter preview: Burp Suite
Once reconnaissance is done, the next step is to use Burp Suite to intercept and analyze HTTP traffic: this is the core workflow of web penetration testing.