Reconnaissance & OSINT
Vibe Prompt
"Perform OSINT on a target: subdomains, technology stack, exposed endpoints, employee info."
Subdomain Enumeration
```bash
# Subfinder
subfinder -d example.com -o subdomains.txt
# Amass
amass enum -d example.com -o amass_subs.txt
# Sublist3r
sublist3r -d example.com -o subs.txt
# Assetfinder
assetfinder --subs-only example.com > assets.txt
# DNS brute force: read the wordlist line by line and quote the variable
# so names containing odd characters do not break the loop
while read -r sub; do
  host "$sub.example.com" | grep -q "has address" && echo "$sub.example.com"
done < wordlist.txt
```
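Certificate transparency (crt.sh, listed under Best Practices below) is the passive counterpart to the tools above: every publicly trusted certificate issued for a domain is logged, so the logs double as an asset inventory a defender can diff against their own records. The following is an added example, not part of the original cheat sheet, that turns a crt.sh JSON response into a clean hostname list. The sample response is constructed to mirror crt.sh's `output=json` shape (each entry's `name_value` carries all SANs, newline-separated); the wildcard handling, lower-casing and apex filter are the parts the raw tool output leaves to you.

```python
import json
import re

# Constructed sample shaped like the JSON array crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json ; not a real query result.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "API.Example.com",                # mixed case as logged
     "name_value": "API.Example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",  # constructed stray entry from an over-broad query
     "name_value": "example.com.evil-lookalike.net"},
])

# One or more DNS labels followed by an alphabetic TLD
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_hostnames(crtsh_json: str, apex: str) -> dict:
    """Return {'hosts': sorted unique hostnames under apex, 'wildcards': sorted wildcard names}."""
    apex = apex.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        # name_value holds every SAN in the certificate, separated by newlines
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # a wildcard cert tells you the parent zone exists, but not which labels do
                wildcards.add(name)
                name = name[2:]
            # drop anything that is not the apex or a subdomain of it
            if name != apex and not name.endswith("." + apex):
                continue
            if HOSTNAME_RE.match(name):
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    result = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    for host in result["hosts"]:
        print(host)
    print("wildcards:", result["wildcards"])
```

Feed the real response in with `curl -s 'https://crt.sh/?q=%25.example.com&output=json'` and diff the `hosts` list against your DNS zone: names in CT that nobody on the team recognises are the first things to investigate.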
Technology Discovery
```bash
# WhatWeb
whatweb example.com -v
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Nmap service scan
nmap -sV -sC -p- example.com -oN nmap.txt
```
WhatWeb Output
```text
http://example.com [200 OK]
Country: UNITED STATES
IP: 93.184.216.34
UncommonHeaders: x-cache
HTTPServer: nginx/1.24.0
Script: [JavaScript]
jQuery: 3.7.1
Open-Graph-Protocol: [title, type]
Framework: Bootstrap 5.x
Cookies: [sessionid]
```
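The actionable part of a fingerprint like the one above is which fields disclose exact versions (`nginx/1.24.0`, `jQuery 3.7.1`): those are what get matched against vulnerability databases, and they are what `server_tokens off` or a dependency bump removes. The following is an added example, not from the original page or from the WhatWeb project, that parses the simplified `Plugin: value` layout shown above (an assumption: WhatWeb's native output is formatted differently) and lists the entries that leak a version string.

```python
import re

# Constructed sample in the compact "Plugin: value" layout shown above
WHATWEB_SAMPLE = """http://example.com [200 OK]
Country: UNITED STATES
IP: 93.184.216.34
UncommonHeaders: x-cache
HTTPServer: nginx/1.24.0
Script: [JavaScript]
jQuery: 3.7.1
Open-Graph-Protocol: [title, type]
Framework: Bootstrap 5.x
Cookies: [sessionid]
"""

# dotted version numbers (1.24.0) or a major-only hint (5.x)
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+|\d+\.x)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_whatweb(text: str):
    """Split the report into (target URL, {plugin: value})."""
    target, plugins = None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if target is None and re.match(r"^https?://", line):
            target = line.split(" ")[0]      # "http://example.com [200 OK]" -> URL only
            continue
        key, sep, value = line.partition(":")
        if sep:
            plugins[key.strip()] = value.strip()
    return target, plugins


def version_disclosures(plugins: dict):
    """Plugins whose value exposes a version: the fields to suppress or upgrade."""
    findings = []
    for key, value in plugins.items():
        if IPV4_RE.fullmatch(value):
            continue                          # an IP address is not a version
        m = VERSION_RE.search(value)
        if m:
            findings.append((key, value, m.group(1)))
    return findings


if __name__ == "__main__":
    target, plugins = parse_whatweb(WHATWEB_SAMPLE)
    print("target:", target)
    for key, value, version in version_disclosures(plugins):
        print(f"version disclosed: {key} = {value} (version {version})")
```

Run the same check after hardening to confirm the server banner has collapsed to a bare product name and the front-end libraries are current.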
API Discovery
```bash
# Directory busting
dirsearch -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Find API endpoints referenced in downloaded JavaScript
grep -hE '"/api/|"/v1|"/graphql' js/*.js | sort -u
# Wayback machine
waybackurls example.com | grep api | sort -u
# Katana
katana -u https://example.com -d 2 -jc -o endpoints.txt
```
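The `grep` over JavaScript bundles above catches only double-quoted literals that begin with the listed prefixes. Below is an added example, not part of the original page, that generalises it: it pulls API-looking paths out of single-, double- and backtick-quoted strings, includes absolute URLs, and normalises template-literal placeholders so `/api/v1/users/${id}` and `/api/v1/users/${userId}` collapse into one endpoint. The same inventory is what a defender compares against the API gateway's route table to find routes that ship in the client but are not meant to be public. The JavaScript sample is constructed.

```python
import re

# Constructed fragment of a front-end bundle; not from any real site
SAMPLE_JS = r"""
const API = "/api/v1/users";
export async function load(id) {
  return fetch(`/api/v1/users/${id}`);
}
export async function loadBy(userId) {
  return fetch(`/api/v1/users/${userId}`);
}
axios.post('/graphql', { query });
const legacy = "https://legacy.example.com/v2/orders";
const img = "/static/img/logo.png";
const dup = "/api/v1/users";
const notApi = "/apix";
"""

# A quoted string that is, or ends in, a path whose first segment is api, vN or graphql.
# Optional scheme+host in front so absolute URLs are captured too.
ENDPOINT_RE = re.compile(
    r"""["'`]((?:https?://[^/"'`\s]+)?/(?:api|v\d+|graphql)(?:/[^"'`\s]*)?)["'`]""",
    re.IGNORECASE,
)
TEMPLATE_PLACEHOLDER_RE = re.compile(r"\$\{[^}]*\}")


def extract_endpoints(js_source: str) -> list:
    """Return sorted, de-duplicated API paths referenced in JavaScript source."""
    endpoints = set()
    for match in ENDPOINT_RE.finditer(js_source):
        path = match.group(1)
        # `${id}` and `${userId}` name the same route parameter
        path = TEMPLATE_PLACEHOLDER_RE.sub("{param}", path)
        endpoints.add(path)
    return sorted(endpoints)


if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print(endpoint)
```

To run it over a real download, concatenate the files from the `js/` directory used by the `grep` above and pass the text to `extract_endpoints`.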
OSINT Tools
| Tool | Purpose |
|------|---------|
| Shodan | Internet-connected devices |
| Censys | Asset discovery |
| Hunter.io | Email patterns (@company.com) |
| Github Search | Secrets in public repos |
| LinkedIn | Employee info, tech stack |
| Dehashed | Credential leaks |
| Have I Been Pwned | Email breach check |
Passive vs Active Recon
| Type | Passive | Active |
|------|---------|--------|
| Detectable | No | Yes (logs) |
| Speed | Slow | Fast |
| Legal risk | Low | Higher |
| Examples | Shodan, crt.sh, Censys | Nmap, Dirsearch |
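"Detectable: Yes (logs)" is worth making concrete from the defender's seat: a directory-busting run such as the `dirsearch` command above leaves a burst of 404s from one client in the web server's access log, which is easy to alert on. The following is an added example, not part of the original page, that parses Combined Log Format lines and flags any client producing a threshold number of 404 responses inside a sliding time window. The log lines are constructed; the threshold and window are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log, Combined Log Format, in timestamp order as a real log file is.
# 203.0.113.7 produces a burst of 404s; 198.51.100.22 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:10:01:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:10:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:01 +0000] "GET /config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:01 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:10:02:05 +0000] "GET /about HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag client IPs that produce >= threshold 404 responses within window_s seconds.

    Assumes lines arrive in timestamp order. Returns {ip: details} for the first
    time each IP crosses the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    alerts = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != 404:
            continue
        window = recent[entry["ip"]]
        window.append(entry["ts"])
        # drop 404s older than the window relative to the newest one
        while (window[-1] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and entry["ip"] not in alerts:
            alerts[entry["ip"]] = {
                "first_seen": window[0],
                "count": len(window),
                "sample_path": entry["path"],
            }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {details['count']} x 404 since {details['first_seen']:%H:%M:%S}, "
              f"e.g. {details['sample_path']}")
```

The lone 404 at 10:00:00 from the same client falls outside the 60-second window and does not count, which is the behaviour you want so that a visitor hitting a few dead links over a day is not flagged; the burst that starts at 10:02:00 is.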
Best Practices
- Always start with passive recon
- Document everything (screenshots, notes)
- Stay within scope (authorization letter)
- Use multiple sources (cross-reference)
- Check certificate transparency (crt.sh)
- Search GitHub for leaked secrets
- Use VPN for active recon
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials