Reconnaissance & OSINT

🔥 Vibe Prompt

"Perform OSINT on a target: subdomains, technology stack, exposed endpoints, employee info."

Subdomain Enumeration

# Subfinder
subfinder -d example.com -o subdomains.txt

# Amass
amass enum -d example.com -o amass_subs.txt

# Sublist3r
sublist3r -d example.com -o subs.txt

# Assetfinder
assetfinder --subs-only example.com > assets.txt

# DNS brute force (active: every query reaches the target's authoritative servers)
# Check for wildcard DNS first (host randomname12345.example.com); if it
# resolves, every candidate will "exist" and the results are meaningless.
while read -r sub; do
  host "$sub.example.com" | grep -q "has address" && echo "$sub.example.com"
done < wordlist.txt
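
Each tool above writes its own list, with different casing, trailing dots and crt.sh-style `*.` wildcards, and passive sources routinely return look-alike names that are out of scope. The following is an added example (not code from the original page) that merges those files into one clean, in-scope list before anything active is run against it. It assumes each tool output is one hostname per line; the three input files are constructed stand-ins for subfinder, crt.sh and assetfinder output.

```sh
#!/bin/sh
# Added example (not from the original page): merge per-tool subdomain
# lists into one normalised, in-scope list. Input files are assumed to be
# one hostname per line; the sample files below are constructed.
set -e

# merge_subdomains <root-domain> <file>...
# Lowercases, trims whitespace, strips trailing dots and "*." wildcard
# prefixes, then keeps only the root itself or names ending in ".<root>",
# so look-alikes such as notexample.com or example.com.evil.net are dropped.
merge_subdomains() {
    root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    root_re=$(printf '%s' "$root" | sed 's/\./\\./g')   # escape dots for grep -E
    cat "$@" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/\.$//' -e 's/^\*\.//' \
        | grep -E "^([a-z0-9_-]+\.)*${root_re}\$" \
        | LC_ALL=C sort -u
}

# make_samples <dir>: constructed stand-ins for three tool output files.
make_samples() {
    cat > "$1/subfinder.txt" <<'EOF'
www.example.com
API.example.com
mail.example.com.
EOF
    cat > "$1/crtsh.txt" <<'EOF'
*.dev.example.com
api.example.com
notexample.com
example.com.evil.net
EOF
    cat > "$1/assetfinder.txt" <<'EOF'
example.com
  www.example.com
staging.example.com
EOF
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_samples "$workdir"
merge_subdomains example.com "$workdir"/*.txt
```

The scope filter is a full-string match (labels followed by the root), not a substring match on the root domain; a plain `grep example.com` would have kept both look-alikes. Feed the merged list to resolution and HTTP probing afterwards, never the raw tool output.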

Technology Discovery

# WhatWeb
whatweb example.com -v

# Wappalyzer (browser extension)
# BuiltWith (web service)

# Nmap service scan
nmap -sV -sC -p- example.com -oN nmap.txt

WhatWeb Output

http://example.com [200 OK]
  Country: UNITED STATES
  IP: 93.184.216.34
  UncommonHeaders: x-cache
  HTTPServer: nginx/1.24.0
  Script: [JavaScript]
  jQuery: 3.7.1
  Open-Graph-Protocol: [title, type]
  Framework: Bootstrap 5.x
  Cookies: [sessionid]

API Discovery

# Directory busting
dirsearch -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Find API endpoints in downloaded JavaScript (-o prints only the match, -h drops filenames)
grep -ohE '"/(api|v[0-9]+|graphql)[^"]*"' js/*.js | sort -u

# Wayback machine
waybackurls example.com | grep api | sort -u

# Katana
katana -u https://example.com -d 2 -jc -o endpoints.txt
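
A one-line grep over the JavaScript misses single-quoted strings and template literals, which is where modern bundles keep most of their routes. The following is an added example (not code from the original page) that extracts API paths from JS files with all three quote styles handled and template placeholders preserved. The bundle it parses is constructed; in a real run the inputs are the files saved from the target's script tags.

```sh
#!/bin/sh
# Added example (not from the original page): pull API paths out of
# JavaScript bundles. The sample bundle written below is constructed.
set -e

# extract_api_paths <file>...
# Matches a quoted string (", ' or `) whose value starts with /api, /v<N>
# or /graphql, optionally followed by further path characters. Template
# literals such as `/api/users/${id}` are kept with the placeholder intact.
# Quotes are stripped and results deduplicated in a fixed (C locale) order.
extract_api_paths() {
    grep -ohE "[\"'\`]/(api|v[0-9]+|graphql)(/[A-Za-z0-9_./?=&:{}\$-]*)?[\"'\`]" "$@" \
        | sed -e "s/^[\"'\`]//" -e "s/[\"'\`]\$//" \
        | LC_ALL=C sort -u
}

# make_sample_js <file>: constructed bundle mixing quote styles, a template
# literal, a duplicate route and a non-API path that must not be reported.
make_sample_js() {
    cat > "$1" <<'EOF'
const BASE = "/api/v2";
fetch("/api/users?page=1", opts);
fetch('/v1/orders/' + id).then(render);
axios.get(`/api/users/${id}/roles`);
const gql = `/graphql`;
const logo = "/static/logo.png";
fetch("/api/users?page=1");
EOF
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_sample_js "$workdir/app.bundle.js"
extract_api_paths "$workdir"/*.js
```

Paths built by string concatenation (`'/v1/orders/' + id`) come out as their literal prefix, which is still a usable route to probe; treat `${...}` placeholders as parameters to fuzz rather than literal path segments.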

OSINT Tools

| Tool | Purpose |
|------|---------|
| Shodan | Internet-connected devices (banners, open ports) |
| Censys | Asset discovery |
| Hunter.io | Email address patterns (@company.com) |
| GitHub search | Secrets and internal hostnames in public repos |
| LinkedIn | Employee info, tech stack (job postings) |
| Dehashed | Credential leaks (only with explicit authorization; check local law) |
| Have I Been Pwned | Email breach check |

Passive vs Active Recon

| Type | Passive | Active |
|------|---------|--------|
| Detectable by target | No (no traffic sent to the target) | Yes (shows up in target logs) |
| Speed | Slower, relies on third-party data that may be stale | Faster, results are current |
| Legal risk | Low | Higher; requires written authorization |
| Examples | Shodan, crt.sh, Censys, Wayback Machine | Nmap, dirsearch, DNS brute force |

Best Practices

  • Always start with passive recon
  • Document everything (screenshots, notes)
  • Stay within scope (authorization letter)
  • Use multiple sources (cross-reference)
  • Check certificate transparency (crt.sh)
  • Search GitHub for leaked secrets
  • Run active recon from source IPs the client knows (an allowlisted VPN or jump host), so scans are attributable to the engagement and not blocked or mistaken for a real attack
