Skip to content

Advanced Reconnaissance

Advanced reconnaissance techniques for experienced penetration testers.

OSINT (Open Source Intelligence)

Automated OSINT Frameworks

# theHarvester - Email, subdomain, host enumeration
theHarvester -d target.com -b all -l 500

# Recon-ng
recon-ng
marketplace install all
workspaces create target
db insert domains
modules search
modules load recon/domains-hosts/google_site_web
run

# SpiderFoot
spiderfoot -s target.com -m all

# Shodan CLI
shodan search "hostname:target.com"
shodan host 192.168.1.1
shodan stats --facets port net:192.168.1.0/24

# Censys
censys search "192.168.1.0/24"
censys view 192.168.1.1

Certificate Transparency Logs

# crt.sh API
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Certificate Search
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[] | select(.issuer_ca_id==16418) | .common_name' | sort -u

# Findomain
findomain -t target.com -u subdomains.txt

# Subfinder
subfinder -d target.com -all -recursive

GitHub Reconnaissance

# GitDorker - GitHub OSINT
python3 GitDorker.py -tf tokens.txt -d dorks/sensitive.txt -o results.txt

# TruffleHog - Find secrets in git repos
trufflehog git https://github.com/target/repo --json

# GitLeaks
gitleaks detect --source /path/to/repo -v

# GitHub Dorks
site:github.com "target.com" password
site:github.com "target.com" api_key
site:github.com "target.com" AWS_ACCESS_KEY_ID
site:github.com "target.com" filename:config

Cloud Asset Discovery

# CloudEnum - Multi-cloud OSINT
python3 cloudenum.py -k target

# S3Scanner
python3 s3scanner.py --bucket target-backup

# Azure Subdomain Enumeration
az account list
az resource list

# GCP Asset Discovery
gcloud asset search-all-resources --query "name:target"

Advanced DNS Techniques

DNS Cache Snooping

# Check if domain is cached
dig @resolver.com target.com +norecurse

# DNS History
curl -s "https://securitytrails.com/domain/target.com/history/a"

DNS Tunneling Detection

# Monitor DNS queries
tcpdump -i eth0 -n port 53

# Passive DNS
curl -s "https://www.virustotal.com/api/v3/domains/target.com/resolutions" \
  -H "x-apikey: YOUR_API_KEY"

Advanced Zone Walking

# NSEC Walking
ldns-walk @ns1.target.com target.com

# NSEC3 Hash Cracking
nsec3walker target.com > hashes.txt
john hashes.txt

Network Reconnaissance

ASN Enumeration

# BGP Toolkit
whois -h whois.radb.net -- '-i origin AS15169' | grep route

# ASN Lookup
curl -s "https://api.bgpview.io/asn/AS15169/prefixes"

# Hurricane Electric BGP Toolkit
curl -s "https://bgp.he.net/AS15169#_prefixes"

# amass with ASN
amass intel -asn 15169

IPv6 Reconnaissance

# IPv6 alive scan
alive6 eth0

# THC-IPv6 tools
parasite6 eth0
fake_router6 eth0

# IPv6 scanning
nmap -6 -sS target.com
nmap -6 --script=ipv6*

# IPv6 multicast discovery
ping6 ff02::1%eth0

SSL/TLS Deep Analysis

# sslscan with advanced options
sslscan --show-certificate --show-client-cas target.com:443

# SSLyze comprehensive
sslyze --regular --heartbleed --robot target.com:443

# Custom OpenSSL cipher testing
for cipher in $(openssl ciphers 'ALL:eNULL' | tr ':' '\n'); do
  openssl s_client -cipher "$cipher" -connect target.com:443 < /dev/null 2>&1 | grep -q 'Cipher is' && echo "$cipher"
done

# Certificate chain analysis
openssl s_client -showcerts -connect target.com:443 -servername target.com | openssl x509 -noout -text

Advanced Web Reconnaissance

JavaScript Analysis

# LinkFinder - Extract endpoints from JS
python3 linkfinder.py -i https://target.com/app.js -o results.html

# JSParser
python3 jsparser.py -u https://target.com

# Retire.js - Find vulnerable JS libraries
retire --js --jspath https://target.com

# Extract API endpoints
curl -s https://target.com/app.js | grep -oP '["'\'']/(api|v1|v2)/[^"'\'']+' | sort -u

GraphQL Discovery

# GraphQL endpoint discovery
ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200 -fs 42

# GraphQL introspection
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query IntrospectionQuery { __schema { types { name } } }"}'

# GraphQL Voyager
graphql-voyager https://target.com/graphql

# Altair GraphQL Client with introspection

Content Discovery Optimization

# Feroxbuster - Recursive with multiple threads
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -t 50 -d 4 -k

# gobuster with advanced patterns
gobuster dir -u https://target.com -w wordlist.txt -x php,html,txt,json -t 50 -k -r -e

# Custom recursive scanner
while read -r path; do
  ffuf -w wordlist.txt -u "https://target.com/$path/FUZZ" -mc 200,301,302,403 -ac
done < discovered_paths.txt

API Reconnaissance

# Swagger/OpenAPI discovery
curl https://target.com/swagger.json
curl https://target.com/api-docs
curl https://target.com/openapi.json
curl https://target.com/v2/api-docs

# API fuzzing with Arjun
arjun -u https://target.com/api/endpoint

# Kiterunner - API discovery
kr scan https://target.com -w routes-large.txt

# REST API versioning discovery
for v in {1..10}; do
  curl -s "https://target.com/api/v$v/" | grep -q "200" && echo "v$v exists"
done

Advanced Host Discovery

Network Mapping

# Layer 2 discovery
netdiscover -r 192.168.1.0/24 -i eth0

# ARP scanning
arp-scan --interface=eth0 192.168.1.0/24

# Passive network mapping
p0f -i eth0 -p

# SNMP sweeping
onesixtyone -c community.txt -i targets.txt
snmpwalk -v2c -c public target.com

Firewall/IDS Detection

# Firewall fingerprinting
wafw00f https://target.com

# Advanced WAF detection
nmap -p80,443 --script http-waf-detect,http-waf-fingerprint target.com

# IDS/IPS detection
hping3 -S -p 80 -c 1 target.com

CDN Detection and Bypass

# CDN detection
curl -I https://target.com | grep -i "server\|x-cache\|cf-ray"
dig target.com

# Real IP discovery
nslookup target.com 8.8.8.8
curl https://censys.io/api/v1/search/certificates

# Historical DNS records
curl "https://securitytrails.com/domain/target.com/history/a"

# CloudFlair - Find real IP behind CloudFlare
python3 cloudflair.py target.com

# Bypass CDN with origin server
curl https://origin-target.com --resolve target.com:443:1.2.3.4

Automation and Custom Tooling

Nuclei Templates

# Run all templates
nuclei -u https://target.com -t ~/nuclei-templates/

# Custom severity
nuclei -u https://target.com -severity critical,high

# Technology specific
nuclei -u https://target.com -tags cve,exploit

# Rate limiting
nuclei -u https://target.com -rl 150

# Create custom template
cat > custom-check.yaml << 'EOF'
id: custom-check
info:
  name: Custom Vulnerability Check
  severity: high
requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: status
        status:
          - 200
EOF

nuclei -u https://target.com -t custom-check.yaml

Custom Bash Reconnaissance

#!/bin/bash
# Advanced subdomain enumeration pipeline

domain=$1
output_dir="recon_$domain"
mkdir -p $output_dir

# Passive enumeration
subfinder -d $domain -o $output_dir/subfinder.txt
assetfinder --subs-only $domain > $output_dir/assetfinder.txt
amass enum -passive -d $domain -o $output_dir/amass.txt
findomain -t $domain -u $output_dir/findomain.txt

# Certificate transparency
curl -s "https://crt.sh/?q=%.$domain&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > $output_dir/crt.txt

# Combine and clean
cat $output_dir/*.txt | sort -u > $output_dir/all_subdomains.txt

# Resolve subdomains
cat $output_dir/all_subdomains.txt | dnsx -silent -resp -o $output_dir/resolved.txt

# Port scanning on live hosts
cat $output_dir/resolved.txt | awk '{print $1}' | naabu -silent -p 80,443,8080,8443 -o $output_dir/ports.txt

# Screenshot live hosts
cat $output_dir/ports.txt | httpx -silent -screenshot -o $output_dir/httpx.txt

# Nuclei scanning
nuclei -l $output_dir/httpx.txt -t ~/nuclei-templates/ -o $output_dir/nuclei.txt

Python Reconnaissance Framework

#!/usr/bin/env python3
import dns.resolver
import requests
import concurrent.futures
import json

class AdvancedRecon:
    def __init__(self, target):
        self.target = target
        self.results = {}

    def dns_enumeration(self):
        """Advanced DNS enumeration"""
        record_types = ['A', 'AAAA', 'CNAME', 'MX', 'NS', 'TXT', 'SOA']
        for rtype in record_types:
            try:
                answers = dns.resolver.resolve(self.target, rtype)
                self.results[rtype] = [str(rdata) for rdata in answers]
            except Exception as e:
                self.results[rtype] = []

    def check_security_headers(self, url):
        """Check HTTP security headers"""
        headers_to_check = [
            'Strict-Transport-Security',
            'X-Frame-Options',
            'X-Content-Type-Options',
            'Content-Security-Policy',
            'X-XSS-Protection'
        ]
        try:
            r = requests.get(url, timeout=10)
            missing = [h for h in headers_to_check if h not in r.headers]
            return {'present': len(headers_to_check) - len(missing), 'missing': missing}
        except:
            return None

    def subdomain_permutation(self):
        """Generate subdomain permutations"""
        prefixes = ['dev', 'staging', 'test', 'api', 'admin', 'portal', 'vpn']
        return [f"{prefix}.{self.target}" for prefix in prefixes]

    def run(self):
        self.dns_enumeration()
        subdomains = self.subdomain_permutation()

        with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor:
            futures = {executor.submit(self.check_security_headers, f"https://{sub}"): sub 
                      for sub in subdomains}
            for future in concurrent.futures.as_completed(futures):
                subdomain = futures[future]
                try:
                    result = future.result()
                    if result:
                        self.results[subdomain] = result
                except Exception as e:
                    pass

        return json.dumps(self.results, indent=2)

if __name__ == "__main__":
    recon = AdvancedRecon("target.com")
    print(recon.run())