Recon & Discovery.
The recon catalog end-to-end: passive vs. active modes, subdomain discovery across CT logs and DNS, web-stack fingerprinting, and port-to-service mapping.
Recon modes
- Passive. No packets to the target. Sources: crt.sh, Shodan, Censys, FOFA, BGP toolkit, GitHub code search, Wayback Machine. Required mode for stealth engagements and competitive intel work.
- Semi-passive. Traffic that looks like normal user behavior: a single HTTP GET, a single DNS lookup. Tolerated under most engagement scopes without explicit scan authorization.
- Active. Port scans, directory fuzzing, wordlist-driven enumeration. Requires written scope authorization and ideally a maintenance window.
Subdomain discovery — full pipeline
- CT logs. `crt.sh?q=%25.target.com`, `subfinder` with all sources enabled. Catches anything ever issued a public cert.
- DNS bruteforce. `shuffledns` or `puredns` with the SecLists `n0kovo_subdomains` wordlist against a custom resolver list to avoid rate-limiting. Handle wildcards explicitly.
- ASN walk. Look up the AS number via `whois` or `asnlookup`; sweep the entire ASN range; reverse-DNS to find neighbors not in the public zone.
- JS scraping. `katana` + `subjs` to extract URLs from JavaScript bundles. Frontends frequently hardcode internal-only API hostnames.
- Archive mining. `waybackurls`, `gau`. Historic hosts that no longer resolve still indicate naming conventions.
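The CT-log and DNS-bruteforce stages above, as an added example that is not part of the original notes and not the code of any tool named here. It parses a constructed crt.sh-style JSON response (the `name_value` field holds newline-separated SANs, wildcard entries included), keeps only in-scope names, expands them with a few wordlist labels, and then resolves everything through a simulated resolver (`fake_resolver`, an assumption so the example runs offline) while detecting wildcard zones the way the notes require: random labels that all answer identically mark a wildcard, and candidates that merely echo that answer are set aside instead of being reported as hosts. A security team can run the same logic against its own apex to find the subdomain nobody knew about.

```python
import json
import secrets
from typing import Callable, Dict, Optional, Set, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None for NXDOMAIN

# Constructed sample mimicking crt.sh ?q=%25.target.com&output=json. Entries are made up;
# the real response is a JSON array whose name_value holds newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\napi.target.com"},
    {"name_value": "*.dev.target.com"},
    {"name_value": "old-staging.target.com"},
    {"name_value": "TARGET.com."},
    {"name_value": "target.com.evil-lookalike.example"},   # out of scope, must be dropped
])


def parse_crtsh(raw_json: str, apex: str) -> Set[str]:
    """Normalise a crt.sh JSON response into de-duplicated, in-scope hostnames.
    Wildcard SANs collapse to their base label; names outside the apex are dropped."""
    apex = apex.lower()
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return found


def detect_wildcard(zone: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Resolve random labels under `zone`; if they all answer identically (and not NXDOMAIN),
    that answer is the wildcard record. Otherwise return None."""
    answers = {resolve(f"{secrets.token_hex(6)}.{zone}") for _ in range(probes)}
    if len(answers) == 1:
        (only,) = answers
        return only
    return None


def triage(candidates: Set[str], resolve: Resolver) -> Tuple[Dict[str, str], Set[str], Set[str]]:
    """Split candidates into (live hosts, wildcard-absorbed names, non-resolving names)."""
    live: Dict[str, str] = {}
    absorbed: Set[str] = set()
    dead: Set[str] = set()
    wildcard_cache: Dict[str, Optional[str]] = {}
    for host in sorted(candidates):
        ip = resolve(host)
        if ip is None:
            dead.add(host)
            continue
        parent = host.partition(".")[2]          # zone the label sits under
        if parent not in wildcard_cache:
            wildcard_cache[parent] = detect_wildcard(parent, resolve)
        if wildcard_cache[parent] == ip:
            absorbed.add(host)                   # just the wildcard echoing back
        else:
            live[host] = ip
    return live, absorbed, dead


# Constructed stand-in for a DNS resolver (assumption: makes the example run offline).
_ZONE = {
    "target.com": "203.0.113.10",
    "www.target.com": "203.0.113.10",
    "api.target.com": "203.0.113.11",
    "dev.target.com": "203.0.113.50",
}


def fake_resolver(name: str) -> Optional[str]:
    if name in _ZONE:
        return _ZONE[name]
    if name.endswith(".dev.target.com"):          # simulated *.dev.target.com wildcard
        return "203.0.113.50"
    return None


def run_pipeline(apex: str = "target.com", brute_words=("vpn", "grafana", "mail")):
    """CT-log names, plus a tiny bruteforce under every discovered zone, then wildcard-aware triage."""
    candidates = parse_crtsh(SAMPLE_CRTSH_JSON, apex)
    for zone in list(candidates):
        for word in brute_words:
            candidates.add(f"{word}.{zone}")
    return triage(candidates, fake_resolver)


if __name__ == "__main__":
    live, absorbed, dead = run_pipeline()
    print("live:", live)
    print("absorbed by wildcard:", sorted(absorbed))
    print("non-resolving:", sorted(dead))
```

The wildcard check is cached per parent zone, so a large wordlist costs only a few extra queries per zone rather than per candidate; against a real resolver the three random probes should go to the same resolver set used for the bruteforce, otherwise split-horizon or geo-DNS answers will look like a wildcard mismatch.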
Web fingerprinting signals
- Headers. `Server`, `X-Powered-By`, `Set-Cookie` names (`PHPSESSID`, `JSESSIONID`, `ASP.NET_SessionId`), CSP directives.
- Favicon hash. MD5 of `/favicon.ico` → Shodan `http.favicon.hash:`. Identifies products by their default icon even when banners are stripped.
- Error pages. 404, 500, and parser-error pages have product-specific wording that survives header scrubbing.
- Behavioral probe. Request `/.env`, `/server-status`, `/actuator/health`, `/api/v1`. Response codes and bodies fingerprint the stack.
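The header, cookie, error-page and behavioral-probe signals above, combined into one fingerprinter, as an added example that is not part of the original notes. It runs over constructed responses rather than live traffic: `LEAKY_PHP_HOST` and `SCRUBBED_SPRING_HOST` are made-up probe results, and the error-page patterns in `BODY_PATTERNS` are a small set of well-known product defaults (Spring Boot's Whitelabel page, the nginx and Apache httpd footers, Tomcat's version string) that you would extend for your own estate. The point for a defender is the second host: every banner is scrubbed, yet the default 404 body and an open `/actuator/health` still identify the stack, which is exactly the gap a header-only hardening checklist misses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HttpResponse:
    """Minimal model of one probe response. Headers are kept as (name, value) pairs
    because Set-Cookie legitimately repeats."""
    path: str
    status: int
    headers: List[Tuple[str, str]]
    body: str = ""

    def header_values(self, name: str) -> List[str]:
        return [v for n, v in self.headers if n.lower() == name.lower()]


# Session-cookie names from the notes and the stacks they betray.
COOKIE_STACKS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
}

# Default error-page wording of common products (well-known defaults; extend as needed).
BODY_PATTERNS = [
    (re.compile(r"Whitelabel Error Page"), "Spring Boot"),
    (re.compile(r"<center>nginx(?:/[\d.]+)?</center>"), "nginx"),
    (re.compile(r"Apache/[\d.]+.*Server at "), "Apache httpd"),
    (re.compile(r"Apache Tomcat/[\d.]+"), "Apache Tomcat"),
]

# Behavioral probes from the notes: (path, status that counts as a hit, body marker, meaning).
PROBE_SIGNATURES = [
    ("/actuator/health", 200, '"status"', "Spring Boot Actuator exposed"),
    ("/server-status", 200, "Apache Server Status", "Apache mod_status exposed"),
    ("/.env", 200, "=", "dotenv file exposed"),
]


def cookie_name(set_cookie_value: str) -> str:
    """'PHPSESSID=abc; Path=/; HttpOnly' -> 'phpsessid'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip().lower()


def fingerprint(resp: HttpResponse) -> List[Tuple[str, str]]:
    """Return (evidence, inferred technology) pairs for a single response."""
    findings: List[Tuple[str, str]] = []
    for v in resp.header_values("Server"):
        findings.append((f"Server: {v}", v))
    for v in resp.header_values("X-Powered-By"):
        findings.append((f"X-Powered-By: {v}", v))
    for v in resp.header_values("Set-Cookie"):
        name = cookie_name(v)
        if name in COOKIE_STACKS:
            findings.append((f"cookie {name}", COOKIE_STACKS[name]))
    for pattern, product in BODY_PATTERNS:
        if pattern.search(resp.body):
            findings.append((f"body matches {pattern.pattern!r}", product))
    for path, status, marker, meaning in PROBE_SIGNATURES:
        if resp.path == path and resp.status == status and marker in resp.body:
            findings.append((f"GET {path} -> {status}", meaning))
    return findings


def fingerprint_host(responses: List[HttpResponse]) -> Dict[str, List[str]]:
    """Aggregate across probes: technology -> list of evidence strings supporting it."""
    out: Dict[str, List[str]] = {}
    for resp in responses:
        for evidence, tech in fingerprint(resp):
            out.setdefault(tech, []).append(evidence)
    return out


# Constructed probe results (assumption: not captured from any real host).
LEAKY_PHP_HOST = [
    HttpResponse("/", 200,
                 [("Server", "Apache/2.4.41 (Ubuntu)"), ("X-Powered-By", "PHP/7.4.3"),
                  ("Set-Cookie", "PHPSESSID=0123abcd; Path=/; HttpOnly")],
                 "<html><body>Welcome</body></html>"),
    HttpResponse("/doesnotexist", 404, [("Server", "Apache/2.4.41 (Ubuntu)")],
                 "<h1>Not Found</h1><address>Apache/2.4.41 (Ubuntu) Server at target.example Port 80</address>"),
]
SCRUBBED_SPRING_HOST = [
    HttpResponse("/doesnotexist", 404, [("Content-Type", "text/html")],
                 "<html><body><h1>Whitelabel Error Page</h1>"
                 "<p>This application has no explicit mapping for /error.</p></body></html>"),
    HttpResponse("/actuator/health", 200,
                 [("Content-Type", "application/vnd.spring-boot.actuator.v3+json")],
                 '{"status":"UP"}'),
]

if __name__ == "__main__":
    for label, host in (("leaky", LEAKY_PHP_HOST), ("scrubbed", SCRUBBED_SPRING_HOST)):
        print(label, fingerprint_host(host))
```

Evidence is kept per technology rather than collapsed to a single verdict, so the output doubles as a remediation list: each line names the exact header, cookie, body string or path that leaked the information.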
Port → first-look service
- 21 FTP. Anonymous read first, banner second. Check writable directories.
- 22 SSH. Banner reveals OS family; `ssh-audit` for KEX/MAC posture; userlist enum via timing on old OpenSSH.
- 445 SMB. `crackmapexec smb` for null-session, signing, OS version, share enum.
- 389/636 LDAP. Anonymous bind first; root DSE for naming context; userPrincipalName enumeration.
- 1433 MSSQL. `mssqlclient.py -windows-auth` with sprayed creds; `xp_cmdshell` if sysadmin.
- 3389 RDP. `nmap --script rdp-enum-encryption` for NLA posture; never brute-force without lockout policy confirmed.
- 5985/5986 WinRM. `evil-winrm` with sprayed creds. If admin, you have a shell with no AV-touching binary.
- 6379 Redis. Unauthenticated by default. `config set dir /var/spool/cron/` + crontab write for RCE.
- 27017 MongoDB. Unauthenticated in default Docker images. `mongosh` + `show dbs`.
Rule of thumb
The cheapest find of the engagement is usually in the recon phase. Spend the time. A subdomain nobody on the security team knows exists is worth more than three exotic exploits against a hardened main app.