Reconnaissance & Target Discovery
Passive Reconnaissance
Passive reconnaissance gathers information about a target from third-party sources (certificate logs, search engines, web archives, code hosts, internet-wide scanners) without sending any traffic to the target itself. It raises no alerts on the target's side, carries far less legal risk than active probing because it only reads data that is already public, and routinely surfaces attack surface the target forgot it exposed. It is still bound by the engagement's scope and by the terms of service of the platforms you query.
Why Start Passive?
- Invisible to the target: no packets reach its systems (the third-party services you query do log your requests, so it is not anonymous)
- Low risk: public information only; confirm the program's scope before acting on anything you find
- Efficient: hours of manual digging in minutes
- Foundation: tells you where active recon is worth the noise
Certificate Transparency Logs
Publicly trusted TLS certificates are recorded in Certificate Transparency (CT) logs that anyone can query. Every hostname in a certificate's Subject Alternative Name (SAN) list ends up there, so a single multi-SAN certificate can reveal internal names that never appeared in public DNS:
# Using the crt.sh API (the % wildcard must be URL-encoded as %25;
# name_value holds all SANs of a certificate separated by newlines, which jq -r prints one per line)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
# Alternative: certspotter
curl -s "https://api.certspotter.com/v1/issuances?domain=example.com&include_subdomains=true&expand=dns_names" | jq -r '.[].dns_names[]' | sort -u
Real find: a researcher discovered staging.internal.example.com from CT logs; a $5,000 bounty followed.
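The raw output of the two commands above still needs cleaning before it is useful: crt.sh matches `%.example.com` as a substring pattern, so lookalike names can appear, `sort -u` treats `Staging.Example.com` and `staging.example.com` as different hosts, and wildcard entries are not resolvable hosts. The following added example (not part of the original page or of any of the tools it names) parses a constructed sample in the shape crt.sh returns, normalises it, keeps only names under the scoped apex, and diffs the result against a previous run so only genuinely new hosts need active validation:

```python
import json
import re

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json
# (one object per certificate; name_value carries all SANs newline-separated).
# Illustrative entries only, not real crt.sh output.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=XX, O=Illustrative CA",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=XX, O=Illustrative CA",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=XX, O=Illustrative CA",
     "common_name": "Staging.Internal.Example.com",
     "name_value": "Staging.Internal.Example.com\napi-internal.example.com"},
    # Lookalike / out-of-scope names that a naive 'sort -u' pipeline would keep:
    {"issuer_name": "C=XX, O=Illustrative CA",
     "common_name": "notexample.com",
     "name_value": "notexample.com\nexample.com.evil-cdn.net"},
])

# Syntactic hostname check: labels of 1-63 alnum/hyphen chars, alphabetic TLD, <=253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def in_scope(hostname, apex):
    """True if hostname is the apex or a subdomain of it, on a label boundary
    (so 'notexample.com' and 'example.com.evil-cdn.net' are both rejected)."""
    return hostname == apex or hostname.endswith("." + apex)


def extract_subdomains(crtsh_json, apex):
    """Parse crt.sh JSON output into a sorted list of unique, in-scope hostnames.

    - splits multi-SAN name_value fields on newlines
    - lowercases (DNS is case-insensitive, sort -u is not)
    - drops wildcard entries, which are not resolvable hosts
    - rejects names outside the apex and syntactically invalid names
    """
    apex = apex.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if not HOSTNAME_RE.match(name):
                continue
            if in_scope(name, apex):
                found.add(name)
    return sorted(found)


def new_hosts(current, previously_seen):
    """Diff a fresh CT pull against an earlier run: only these need active validation."""
    return sorted(set(current) - set(previously_seen))


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    for h in hosts:
        print(h)
    print("new since last run:", new_hosts(hosts, ["www.example.com", "example.com"]))
```

Swap `SAMPLE_CRTSH_JSON` for the body returned by the curl command to use it on a live pull; keeping the previous run's list in a file turns CT monitoring into a cheap daily diff.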
Wayback Machine & Web Archives
Historical snapshots reveal:
- Old endpoints still accessible
- Removed functionality with bugs
- JavaScript files with API keys
- Development comments
# Using waybackurls
echo "example.com" | waybackurls | sort -u > wayback-urls.txt
# Using gau (GetAllUrls)
gau example.com --threads 5 > all-urls.txt
# Filter for interesting extensions (the (\?|$) alternation also catches
# app.js?v=123, which a bare $ anchor would miss)
grep -iE "\.(js|json|xml|config|env|sql|bak)(\?|$)" all-urls.txt
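Archive tools return the same resource many times under different cache-busting query strings and schemes, and often pull in out-of-scope CDN hosts. The added example below (my own code, not from the page or from waybackurls/gau) filters a constructed sample of their line-per-URL output the way the grep above does, but matches extensions ahead of a query string, drops hosts outside the target apex, and collapses variants that differ only in scheme or parameter values so the review list stays short:

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed lines in the one-URL-per-line shape waybackurls and gau emit; illustrative only.
SAMPLE_URLS = """\
https://example.com/static/app.js?v=1.2.3
https://example.com/static/app.js?v=1.2.4
http://example.com/static/app.js
https://example.com/api/v1/debug
https://example.com/backup/db.sql.bak
https://example.com/.env
https://example.com/config/settings.json?token=abc123
https://cdn.notexample.com/lib/jquery.js
https://example.com/index.html
https://example.com/wp-content/uploads/2019/report.pdf
"""

# Same extension list as the grep on the page.
INTERESTING_EXT = {"js", "json", "xml", "config", "env", "sql", "bak"}


def path_extension(path):
    """Extension of the last path segment, or '' ('/.env' -> 'env', '/db.sql.bak' -> 'bak')."""
    last = path.rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return last.rsplit(".", 1)[-1].lower()


def in_scope_host(host, apex):
    """Label-boundary scope check so cdn.notexample.com is not treated as in scope."""
    return host == apex or host.endswith("." + apex)


def canonical(url):
    """Collapse variants: force https, lowercase host, keep query parameter names but drop values."""
    parts = urlsplit(url.strip())
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = urlencode([(k, "") for k in names])
    return urlunsplit(("https", parts.netloc.lower(), parts.path, query, ""))


def interesting_urls(lines, apex, extensions=INTERESTING_EXT):
    """Return unique, canonicalised, in-scope URLs whose path extension is interesting.

    Unlike grep -E '\\.(js|...)$' this still matches when a query string follows the
    extension, and it discards out-of-scope hosts that archives pull in via CDNs.
    """
    seen = {}
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if not in_scope_host(parts.netloc.lower(), apex):
            continue
        if path_extension(parts.path) not in extensions:
            continue
        # Keep the first original form so the report can cite a real archived URL.
        seen.setdefault(canonical(line), line)
    return sorted(seen)


if __name__ == "__main__":
    for url in interesting_urls(SAMPLE_URLS, "example.com"):
        print(url)
```

Feed it `all-urls.txt` instead of the sample and the output is the list worth checking for live access; `/api/v1/debug` has no extension and is filtered out here, which is why a separate pass over endpoints by path keyword is still worthwhile.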
Google Dorking
Advanced search operators find exposed assets:
| Dork | Purpose |
|---|---|
| site:example.com filetype:pdf | Find documents |
| site:example.com inurl:admin | Admin panels |
| site:example.com "error" "sql" | Error messages |
| site:example.com ext:env OR ext:config | Config files |
| "example.com" password | Leaked credentials |
# Common productive dorks
site:example.com intitle:"index of"
site:example.com inurl:wp-content
site:example.com -site:www.example.com   # everything except the main site (-www alone only excludes pages containing the word "www")
site:example.com filetype:log
GitHub & Source Code Leaks
Developers accidentally commit secrets:
# GitHub search (manual)
# - Search: "example.com" password
# - Search: "example.com" api_key
# - Search: org:examplecorp filename:.env
# Using trufflehog (scans an organisation's repositories including git history;
# it can verify many credential types against the issuer, so start with verified hits)
trufflehog github --org=examplecorp --only-verified
# Using gitleaks on a cloned repository (detect scans the full git history by default)
gitleaks detect --source=. --report-format=json --report-path=gitleaks.json
Common finds: AWS keys, database credentials, API tokens, internal URLs.
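To make concrete what these scanners are doing, here is an added example (my own code, not part of the page and not how trufflehog or gitleaks are implemented) that applies the two detection strategies they combine to a constructed `.env` file: fixed-format regexes for well-known credential shapes, and a Shannon-entropy check on the values of variables whose names suggest a secret. It also flags in-scope internal URLs, since those are a recon find in their own right, and it never returns the secret values themselves so a report built from it cannot re-leak them:

```python
import math
import re
from urllib.parse import urlsplit

# Constructed .env-style content standing in for a file found in a public repository.
# The AWS pair is the placeholder from AWS documentation; the rest is made up.
# Nothing here is a live credential.
SAMPLE_ENV = """\
# local settings
APP_ENV=development
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=changeme
INTERNAL_API=https://api-internal.example.com/v1
GITHUB_TOKEN=ghp_aB3dE5fG7hJ9kL1mN2oP4qR6sT8uV0wX2yZ4
"""

# Credentials with a fixed prefix and length: a regex is reliable for these.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Variable names that usually hold something sensitive.
SECRET_KEY_RE = re.compile(
    r"(?i)(passw(or)?d|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)"
)
URL_RE = re.compile(r"https?://[^\s\"']+")
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?([^'\"\s#]*)")


def shannon_entropy(s):
    """Bits per character. Random base64-like material scores well above 3.5;
    dictionary words and placeholders such as 'changeme' score well below."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, apex, entropy_threshold=3.5, min_len=16):
    """Return (line_no, kind, variable_name) findings for one file's content.

    Secret values are deliberately not returned: a report built from this
    output cannot itself leak the credential it describes.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        key, value = (m.group(1), m.group(2)) if m else ("", line)

        matched = False
        for kind, rx in PATTERNS.items():          # 1. known credential formats
            if rx.search(line):
                findings.append((line_no, kind, key))
                matched = True
                break
        if not matched and key and SECRET_KEY_RE.search(key):   # 2. suspicious name + entropy
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high-entropy-value", key))
            else:
                findings.append((line_no, "weak-or-placeholder", key))

        for url in URL_RE.findall(line):           # 3. internal hostnames under the target apex
            host = urlsplit(url).netloc.lower()
            if host == apex or host.endswith("." + apex):
                findings.append((line_no, "internal-url", key))
    return findings


if __name__ == "__main__":
    for line_no, kind, key in scan_text(SAMPLE_ENV, "example.com"):
        print(f"line {line_no}: {kind} in {key or '<no variable>'}")
```

Entropy alone produces false positives on things like hashes and base64-encoded images, which is why real tools pair it with name heuristics and, where possible, live verification against the issuer before anything is reported.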
Shodan & Censys
Internet-wide scanners index exposed services:
# Shodan CLI (hostname: matches reverse DNS/hostnames, ssl: matches certificate fields)
shodan search --fields ip_str,port,org,hostnames "hostname:example.com"
shodan search --fields ip_str,port,org,hostnames "ssl:example.com"
# Censys search
# - Certificates index: parsed.subject.common_name: example.com (parsed.names also covers SANs)
# - Hosts index: search the same names to map them to IPs and open services
Look for:
- Exposed databases (MongoDB, Elasticsearch, Redis): the scanner's banner is the finding; do not connect yourself until the host is confirmed in scope
- Admin interfaces
- Development/staging environments
- Outdated software versions
OSINT Automation
Combine sources with automation:
# Using theHarvester
theHarvester -d example.com -b all
# Amass passive mode
amass enum -passive -d example.com -o passive-results.txt
# Subfinder (passive by default)
subfinder -d example.com -all -o subdomains.txt
Documentation Template
## Passive Recon: example.com
### Certificate Transparency
- Found: 47 unique subdomains
- Notable: staging.*, dev.*, api-internal.*
### Historical URLs
- Found: 2,340 unique URLs
- Interesting: /api/v1/debug, /backup/
### GitHub Exposure
- Found: 3 repositories mentioning target
- Potential: .env file in archived repo
### Next Steps
- Validate subdomain existence
- Check historical endpoints for access
- Investigate GitHub findings
Pro Tip: Run passive recon before starting any active testing. The information asymmetry gives you an advantage over other hunters.
Next, we'll enumerate subdomains using active techniques.