Initial Access and Reconnaissance Skill
You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:
- External reconnaissance and information gathering
- Subdomain enumeration
- Port scanning strategies
- OSINT techniques
- Public exposure detection
- Network mapping
- Service fingerprinting
- Vulnerability scanning
Core Methodologies
1. Passive Reconnaissance (OSINT)
Domain Information:
# WHOIS lookup
whois domain.com
# DNS records (many resolvers refuse or minimise ANY per RFC 8482, so query the types you need individually)
dig domain.com ANY
dig domain.com MX
dig domain.com TXT
dig domain.com NS
# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan
Subdomain Enumeration (Passive):
# Certificate transparency logs
# name_value carries every SAN of a cert (newline-separated) and may include wildcards (*.) and out-of-scope domains
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u
# Sublist3r
python3 sublist3r.py -d domain.com
# Amass (passive)
amass enum -passive -d domain.com
# assetfinder
assetfinder --subs-only domain.com
# subfinder
subfinder -d domain.com -silent
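The crt.sh output above is noisier than the one-liner suggests: each row's name_value holds every SAN on the certificate, wildcard entries are not hosts, and a multi-SAN cert pulls unrelated domains into the list. The following Python is an added example, not part of the original page or of crt.sh; it parses a constructed sample of the JSON (example.com stands in for the target), normalises names, keeps only in-scope hosts, and separately reports wildcard zones, which are the labels worth brute-forcing next. The live fetch function uses the same endpoint as the curl command and is not exercised offline.

```python
import json
import re
import urllib.parse
import urllib.request

# Accepts a hostname: ASCII letters/digits/hyphens per label, 1-253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample of crt.sh's JSON for ?q=%25.example.com&output=json
# (columns trimmed; real rows carry more fields).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    # Wildcard cert: '*' is not a host, but its base names a zone to brute-force.
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nAPI.dev.example.com"},
    # Multi-SAN cert that drags unrelated domains into the result set.
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nwww.example.net\ncdn.partner-site.test"},
    # Older duplicate cert for the same host.
    {"common_name": "mail.example.com", "name_value": "mail.example.com"},
    # Similar-looking but a different registrable domain.
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])


def parse_crtsh(json_text, apex):
    """Return {"hosts": [...], "wildcards": [...]} scoped to apex.

    Each newline-separated SAN is a candidate. Names are lowercased, trailing
    dots removed, the wildcard label stripped, and anything outside apex dropped.
    """
    apex = apex.lower().strip(".")
    hosts, wildcards = set(), set()
    for row in json.loads(json_text):
        for raw in row.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            is_wild = name.startswith("*.")
            if is_wild:
                name = name[2:]
            if not name or not HOSTNAME_RE.match(name):
                continue
            # Suffix check includes the dot so notexample.com is excluded.
            if name != apex and not name.endswith("." + apex):
                continue
            hosts.add(name)
            if is_wild:
                wildcards.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


def fetch_crtsh(apex, timeout=30):
    """Live lookup against the endpoint the page uses (not run offline)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + apex) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "recon-script"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_crtsh(resp.read().decode("utf-8"), apex)


if __name__ == "__main__":
    result = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(result["hosts"]))
    print("wildcard zones to brute-force:", result["wildcards"])
```

Feed the hosts list straight into the active enumeration and port-scanning steps; the wildcard list tells you where a DNS wildcard check is needed before brute-forcing, otherwise every guessed label will appear to resolve.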
Email Harvesting:
# theHarvester
theHarvester -d domain.com -b all
# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect
Search Engine Recon:
# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log
# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api
Shodan/Censys:
# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"
# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure
Social Media OSINT:
# LinkedIn enumeration
# Company employees, job titles, technologies used
# Twitter
# Company accounts, employee accounts, technology mentions
# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)
2. Active Reconnaissance
Subdomain Enumeration (Active):
# Check for a DNS wildcard first (e.g. dig a random label); if it resolves, every brute-forced name will "exist"
# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302
# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt
# amass (active)
amass enum -active -d domain.com -brute
DNS Zone Transfer:
# Try every authoritative nameserver (from dig NS); misconfigurations are often per server
# dig
dig axfr @ns1.domain.com domain.com
# host
host -l domain.com ns1.domain.com
# fierce
fierce --domain domain.com
Port Scanning:
# Nmap - quick scan (default scripts + version detection on the top 1000 ports)
nmap -sC -sV -oA nmap_scan target.com
# Nmap - full port scan
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -sV -sC -A target.com -oA nmap_detailed   # -A already implies -sC -sV plus OS detection and traceroute
# Nmap - UDP scan (needs root)
sudo nmap -sU --top-ports 1000 target.com
# Nmap - scan entire network
nmap -sn 10.10.10.0/24        # Ping sweep
nmap -p- 10.10.10.0/24        # Port scan subnet
# masscan (very fast; keep --rate within what the network and the engagement scope tolerate)
sudo masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV
Service Detection:
# Banner grabbing (nc -n disables DNS resolution, so use -n only with an IP address)
nc -v target.com 80
curl -I https://target.com
telnet target.com 80
# Nmap service detection
nmap -sV --version-intensity 9 target.com
# OS detection (needs root)
sudo nmap -O target.com
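The scans above produce output that has to be turned into input for the next phase: web targets for nuclei/ffuf/whatweb, and a port list for service enumeration. As an added example (not code from the page or from nmap), the following Python parses nmap's -oX XML, which is the stable machine-readable form, into flat records, and derives HTTP(S) URLs from the open web services, using tunnel="ssl" and the port number to pick the scheme. The XML is a constructed sample of a -sV scan against a placeholder host, trimmed to the elements used here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -oX output (trimmed to the elements used here).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- -oX scan.xml 10.10.10.5 10.10.10.6">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="10.10.10.5" addrtype="ipv4"/>
  <hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" tunnel="ssl" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
      <service name="mysql" method="table" conf="3"/></port>
    <port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache Tomcat" tunnel="ssl" method="probed" conf="10"/></port>
  </ports>
</host>
<host>
  <status state="down" reason="no-response"/>
  <address addr="10.10.10.6" addrtype="ipv4"/>
</host>
</nmaprun>
"""

WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "ssl/http"}


def parse_nmap_xml(xml_text):
    """Flatten nmap XML into one dict per (host, port). Down hosts are skipped."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d=None: d)
            records.append({
                "ip": ip, "hostname": hostname,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": get("name"), "product": get("product"),
                "version": get("version"), "tunnel": get("tunnel"),
                "conf": int(get("conf", "0")),   # version-detection confidence, 0-10
            })
    return records


def open_ports(records):
    return [r for r in records if r["state"] == "open"]


def web_targets(records):
    """URLs for every open HTTP(S) service, ready for nuclei -l / ffuf / whatweb."""
    urls = []
    for r in open_ports(records):
        if r["service"] not in WEB_SERVICES:
            continue
        scheme = "https" if r["tunnel"] == "ssl" or r["service"] == "https" else "http"
        host = r["hostname"] or r["ip"]
        default = 443 if scheme == "https" else 80
        url = f"{scheme}://{host}" + ("" if r["port"] == default else f":{r['port']}")
        if url not in urls:
            urls.append(url)
    return urls


def summary_lines(records):
    """ip:port/proto state service product version, one per line."""
    return [f'{r["ip"]}:{r["port"]}/{r["proto"]} {r["state"]} {r["service"] or "?"} '
            f'{r["product"] or ""} {r["version"] or ""}'.rstrip() for r in records]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("\n".join(summary_lines(recs)))
    print("web targets:", web_targets(recs))
```

Filtered ports (3306 in the sample) are worth keeping in the record set rather than discarding: a filtered database port on an Internet-facing host is a hint about the firewall policy that the ACK-scan step later in this skill is meant to confirm.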
3. Web Application Reconnaissance
Technology Identification:
# WhatWeb
whatweb https://target.com
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Check headers
curl -I https://target.com
# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"
Directory/File Enumeration:
# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html
# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js
# ffuf (if the site answers 200 for every path, filter on response size/words with -fs/-fw instead of status)
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404   # Filter out 404s
# dirsearch
dirsearch -u https://target.com -e php,html,js
# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/
Virtual Host Discovery:
# gobuster (gobuster 3.2+ needs --append-domain to append the base domain to each word)
gobuster vhost -u http://target.com -w vhosts.txt
# ffuf (when the default vhost also returns 200, filter on size with -fs rather than on status)
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fc 404
Parameter Discovery:
# arjun
arjun -u https://target.com/page
# ParamSpider
python3 paramspider.py -d target.com
# ffuf (the page returns 200 regardless, so filter on the baseline response size with -fs instead of -mc 200)
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -mc 200
JavaScript Analysis:
# Extract JS files
echo "https://target.com" | hakrawler | grep -E '\.js(\?|$)' | sort -u   # keep script URLs that carry a query string too
# Analyze JS for secrets (case-insensitive; expect false positives from placeholders and long non-secret strings)
grep -Eio "(api[_-]?key|token|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']" file.js
# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html
# JSParser
python3 JSParser.py -u https://target.com
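The grep above finds assignments by variable name only and cannot tell a real key from a placeholder. As an added example (not part of the page, LinkFinder or JSParser), the following Python scans a constructed JavaScript bundle with the same assignment pattern plus two format-specific patterns that catch keys no variable name gives away, and rates each value by Shannon entropy so that low-entropy placeholders such as sk_test_0000... can be triaged out. The AKIA value is AWS's published documentation example key id, not a real credential.

```python
import math
import re
from collections import Counter

# Constructed sample bundle; the AKIA value is AWS's documented example key id.
SAMPLE_JS = """\
const config = {
  apiKey: "AKIAIOSFODNN7EXAMPLE",
  endpoint: "https://api.example.com/v1",
  token: "sk_test_0000000000000000",
  password: 'CHANGEME',
};
var secret = "8f3a2b9c1d4e5f60718293a4b5c6d7e8f9a0b1c2";
"""

# Generic assignment pattern, equivalent to the grep on the page but with the
# key name and the value captured separately; the value must be 10+ characters.
GENERIC_RE = re.compile(
    r"""(?i)\b(api[_-]?key|token|secret|password|passwd)\b["']?\s*[:=]\s*["']([^"']{10,})["']"""
)
# Format-specific patterns catch keys that no variable name gives away.
FORMAT_RES = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
ENTROPY_FLOOR = 3.0  # bits per character; below this the value is probably a placeholder


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_js(text):
    """Return one finding per match: kind, variable name (if any), value, line, entropy."""
    findings = []
    for m in GENERIC_RE.finditer(text):
        findings.append({"kind": "assignment", "name": m.group(1), "value": m.group(2),
                         "line": _line_of(text, m.start())})
    for kind, rx in FORMAT_RES.items():
        for m in rx.finditer(text):
            findings.append({"kind": kind, "name": None, "value": m.group(0),
                             "line": _line_of(text, m.start())})
    for f in findings:
        f["entropy"] = round(shannon_entropy(f["value"]), 2)
        f["low_entropy"] = f["entropy"] < ENTROPY_FLOOR
    return findings


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        flag = " (low entropy, likely placeholder)" if f["low_entropy"] else ""
        print(f'line {f["line"]}: {f["kind"]} {f["name"] or ""} = {f["value"]}{flag}')
```

Entropy is a triage aid, not proof: a real key with a repetitive prefix can score low and a long random-looking CDN hash can score high, so verify candidates against the issuing service (the way trufflehog's verification does) before reporting them.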
4. Email/Phishing Reconnaissance
Email Format Detection:
# Common formats
firstname.lastname@company.com
firstnamelastname@company.com
f.lastname@company.com
firstname@company.com
# Confirm the format against one known-good address (press contact, commit author, breach dump) before generating a list
# Generate email list
# Tools: linkedin2username, namemash
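Generating the list is simple once the format is known; the useful step is inferring it from one confirmed address and then applying it consistently to names with accents, apostrophes and middle names. The following Python is an added example, not code from the page, linkedin2username or namemash; names, addresses and company.com are constructed placeholders.

```python
import re
import unicodedata

# Placeholders: first/last = full names, f/l = initials. Ordered so the most
# common corporate patterns are tried first.
FORMATS = [
    "{first}.{last}", "{first}{last}", "{f}.{last}", "{f}{last}", "{first}",
    "{first}_{last}", "{first}-{last}", "{last}.{first}", "{last}{f}", "{first}.{l}",
]


def _normalize(token):
    """ASCII-fold accents and drop anything that is not a letter (O'Neil -> oneil)."""
    folded = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def name_parts(full_name):
    """First and last token of a display name; middle names and initials are ignored."""
    tokens = [t for t in full_name.split() if t]
    if not tokens:
        raise ValueError("empty name")
    first, last = _normalize(tokens[0]), _normalize(tokens[-1])
    return {"first": first, "last": last, "f": first[:1], "l": last[:1]}


def build_email(full_name, domain, fmt):
    return fmt.format(**name_parts(full_name)) + "@" + domain.lower()


def infer_format(known_email, full_name):
    """Given one confirmed address and its owner's name, return the matching format or None."""
    local = known_email.split("@", 1)[0].lower()
    parts = name_parts(full_name)
    for fmt in FORMATS:
        if fmt.format(**parts) == local:
            return fmt
    return None


def generate_emails(names, domain, fmt=None):
    """Candidate addresses; with fmt=None every format is emitted (for a spray list)."""
    fmts = [fmt] if fmt else FORMATS
    out = []
    for name in names:
        for f in fmts:
            email = build_email(name, domain, f)
            if email not in out:
                out.append(email)
    return out


if __name__ == "__main__":
    fmt = infer_format("j.smith@company.com", "John Smith")
    print("detected format:", fmt)
    for e in generate_emails(["Jane Doe", "Bob O'Neil", "José García"], "company.com", fmt):
        print(e)
```

With no confirmed address, generate_emails with fmt=None yields every variant; expect the verification step that follows (hunter.io, SMTP probing) to be correspondingly noisier and more detectable.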
Email Verification:
# Check if email exists
# Tools: hunter.io, email-checker
# SMTP verification (careful - detectable; most MTAs disable VRFY, so a RCPT TO after MAIL FROM is the usual fallback)
telnet mail.company.com 25
VRFY user@company.com
Breached Credentials:
# Have I Been Pwned
# Check if company emails in breaches
# dehashed.com
# Search for company domain
# WeLeakInfo alternatives
# pwndb (Tor)
5. Network Mapping
Identify Live Hosts:
# Ping sweep
nmap -sn 10.10.10.0/24
# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24
# fping
fping -a -g 10.10.10.0/24 2>/dev/null
Network Topology:
# Traceroute
traceroute target.com
traceroute -T target.com   # TCP
traceroute -I target.com   # ICMP
# MTR (better traceroute)
mtr target.com
Firewall/IDS Detection:
# Nmap firewall detection (ACK scan classifies ports as filtered/unfiltered; it does not find open ports)
nmap -sA target.com
# Check for filtered ports (-Pn skips host discovery, so a host that drops ping is still scanned)
nmap -p- -Pn target.com
# IDS evasion techniques
nmap -T2 -f target.com      # Slow scan, fragment packets
nmap -D RND:10 target.com   # Decoy scan
6. Cloud Asset Discovery
AWS S3 Buckets:
# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com
# 404 NoSuchBucket = does not exist; 403 = exists but not anonymously listable; 200 = listable; 301 = exists in another region
# Bucket name wordlist
# company-backup, company-data, company-dev, etc.
# Tools
# s3scanner (newer releases: s3scanner scan --buckets-file buckets.txt)
python3 s3scanner.py buckets.txt
# awscli
aws s3 ls s3://bucketname --no-sign-request
Azure Blobs:
# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
Google Cloud Storage:
# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
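The three cloud checks above share two steps: building name permutations from a company keyword and interpreting the HTTP response. The following Python is an added example covering the S3, Azure and GCS sections together; it is not code from the page, s3scanner, MicroBurst or GCPBucketBrute. It filters permutations by each provider's published naming rules (so impossible names are never requested), classifies S3 responses by status and body, and takes an injectable fetcher so it runs offline against constructed responses; the live fetcher uses urllib and is not exercised here. "Acme" is a placeholder keyword.

```python
import re
import urllib.error
import urllib.request

# Provider naming rules (from the published limits): a candidate that cannot
# be a valid name is not worth a request.
NAME_RULES = {
    "s3": re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"),       # 3-63 chars, no underscores
    "azure": re.compile(r"^[a-z0-9]{3,24}$"),                        # storage account names
    "gcs": re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$"),      # 3-63 chars, underscore allowed
}
SUFFIXES = ["backup", "backups", "data", "dev", "staging", "prod", "assets",
            "static", "uploads", "logs", "archive"]


def candidates(keyword, provider="s3", suffixes=SUFFIXES):
    """Permute keyword with common suffixes and drop names the provider would reject."""
    kw = keyword.lower()
    raw = [kw]
    for s in suffixes:
        raw += [f"{kw}-{s}", f"{kw}{s}", f"{s}-{kw}", f"{kw}_{s}", f"{kw}.{s}"]
    rule = NAME_RULES[provider]
    out = []
    for n in raw:
        if n not in out and rule.match(n):
            out.append(n)
    return out


def classify_s3(status, body=""):
    """Interpret a GET on https://<bucket>.s3.amazonaws.com/ (virtual-hosted style)."""
    if status == 200 and "<ListBucketResult" in body:
        return "public-listable"
    if status == 200:
        return "exists-200"
    if status == 403:
        return "exists-private"        # AccessDenied: bucket exists, anonymous listing blocked
    if status == 404 and "NoSuchBucket" in body:
        return "nonexistent"
    if status in (301, 307):
        return "exists-other-region"   # PermanentRedirect/TemporaryRedirect: exists elsewhere
    return f"unknown-{status}"


def http_fetch(url, timeout=10):
    """Live fetch returning (status, body); HTTP error statuses are data here, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")


def check_s3_buckets(names, fetch=http_fetch):
    """Map each candidate to a classification; fetch is injectable for offline use."""
    return {n: classify_s3(*fetch(f"https://{n}.s3.amazonaws.com/")) for n in names}


# Constructed responses standing in for real S3 replies, keyed by bucket name.
FAKE_RESPONSES = {
    "acme-backup": (200, '<?xml version="1.0"?><ListBucketResult><Name>acme-backup</Name></ListBucketResult>'),
    "acme-dev": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "acme-prod": (301, "<Error><Code>PermanentRedirect</Code></Error>"),
}


def fake_fetch(url):
    name = url.split("//", 1)[1].split(".s3.amazonaws.com", 1)[0]
    return FAKE_RESPONSES.get(name, (404, "<Error><Code>NoSuchBucket</Code></Error>"))


if __name__ == "__main__":
    for name, verdict in check_s3_buckets(candidates("Acme"), fetch=fake_fetch).items():
        if verdict != "nonexistent":
            print(f"{name}: {verdict}")
```

A 403 is a finding in its own right: it confirms the bucket name exists in the target's namespace, which is what aws s3 ls --no-sign-request and an authenticated check from an arbitrary AWS account should then be pointed at, since "private to anonymous" and "private to everyone" are different configurations.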
7. Vulnerability Scanning
Automated Scanners:
# Nikto (web vulnerabilities)
nikto -h https://target.com
# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/
# OpenVAS (comprehensive)
# Use GUI or command line
# Nessus (commercial)
# Web-based scanner
Specific Vulnerability Checks:
# SSL/TLS (quote the script glob so the shell does not expand it)
nmap -p 443 --script "ssl-*" target.com
testssl.sh https://target.com
# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch
# XSS
dalfox url https://target.com/search?q=test
# SSRF
# Manual testing or use Burp Suite
# Directory traversal
# Test: ../../../../etc/passwd
8. Credential Gathering
Default Credentials:
# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials
# Common defaults
admin:admin
admin:password
root:root
admin:Admin123
Public Repositories:
# GitHub secrets scanning (trufflehog v3 syntax; --only-verified keeps only credentials confirmed live against the issuer)
trufflehog git https://github.com/company/repo --only-verified
# GitLeaks
gitleaks detect --source /path/to/repo
# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password
Metadata Extraction:
# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;
# FOCA (Windows)
# Extract metadata from documents
9. Attack Surface Mapping
Comprehensive Enumeration:
# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering
Automation Frameworks:
# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
while read -r host; do nmap -sC -sV "$host" -oA "nmap_$host"; done < subdomains.txt
nuclei -l subdomains.txt -t ~/nuclei-templates/
# Recon-ng (v5: install a module from the marketplace before loading it)
recon-ng
workspaces create target
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
marketplace install recon/hosts-ports/shodan_ip
modules load recon/hosts-ports/shodan_ip
10. Reporting and Documentation
Organize Findings:
# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}
# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected
Essential Tools
Reconnaissance Suites:
- Amass - In-depth subdomain enumeration
- Recon-ng - Modular reconnaissance framework
- theHarvester - Email and subdomain gathering
- SpiderFoot - OSINT automation
- OWASP Maryam - Modular OSINT framework
Subdomain Tools:
- subfinder, assetfinder, findomain
- Sublist3r, amass, gobuster dns
Port Scanners:
- Nmap - The standard
- masscan - Fastest scanner
- RustScan - Fast with nmap backend
Web Tools:
- gobuster, feroxbuster, ffuf, dirsearch
- whatweb, wappalyzer
- nikto, nuclei
Operational Security
Reconnaissance OPSEC:
# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase
Reference Links
- OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- HackTricks Pentesting Methodology: https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
- SecLists: https://github.com/danielmiessler/SecLists
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
When to Use This Skill
Activate this skill when the user asks to:
- Perform reconnaissance on a target
- Enumerate subdomains
- Discover attack surface
- Find public exposures
- Gather OSINT information
- Map network infrastructure
- Identify technologies in use
- Help with initial access techniques
Always ensure proper authorization before performing any reconnaissance activities.