Recon Methodology: Passive OSINT to Active Enumeration
Reconnaissance is the phase that separates good testers from great ones. The more thoroughly you map the attack surface before touching anything, the more efficiently you find vulnerabilities and the fewer important targets you miss. This guide walks through a complete recon methodology: passive OSINT first, which sends nothing to the target, then active enumeration, kept as quiet as the scope allows.
Phase 1: Passive Recon
OSINT and Recon Flow
flowchart TD
  Target["Target Organization"] --> Passive["Passive Recon"]
  Target --> SemiActive["Semi-Active Recon"]
  Passive --> WHOIS["WHOIS / DNS records, IP ranges"]
  Passive --> GoogleDorks["Google Dorks, LinkedIn employees"]
  Passive --> ShodanCensys["Shodan / Censys: Internet-facing assets"]
  Passive --> CertSearch["Certificate Transparency (crt.sh) subdomain harvest"]
  SemiActive --> SubdomainEnum["Subdomain enumeration: amass, subfinder, assetfinder"]
  SemiActive --> PortScan["Port scan on discovered IPs (nmap -T2 for stealth)"]
  SubdomainEnum --> WebTech["Tech fingerprinting: WhatWeb, Wappalyzer"]
  WebTech --> VulnScan["Vulnerability scan: nuclei, nikto"]
  VulnScan --> Manual["Manual testing based on findings"]
Passive recon collects information without sending a single packet to the target. Everything comes from third-party data sources, public records, and search engines.
WHOIS and Registration Data
Start with the basics. WHOIS data reveals registrant names, organizations, registration dates, name servers, and registrar. Even with privacy protection, the name servers and registrar often reveal infrastructure patterns.
whois example.com
whois -h whois.arin.net 1.2.3.4 # IP ownership lookup
Certificate Transparency Logs
Certificate Transparency (CT) logs are one of the most powerful passive recon sources. Major browsers only trust publicly issued TLS certificates that appear in CT logs, so in practice every hostname that has ever carried a publicly trusted certificate is enumerable. Two caveats: a wildcard certificate hides the individual hosts behind it, and anything issued by an internal CA never shows up.
# crt.sh — query by domain (%25 is the URL-encoded % wildcard); name_value can hold several names per row and wildcard entries, so strip the "*." prefix
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u
# crt.sh — query by organization name instead of domain (catches certificates on domains you did not know about)
curl -s "https://crt.sh/?O=Example+Corp&output=json" | jq -r '.[].common_name' | sort -u
# subfinder pulls CT logs among its passive sources
subfinder -d example.com -silent
Use the Recon Hub to automate CT log queries and subdomain discovery from multiple sources simultaneously.
Shodan for Exposed Infrastructure
Shodan indexes everything the internet exposes. Key search operators for recon:
org:"Example Corp" # all IPs registered to the organization
hostname:example.com # subdomains indexed by Shodan
ssl:"example.com" # certificates referencing the domain
http.title:"Example Login" # login portals
product:"Apache Tomcat" org:"Example Corp" # specific tech stack
Look for development servers, staging environments, Kubernetes dashboards, and admin panels that wouldn't be found through the main domain. Note that org: matches the netblock owner, so assets hosted in AWS, Azure or GCP are filed under the cloud provider's organization, not the target's; pivot on ssl: and hostname: to find those.
LinkedIn and Employee OSINT
LinkedIn reveals the technology stack and internal tooling through employee job titles and skill listings. "AWS Lambda developer at Example Corp" tells you they use serverless infrastructure. "Okta SSO Engineer" tells you they use Okta for identity. This shapes your testing priorities.
GitHub Dorking
Developers frequently commit secrets, internal hostnames, and architectural details to public repositories. Use GitHub's search to find them:
# GitHub code search qualifiers (the current code search uses path:; filename: and extension: are the legacy forms)
org:examplecorp password
org:examplecorp api_key
org:examplecorp "internal.example.com"
org:examplecorp path:.env          # legacy: filename:.env
org:examplecorp path:*.pem         # legacy: extension:pem
Automate this with tools like trufflehog or gitleaks against the organization's public repos. The Secret Scanner can identify credential patterns in code or HTTP responses you capture during testing.
Google Dorks
Google indexes things that shouldn't be public. Effective dorks for recon:
site:example.com filetype:pdf
site:example.com inurl:admin
site:example.com inurl:api
site:example.com "index of /"
site:example.com ext:env OR ext:config OR ext:bak
inurl:"example.com/swagger"
inurl:"example.com" "api documentation"
Phase 2: Active Enumeration
Active recon sends requests to targets. Confirm you're authorized before starting, and check that every host you discovered is actually in scope: third-party assets surfaced by Shodan or CT logs (CDNs, SaaS tenants, a partner's hosting) frequently are not.
Subdomain Brute Forcing
Even after exhausting passive sources, there are subdomains that were never externally referenced. Brute force them with a quality wordlist and a fresh, validated resolver list; stale or lying resolvers produce false positives, and a domain with wildcard DNS will "resolve" every guess, so check for that first.
# amass — comprehensive; enum is passive by default, -active and -brute add DNS probing and brute forcing
amass enum -active -brute -d example.com -o amass-results.txt
# subfinder — fast passive enumeration
subfinder -d example.com -o subfinder-results.txt
# shuffledns — brute force with massdns backend
shuffledns -d example.com -w /opt/wordlists/subdomains-top1million.txt -r resolvers.txt -mode bruteforce -o shuffledns-results.txt
# combine all sources, deduplicate, and probe for live HTTP/HTTPS hosts
cat amass-results.txt subfinder-results.txt shuffledns-results.txt | sort -u | httprobe > live-hosts.txt
The Subdomain Wordlist Generator builds targeted wordlists based on the target's technology stack and industry, dramatically improving brute force hit rates.
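The merge step above deserves more care than a bare sort -u. As an added example (not code from the original page or from any of the tools named above), the following shell function lowercases names, strips trailing dots and the "*." prefix of wildcard entries, drops blank lines, and keeps only hosts that are genuinely under the apex domain, so look-alikes such as example.com.evil.net or notexample.com that some third-party sources return never reach httprobe. The sample input is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): merge raw subdomain output from
# several sources into one clean, in-scope host list.
#
# Handles the quirks that bite when you `cat *.txt | sort -u` blindly:
#   - crt.sh returns wildcard entries (*.example.com)
#   - hostnames come back in mixed case, sometimes with a trailing dot or CRLF
#   - third-party sources include look-alikes that are NOT in scope, e.g.
#     example.com.evil.net or notexample.com
set -eu

# normalize_subdomains <apex-domain>
# Reads hostnames on stdin, writes sorted unique in-scope hosts to stdout.
normalize_subdomains() {
    apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' \
    | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v apex="$apex" '
        $0 == "" { next }
        # keep the apex itself and anything whose suffix is ".<apex>"
        $0 == apex || substr($0, length($0) - length(apex)) == "." apex { print }
      ' \
    | sort -u
}

# Constructed sample input: what a raw merge of crt.sh, subfinder and a noisy
# third-party source might look like. Not real data.
sample_input() {
    cat <<'EOF'
*.example.com
API.example.com
api.example.com.
www.example.com
example.com
dev.example.com
*.staging.example.com
example.com.evil.net
notexample.com
example.org

EOF
}

# Number of in-scope hosts the sample yields (quick self-check).
count_sample_hosts() {
    sample_input | normalize_subdomains example.com | wc -l | tr -d ' '
}

sample_input | normalize_subdomains example.com
```

Run it with real data as `cat amass-results.txt subfinder-results.txt shuffledns-results.txt | normalize_subdomains example.com | httprobe`. The suffix test in awk is deliberate: a regex built from the domain would need its dots escaped, and a plain substring match is exactly what lets example.com.evil.net slip through.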
Port Scanning
After discovering IPs, scan for open ports. Use a staged approach: fast scan first, then service detection on open ports only.
# Stage 1: Fast all-port scan with masscan (needs root or CAP_NET_RAW; --rate=10000 is loud, lower it where stealth matters)
masscan -p1-65535 --rate=10000 1.2.3.0/24 -oL masscan-output.txt
# Stage 2: Service detection on one host, using only the ports masscan found open on that host
# (-oL lines look like: open tcp 443 1.2.3.4 1700000000)
nmap -sV -sC -oA nmap-1.2.3.4 -p "$(awk '$1 == "open" && $4 == "1.2.3.4" {print $3}' masscan-output.txt | paste -sd, -)" 1.2.3.4
The Network Recon Tool provides a guided interface for building nmap commands and interpreting output across large IP ranges.
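The stage-2 command above handles one host. As an added example (not code from the original page or from masscan/nmap), the following shell functions parse masscan's -oL output for a whole range, group the open ports per host with duplicates removed, and print one nmap command per host so the list can be reviewed before any traffic is generated. The sample output is constructed for the demonstration and uses RFC 5737 documentation addresses; the line format (open tcp <port> <ip> <timestamp>, plus "#" header and trailer lines) follows masscan's list output.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn masscan's list output (-oL)
# into one nmap service-detection command per host, so each host is scanned
# only on the ports masscan actually found open on *that* host.
set -eu

# masscan_ports_by_host
# Reads -oL text on stdin, prints "ip port,port,..." lines, one per host,
# ports numerically ascending, duplicate (ip,port) pairs collapsed.
masscan_ports_by_host() {
    awk '
        /^#/ { next }                                   # "#masscan" header, "# end" trailer
        $1 == "open" && $2 == "tcp" && !seen[$4, $3]++ { ports[$4] = ports[$4] " " $3 }
        END {
            for (ip in ports) {
                n = split(ports[ip], p, " ")            # " " separator => default field splitting
                for (i = 1; i <= n; i++)                # small in-place numeric sort
                    for (j = i + 1; j <= n; j++)
                        if (p[j] + 0 < p[i] + 0) { t = p[i]; p[i] = p[j]; p[j] = t }
                out = p[1]
                for (i = 2; i <= n; i++) out = out "," p[i]
                print ip, out
            }
        }' | sort
}

# nmap_commands
# Reads -oL text on stdin and emits the stage-2 nmap command for each host.
# Commands are printed, not executed, so the target list can be reviewed first.
nmap_commands() {
    masscan_ports_by_host | while read -r ip ports; do
        printf 'nmap -sV -sC -p %s -oA nmap-%s %s\n' "$ports" "$ip" "$ip"
    done
}

# Constructed sample in masscan -oL format (RFC 5737 addresses, not real scan data).
# Includes repeated hits for the same port, which masscan produces on retransmits.
sample_masscan_output() {
    cat <<'EOF'
#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.11 1700000001
open tcp 80 203.0.113.10 1700000002
open tcp 8443 203.0.113.10 1700000003
open tcp 443 203.0.113.10 1700000004
open tcp 22 203.0.113.11 1700000005
# end
EOF
}

sample_masscan_output | nmap_commands
```

Against a real scan: `nmap_commands < masscan-output.txt` to review, then pipe the same output into `sh` to run it. Keeping the per-host port list tight matters for more than speed; `-sC` runs NSE scripts against every listed port, and a merged list makes nmap hammer ports on hosts that never had them open.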
Technology Fingerprinting
Knowing the tech stack tells you which CVEs to check and which logic paths to explore:
whatweb -a 3 https://example.com # aggressive fingerprinting
wappalyzer https://example.com # browser-based detection
curl -I https://example.com # response headers reveal server, frameworks
Look for framework version disclosures in X-Powered-By, Server, and custom headers like X-AspNet-Version. Treat them as hints rather than facts: headers are routinely stripped or faked, so confirm with content-based signals such as default error pages, favicon hashes, cookie names and JavaScript bundle paths.
Mapping the Attack Surface
Consolidate your findings into an attack surface map:
- Endpoints — discovered via crawling, JavaScript analysis, and API docs
- S3 buckets — test anonymous access with aws s3 ls s3://example-backup --no-sign-request, or enumerate candidate names with s3scanner
- Exposed APIs — Swagger/OpenAPI specs often at /swagger.json, /api-docs, /openapi.yaml
- Leaked credentials — from GitHub dorking and secret scanning of captured responses
Recon Automation Script
#!/bin/bash
# Usage: ./recon.sh example.com
set -euo pipefail
DOMAIN="${1:?usage: $0 <domain>}"
OUT="recon/$DOMAIN"
mkdir -p "$OUT"/{subs,ports,screenshots}
# Passive subdomain enumeration
subfinder -d "$DOMAIN" -silent -o "$OUT/subs/subfinder.txt"
# crt.sh: %25 is the URL-encoded wildcard; name_value can hold several names per row and wildcard entries, so strip the "*." prefix
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u > "$OUT/subs/crtsh.txt"
# Merge only the per-source files (a bare subs/*.txt would re-read all.txt on a second run) and keep in-scope names
cat "$OUT/subs/subfinder.txt" "$OUT/subs/crtsh.txt" | tr 'A-Z' 'a-z' | { grep -E "(^|\.)${DOMAIN//./\\.}\$" || true; } | sort -u > "$OUT/subs/all.txt"
# Probe for live HTTP/HTTPS hosts
httprobe -c 50 < "$OUT/subs/all.txt" > "$OUT/live-hosts.txt"
# Screenshot live hosts (gowitness v2 syntax)
gowitness file -f "$OUT/live-hosts.txt" -P "$OUT/screenshots/"
echo "[*] Recon complete. $(wc -l < "$OUT/live-hosts.txt") live hosts."
OSINT for Bug Bounty
In bug bounty, the most valuable recon targets are assets in scope that other hunters haven't tested. Focus on:
- Recently registered subdomains (CT log monitoring)
- Acquired company domains (WHOIS, Crunchbase, LinkedIn)
- Mobile API backends (extract from the APK with apktool)
- Third-party integrations mentioned in documentation
Check the target's mail DNS as well, using the Email Header Analyzer: MX records and SPF include: mechanisms reveal the mail provider, DKIM selector names often identify third-party sending services, and the hosts listed in SPF a: and ip4: entries can expose the relays used for outbound mail routing.