Cyber Security Reconnaissance Workflow
Methodical asset discovery and enumeration for professional engagements.
Reconnaissance is the first phase of the cyber kill chain, and the quality of every later phase depends on it. Its purpose is to build a complete picture of the target's infrastructure, technology stack, and attack surface before any vulnerability probing starts.
- Passive Recon: Gathering information without sending traffic to the target itself (e.g., WHOIS, OSINT). Low risk of detection by the target, although the third-party sources you query may log your requests.
- Active Recon: Directly probing the target (e.g., port scanning, DNS bruteforcing, fuzzing). Higher risk of detection, and only permissible inside an authorized scope.
⚠️ This workflow is intended for legal, authorized penetration testing and bug bounty hunting only.
Set up your environment first so that output stays organized and reproducible. Use a dedicated VPS or an isolated local lab so that any blocking or IP blacklisting triggered by scanning lands on that address rather than on your home network.
Essential Toolkit Configuration
Amass: The heavyweight of subdomain enumeration. It does both passive and active work, and coverage improves considerably once API keys (Shodan, Censys, VirusTotal, etc.) are set in its config file.
Subfinder: Faster than Amass and excellent for quick passive wins from its modular sources; API keys widen its coverage as well.
WaybackURLs / GAU: Fetch archived URLs for a host. waybackurls reads the Wayback Machine only; gau additionally pulls from AlienVault OTX, Common Crawl, and URLScan.
Workspace Notes
Track your VPS IP, specific configurations, or tool versions here.
The goal is to find every sub-asset: subdomains, and the hosts and services behind them. Combining passive sources with active bruteforcing and permutation scanning (generating variants such as dev-, stg-, or api- of names you already know) usually yields the best coverage.
Enumeration Strategy
Subfinder
subfinder -d target.com -all -recursive -o subdomains/subfinder.txt
-all: query every configured source (slower, but the most complete). -recursive: use only sources that can enumerate recursively, so that nested names such as sub.sub.target.com are found as well.
Amass
amass enum -d target.com -config ~/.config/amass/config.ini -o subdomains/amass.txt
Point -config at the file holding your API keys. Newer Amass releases (4.x) read a YAML config file instead of config.ini, so adjust the path to match your version.
Findings & Anomalies
Note down any wildcard entries (names returned as *.target.com, or a wildcard DNS record that answers for every label) and any environment-specific hosts (dev, stg, uat). Wildcards inflate results with names that do not really exist and need to be filtered before later phases; environment hosts are often less hardened than production and deserve separate attention.
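The step after the two scans is to merge their output into one clean list and pull out the anomalies listed above. The script below is an added example, not code from the original page or from the Subfinder or Amass projects: it normalizes the raw names (case, trailing dots, carriage returns, "*." prefixes), keeps only names inside the scope root, de-duplicates, and separates wildcard and environment-specific entries. The file names subdomains/subfinder.txt and amass.txt follow the commands above; the sample entries in demo are constructed, not real scan results.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): merge subfinder and amass output
# into one normalized, in-scope, de-duplicated host list and extract the
# wildcard and environment-specific entries for the "Findings & Anomalies" step.
# Sample input is constructed inline so the script runs offline.
set -eu

# normalize_hosts ROOT  (stdin: raw names, stdout: clean sorted unique list)
# lowercase, drop whitespace/CR, strip trailing dots and "*." prefixes, then
# keep only ROOT itself or names ending in ".ROOT" (the scope filter).
normalize_hosts() {
  root=$1
  tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v root="$root" \
        'NF && ($0 == root || substr($0, length($0) - length(root)) == "." root)' \
    | sort -u
}

# wildcard_candidates  (stdin: raw names) -> entries that arrived with a "*." prefix
wildcard_candidates() {
  tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g' | grep -E '^\*\.' | sort -u || true
}

# env_hosts  (stdin: clean names) -> hosts whose labels hint at non-production
env_hosts() {
  grep -E '(^|[.-])(dev|stg|stage|staging|uat|qa|test)([.-]|$)' || true
}

# merge_recon OUTDIR ROOT : run the whole step on the files the page's
# subfinder/amass commands write into OUTDIR (assumed names subfinder.txt, amass.txt).
merge_recon() {
  outdir=$1; root=$2
  cat "$outdir"/subfinder.txt "$outdir"/amass.txt | normalize_hosts "$root" > "$outdir"/all.txt
  cat "$outdir"/subfinder.txt "$outdir"/amass.txt | wildcard_candidates > "$outdir"/wildcards.txt
  env_hosts < "$outdir"/all.txt > "$outdir"/env.txt
  echo "in-scope unique hosts: $(wc -l < "$outdir"/all.txt)"
}

# demo: constructed sample output, including out-of-scope and lookalike names
demo() {
  tmp=$(mktemp -d)
  printf 'www.target.com\nAPI.target.com.\ndev-api.target.com\n*.stg.target.com\n' > "$tmp/subfinder.txt"
  printf 'api.target.com\nmail.target.com\nnottarget.com\nevil.target.com.attacker.net\n' > "$tmp/amass.txt"
  merge_recon "$tmp" target.com
  echo "--- all.txt";       cat "$tmp/all.txt"
  echo "--- wildcards.txt"; cat "$tmp/wildcards.txt"
  echo "--- env.txt";       cat "$tmp/env.txt"
  rm -rf "$tmp"
}
demo
```

The scope filter matters more than it looks: tools routinely return lookalikes such as nottarget.com or names where target.com is only a middle label, and a suffix check against ".target.com" is what keeps them out of the list you hand to the active phase.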