
Overview

External reconnaissance is the process of discovering everything a company owns that is publicly accessible on the internet — before touching any target system. The goal is to build a complete picture of the attack surface.

Asset Discovery

Acquisitions

Start by finding all companies owned by the main company (subsidiaries expand scope):
  • Crunchbase — search company → click “acquisitions”
  • Wikipedia — search the company’s page for acquisition history
  • SEC/EDGAR filings and investor relations pages (for public companies)
  • OpenCorporates and the GLEIF LEI database

ASNs (IP Ranges)

An Autonomous System Number (ASN) identifies an organization’s IP ranges. Find them by company name, IP, or domain:
# Enumerate ASNs with amass
amass intel -org tesla
amass intel -asn 8911,50313,394161

# BBOT automatically summarizes ASNs at scan end
bbot -t tesla.com -f subdomain-enum

Domains

Reverse DNS

dnsrecon -r <DNS_Range> -n <IP_DNS>
dnsrecon -d facebook.com -r 157.240.221.35/24
dnsrecon -r 157.240.221.35/24 -n 1.1.1.1

Reverse Whois

Search for other assets linked to the same organization name, address, or email:
amass intel -d tesla.com -whois

Trackers & Favicon Hashes

Find related domains by sharing the same Google Analytics ID, Adsense ID, or favicon hash:
# Favicon hash search via Shodan
shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port

# Compute the Shodan-compatible favicon hash: MurmurHash3 over the
# line-wrapped base64 of the icon bytes (codecs.encode, not b64encode)
import mmh3, requests, codecs

def fav_hash(url):
    response = requests.get(url, timeout=10)
    response.raise_for_status()
    favicon = codecs.encode(response.content, "base64")
    fhash = mmh3.hash(favicon)
    print(f"{url} : {fhash}")
    return fhash

Certificate Transparency

Discover domains via CT logs:

Subdomains

OSINT Tools

# BBOT — comprehensive subdomain enumeration
bbot -t tesla.com -f subdomain-enum
bbot -t tesla.com -f subdomain-enum -rf passive  # passive only

# Amass
amass enum -d tesla.com
amass enum -active -ip -d tesla.com

# Subfinder
subfinder -d tesla.com -silent

# theHarvester
theHarvester -d tesla.com -b "anubis,bing,crtsh,dnsdumpster,google,virustotal"

# assetfinder
assetfinder --subs-only tesla.com

DNS Brute Force

# massdns — fast but may have false positives
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt

# gobuster
gobuster dns -d mysite.com -t 50 -w subdomains.txt

# puredns
puredns bruteforce all.txt domain.com

# shuffledns
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt

Permutation Generation

Generate subdomain mutations to find more targets:
# dnsgen
cat subdomains.txt | dnsgen -

# alterx
cat subdomains.txt | alterx | dnsx -silent

# gotator
gotator -sub subdomains.txt -silent

Virtual Host Brute Force

Fuzz the Host header to find hidden vhosts:
ffuf -u http://10.10.10.10 -H "Host: FUZZ.example.com" \
  -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -ac

gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt

IPs, Web Servers, and Cloud Assets

1. Collect All IPs

Gather IPs from discovered ranges, domains, and subdomains. Check SecurityTrails for historical IP records to find CloudFlare bypass IPs.

2. Port Scan Non-CDN IPs

Run port scans against IPs not belonging to CDNs to find running services. Check each service against this book’s guides.
masscan -p80,443,8000-8100,8443 199.66.11.0/24

3. Screenshot All Web Servers

Take screenshots to get a quick visual overview of discovered web apps. Tools: EyeWitness, Gowitness, Aquatone

4. Search Cloud Assets

Use company keywords and wordlists to find open S3 buckets, cloud functions, and storage. Tools: cloud_enum, CloudScraper, S3Scanner

Emails, Credential Leaks, and Secret Leaks

Email Discovery

Credential Leaks

GitHub Leaks

Search public repos of the company and its developers for exposed credentials and API keys.
# Run gitleaks on organization repos
gitleaks detect --source=./org-repos

Google Dorks

Use the Google Hacking Database or tools like Gorks to automate dork searches.

Full Recon Automation Tools

Checklist Summary

By the end of external recon you should have:
  1. All companies inside the scope
  2. All assets belonging to those companies (with basic vuln scans if in scope)
  3. All domains belonging to the companies
  4. All subdomains (check for subdomain takeovers!)
  5. All IPs from CDN and non-CDN sources
  6. All web servers with screenshots (anything weird?)
  7. Potential public cloud assets
  8. Emails, credential leaks, and secret leaks

References
