The OSINT Arsenal: 25+ Commands to Uncover Digital Footprints and Dominate Reconnaissance

Introduction:

Open-Source Intelligence (OSINT) has become the foundational phase of modern cybersecurity operations, from bug bounty hunting to penetration testing. Mastering automated reconnaissance tools and techniques allows security professionals to discover exposed assets, identify vulnerabilities, and map attack surfaces before malicious actors do.

Learning Objectives:

  • Understand and implement advanced OSINT data collection methodologies using command-line tools.
  • Automate the discovery of subdomains, exposed files, and sensitive information leaks.
  • Synthesize multiple reconnaissance tools into a cohesive intelligence-gathering workflow.

You Should Know:

1. Subdomain Enumeration with `subfinder` and `amass`

`subfinder -d target.com -o subdomains.txt`

`amass enum -passive -d target.com -o amass_subs.txt`

`sort subdomains.txt amass_subs.txt | uniq > all_subs.txt`

Subdomain discovery is the first step in mapping your target’s attack surface. Subfinder queries passive sources only, so it never touches the target; Amass can enumerate passively (as above) or actively, which does. The `sort | uniq` stage merges and deduplicates the two outputs, but only for exact matches: lowercase the lists and strip `*.` wildcard entries before merging, and drop anything outside the program scope before you move on. Always check the scope and rules of your bug bounty program before scanning.
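The merge step above only removes exact duplicates. The following shell functions, added here as an example and not code from the original post, normalise the names (lowercase, no scheme, no wildcard prefix, no trailing dot) and keep only hosts under the scope root before deduplicating. `target.com` and the two sample tool outputs are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): merge the output of
# several subdomain tools, normalise the names, and keep only those inside
# the scope root. "target.com" and the sample lists are constructed.

# Normalise one host per line: lowercase; strip a URL scheme, any path or
# port, a leading "*." wildcard and a trailing dot; drop blank lines.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -E 's#^[a-z]+://##; s#[/:].*$##; s/^\*\.//; s/\.$//' \
    | grep -Ev '^[[:space:]]*$'
}

# Keep the root itself and anything ending in ".<root>". The leading dot
# matters: "evil-target.com" and "target.com.edgesuite.net" stay out.
in_scope() {
  awk -v root="$1" '
    $0 == root || substr($0, length($0) - length(root)) == "." root
  '
}

# merge_subdomains ROOT FILE...  -> unique, sorted, in-scope hosts
merge_subdomains() {
  root="$1"; shift
  cat "$@" | normalize_hosts | in_scope "$root" | sort -u
}

# Constructed sample output from two tools, with the usual dirt in it.
demo_merge() {
  dir=$(mktemp -d)
  cat > "$dir/subfinder.txt" <<'EOF'
www.target.com
API.Target.com
*.dev.target.com
www.target.com
EOF
  cat > "$dir/amass.txt" <<'EOF'
api.target.com
mail.target.com.
evil-target.com
cdn.target.com.edgesuite.net
https://login.target.com/auth

EOF
  merge_subdomains target.com "$dir/subfinder.txt" "$dir/amass.txt"
  rm -rf "$dir"
}

# Real use: merge_subdomains target.com subdomains.txt amass_subs.txt > all_subs.txt
demo_merge
```

The demo prints five hosts (`api`, `dev`, `login`, `mail`, `www` under `target.com`); the look-alike `evil-target.com` and the CDN name that merely contains `target.com` are dropped, which a plain `sort | uniq` would not do.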

2. Probing for Live Hosts with `httpx`

`cat all_subs.txt | httpx -silent -threads 100 -status-code -title -tech-detect -o live_hosts.txt`

Once you have subdomains, identifying active web services is crucial. Httpx probes each name over HTTP and HTTPS and reports which respond, along with status codes, page titles, and detected technologies. `-threads 100` runs probes concurrently, and `-silent` suppresses the banner. Note that `-status-code`, `-title` and `-tech-detect` append bracketed annotations to every line of `live_hosts.txt`; tools that expect one bare URL per line (aquatone, waybackurls, feroxbuster’s `--stdin`) will not accept that file as-is, so either keep a second, annotation-free list from `httpx -silent` alone or strip the annotations before piping.
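Added example, not code from the original post: parsing the annotated httpx lines so that the URL column can be fed to other tools and hosts can be picked by status code or detected technology. The line layout assumed here is `URL [STATUS] [TITLE] [TECH,TECH]`, and the sample lines are constructed rather than real scan output.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): parse the annotated
# lines that `httpx -silent -status-code -title -tech-detect` writes, so
# the URL column can be fed to other tools and hosts can be selected by
# status code or technology. The line format assumed here is
#   URL [STATUS] [TITLE] [TECH,TECH]
# and the sample lines are constructed, not real scan output.

# Constructed sample of annotated httpx output (titles may contain brackets).
sample_httpx_output() {
  cat <<'EOF'
https://www.target.com [200] [Target Inc - Home] [Nginx,React]
https://api.target.com [401] [] [Kong]
https://dev.target.com [200] [Jenkins [Jenkins]] [Jetty]
http://old.target.com [301] [Moved Permanently] [Apache]
https://admin.target.com [403] [Forbidden] []
https://cdn.target.com [404] [Not Found] [Cloudflare]
EOF
}

# stdin: annotated lines; stdout: url<TAB>status<TAB>title<TAB>tech
httpx_parse() {
  awk '{
    url  = $1
    rest = substr($0, length(url) + 2)                 # drop "url "
    code = ""
    if (match(rest, /^\[[0-9][0-9][0-9]\] /)) {        # "[200] "
      code = substr(rest, 2, 3)
      rest = substr(rest, RLENGTH + 1)
    }
    # tech is the last bracket group (never nested); title is what precedes it
    n     = match(rest, /\[[^[]*\]$/)
    tech  = substr(rest, n + 1, RLENGTH - 2)
    title = substr(rest, 2, n - 4)                     # strip "[", "] " and "]"
    printf "%s\t%s\t%s\t%s\n", url, code, title, tech
  }'
}

# httpx_urls STATUS_ERE : bare URLs whose status matches, e.g. '^(2..|401|403)$'
httpx_urls() {
  httpx_parse | awk -F'\t' -v pat="$1" '$2 ~ pat { print $1 }'
}

# httpx_with_tech NAME : bare URLs whose detected technologies mention NAME
httpx_with_tech() {
  httpx_parse | awk -F'\t' -v t="$1" 'index(tolower($4), tolower(t)) { print $1 }'
}

# Real use: httpx_urls '^(2..|3..|401|403)$' < live_hosts.txt > urls_for_tools.txt
sample_httpx_output | httpx_urls '^(2..|3..|401|403)$'
```

The status filter keeps 401 and 403 on purpose: an authentication wall or a forbidden directory is often more interesting than a 200. `httpx_with_tech jenkins` style lookups are a quick way to pull out the one CI server or admin stack from a few thousand hosts.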

3. Discovering Hidden Paths with `feroxbuster`

`feroxbuster -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,json -o ferox_scan.txt`

Directory and file brute-forcing often reveals hidden administrative panels, backup files, and API endpoints. Feroxbuster is a recursive content discovery tool that uses wordlists to find unlinked resources. The `-x` flag specifies extensions to append to each word, and `-o` saves your results for later analysis. Unlike the passive steps above, this sends thousands of requests to the target, so start with common wordlists before moving to more comprehensive ones and cap the request rate (`--rate-limit`) where the program asks for it.

4. Extracting Intelligence from JavaScript with `subjs` and `waybackurls`

`echo "target.com" | waybackurls | grep -iE "\.js(\?|$)" | sort -u > js_urls.txt`

`cat live_hosts.txt | subjs | sort -u | tee js_files.txt`

`cat js_urls.txt js_files.txt | sort -u | httpx -silent -mc 200 | while read -r url; do curl -s "$url" | grep -oiE "(apikey|api_key|password|secret|token)[\"']?[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']" | sed "s#^#$url #" >> secrets_scan.txt; done`

JavaScript files often contain hardcoded API keys, tokens, and internal endpoints. This pipeline gathers historical JavaScript URLs from the Wayback Machine (waybackurls takes bare domains, not URLs, and the grep also catches cache-busted names like `app.js?v=3`), extracts the script URLs currently referenced by your live hosts with subjs, confirms with httpx which of those files still respond, and greps their contents for credential-looking assignments, prefixing each hit with the file it came from. Expect false positives from a pattern this loose: review every hit by hand, and handle any discovered credentials responsibly according to your program’s guidelines.
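A tighter secret grep than the one-liner above, added here as an example and not code from the original post. It reports only assignments whose key looks like a credential and whose value is a quoted string of at least 16 secret-looking characters, then discards obvious placeholders. The JavaScript sample is constructed, and the `sk_live_...` and JWT-shaped values in it are made up.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): a tighter secret grep
# for JavaScript than a bare "apiKey|password|token" match. It only reports
# assignments whose key looks like a credential AND whose value is a quoted
# string of 16+ secret-looking characters, then discards obvious
# placeholders. The sample JavaScript below is constructed; the
# "sk_live_..." and JWT-shaped values are made up and not real keys.

# Key names that usually hold credentials (matched case-insensitively,
# with any prefix/suffix such as "authToken" or "AWS_SECRET_ACCESS_KEY").
KEY_RE='[A-Za-z0-9_]*(api[_-]?key|secret|token|passw(or)?d|authorization)[A-Za-z0-9_]*'
# A quoted value of 16+ characters from the usual key/JWT/base64 alphabet.
VAL_RE="[\"'\`][A-Za-z0-9_./+=-]{16,}[\"'\`]"
# Values that are clearly not live secrets.
PLACEHOLDER_RE='example|placeholder|your_|xxxx|changeme|replace|dummy'

# stdin: JavaScript source; stdout: one "key: value" match per line
find_secrets() {
  grep -oiE "${KEY_RE}[\"']?[[:space:]]*[:=][[:space:]]*${VAL_RE}" \
    | grep -viE "$PLACEHOLDER_RE" || true
}

# Constructed sample file; exactly three lines should be reported.
sample_js() {
  cat <<'EOF'
const config = {
  apiKey: "AIzaSyD-example-placeholder-key-000",
  api_key: "sk_live_4eC39HqLyjWDarjtT1zdp7dc",
  token: "abc",
  "password": 'Sup3r-Secret-Passw0rd-2024-v2',
  authToken: `eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123def456`,
  tokenTtl: 3600,
  clientSecret: process.env.CLIENT_SECRET,
};
// TODO rotate: secret = "CHANGEME_CHANGEME_CHANGEME"
EOF
}

# Live use (not run here): cat js_files.txt | while read -r url; do
#   curl -s "$url" | find_secrets | sed "s#^#$url #"; done
sample_js | find_secrets
```

On the sample this reports the `api_key`, `password` and `authToken` lines and nothing else: the placeholder Google-style key and the `CHANGEME` value are dropped by the placeholder filter, `token: "abc"` is too short, and `process.env.CLIENT_SECRET` is a reference rather than a literal. Tune `PLACEHOLDER_RE` to your target; a word like `test` is deliberately left out of it because it also appears in legitimate key names.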

5. Network Mapping with `nmap` and `naabu`

`naabu -list all_subs.txt -top-ports 1000 -o naabu_ports.txt`

`nmap -sV -sC -p 80,443,22,21,25,53,110,143,993,995 -iL all_subs.txt -oA nmap_scan`

Port scanning reveals services beyond web applications. Naabu provides fast port discovery (its output is `host:port`, one per line), while Nmap delivers service version detection and script scanning; feeding Nmap only the ports naabu found open keeps the slow `-sV -sC` phase short instead of re-scanning a fixed port list on every host. The `-sC` flag runs the default NSE scripts against detected services, often revealing SSH host keys, SMTP configuration, or DNS details. Unlike the passive steps above, port scanning is active and noisy: run it only against targets you are explicitly authorized to scan.
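Added example, not code from the original post: turning naabu’s `host:port` lines into one Nmap command per host that scans only the ports naabu already found open. The sample naabu output is constructed; IPv6 `[addr]:port` lines are not handled.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): turn naabu's
# "host:port" lines into one nmap command per host that scans only the
# ports naabu already found open, instead of the fixed port list above.
# The sample naabu output is constructed. IPv6 "[addr]:port" lines are not
# handled.

# stdin: host:port lines; stdout: "host port,port,..." with ports
# sorted numerically and duplicates removed, one line per host.
naabu_group_ports() {
  grep -E '^[^:[:space:]]+:[0-9]+$' \
    | sort -t: -k1,1 -k2,2n -u \
    | awk -F: '
        { if ($1 in ports) ports[$1] = ports[$1] "," $2; else ports[$1] = $2 }
        END { for (h in ports) print h, ports[h] }' \
    | sort
}

# Emit the nmap invocation for each host (printed, not executed, so the
# list can be reviewed against scope first). -Pn: naabu already proved the
# host is up, so skip host discovery.
naabu_to_nmap() {
  naabu_group_ports | while read -r host ports; do
    printf 'nmap -sV -sC -Pn -p %s -oA nmap_%s %s\n' "$ports" "$host" "$host"
  done
}

# Constructed sample of naabu output (duplicates and a status line included).
sample_naabu() {
  cat <<'EOF'
api.target.com:443
www.target.com:8443
www.target.com:80
api.target.com:22
www.target.com:443
www.target.com:443
[+] 5 ports found
EOF
}

# Real use: naabu -list all_subs.txt -top-ports 1000 -silent | naabu_to_nmap | sh
sample_naabu | naabu_to_nmap
```

The commands are printed rather than executed so you can check the host list against scope before anything noisy happens; pipe the output to `sh` once you are satisfied.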

6. Visual Reconnaissance with `aquatone`

`cat live_hosts.txt | aquatone -ports 80,443,8080,8443 -screenshot-timeout 10000`

Aquatone takes your list of live hosts and captures screenshots, providing visual context to your reconnaissance data. This helps quickly identify interesting applications, default pages, or development environments. Feed it bare hosts or URLs, not the annotated httpx output; it writes its screenshots and an HTML report that groups the discovered hosts with their technologies into the current directory (or the directory given with `-out`).

7. Cloud Asset Discovery with `cloud_enum`

`python3 cloud_enum.py -k target -k companyname -l cloud_results.txt`

Many organizations inadvertently expose cloud storage buckets, Azure apps, or Google Cloud resources. Cloud_enum checks whether storage buckets, apps, and other resources named after your keywords exist on AWS, Azure, and Google Cloud. The `-k` flag can be repeated to supply several keywords: try company names, product and project names, and common environment prefixes like “dev,” “staging,” or “test.”

8. GitHub Reconnaissance with `gitrob` and `truffleHog`

`gitrob -save gitrob_results.json target-company`

`truffleHog --regex --entropy=False https://github.com/target-company/repo.git`

Source code repositories often contain accidentally committed secrets. Gitrob walks the repositories of a GitHub organization or user looking for sensitive filenames and saves the session for review in its web UI (it needs a GitHub token, via `GITROB_ACCESS_TOKEN` or `-github-access-token`). TruffleHog searches commit history for secrets, either with regex rules for known key formats or by flagging high-entropy strings; the command above disables the entropy check (`--entropy=False`) to cut noise and relies on the regex rules, and newer TruffleHog (v3) uses `trufflehog git <url>` instead. These tools should only be used against targets you’re authorized to test, and aggressive scanning runs into GitHub’s API rate limits and abuse detection.

9. SSL Certificate Analysis with `ctfr`

`python3 ctfr.py -d target.com -o cert_subdomains.txt`

Certificate Transparency logs record every publicly trusted certificate, so they list hostnames that passive DNS sources may miss. CTFR queries the crt.sh CT search for certificates issued for your target domain, often revealing internal systems, development environments, and third-party services. It is entirely passive, and the names it returns still need to be resolved and probed before you treat them as live.

10. Automated Reconnaissance Pipeline

```bash
#!/bin/bash
# Usage: ./recon.sh target.com
set -uo pipefail
domain="${1:?usage: $0 <domain>}"
echo "[+] Starting reconnaissance for $domain"
subfinder -d "$domain" -silent -o sub1.txt
amass enum -passive -d "$domain" -o sub2.txt
cat sub1.txt sub2.txt | tr 'A-Z' 'a-z' | sort -u > all_subs.txt
# plain URLs only, so the file can be piped into other tools
httpx -l all_subs.txt -silent > live_hosts.txt
# waybackurls wants bare domains, not URLs
waybackurls < all_subs.txt | sort -u | tee wayback_urls.txt
feroxbuster --stdin -x php,html,json -o "ferox_$domain.txt" < live_hosts.txt
echo "[+] Reconnaissance complete for $domain"
```

This bash script automates the basic reconnaissance workflow, chaining multiple tools together for efficiency. Save it as `recon.sh`, make it executable with `chmod +x recon.sh`, and run it with `./recon.sh target.com`. Expand this script based on your specific needs and the target’s environment, and remember that the last step (directory brute-forcing) is active and needs explicit authorization.

What Undercode Say:

  • Comprehensive OSINT reconnaissance is no longer optional—it’s the critical first step that determines the success or failure of security assessments.
  • Automation transforms reconnaissance from a tedious manual process into a scalable, repeatable methodology that consistently delivers actionable intelligence.

The evolution of OSINT tools has democratized advanced reconnaissance capabilities, allowing security professionals to operate at unprecedented scale and depth. However, this power comes with responsibility—the same techniques used by defenders are equally available to attackers. The strategic advantage no longer lies in knowing obscure tools, but in developing sophisticated workflows that synthesize multiple data sources into coherent intelligence. Organizations must assume that all publicly exposed information has already been collected and weaponized by adversaries, making continuous attack surface monitoring an essential defensive control. The future of cybersecurity reconnaissance will be dominated by AI-driven correlation engines that can automatically connect disparate data points across the clear, deep, and dark web, fundamentally changing how we approach both attack and defense.

Prediction:

Within two years, AI-powered reconnaissance platforms will autonomously correlate disparate OSINT data points to predict vulnerable attack paths with 85% accuracy, forcing organizations to adopt continuous attack surface management as a fundamental security control. This will create a new era where defensive security becomes less about building walls and more about managing digital footprints across an increasingly blurred perimeter.

Reported By: Rahmansec Osint – Hackers Feeds