1. Passive OSINT
Start without touching the target's own systems: collect publicly available data from WHOIS records, domain registries, Certificate Transparency logs (for example crt.sh), archived sites (Wayback Machine) and DNSDumpster. Third-party scanners such as SSL Labs connect to the target on your behalf, so they are not strictly passive from the target's point of view.
Tools & Steps:
- Registration and name-server data:
whois target.com
dig NS target.com
- Archived URLs with waybackurls:
waybackurls target.com
- Certificate metadata (issuer, validity, and subject alternative names, which frequently reveal extra hostnames):
sslscan target.com
sslyze target.com
Note that sslscan and sslyze connect directly to the host, so they belong to the active phase; for a purely passive view of the target's certificates, query Certificate Transparency logs instead.
2. Subdomain Enumeration
Enumerating subdomains expands the map of the attack surface. Passive enumeration with amass, saving the list for the later steps:
amass enum -passive -d target.com -o subs.txt
- Sublist3r:
sublist3r -d target.com
- DNS brute forcing: first build a list of working resolvers with dnsvalidator, then resolve a candidate list with massdns (this sends many queries to the target's name servers, so it is active, not passive):
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt
sed 's/$/.target.com/' wordlist.txt > candidates.txt
massdns -r resolvers.txt -t A -o S -w brute.txt candidates.txt
Check for wildcard DNS before trusting brute-force results: if a random label such as xyz123.target.com resolves, every candidate will appear to exist.
3. Visual Recon with EyeWitness
Probe which hosts answer over HTTP(S) and screenshot them. httprobe expects hostnames rather than full URLs, and EyeWitness reads its targets from a file (-f) rather than stdin, so feed it the subdomain list from step 2 (saved here as subs.txt):
cat subs.txt | httprobe > live.txt
eyewitness --web -f live.txt --timeout 10 -d eyewitness_out
(gau, which fetches known URLs from archives and Common Crawl, is useful input for content discovery in step 5, but its output is URLs, not hosts, so it does not belong in this pipeline.)
Review the screenshots for login portals, documentation pages, or unprotected admin panels.
4. Port Scanning & Service Detection
Move to active recon with Nmap. Full TCP port sweep with default scripts and version detection, saving all output formats:
nmap -sC -sV -p- target.com -oA nmap_full
Quick check of common web ports, skipping host discovery and grabbing page titles:
nmap -Pn -p80,443,8080 --script http-title target.com
5. Web Application Enumeration
Discover content, including potential login endpoints:
gobuster dir -u https://target.com -w wordlist.txt
- Nikto scan for known misconfigurations and outdated components:
nikto -h target.com
- Burp Suite for crawling and parameter discovery
6. Credential Harvesting via OSINT
Search breach data for leaked credentials and employee names. The script name below is a placeholder for whichever breach lookup tool you use:
python3 breach-credentials.py --domain target.com
Use Have I Been Pwned (its domain search requires proving control of the domain) and GitHub code searches for the target's email domain to find committed secrets and passwords.
7. API & Subdomain Takeover Checks
Hosts like dev.target.com or admin.target.com can be orphaned: the DNS record still exists but points (usually via a CNAME) at a third-party service that has since been deprovisioned, so whoever registers that resource with the provider controls the subdomain.
- Run subzy over the subdomain list from step 2 (subs.txt) to check for takeover candidates:
subzy run --targets subs.txt
- Run cmsmap to fingerprint and assess CMS-based services:
cmsmap https://target.com
8. Aggregating and Prioritizing Findings
Compile all data into a structured Recon Report:
- Hosts, IPs, subdomains, technologies
- Live endpoints (classified by criticality)
- Screenshots (e.g., EyeWitness)
- Vulnerable misconfigurations
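The two helpers below are an added example for building this report; they are not from the original article. They normalise hostnames gathered from several tools into one deduplicated in-scope list, and turn nmap grepable output (-oG) into CSV rows for the hosts/ports section. Function names, the CSV column order and all sample input are this example's own choices, and the sample data is constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for building the
# recon report. Function names, the CSV layout and all sample input are this
# example's own assumptions; the sample data is constructed, not real.

# normalise_subs SCOPE: read hostnames on stdin (as emitted by amass,
# sublist3r, massdns ...), lower-case them, strip surrounding whitespace,
# trailing dots and wildcard prefixes, keep only hosts inside SCOPE, dedupe.
normalise_subs() {
    scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' \
      | grep -E "(^|\.)${scope_re}\$" \
      | sort -u
}

# nmap_to_csv: read `nmap -oG` output on stdin and print
# host,port,proto,state,service for every open port. Each entry in the
# "Ports:" field is port/state/proto/owner/service/rpcinfo/version/.
# A version string containing ", " would confuse the split; nmap rarely
# emits one, but check the raw file if a row looks wrong.
nmap_to_csv() {
    awk '
      /^Host:/ && /Ports:/ {
        host = $2
        sub(/.*Ports: /, "")                        # keep only the port list
        sub(/[[:space:]]*Ignored State:.*/, "")     # drop the trailing summary
        n = split($0, entries, ", ")
        for (i = 1; i <= n; i++) {
          split(entries[i], f, "/")
          if (f[2] == "open") print host "," f[1] "," f[3] "," f[2] "," f[5]
        }
      }'
}

# Constructed sample input (not real data) to show both helpers in use.
printf 'API.target.com.\n*.dev.target.com\nfoo.evil.com\napi.target.com\nmail.target.com\n' \
  | normalise_subs target.com
printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' \
  | nmap_to_csv
```

Piping the raw outputs of amass, Sublist3r and massdns through normalise_subs gives one list to hand to httprobe, subzy and the report; the CSV from nmap_to_csv is what the "live endpoints" table is built from, with criticality added by hand.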
9. Internal Reconnaissance (Optional)
Once initial access is obtained, repeat the process from inside the network (SYN scans need root):
- Nmap sweep of the internal range with OS and version detection:
nmap -sS -A 10.10.10.0/24
- enum4linux to list SMB shares, users and password policies:
enum4linux -a target-internal
10. Continuous Recon Automation
Rerun recon on a schedule with cron or CI/CD. The entry below uses the system crontab format (/etc/cron.d, with a user field) and runs every Sunday at 03:00 as a dedicated low-privilege user; note that a schedule of "*/7 * * * *" would run every seven minutes, not weekly, and that % must be escaped in a crontab because cron treats it as a newline:
0 3 * * 0 recon amass enum -passive -d target.com -o /opt/recon/target.com/$(date +\%F).txt
Store each run in its own timestamped file (JSON/CSV where the tool supports it) rather than appending to one master file, so consecutive runs can be diffed and new hosts surface automatically.
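The script below is an added example of the timestamped-run idea, not code from the original article: each scheduled run is stored as its own snapshot and the latest snapshot is compared with the one before it to list hosts that are new. The collector is a redefinable shell function (amass by default), so the "demo" mode can substitute constructed data and run offline. RECON_DIR, the file layout and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: snapshot each scheduled run
# into a timestamped file and report hosts that are new since the previous
# run. RECON_DIR, the file layout and function names are this example's own
# assumptions; "demo" mode uses constructed data so it runs offline.
set -u
RECON_DIR="${RECON_DIR:-recon}"

# collect DOMAIN: the collector to run on a schedule. Redefine this function
# to swap in another tool (or, as in demo mode, constructed data).
collect() { amass enum -passive -d "$1"; }

# snapshot DOMAIN [STAMP]: run the collector, normalise and dedupe, and store
# the result as RECON_DIR/DOMAIN/STAMP.txt. Refuses to store an empty result,
# since an empty snapshot (a tool that failed) would otherwise make every
# host look as though it had disappeared.
snapshot() {
    domain="$1"; stamp="${2:-$(date -u +%Y-%m-%dT%H%M%SZ)}"
    dir="$RECON_DIR/$domain"; out="$dir/$stamp.txt"
    mkdir -p "$dir"
    collect "$domain" | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u > "$out"
    [ -s "$out" ] || { echo "empty result for $domain, not stored" >&2; rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# report_new DOMAIN: print hosts in the latest snapshot that are absent from
# the one before it. ISO timestamps sort lexically, so ls | sort orders runs.
report_new() {
    dir="$RECON_DIR/$1"
    prev=$(ls "$dir"/*.txt | sort | tail -n 2 | head -n 1)
    cur=$(ls "$dir"/*.txt | sort | tail -n 1)
    [ "$prev" != "$cur" ] || { echo "need two snapshots for $1" >&2; return 1; }
    comm -13 "$prev" "$cur"
}

# Demo with constructed data: sh recon_diff.sh demo
if [ "${1:-}" = demo ]; then
    RECON_DIR=$(mktemp -d)
    collect() { printf 'www.target.com\nAPI.target.com.\n'; }                       # constructed week 1
    snapshot target.com 2024-01-01T000000Z >/dev/null
    collect() { printf 'www.target.com\napi.target.com\nstaging.target.com\n'; }   # constructed week 2
    snapshot target.com 2024-01-08T000000Z >/dev/null
    echo "new since previous run:"; report_new target.com
fi
```

In a real deployment the cron entry calls snapshot and then report_new, and the output of report_new is what gets pushed to a ticket or chat channel; a run that produced nothing is rejected rather than recorded, so a broken tool never masquerades as a disappearing attack surface.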
By combining these phases—passive, active, visual, internal—your Red Team Recon becomes robust, repeatable, and comprehensive.