Methodology Checklist
- Define scope: IPs, domains, CIDRs, out-of-scope exclusions
- Run passive recon tools first (no direct target contact): WHOIS, crt.sh, Shodan
- Run active discovery: Nmap ping sweep + port scan on scope
- Enumerate web services: Gobuster, FFuF, EyeWitness
- Subdomain brute-force: amass, subfinder, dnsx
- Aggregate all findings into organised loot structure
- Feed results into vulnerability scanner (Nessus/OpenVAS)
- Review and triage scan output before manual testing
Operational Context
Think Dumber First: Automated recon tools accelerate coverage but miss context, so always manually review the output. Tools like ReconFTW chain passive OSINT → subdomain enumeration → port scanning → web fingerprinting automatically. Run automation as a background baseline while manually investigating the most interesting initial findings.
When you land here: Large scope with many targets. Define scope clearly before running automation. Use automation for breadth, manual techniques for depth. Key workflow: passive first (no traffic to target) → active enumeration → service-specific probing.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `python3 finalrecon.py --full --url http://[DOMAIN] \| tee finalrecon_full.log &` | Run full recon in the background, log to file |
| `python3 finalrecon.py --sub --url http://[DOMAIN]` | Subdomain enumeration only |
| `python3 finalrecon.py --dir --url http://[DOMAIN]` | Directory brute-forcing only |
| `python3 finalrecon.py --crawl --url http://[DOMAIN]` | Spider target |
| `python3 finalrecon.py --wayback --url http://[DOMAIN]` | Fetch Wayback Machine URLs |
| `recon-ng` | Launch Recon-ng framework |
| `workspaces create [PROJECT]` | Create isolated workspace in Recon-ng (v5 syntax; v4 used `workspaces add`) |
| `db insert domains` | Add target domain to the Recon-ng DB |
| `marketplace search [KEYWORD]` | Find modules in Recon-ng |
| `marketplace install [MODULE]` | Install module |
| `modules load [MODULE]` then `run` | Execute module |
| `echo "[TARGET_IP] [DOMAIN]" \| sudo tee -a /etc/hosts` | Pre-scan: map domain to IP |
| `nmap -sC -sV -oA nmap_scan [DOMAIN]` | Parallel Nmap while automation runs |
Deep Dive & Workflow
Pre-Scan Setup (Critical)
Before any automation:
```bash
# Map domain to IP
echo "[TARGET_IP] [DOMAIN]" | sudo tee -a /etc/hosts
# Create workspace
mkdir Recon_Target && cd Recon_Target
```
FinalRecon Flags
| Flag | Description |
|---|---|
| `--full` | Runs ALL modules, including headers, SSL, WHOIS, DNS, subdomains, crawling |
| `--sub` | Subdomain enumeration |
| `--dir` | Directory brute-force |
| `--crawl` | Spider target |
| `--wayback` | Wayback Machine URL harvesting |
Golden command: `python3 finalrecon.py --full --url http://[DOMAIN] | tee finalrecon_full.log &`
- `| tee` saves the output to a file AND shows it on screen
- `&` puts the whole pipeline in the background, so the terminal is returned immediately; follow progress with `tail -f finalrecon_full.log`, and check `jobs` if it appears to hang (a background job that reads from the terminal is stopped until you `fg` it)
- Check `dumps/[DOMAIN]/` for structured output files
Recon-ng Workflow
```text
recon-ng                        # launch the framework
workspaces create [project]     # isolates target data (Recon-ng v5 syntax; v4 used "workspaces add")
db insert domains               # enter the domain when prompted
marketplace search [keyword]    # find modules
marketplace install [module]    # install
modules load [module]           # load the module, then:
run
```
Parallel Manual Checks (While Automation Runs)
While FinalRecon runs (10-20 min), immediately do:
- Manual browse → Wappalyzer, copyright dates, "Powered By" footers
- `curl http://[DOMAIN]/robots.txt` → note Disallow paths
- `curl https://[DOMAIN]/.well-known/security.txt` → internal emails
- Separate tab: `nmap -sC -sV -oA nmap_scan [DOMAIN]`
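The robots.txt and security.txt checks above produce text you still have to read by hand. As an added example (not code from the original page or from FinalRecon), the two shell functions below extract the useful parts: `robots_paths` turns the Disallow/Allow lines of a saved robots.txt into a deduplicated list of concrete path prefixes (wildcards, query strings and the bare `/` removed), and `security_contacts` pulls the contact addresses out of security.txt. Both sample files are constructed, not fetched from any real host.

```bash
#!/usr/bin/env bash
# Added example: parse robots.txt / security.txt into recon seed lists.
# Sample inputs below are constructed for illustration (no real target).
set -euo pipefail
export LC_ALL=C   # deterministic sort order

# robots_paths: stdin (robots.txt) -> unique Disallow/Allow paths, one per
# line. Leading/trailing whitespace (incl. CR) is trimmed, anything from the
# first '*', '?' or '$' onwards is dropped so each entry is a concrete
# prefix, and the bare "/" is discarded because it carries no information.
robots_paths() {
    awk -F: 'tolower($1) ~ /^[[:space:]]*(dis)?allow[[:space:]]*$/ {
                 path = $2
                 sub(/^[[:space:]]+/, "", path); sub(/[[:space:]]+$/, "", path)
                 sub(/[?*$].*/, "", path)
                 if (path != "" && path != "/") print path
             }' | sort -u
}

# security_contacts: stdin (security.txt) -> unique Contact values with the
# "mailto:" scheme stripped, so emails and report URLs list cleanly.
security_contacts() {
    awk '/^[Cc]ontact:/ {
             sub(/^[Cc]ontact:[[:space:]]*/, ""); sub(/\r$/, "")
             sub(/^mailto:/, ""); print
         }' | sort -u
}

# Constructed sample robots.txt (what `curl http://[DOMAIN]/robots.txt` might return).
ROBOTS_SAMPLE=$(cat <<'EOF'
User-agent: *
Disallow: /admin/
Disallow: /backup/*.zip
Disallow: /
Disallow: /search?q=
Allow: /public/
Sitemap: https://example.com/sitemap.xml
EOF
)

# Constructed sample security.txt.
SECURITY_SAMPLE=$(cat <<'EOF'
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2026-01-01T00:00:00.000Z
EOF
)

echo "[robots.txt paths]"
printf '%s\n' "$ROBOTS_SAMPLE" | robots_paths
echo "[security.txt contacts]"
printf '%s\n' "$SECURITY_SAMPLE" | security_contacts
```

Pipe the real file in (`curl -s http://[DOMAIN]/robots.txt | robots_paths`) and request each path directly, or strip the leading slash with `sed 's#^/##'` to use the list as an extra wordlist for the directory brute-force run.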
Troubleshooting FinalRecon
- `AttributeError: top_domain_under_public_suffix` → edit `finalrecon.py` line ~201: change `.top_domain_under_public_suffix` → `.registered_domain`. The attribute comes from the tldextract library; the error means the installed tldextract is older than the version FinalRecon expects, so upgrading tldextract in the tool's environment is the alternative fix.
- Tool crashes? → Don't get stuck. Switch to manual:
  - Subdomains: `gobuster dns -d [DOMAIN] -w [WORDLIST]`
  - Directories: `feroxbuster -u http://[DOMAIN]`
  - Vulns: `nikto -h http://[DOMAIN]`
CPTS Golden Rule: Never let a broken tool stop your exam. If automation fails, switch to manual immediately. Documentation > perfect tooling.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| ReconFTW or similar tool times out on large scope | Too many targets for a single tool run | Split by subnet or domain; run the tool's passive-only mode first (reconftw: `-p`), then the active modes in phases |
| Automated scan hits rate limit on OSINT APIs | API key exhaustion or rate limit reached | Register free API keys for Shodan, Censys, SecurityTrails; configure them in the tool's config file (Recon-ng: `keys add [NAME] [KEY]`) |
| Automation misses custom/internal subdomains | Public OSINT only, internal DNS not queried | Combine passive automation with active DNS brute-force against discovered DNS servers |
| Tool produces duplicate results across multiple runs | No deduplication built into tool | Pipe output through sort -u; maintain a master hosts.txt with deduplication enforced |
| Automated web scan triggers WAF and IPs get blocked | Too aggressive scan rate | Configure toolβs delay settings; use rotating proxies if available; reduce thread count |
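The checklist's "aggregate all findings into an organised loot structure" step and the duplicate-results row above both come down to the same chore: merging hostnames from several tools into one master list that is deduplicated and scoped. As an added example (not from the original page or any of the tools it names), the script below does that with `sort -u` plus the normalisation that raw `sort -u` misses: case folding, trailing dots from DNS output, `*.` wildcard labels, comments and blank lines, and a scope filter so a look-alike domain does not slip into hosts.txt. The scope regex and the three tool output files are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: merge subdomain output from several tools into one
# deduplicated, in-scope master list. Inputs below are constructed.
set -euo pipefail
export LC_ALL=C   # deterministic sort order

# Hypothetical scope from the engagement letter (assumption): example.com
# and its subdomains only.
SCOPE_REGEX='(^|\.)example\.com$'

# normalise_hosts: stdin -> stdout. Lowercase, strip all whitespace, drop a
# trailing dot and a leading "*." wildcard label, skip blank/comment lines,
# then dedupe. Wildcards collapse to their base name on purpose.
normalise_hosts() {
    awk '{
            $0 = tolower($0)
            gsub(/[[:space:]]/, "")
            sub(/\.$/, ""); sub(/^\*\./, "")
            if ($0 != "" && $0 !~ /^#/) print
         }' | sort -u
}

# in_scope: keep only hosts matching SCOPE_REGEX (stdin -> stdout).
# "|| true" so an empty result does not abort the pipeline under pipefail.
in_scope() {
    grep -E "$SCOPE_REGEX" || true
}

# merge_hosts MASTER FILE...: fold FILE... into MASTER, keeping it unique and
# in scope. Re-running with the same inputs is a no-op (idempotent).
merge_hosts() {
    local master=$1; shift
    touch "$master"
    cat "$@" "$master" | normalise_hosts | in_scope > "$master.tmp"
    mv "$master.tmp" "$master"
}

# count_hosts FILE: number of unique hosts in the master list.
count_hosts() { wc -l < "$1" | tr -d ' '; }

# Constructed sample output from three tools (not real scan results).
work=$(mktemp -d)
printf 'WWW.example.com\napi.example.com.\n*.example.com\n' > "$work/amass.txt"
printf 'api.example.com\ndev.example.com\nexample.com\n'    > "$work/subfinder.txt"
printf 'mail.example.com\nexample.com.evil-lookalike.net\n# comment\n\n' > "$work/dnsx.txt"

merge_hosts "$work/hosts.txt" "$work/amass.txt" "$work/subfinder.txt"
merge_hosts "$work/hosts.txt" "$work/dnsx.txt"   # second run adds only new, in-scope names
echo "master list ($(count_hosts "$work/hosts.txt") hosts):"
cat "$work/hosts.txt"
```

Run `merge_hosts loot/hosts.txt amass.txt subfinder.txt dnsx.txt` after every tool finishes; because the function rebuilds the file from its inputs plus the existing master, repeated runs never duplicate entries, and anything outside the scope regex is logged nowhere, which is the point.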
Reporting Trigger
Finding Title: (Automating recon is operational methodology β document tools used, scope covered, and any access denied or rate-limited resources in the methodology section. Individual findings from automated tools become separate report entries.)