🛡️ Methodology Checklist

  • Passive recon: WHOIS, crt.sh, Wayback, Shodan, Google dorks
  • DNS enumeration: zone transfer, brute-force, vhost fuzzing
  • Active recon: Nmap web ports, Nikto, whatweb
  • Directory/file brute-force: ffuf -u http://[TARGET]/FUZZ -w [WORDLIST]
  • Subdomain + vhost discovery
  • Technology fingerprinting and CVE mapping
  • Manual content review: source code, JS files, error messages

🎯 Operational Context

Use when: planning a web recon engagement. This is a reference for selecting the right tool for each phase without context switching.

Think Dumber First: start with passive sources (WHOIS, CT logs, Wayback, Shodan), then move to active enumeration (vhost, subdomain brute-force, crawl, fingerprint). Resist jumping to SQLMap before the full surface is mapped.

Skip when: N/A. This is a reference document, not an operational procedure.

⚡ Tactical Cheatsheet

Passive recon

Command → Tactical Outcome
whois [DOMAIN] → WHOIS registrar, contacts, nameservers
curl -s "https://crt.sh/?q=[DOMAIN]&output=json" | jq -r '.[] | .name_value' | sed 's/\*\.//g' | sort -u > crt_sh_results.txt → CT log subdomain extraction
site:[DOMAIN] -site:www.[DOMAIN] → Google — find subdomains
site:[DOMAIN] (inurl:login OR inurl:admin OR inurl:portal) → Google — find admin panels
site:[DOMAIN] filetype:pdf → Google — exposed documents
site:[DOMAIN] (ext:conf OR ext:env OR filetype:sql OR filetype:bak) → Google — configs and backups
site:[DOMAIN] intitle:"index of" "parent directory" → Google — directory listings

DNS enumeration

Command → Tactical Outcome
dig [DOMAIN] A → IPv4
dig [DOMAIN] MX → Mail servers
dig [DOMAIN] NS → Nameservers
dig [DOMAIN] TXT → TXT records (SPF, third-party services)
dig [DOMAIN] SOA → Zone admin info
dig @[NAMESERVER] [DOMAIN] → Query specific nameserver
dig +trace [DOMAIN] → Full resolution path
dig -x [TARGET_IP] → Reverse lookup
dig axfr [DOMAIN] @[TARGET_IP] → Zone transfer
echo "[TARGET_IP] [DOMAIN]" | sudo tee -a /etc/hosts → Map domain locally

Subdomain & VHost

Command → Tactical Outcome
dnsenum --enum [DOMAIN] -f [WORDLIST] -r → DNS brute-force with recursion
fierce --domain [DOMAIN] → Wildcard detection + recursive
gobuster vhost -u http://[DOMAIN] -w [WORDLIST] --append-domain -t 50 → VHost fuzzing
ffuf -w [WORDLIST]:FUZZ -u http://[TARGET_IP] -H "Host: FUZZ.[DOMAIN]" -fs [SIZE] → ffuf VHost (with size filter)
gobuster vhost -u http://[DOMAIN] -w [WORDLIST] --append-domain --exclude-length [SIZE] → Filter false positives
cewl -d 2 -m 5 https://[DOMAIN] -w keywords.txt → Custom wordlist from site

Fingerprinting

Command → Tactical Outcome
curl -I http://[TARGET_IP] → HTTP headers — server, OS, CMS
wafw00f [DOMAIN] → WAF detection
nikto -h [TARGET_IP] -Tuning b → Software identification
gobuster dir -u http://[TARGET_IP]:[PORT] -w /usr/share/wordlists/dirb/common.txt → Directory brute-force
curl http://[TARGET_IP]/robots.txt → Robots.txt — disallowed paths
curl -v https://[TARGET_IP]/.well-known/openid-configuration → OIDC auth endpoints
curl http://[TARGET_IP]/.well-known/security.txt → Security contact

Crawling & Automation

Command → Tactical Outcome
python3 ReconSpider.py http://[DOMAIN] → Crawl — outputs results.json
cat results.json | jq -r '.emails' → Extract emails
cat results.json | jq -r '.comments' → Extract dev comments
python3 finalrecon.py --full --url http://[DOMAIN] | tee finalrecon_full.log & → Full auto-recon in background
python3 finalrecon.py --wayback --url http://[DOMAIN] → Wayback URL harvest

Wordlist Management

Command → Tactical Outcome
echo "dev.[DOMAIN]" > list.txt → Create new list
echo "test.[DOMAIN]" >> list.txt → Append to list
sort -u master_list.txt -o master_list.txt → Deduplicate list
echo {dev,test,prod}-{api,web,mail}.[DOMAIN] | tr ' ' '\n' >> list.txt → Generate patterns

🔬 Deep Dive & Workflow

DNS Enumeration

Subdomain & VHost

Fingerprinting

Crawling & Automation

Wordlist Management


🛠️ Troubleshooting & Edge Cases

Problem: Unsure which tool to start with
  Cause: Too many options
  Fix: Start with WHOIS → subfinder → dnsx → whatweb → ffuf (dirs) → nikto, in that order

Problem: Recon taking too long
  Cause: Unfocused tooling
  Fix: Set a time-box: 30 min passive, 30 min active enumeration before switching to exploitation

Problem: Tools return conflicting information
  Cause: Different data sources
  Fix: Trust active results over passive; passive sources lag by hours to days

Problem: VPN drops mid-recon
  Cause: HTB/THM infrastructure issue
  Fix: Re-establish the VPN and resume from the last completed tool; save all outputs to files

Problem: Results lost after terminal close
  Cause: No output logging
  Fix: Always redirect output: tool [args] | tee -a output.txt; use screen or tmux

📝 Reporting Trigger

Finding Title: Insufficient Web Application Enumeration Controls

Impact: Lack of a web application inventory and perimeter monitoring allows external enumeration to discover the attack surface without detection, enabling targeted exploitation of exposed services.

Root Cause: No external attack surface management (EASM) program. Absence of automated monitoring for new subdomain creation, certificate issuance, and web asset changes.

Recommendation: Implement continuous EASM tooling (e.g., Shodan Monitor, SecurityTrails alerts). Conduct quarterly web recon audits. Establish a web asset inventory with ownership tracking.
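As an added example (not part of the original cheatsheet), the crt.sh query from the passive-recon table turned into the defender-side check this recommendation calls for: parse the crt.sh JSON, normalise names the way the jq/sed/sort pipeline does, and report any name absent from the asset inventory. The sample JSON, the inventory and the example.com scope are constructed placeholders.

```python
import json
import re

# Constructed sample of the JSON array that
# curl -s "https://crt.sh/?q=example.com&output=json" returns, trimmed to the
# fields used here. Hostnames and issuers are made up for this example.
SAMPLE_CRT_SH_JSON = json.dumps([
    {"issuer_name": "O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "O=Example CA", "name_value": "*.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "Dev.Example.COM"},
    {"issuer_name": "O=Example CA", "name_value": "staging-api.example.com\nstaging-api.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "example.com.mirror.invalid"},
])

# Hypothetical asset inventory: what the organisation believes it owns.
KNOWN_ASSETS = {"example.com", "www.example.com", "dev.example.com"}

# Plain DNS hostnames only; underscore records (e.g. _dmarc) are out of scope here.
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def extract_hosts(crt_sh_json, domain):
    """Python equivalent of the jq | sed | sort -u pipeline from the cheatsheet.

    One crt.sh entry can carry several names separated by newlines, names may
    differ in case, and wildcard entries are prefixed "*.": all three are
    normalised, and anything outside the scope domain is dropped.
    """
    hosts = set()
    for entry in json.loads(crt_sh_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]          # sed 's/\*\.//g' keeps the base domain
            in_scope = name == domain or name.endswith("." + domain)
            if in_scope and _HOST_RE.match(name):
                hosts.add(name)
    return hosts


def unknown_hosts(crt_sh_json, domain, inventory):
    """Names present in CT logs but missing from the asset inventory: these are
    the alerts an EASM process should raise on new certificate issuance."""
    return sorted(extract_hosts(crt_sh_json, domain) - set(inventory))


if __name__ == "__main__":
    for host in unknown_hosts(SAMPLE_CRT_SH_JSON, "example.com", KNOWN_ASSETS):
        print("not in inventory:", host)
```

Feed it the file produced by the crt.sh command (or a fresh query on a schedule) and any printed host is a candidate for the inventory or for an alert.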