# Phase 1: Reconnaissance (RECON)

## Overview

Phase 1 builds on the attack surface mapped in Phase 0.5 by performing comprehensive passive and active reconnaissance. This phase identifies additional subdomains, unused or legacy endpoints, historical vulnerabilities, and infrastructure details.

Purpose: Map the complete external attack surface before moving to detailed endpoint discovery.
## When to Skip Phase 1

Exception: The `--fast` flag ONLY skips Phase 1. This is appropriate when:
- Scope is pre-defined and tight (e.g., "test api.example.com only")
- Subdomain enumeration is not relevant
- Time is critical and internal scope is well-known

All other flags and execution modes require Phase 1.
## Wave-Based Parallel Execution

Phase 1 uses three parallel waves for efficiency:

```mermaid
graph TB
    A["Start Phase 1<br/>Recon"] --> B["Wave A<br/>3 parallel tools"]
    B --> C["Merge Results<br/>Subdomain list"]
    C --> D["Wave B<br/>3 parallel tools"]
    D --> E["Active Testing<br/>httpx, naabu"]
    E --> F["Wave C<br/>Bug-bounty only"]
    F --> G["Aggregate<br/>recon-results.json"]
    G --> H["Continue to<br/>Phase 2: Discovery"]
    style A fill:#4a148c,color:#fff
    style H fill:#4a148c,color:#fff
    style C fill:#ab47bc,color:#fff
    style E fill:#ab47bc,color:#fff
    style G fill:#0277bd,color:#fff
```
## Wave A: Subdomain Enumeration (3 parallel agents)

### Agent 1: Certificate Transparency + DNS Enumeration

Tools: subfinder, crt.sh
Enumerates subdomains from certificate transparency logs. These are official subdomains for which TLS certificates were issued, so they are authoritative even when no other public record mentions them.
Output example:

```text
api.example.com
app.example.com
admin.example.com
mail.example.com
staging.example.com
test.example.com
dev.example.com
old.example.com
```
Value: Discovers legitimate subdomains often not documented in public records.
### Agent 2: Historical Archives + HTTP Archive

Tools: waybackurls, gau, waymore
Query the Internet Archive (Wayback Machine) for all URLs ever crawled on the domain. These reveal:
- Endpoints that existed but were removed
- Legacy API versions (e.g., `/api/v1/` when current is `/api/v3/`)
- Old functionality (e.g., `/admin/`, `/test/`)
- Subdomain discovery from archived URLs
```bash
# waybackurls: URLs the Wayback Machine has crawled for the domain
docker run --rm -v "$(pwd)":/work pentest-tools \
    waybackurls example.com | tee recon/wayback-urls.txt

# gau: same idea across several archives, driven from Python here
docker run --rm -v "$(pwd)":/work pentest-tools \
    /opt/pentest-venv/bin/python3 << 'PYEOF'
import subprocess

result = subprocess.run(['gau', 'example.com'], capture_output=True, text=True)
with open('recon/gau-urls.txt', 'w') as f:
    f.write(result.stdout)
PYEOF

# waymore: archive mode B, grep-able output
docker run --rm -v "$(pwd)":/work pentest-tools \
    waymore -i example.com -mode B -oG recon/waymore-urls.txt
```
Output: List of historical URLs, many revealing forgotten endpoints.
Value: Reveals endpoints that were deprecated/removed but may still be accessible or leave data behind.
### Agent 3: SSL/TLS Enumeration + Tech Stack Fingerprinting

Tools: openssl, tech fingerprinting scripts

Extract SSL certificate information and server details:

```bash
openssl s_client -connect example.com:443 -servername example.com < /dev/null \
    | openssl x509 -noout -text > recon/ssl-cert.txt
```
Extract from certificate:
- Issuer: Certificate authority (indicates infrastructure choices)
- Subject Alternative Names (SAN): All domains covered by the cert (reveals subdomains)
- Serial Number: Track organizational patterns
- Validity Period: Certificate lifecycle
Value: Additional subdomains from SAN field often missed by CT log enumerators.
### Wave A Merge Point

After all three agents complete, merge subdomain lists:

```bash
cat recon/subdomains-ct.txt recon/wayback-urls.txt recon/gau-urls.txt \
    | grep -oE '([a-zA-Z0-9-]+\.)*example\.com' \
    | sort -u > recon/subdomains-merged.txt
```
Result: 50-500 subdomains depending on organization size.
## Wave B: Active Testing (3 parallel agents)
After subdomain enumeration, test which hosts are actually alive and responding:
### Agent 1: DNS Resolution

Tool: dnsx

Resolve all subdomains to IP addresses to identify dangling records and shadow infrastructure:

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
    dnsx -l recon/subdomains-merged.txt -o recon/dns-resolved.txt
```
Output:

```text
api.example.com [1.2.3.4]
staging.example.com [CNAME staging-aws.example.com]
old.example.com [NXDOMAIN]
```
Value: Distinguishes active from inactive subdomains; reveals CDN/infrastructure via CNAME targets.
### Agent 2: HTTP/HTTPS Live Host Detection

Tool: httpx

Probe each subdomain for web services on ports 80, 443, and common alternatives:

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
    httpx -l recon/dns-resolved.txt -o recon/httpx-results.txt -status-code
```
Output:

```text
https://api.example.com [200] [12.3 KB] [Spring Boot 3.0]
http://staging.example.com [502] [Bad Gateway]
https://old.example.com [200] [8KB] [Apache 2.4]
```
Value: Identifies responsive web services and basic tech fingerprinting.
### Agent 3: Port Scanning

Tool: naabu

Scan for non-standard web ports (8080, 8443, 3000, 5000, etc.) that may be exposed APIs or admin panels:

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
    naabu -l recon/subdomains-merged.txt -p 8080,8443,3000,5000,9000,9001 \
    -o recon/naabu-results.txt
```
Output:

```text
api.example.com:8080 [OPEN]
staging.example.com:5000 [OPEN] [Flask development server]
old.example.com:3000 [OPEN] [Node.js]
```
Value: Discovers non-standard services and development/staging servers exposed to internet.
### Wave B Result

After Wave B, you have:
- ✅ All active subdomains
- ✅ IP addresses and infrastructure
- ✅ Responsive web services
- ✅ Open non-standard ports
- ✅ Initial tech stack hints
## Wave C: Advanced Enumeration (Bug-Bounty Mode Only)

When the `--bug-bounty` flag is used, additional aggressive enumeration runs:

### Agent 1: Permutation-Based Subdomain Generation

Tools: alterx, puredns
Generate potential subdomain names based on patterns, then validate:
```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
    alterx -l wordlist.txt -d example.com -o recon/alterx-subdomains.txt

docker run --rm -v "$(pwd)":/work pentest-tools \
    puredns bruteforce wordlist.txt example.com -r resolvers.txt \
    -o recon/puredns-subdomains.txt
```
Wordlist patterns: admin, api, test, staging, dev, old, backup, cdn, etc.
### Agent 2: ASN Enumeration + IP Range Enumeration

Tools: asnmap, uncover
For large organizations, enumerate ASN (Autonomous System Number) and all IP ranges:
```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
    asnmap -asn AS1234 -o recon/asn-ips.txt

docker run --rm -v "$(pwd)":/work pentest-tools \
    uncover -q "org:example.com" -e shodan,censys,fofa -o recon/uncover-ips.txt
```
Value: Discovers infrastructure owned by parent company or related entities.
## Output Files

| File | Content | Size / Format |
|---|---|---|
| recon/subdomains-merged.txt | Unique subdomains (one per line) | 50-500 subdomains |
| recon/dns-resolved.txt | Subdomains with DNS records | JSON format |
| recon/httpx-results.txt | Live web services with status | CSV format |
| recon/naabu-results.txt | Open ports and services | JSON format |
| recon-report.md | Human-readable summary | Markdown |
## Key Statistics

Track these metrics:
- Subdomains discovered: Total unique subdomains from all sources
- Live hosts: Subdomains with DNS A/CNAME records
- Web services: Subdomains responding to HTTP/HTTPS
- Open ports: Non-standard ports discovered
- Tech stack: Framework/server versions identified
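The Wave B outputs shown above are easy to eyeball but awkward to total up by hand. The following is an added example (not the pipeline's own aggregator) that parses the display formats of dnsx, httpx and naabu as printed on this page into the Key Statistics and a `recon-results.json`-style structure. All sample inputs are constructed to match those formats; the mapping of the third httpx bracket to a tech hint and the second naabu bracket to a banner is an assumption about that display format, and the real tools' JSON output modes would replace the regex parsing. It also adds one consistency check the page's own samples trip: a host that answers HTTP or has open ports but no A/CNAME record in the dnsx output.

```python
"""Added example: aggregate Wave B display output into Key Statistics."""
import json
import re
from typing import Dict, List

# Constructed samples (not real tool output): merged list plus Wave B outputs.
MERGED_SAMPLE = """\
api.example.com
staging.example.com
old.example.com
dev.example.com
mail.example.com
"""
DNSX_SAMPLE = """\
api.example.com [1.2.3.4]
staging.example.com [CNAME staging-aws.example.com]
old.example.com [NXDOMAIN]
dev.example.com [5.6.7.8]
"""
HTTPX_SAMPLE = """\
https://api.example.com [200] [12.3 KB] [Spring Boot 3.0]
http://staging.example.com [502] [Bad Gateway]
https://old.example.com [200] [8KB] [Apache 2.4]
"""
NAABU_SAMPLE = """\
api.example.com:8080 [OPEN]
staging.example.com:5000 [OPEN] [Flask development server]
old.example.com:3000 [OPEN] [Node.js]
"""

BRACKET = re.compile(r"\[([^\]]*)\]")


def parse_fields(line: str):
    """Split 'token [a] [b] ...' into (token, ['a', 'b', ...])."""
    head, _, rest = line.strip().partition(" ")
    return head, BRACKET.findall(rest)


def parse_dnsx(text: str) -> Dict[str, dict]:
    """Map host -> {'type': 'A' | 'CNAME' | 'NXDOMAIN', 'value': ...}."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, fields = parse_fields(line)
        value = fields[0] if fields else "NXDOMAIN"
        if value == "NXDOMAIN":
            records[host] = {"type": "NXDOMAIN", "value": None}
        elif value.startswith("CNAME "):
            records[host] = {"type": "CNAME", "value": value[len("CNAME "):]}
        else:
            records[host] = {"type": "A", "value": value}
    return records


def parse_httpx(text: str) -> List[dict]:
    """One entry per probed URL; third bracket is treated as the tech hint (assumption)."""
    services = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, fields = parse_fields(line)
        status = int(fields[0]) if fields and fields[0].isdigit() else None
        tech = fields[2] if len(fields) > 2 else None
        host = url.split("://", 1)[-1].split("/")[0].split(":")[0]
        services.append({"url": url, "host": host, "status": status, "tech": tech})
    return services


def parse_naabu(text: str) -> List[dict]:
    """One entry per host:port line; second bracket is treated as a banner (assumption)."""
    ports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hostport, fields = parse_fields(line)
        host, _, port = hostport.rpartition(":")
        ports.append({"host": host, "port": int(port),
                      "state": fields[0] if fields else None,
                      "banner": fields[1] if len(fields) > 1 else None})
    return ports


def aggregate(merged: str, dnsx_text: str, httpx_text: str, naabu_text: str) -> dict:
    """Build the Key Statistics plus a consistency check across the three outputs."""
    subdomains = sorted({ln.strip() for ln in merged.splitlines() if ln.strip()})
    dns = parse_dnsx(dnsx_text)
    web = parse_httpx(httpx_text)
    ports = parse_naabu(naabu_text)
    live = sorted(h for h, r in dns.items() if r["type"] in ("A", "CNAME"))
    tech = sorted({s["tech"] for s in web if s["tech"]}
                  | {p["banner"] for p in ports if p["banner"]})
    # A host that answers HTTP or has open ports but no A/CNAME record in dnsx
    # points at a stale list or a resolver problem and needs a re-check.
    reachable = {s["host"] for s in web} | {p["host"] for p in ports}
    inconsistent = sorted(h for h in reachable if h not in live)
    return {
        "subdomains_discovered": len(subdomains),
        "live_hosts": len(live),
        "web_services": len(web),
        "open_ports": sum(1 for p in ports if p["state"] == "OPEN"),
        "tech_stack": tech,
        "dns_inconsistencies": inconsistent,
        "details": {"dns": dns, "web": web, "ports": ports},
    }


if __name__ == "__main__":
    print(json.dumps(aggregate(MERGED_SAMPLE, DNSX_SAMPLE, HTTPX_SAMPLE, NAABU_SAMPLE), indent=2))
```

On the page's own sample data this reports 5 subdomains, 3 live hosts, 3 web services, 3 open ports, and flags `old.example.com`, which is NXDOMAIN in the dnsx output yet answers on 443 and 3000; that is exactly the kind of contradiction to resolve before the numbers go into `recon-report.md`.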
## Common Findings
| Finding | Impact | Example |
|---|---|---|
| Staging environment exposed | High | staging.example.com accessible without auth |
| Development server on internet | High | dev.example.com:3000 with debug mode ON |
| Old API version still accessible | Medium | /api/v1/ still responds when current is /api/v3/ |
| Subdomain takeover risk | High | old.example.com DNS points to unclaimed AWS bucket |
| Shadow IT infrastructure | Medium | backup.example.com with custom database |
## Scope Confirmation
After Phase 1, confirm all discovered assets are in scope:
- ❌ Exclude any subdomains explicitly listed in scope.txt with ! prefix
- ✅ Include only example.com and *.example.com patterns
- ❌ Stop if out-of-scope domains discovered (clarify with client)
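The Wave A merge step above extracts hostnames with an unanchored `grep -oE`, which also pulls `example.com` out of look-alike names such as `fakeexample.com` or out of a URL path, so the scope check here is where that gets caught. The following is an added example (not the pipeline's own scope logic) that serves both the merge step and this Scope Confirmation step: it normalises bare hostnames and full URLs into lower-cased hosts, then applies the `scope.txt` rules. The `scope.txt` format is an assumption, since the page does not define it beyond the `!` exclusion prefix and the `*.example.com` pattern: one entry per line, an exact host, a `*.` wildcard, or `!host` to exclude. All sample data is constructed.

```python
"""Added example: hostname normalisation plus scope.txt filtering."""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample of merged Wave A input: bare hosts from CT/DNS plus
# full URLs from the archive tools, including look-alike domains.
SAMPLE_LINES = """\
api.example.com
Admin.Example.com
https://old.example.com/api/v1/users?id=1
http://staging.example.com:8080/debug
https://cdn.notexample.com/example.com/logo.png
https://fakeexample.com/login
https://example.com.evil.test/phish
HTTPS://dev.example.com/
"""

# Constructed scope.txt contents (format assumed, see lead-in).
SAMPLE_SCOPE = """\
example.com
*.example.com
!mail.example.com
!staging.example.com
"""


def extract_host(line: str) -> Optional[str]:
    """Return the lower-cased hostname from a bare host or a full URL."""
    line = line.strip()
    if not line:
        return None
    if "://" in line:
        host = urlsplit(line).hostname  # drops scheme, port, path and query
    else:
        host = line.split("/")[0].split(":")[0]  # bare host, maybe with a port
    return host.lower() if host else None


def parse_scope(text: str) -> Tuple[List[str], Set[str]]:
    """Split scope.txt into include patterns and excluded hosts."""
    include: List[str] = []
    exclude: Set[str] = set()
    for raw in text.splitlines():
        pat = raw.strip().lower()
        if not pat or pat.startswith("#"):
            continue
        if pat.startswith("!"):
            exclude.add(pat[1:])
        else:
            include.append(pat)
    return include, exclude


def in_pattern(host: str, pattern: str) -> bool:
    """Exact match, or a genuine subdomain of a '*.' pattern.

    The suffix test is anchored on the dot, so 'fakeexample.com' and
    'example.com.evil.test' never match '*.example.com'.
    """
    if pattern.startswith("*."):
        base = pattern[2:]
        return host != base and host.endswith("." + base)
    return host == pattern


def classify(lines: str, scope_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (in_scope, excluded, out_of_scope) hostnames, each sorted."""
    include, exclude = parse_scope(scope_text)
    in_scope: Set[str] = set()
    excluded: Set[str] = set()
    out_of_scope: Set[str] = set()
    for line in lines.splitlines():
        host = extract_host(line)
        if host is None:
            continue
        if host in exclude:
            excluded.add(host)
        elif any(in_pattern(host, p) for p in include):
            in_scope.add(host)
        else:
            out_of_scope.add(host)  # stop here and clarify with the client
    return sorted(in_scope), sorted(excluded), sorted(out_of_scope)


if __name__ == "__main__":
    ok, skipped, unknown = classify(SAMPLE_LINES, SAMPLE_SCOPE)
    print("in scope:", ok)
    print("excluded by scope.txt:", skipped)
    print("OUT OF SCOPE, clarify before testing:", unknown)
```

Only the `in_scope` list should be written to `recon/subdomains-merged.txt`; anything in the third list is the trigger for the "stop and clarify" rule above rather than something to quietly drop.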
## Next Phase
After Phase 1 completes, proceed to Phase 2: Discovery to enumerate endpoints, parameters, and hidden files on all discovered hosts.