This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Passive Reconnaissance

Methodology Framework

This methodology follows established OSINT frameworks for systematic information gathering without direct target interaction, ensuring zero detection while maximizing intelligence collection.

Reconnaissance Flow

Target Identification → Domain Intelligence → Infrastructure Enumeration → Technology Analysis → Human Intelligence → Digital Assets → Analysis → Documentation

Core Principles

  • Zero Detection: No direct interaction with target systems

  • Public Sources Only: All information from publicly accessible resources

  • Systematic Approach: Structured progression through intelligence domains

  • Evidence-Based: All findings documented with sources and timestamps


Phase 1: Target Identification

1.1 Organization Profiling

Objective: Establish comprehensive organizational context and scope

Step 1.1.1: Business Registration Lookup

  • Execute whois target.com for domain registration details

  • Execute whois target-ip-range for network allocation information

  • Research corporate structure through business registration databases

Step 1.1.2: Corporate Structure Research

Manual research areas include:

  • SEC filings and annual reports

  • Business registration databases

  • Parent and subsidiary relationships

  • Recent acquisitions and mergers

  • Corporate governance structure

1.2 Initial Domain Enumeration

Objective: Identify primary domains and naming conventions

Step 1.2.1: Root Domain Validation

  • Query dig target.com A for IPv4 addresses

  • Query dig target.com AAAA for IPv6 addresses

  • Query dig target.com MX for mail server records

  • Query dig target.com NS for name server information

Step 1.2.2: Alternative Domain Discovery

Research domain variations including:

  • Alternative TLDs: target.org, target.net, target.biz

  • Corporate variations: target-corp.com, targetcompany.com

  • Regional variations: target-uk.com, eu.target.com

  • Acquired company domains from merger history

1.3 Scope Definition

Objective: Define reconnaissance boundaries and prioritization

Asset Priority Matrix:

Priority   Asset Type                            Examples
Critical   Primary domains, main infrastructure  target.com, www.target.com
High       Subdomains, email systems             mail.target.com, api.target.com
Medium     Development environments              dev.target.com, staging.target.com
Low        Legacy domains, archived sites        old.target.com, archive.target.com


Phase 2: Domain Intelligence

2.1 DNS Infrastructure Analysis

Objective: Map DNS infrastructure and hosting relationships

Step 2.1.1: Name Server Analysis

  • Execute dig target.com NS to identify authoritative name servers

  • Execute dig target.com SOA for zone authority information

  • Analyze name server hosting patterns and providers

Step 2.1.2: MX Record Analysis

  • Execute dig target.com MX for mail server configuration

  • Identify mail hosting providers and security services

  • Analyze mail server priority and redundancy

Step 2.1.3: TXT Record Enumeration

  • Execute dig target.com TXT for policy and verification records

  • Identify SPF, DKIM, and DMARC configurations

  • Discover verification tokens for third-party services
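As an added example (not from the original guide), the following Python parses SPF and DMARC TXT records exactly as dig prints them and reports the observations Step 2.1.3 is after: how strictly SPF fails unknown senders, which third parties are delegated sending rights, which verification tokens are present, and whether DMARC actually enforces anything. The record set is constructed; the include target and the verification token are placeholders.

```python
import re

# Constructed TXT records as dig prints them (not a real lookup; the include
# target and the verification token are placeholders).
SAMPLE_TXT_RECORDS = {
    "target.com": [
        '"v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.invalid ~all"',
        '"google-site-verification=PLACEHOLDER_TOKEN"',
    ],
    "_dmarc.target.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@target.com; pct=100"'],
}

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
SPF_DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def unquote(txt):
    """dig prints TXT data as one or more quoted strings; join and unquote them."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt)) or txt


def parse_spf(record):
    """Qualifier on 'all', networks, includes and lookup count, or None if not SPF."""
    terms = unquote(record).split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    spf = {"all": None, "ip4": [], "ip6": [], "include": [], "lookups": 0}
    for term in terms[1:]:
        # A term is [qualifier]mechanism[:value]; a missing qualifier means '+'.
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, value = body.partition(":" if ":" in body else "=")
        name = name.lower()
        if name == "all":
            spf["all"] = qualifier
        elif name in ("ip4", "ip6", "include"):
            spf[name].append(value)
        if name in SPF_DNS_TERMS:
            spf["lookups"] += 1
    return spf


def parse_dmarc(record):
    """DMARC tags as a dict, or None if the record is not v=DMARC1."""
    tags = {}
    for part in unquote(record).split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(records, domain):
    """Step 2.1.3 observations for one domain: SPF strength, delegated senders,
    third-party verification tokens and DMARC enforcement level."""
    findings = []
    for txt in records.get(domain, []):
        spf, data = parse_spf(txt), unquote(txt)
        if spf:
            if spf["all"] in (None, "+", "?"):
                findings.append("SPF never fails unknown senders (no all, +all or ?all)")
            elif spf["all"] == "~":
                findings.append("SPF softfail (~all): spoofed mail is tagged, not rejected")
            if spf["lookups"] > 10:
                findings.append("SPF exceeds the 10 DNS-lookup limit (permerror)")
            for inc in spf["include"]:
                findings.append(f"SPF delegates sending to third party {inc}")
        elif "-verification=" in data:
            findings.append(f"Third-party verification token: {data.split('=')[0]}")
    dmarc = next((d for d in map(parse_dmarc, records.get("_dmarc." + domain, [])) if d), None)
    if dmarc is None:
        findings.append("No DMARC record: receivers apply no policy to failed mail")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none: monitoring only, no enforcement")
    return findings
```

Feed it the TXT answers from `dig target.com TXT` and `dig _dmarc.target.com TXT` in place of the sample dict; `assess(records, "target.com")` returns the findings as plain strings for the evidence log.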

Step 2.1.4: Historical DNS Data

Research historical DNS information using:

  • SecurityTrails for DNS history analysis

  • DNSdumpster for comprehensive DNS mapping

  • Wayback Machine for historical DNS records

  • PassiveTotal for infrastructure correlation

2.2 Subdomain Discovery

Objective: Enumerate all discoverable subdomains

Step 2.2.1: Certificate Transparency Logs

  • Query certificate transparency databases using curl -s "https://crt.sh/?q=%.target.com&output=json"

  • Extract subdomain information from SSL certificates

  • Analyze certificate issuance patterns and authorities

Step 2.2.2: Search Engine Enumeration

Google search operators for subdomain discovery:

  • site:target.com -www to exclude main domain

  • site:*.target.com to find subdomain references

  • inurl:target.com to find URL patterns

Step 2.2.3: Dictionary-Based Discovery

Common subdomain patterns to research:

  • Administrative: admin, management, control, console

  • Development: dev, test, staging, beta, demo

  • Services: api, mail, ftp, vpn, portal, cdn

  • Departments: hr, finance, sales, support, marketing

  • Geographic: us, uk, eu, asia, americas
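To show how the crt.sh output from Step 2.2.1 becomes an inventory, and how the Step 2.2.3 keyword families label what comes back, here is an added Python example (not part of the original guide). The JSON is a constructed sample in crt.sh's field layout; the certificate ids, issuers and dates are invented, and AS_OF stands in for the collection date. It handles the three things that trip up a naive parser: several names per `name_value` separated by newlines, wildcard and out-of-scope names, and expired certificates that point at hosts which may no longer exist.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's ?q=%.target.com&output=json output.
# Not a real response: certificate ids, issuers and dates are invented.
SAMPLE_CRT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.target.com", "name_value": "target.com\nwww.target.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.target.com", "name_value": "*.target.com\ntarget.com",
     "not_before": "2023-05-01T00:00:00", "not_after": "2024-05-31T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.target.com", "name_value": "staging.target.com\nDEV.Target.com",
     "not_before": "2022-02-01T00:00:00", "not_after": "2022-05-01T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.target.com",
     "name_value": "api.target.com\nmail.target.com\nnot-target.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])

# Constructed collection date for the sample; use the real run time in practice.
AS_OF = datetime(2024, 4, 15)

# Keyword families from Step 2.2.3, used to label each discovered host.
CATEGORIES = {
    "administrative": {"admin", "management", "control", "console"},
    "development": {"dev", "test", "staging", "beta", "demo"},
    "services": {"api", "mail", "ftp", "vpn", "portal", "cdn"},
    "departments": {"hr", "finance", "sales", "support", "marketing"},
    "geographic": {"us", "uk", "eu", "asia", "americas"},
}


def in_scope(host, scope):
    """True for the scope domain itself or any name below it. 'not-target.com'
    ends with 'target.com' but not with '.target.com', so it is out of scope."""
    return host == scope or host.endswith("." + scope)


def extract_hostnames(raw_json, scope, now):
    """{hostname: info} for every in-scope, non-wildcard name in a crt.sh result.
    name_value can hold several newline-separated names, in mixed case and
    outside the queried scope, so each one is normalised and filtered alone."""
    hosts = {}
    for cert in json.loads(raw_json):
        not_after = datetime.fromisoformat(cert["not_after"])
        for raw in cert["name_value"].split("\n"):
            name = raw.strip().lower()
            if not name or not in_scope(name, scope) or name.startswith("*."):
                # A wildcard proves the zone issues certificates, not that any
                # particular host exists, so nothing is recorded for it.
                continue
            info = hosts.setdefault(name, {"issuers": set(), "cert_ids": [], "current": False})
            info["issuers"].add(cert["issuer_name"])
            info["cert_ids"].append(cert["id"])
            # 'current' only if at least one unexpired certificate names the host;
            # otherwise it is historical data (see 10.2, false positives).
            info["current"] = info["current"] or not_after >= now
    return hosts


def categorize(host, scope):
    """Label a host with the first Step 2.2.3 family any of its labels matches."""
    prefix = "" if host == scope else host[: -(len(scope) + 1)]
    for label in prefix.split("."):
        for category, words in CATEGORIES.items():
            if label in words:
                return category
    return "root" if not prefix else "other"


def summarize(raw_json, scope, now):
    """Sorted (host, category, current) rows ready for the asset inventory."""
    hosts = extract_hostnames(raw_json, scope, now)
    return sorted((h, categorize(h, scope), i["current"]) for h, i in hosts.items())
```

Pass the body returned by the `curl` command from Step 2.2.1 as `raw_json`; hosts flagged `False` in the last column were seen only on expired certificates and should be verified before they enter the inventory.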

2.3 Domain Relationships

Objective: Map domain relationships and trust boundaries

Step 2.3.1: Related Domain Discovery

Research naming pattern variations:

  • Division-based domains: target-[division].com

  • Geographic domains: [country].target.com, target.[country]

  • Temporal domains: target[year].com, target-[quarter].com

  • Product domains: [product].target.com

Step 2.3.2: Acquisition Research

  • Identify recently acquired companies through business intelligence

  • Check for maintained separate domain infrastructure

  • Research integration timelines and migration patterns


Phase 3: Infrastructure Enumeration

3.1 IP Address Intelligence

Objective: Map IP infrastructure and hosting providers

Step 3.1.1: IP Address Resolution

  • Execute dig target.com A for IPv4 address mapping

  • Execute dig target.com AAAA for IPv6 address information

  • Document all resolved IP addresses with timestamps

Step 3.1.2: Reverse DNS Enumeration

  • Execute dig -x target-ip for reverse DNS resolution

  • Identify hostname patterns and naming conventions

  • Map IP-to-hostname relationships

Step 3.1.3: IP Range Analysis

  • Execute whois target-ip for network allocation details

  • Identify hosting provider and geographic location

  • Determine allocated IP range and subnet information

  • Research ASN (Autonomous System Number) details

3.2 Hosting and Cloud Provider Analysis

Objective: Identify hosting infrastructure and cloud services

Step 3.2.1: Hosting Provider Identification

Analyze infrastructure components:

  • ASN information for network ownership

  • IP geolocation for data center locations

  • Hosting company business relationships

  • Service level and infrastructure tier analysis

Step 3.2.2: Cloud Service Detection

Identify cloud platform indicators:

  • AWS: amazonaws.com, cloudfront.net, s3.amazonaws.com

  • Azure: azurewebsites.net, azure.com, blob.core.windows.net

  • Google Cloud: googleusercontent.com, appspot.com, googleapis.com

  • Cloudflare: cloudflare.com, cdnjs.cloudflare.com

3.3 Content Delivery Networks

Objective: Map CDN usage and edge infrastructure

Step 3.3.1: CDN Detection

Identify CDN provider usage:

  • Cloudflare through NS records and IP ranges

  • Akamai through CNAME patterns and edge servers

  • MaxCDN through hostname patterns

  • Amazon CloudFront through distribution domains

Step 3.3.2: Edge Location Mapping

  • Determine geographic distribution of edge servers

  • Analyze caching policies and content delivery strategies

  • Identify performance optimization patterns


Phase 4: Technology Stack Analysis

4.1 Web Technology Fingerprinting

Objective: Identify web technologies without direct scanning

Step 4.1.1: HTTP Header Analysis

Analyze publicly cached headers from sources including:

  • Wayback Machine for historical header information

  • Search engine cached pages

  • Third-party scanning service results

  • Security research databases

Step 4.1.2: Technology Indicators

Identify technology patterns in public content:

  • URL patterns: /wp-content/ indicates WordPress

  • File extensions: .aspx indicates ASP.NET

  • Error pages revealing server information

  • Default installation content and pages

4.2 Third-Party Service Integration

Objective: Identify integrated third-party services

Step 4.2.1: JavaScript Library Analysis

From cached pages and public content, identify:

  • jQuery versions and implementation patterns

  • Bootstrap versions and customization

  • Analytics tracking codes and configuration

  • CDN-hosted library versions and sources

Step 4.2.2: API and Service Discovery

Research references to external services:

  • Payment processors: Stripe, PayPal, Square

  • Analytics platforms: Google Analytics, Mixpanel, Adobe

  • Customer support: Zendesk, Intercom, Freshdesk

  • Marketing automation: Mailchimp, HubSpot, Marketo

  • Cloud services: AWS, Azure, Google Cloud integrations

4.3 Software Version Intelligence

Objective: Determine software versions for vulnerability research

Version Discovery Sources:

  • Generator meta tags in HTML source code

  • CSS and JavaScript file naming conventions

  • Error pages and debug information disclosure

  • Job postings mentioning specific technology versions

  • Developer blog posts and technical documentation

  • Conference presentations and technical talks


Phase 5: Human Intelligence Gathering

5.1 Employee Enumeration

Objective: Build comprehensive employee database

Step 5.1.1: LinkedIn Intelligence

Gather professional information including:

  • Employee names, titles, and department assignments

  • Organizational structure and reporting relationships

  • Tenure information and career progression

  • Technical skills and technology expertise

  • Professional connections and network analysis

Step 5.1.2: Social Media Analysis

Research employee presence on platforms:

  • Twitter for technical discussions and opinions

  • GitHub for personal and professional code repositories

  • Professional forums and technical communities

  • Industry conferences and speaking engagements

  • Technical blogs and publication contributions

5.2 Email Pattern Analysis

Objective: Determine email addressing conventions

Common Email Patterns:

Pattern     Example              Usage
first.last  john.doe@target.com  Most common
firstlast   johndoe@target.com   Common
first_last  john_doe@target.com  Less common
flast       jdoe@target.com      Abbreviation
first       john@target.com      Small organizations

Pattern Validation Methods:

  • LinkedIn contact information analysis

  • Corporate directory research

  • Press release contact information

  • Conference registration data

  • Public email signatures

5.3 Organizational Structure Mapping

Objective: Understand business hierarchy and relationships

Intelligence Sources:

  • LinkedIn company pages and employee listings

  • Press releases and corporate announcements

  • SEC filings and regulatory documents

  • Annual reports and investor presentations

  • Conference speaker biographical information

  • Industry publication author profiles


Phase 6: Digital Asset Discovery

6.1 Search Engine Intelligence

Objective: Discover exposed information through search engines

Google Dorking Methodology

6.1.1 Administrative Interface Discovery

Administrative Panels:

  • site:target.com inurl:admin

  • site:target.com intitle:"Admin Panel"

  • site:target.com inurl:wp-admin

  • site:target.com inurl:phpmyadmin

  • site:target.com inurl:cpanel

Login Interfaces:

  • site:target.com inurl:login

  • site:target.com intitle:"Login"

  • site:target.com "administrative interface"

6.1.2 Configuration File Exposure

Environment Files:

  • site:target.com filetype:env

  • site:target.com filetype:env "DB_PASSWORD"

  • site:target.com filetype:env "API_KEY"

Configuration Files:

  • site:target.com filetype:config

  • site:target.com filetype:yml "secret"

  • site:target.com filetype:json "password"

  • site:target.com filetype:properties

6.1.3 Database and Backup Discovery

Database Files:

  • site:target.com filetype:sql

  • site:target.com filetype:sql "CREATE TABLE"

  • site:target.com filetype:db

Backup Files:

  • site:target.com filetype:bak

  • site:target.com filetype:backup

  • site:target.com filetype:old

  • site:target.com inurl:backup "Index of"

6.1.4 Directory Listing Enumeration

Directory Browsing:

  • site:target.com intitle:"Index of /" "Parent Directory"

  • site:target.com intitle:"Directory Listing For"

  • site:target.com inurl:"/uploads/" "Index of"

  • site:target.com inurl:"/.git/" "index"

6.1.5 Error Message Harvesting

Database Errors:

  • site:target.com "mysql_fetch_array()"

  • site:target.com "mysqli_connect"

  • site:target.com "PostgreSQL query failed"

  • site:target.com "Microsoft OLE DB Provider"

  • site:target.com "Warning: mysql_"

Application Errors:

  • site:target.com "Fatal error"

  • site:target.com "Warning:"

  • site:target.com "Parse error"

  • site:target.com "Notice:"

6.1.6 API Documentation Discovery

API Endpoints:

  • site:target.com inurl:api/v1

  • site:target.com inurl:api/v2

  • site:target.com inurl:rest

  • site:target.com inurl:graphql

Documentation:

  • site:target.com "swagger" OR "openapi"

  • site:target.com "API Documentation"

  • site:target.com intitle:"API" "documentation"

6.2 Code Repository Analysis

Objective: Discover sensitive information in public repositories

Step 6.2.1: GitHub Organization Discovery

Search methodology includes:

  1. Official organization account identification

  2. Employee personal repository analysis

  3. Forked repository examination

  4. Archived project investigation

Step 6.2.2: Sensitive Data Patterns

Repository content analysis for:

  • Domain references: "target.com" in configuration files

  • Database connection strings and credentials

  • API keys, tokens, and authentication secrets

  • Private keys and certificate materials

  • Internal URLs and hostname references

GitHub Search Operators:

Organization Repositories:

  • org:target-company

  • user:target-company

Domain References in Code:

  • "target.com" language:javascript

  • "target.com" language:python

  • "target.com" language:php

Credential Patterns:

  • "password" "target.com"

  • "api_key" "target.com"

  • "secret" "target.com"

6.3 Cloud Storage Discovery

Objective: Identify publicly accessible cloud storage

Step 6.3.1: S3 Bucket Enumeration

Common naming patterns to research:

  • target-backup

  • target-prod-data

  • target-logs

  • target-assets

  • targetcompany-files

Step 6.3.2: Azure Blob Storage

  • Pattern analysis: https://target.blob.core.windows.net/

  • Container naming convention research

  • Access policy analysis

Step 6.3.3: Google Cloud Storage

  • Pattern analysis: https://storage.googleapis.com/target-bucket/

  • Bucket enumeration and access testing

  • Permission configuration analysis


Phase 7: Intelligence Analysis

7.1 Data Correlation and Validation

Objective: Cross-reference and validate collected intelligence

Step 7.1.1: Source Cross-Validation

Verification process includes:

  • DNS records validation against certificate transparency logs

  • Employee information verification across multiple platforms

  • Technology indicators confirmation through multiple sources

  • Infrastructure mapping validation through independent sources

Step 7.1.2: Temporal Analysis

Information freshness assessment:

  • Recent DNS record changes and patterns

  • New employee additions and departures

  • Technology stack updates and migrations

  • Infrastructure modifications and expansions

7.2 Threat Modeling and Prioritization

Objective: Assess and prioritize discovered intelligence

Risk Assessment Matrix:

Finding Type              Risk Level  Priority
Exposed credentials       Critical    Immediate
Admin interfaces          High        High
Development environments  High        High
Employee information      Medium      Medium
Technology versions       Medium      Research
General infrastructure    Low         Background

7.3 Attack Vector Development

Objective: Transform intelligence into actionable attack vectors

Intelligence-to-Attack Mapping:

  • Subdomain Discovery → Targeted scanning scope definition

  • Technology Fingerprinting → Specific exploit research and development

  • Employee Intelligence → Social engineering vector development

  • Credential Discovery → Direct access attempt planning

  • Administrative Interfaces → Authentication testing preparation


Phase 8: Attack Surface Documentation

8.1 Intelligence Consolidation

Objective: Organize and structure all collected intelligence

Step 8.1.1: Asset Inventory Generation

Create structured documentation including:

  • Domain and subdomain comprehensive catalog

  • IP address and hosting provider mapping

  • Technology stack detailed documentation

  • Employee and organizational contact database

Step 8.1.2: Evidence Preservation

Document findings with complete attribution:

  • Source URLs and discovery timestamps

  • Screenshot evidence for critical findings

  • Search queries and methodology documentation

  • Discovery process and technique recording

8.2 Attack Surface Analysis

Objective: Analyze complete attack surface exposure

Attack Surface Components:

  • External Infrastructure: Web applications, mail servers, VPN endpoints

  • Human Assets: Employee information, social media presence

  • Digital Footprint: Code repositories, cloud storage, cached content

  • Technology Stack: Software versions, third-party integrations

8.3 Reporting and Handoff

Objective: Generate actionable reports for active testing phase

8.3.1 Technical Intelligence Report

Infrastructure Overview:

  • Primary domains with risk prioritization

  • Subdomain count with risk categorization

  • Hosting providers with geographic distribution

  • Technology stack with detailed version inventory

High-Priority Targets:

  1. Administrative interfaces with access methodology

  2. Development environments and exposed staging systems

  3. API endpoints and discovered service interfaces

  4. Database management consoles and interfaces

Credential Intelligence:

  • Exposed secrets and credential discoveries

  • Email pattern validation and addressing conventions

  • Default password systems and likely targets

Vulnerability Research Targets:

  • Outdated software requiring immediate research

  • Known CVE matches for immediate exploitation

  • Configuration issues and misconfigurations discovered

8.3.2 Strategic Intelligence Brief

Organizational Context:

  • Business structure and corporate hierarchy

  • Geographic presence and office locations

  • Technology adoption patterns and recent initiatives

  • Compliance requirements and industry regulations

Human Intelligence:

  • Key personnel and technical leadership identification

  • Employee count by department and function

  • Turnover patterns and recent personnel changes

  • Social media exposure and public information sharing

Business Risk Assessment:

  • Data sensitivity and customer information exposure

  • Regulatory impact and compliance implications

  • Business continuity and critical system dependencies

  • Reputation risk and public exposure potential

Advanced Techniques and Automation

9.1 Automated Intelligence Collection

Automation Framework Components:

  1. Subdomain Discovery Automation

    • Certificate transparency log monitoring

    • DNS enumeration with multiple sources

    • Search engine result aggregation

  2. Technology Stack Monitoring

    • Wayback Machine content analysis

    • Error page and header information extraction

    • Third-party service integration discovery

  3. Intelligence Correlation Engine

    • Cross-source validation and verification

    • Temporal analysis and change detection

    • Risk prioritization and scoring

9.2 Continuous Monitoring Setup

Monitoring Framework:

  1. Change Detection Systems

    • DNS record modification alerts

    • New subdomain discovery notifications

    • Technology stack change identification

  2. Intelligence Update Processes

    • Employee information updates

    • Organizational structure changes

    • New digital asset discoveries

  3. Threat Landscape Monitoring

    • Vulnerability research for identified technologies

    • Exploit availability and proof-of-concept tracking

    • Security advisory and patch monitoring

Quality Assurance and Validation

10.1 Intelligence Verification Checklist

Source Validation Requirements:

  • All findings documented with complete source URLs

  • Screenshot evidence captured for critical discoveries

  • Multiple source confirmation for high-priority findings

  • Timestamp documentation for all intelligence collection

Scope Compliance Verification:

  • All reconnaissance activities within authorized scope

  • No direct interaction with target systems attempted

  • Public sources exclusively utilized throughout process

  • Legal compliance maintained for all activities

Technical Accuracy Standards:

  • DNS information cross-validated through multiple sources

  • Technology fingerprinting verified through independent methods

  • Employee information current and accuracy-verified

  • Infrastructure mapping complete and validated

10.2 Common Pitfalls and Mitigation

Information Overload Management:

  • Focus collection efforts on actionable intelligence over volume

  • Prioritize findings by potential impact and exploitability

  • Maintain clear categorization and structured organization

Stale Information Prevention:

  • Verify information freshness through timestamp analysis

  • Cross-reference discoveries with multiple contemporary sources

  • Document discovery dates for all findings and sources

False Positive Reduction:

  • Validate findings through multiple independent methods

  • Distinguish between current operational and historical data

  • Verify subdomain resolution and current accessibility

Operational Security Considerations

11.1 Attribution Management

IP Address Rotation Strategy:

  • Utilize VPN services for extensive research sessions

  • Implement IP address rotation for different research phases

  • Avoid patterns that could indicate automated or coordinated collection

Search Pattern Obfuscation:

  • Vary search timing and methodology throughout collection

  • Mix manual and systematic approaches to avoid detection

  • Space intensive search sessions over extended time periods

Authorized Scope Enforcement:

  • Limit all research activities to explicitly authorized targets

  • Document scope authorization clearly and comprehensively

  • Avoid accessing any restricted or private information sources

Public Information Restriction:

  • Utilize only publicly accessible information sources

  • Do not attempt to access restricted or private content

  • Maintain clear distinction between discovery and unauthorized access

Methodology Validation

12.1 Phase Completion Verification

Phase Validation Checklist:

  • Phase 1: Organizational context and scope clearly defined

  • Phase 2: DNS infrastructure and domain mapping completed

  • Phase 3: Hosting and cloud infrastructure comprehensively identified

  • Phase 4: Technology stack analysis thoroughly completed

  • Phase 5: Employee and human intelligence systematically gathered

  • Phase 6: Digital assets and exposure comprehensively documented

  • Phase 7: Intelligence analyzed, correlated, and prioritized

  • Phase 8: Attack surface documented and reported for handoff

12.2 Output Quality Standards

Documentation Requirements:

  • Structured data organization with clear categorical separation

  • Complete source attribution for all findings and discoveries

  • Risk assessment and prioritization for all intelligence

  • Actionable recommendations for subsequent active testing phases

Evidence Standards:

  • Screenshot documentation for all critical findings

  • URL and timestamp recording for complete source tracking

  • Search query documentation for methodology reproducibility

  • Chain of custody maintenance for all intelligence collected
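An added Python example (not part of the original guide) of the evidence record that the 8.1.2 and 12.2 requirements describe: each finding carries its source URL, the query that surfaced it, the collection timestamp and the SHA-256 of the captured artefact, is assigned risk and priority from the 7.2 matrix, and is hash-chained to the previous entry so that any later edit to the log is detectable. The two sample findings and their evidence bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Risk levels and priorities from the Risk Assessment Matrix in 7.2.
RISK_MATRIX = {
    "exposed credentials": ("Critical", "Immediate"),
    "admin interface": ("High", "High"),
    "development environment": ("High", "High"),
    "employee information": ("Medium", "Medium"),
    "technology version": ("Medium", "Research"),
    "general infrastructure": ("Low", "Background"),
}
PRIORITY_ORDER = ["Immediate", "High", "Medium", "Research", "Background"]
GENESIS = "0" * 64  # prev_hash of the first ledger entry


@dataclass
class Finding:
    finding_type: str
    asset: str
    source_url: str       # where the evidence was obtained (8.1.2)
    query: str            # the search query or command that surfaced it
    observed_at: str      # ISO 8601 UTC collection timestamp
    evidence_sha256: str  # hash of the captured artefact (screenshot, response body)
    risk: str
    priority: str
    prev_hash: str        # entry_hash of the previous ledger entry
    entry_hash: str = ""


def canonical(entry):
    """Stable byte form of an entry without its own hash, so rehashing is reproducible."""
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLog:
    def __init__(self):
        self.entries = []

    def record(self, finding_type, asset, source_url, query, evidence, observed_at):
        """Append a finding, rating it from RISK_MATRIX and chaining it to the last entry."""
        risk, priority = RISK_MATRIX.get(finding_type, ("Low", "Background"))
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Finding(finding_type, asset, source_url, query, observed_at,
                        hashlib.sha256(evidence).hexdigest(), risk, priority, prev)
        entry.entry_hash = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and link; return the index of the first bad entry, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            recomputed = hashlib.sha256(canonical(entry)).hexdigest()
            if entry.prev_hash != prev or recomputed != entry.entry_hash:
                return i
            prev = entry.entry_hash
        return -1

    def by_priority(self):
        """Entries ordered for the 8.3.1 report: Immediate first, Background last."""
        return sorted(self.entries, key=lambda e: PRIORITY_ORDER.index(e.priority))


def sample_log():
    """Two constructed findings (not real observations) for demonstration."""
    log = EvidenceLog()
    query = 'curl -s "https://crt.sh/?q=%.target.com&output=json"'
    log.record("general infrastructure", "www.target.com", "https://crt.sh/?q=%.target.com",
               query, b"constructed response body 1", "2024-04-15T10:00:00Z")
    log.record("development environment", "staging.target.com", "https://crt.sh/?q=%.target.com",
               query, b"constructed response body 2", "2024-04-15T10:05:00Z")
    return log
```

Export the entries with `asdict` at handoff; a reviewer who recomputes the chain with `verify()` can tell whether any record was altered after collection.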

Conclusion

This passive reconnaissance methodology provides a systematic approach to intelligence gathering that maximizes information collection while maintaining complete operational stealth. The methodology emphasizes:

  • Systematic Approach: Structured progression through comprehensive intelligence domains

  • Zero Detection: Complete avoidance of target system interaction and detection

  • Actionable Intelligence: Focus on findings that enable effective subsequent active testing

  • Professional Documentation: Evidence-based reporting suitable for enterprise security assessments

By following this methodology, security professionals can build comprehensive target intelligence that dramatically improves the effectiveness and efficiency of subsequent active testing phases while maintaining the highest standards of operational security and legal compliance.
