Mastering Reconnaissance with Project Discovery

9 months ago 58

Ibrahim Abdulhaqq

Dissect your target during reconnaissance with Project Discovery

Information on a target system or network is gathered during reconnaissance in order to find any potential weaknesses that might be exploited. This can be done using a variety of methods, including examining publicly accessible information about the target, utilizing tools to check for open ports and services on the target’s network and systems, and attempting to learn more about the target’s staff and operational procedures.

The purpose of reconnaissance is to learn as much as you can about the target in order to build a comprehensive profile of the system or network and find any potential vulnerabilities that could be exploited. The attack on the target can then be successfully planned and carried out using the information gathered.

Reconnaissance takes two forms: passive reconnaissance, which involves gathering data from publicly accessible sources without actively interacting with the target system or network, and active reconnaissance, which involves actively interacting with the target to gather data.

Simply put, reconnaissance gives one the opportunity to gather resources and map more of the target’s overall attack surface, but it does not guarantee that a weakness will be found.

In passive reconnaissance, you rely on publicly available knowledge: information that you can access from publicly available resources without directly engaging with the target. Think of it as looking at the target's territory from afar without setting foot on it.

Passive reconnaissance covers many activities, for instance looking up the DNS records of a domain from a public DNS server, checking job ads related to the target website, and reading news articles about the target company.

Active reconnaissance, on the other hand, cannot be achieved so discreetly. It requires direct engagement with the target. Think of it as checking the locks on the doors and windows, among other potential entry points.

Examples of active reconnaissance activities include connecting to one of the company's servers, such as HTTP, FTP, and SMTP; calling the company in an attempt to get information (social engineering); and entering company premises pretending to be a repairman.

The degree of involvement with the target system or network is the primary distinction between active and passive reconnaissance. While passive reconnaissance entails acquiring information without actively interacting with the objective, active reconnaissance requires actively engaging with the target.

Subdomain enumeration is a crucial reconnaissance method in penetration testing and bug bounty hunting. It involves identifying and listing a target domain’s subdomains through active or passive methods. Active subdomain enumeration involves actively engaging the target domain through tools like DNS requests or web crawlers. Passive subdomain enumeration, on the other hand, involves acquiring data on the target domain’s subdomains without actively engaging with the domain itself. This method is less risky and more moral than active techniques, as the data can be obtained from publicly accessible sources like papers and databases. Both active and passive techniques are essential for effective reconnaissance in these fields.

Subfinder is a Go-based subdomain enumeration tool that efficiently finds valid subdomains for websites using passive online sources. Its modular architecture is optimized for speed and is specifically designed for passive subdomain enumeration.


subfinder -d

As soon as you execute the command, it will begin rapidly aggregating all accessible subdomains.

As you can see from the data, subfinder performed the reconnaissance pretty effectively, finding 5000+ subdomains in about 35 seconds.

Subfinder is a fast tool that efficiently finds subdomains of a domain, providing results within minutes or less. It uses a passive method of subdomain enumeration, gathering information from publicly available sources and presenting it to the user, making it a stealthy tool that leaves no noticeable traces or logs on the target domain.

The active reconnaissance method known as “subdomain brute forcing” involves attempting to connect to a large number of possible subdomains of a domain to figure out which ones are legitimate. It entails combining the target domain with a list of popular subdomain names, with the success or failure of these attempts deciding whether the subdomains are legitimate.

ShuffleDNS is a MassDNS wrapper written in Go that allows users to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support.


shuffledns -d -list example-subdomains.txt -r resolvers.txt

The -r option specifies a file containing a list of DNS resolvers. All the terms for subdomain brute-forcing are in wordlist.txt. (This might take a few minutes to complete.)
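Why wildcard handling matters when brute forcing: under a wildcard DNS record every guessed name resolves, so each hit has to be compared with the answers returned for random labels. The following is an added example, not part of the original article and not ShuffleDNS's own code; the zone data, the `fake_resolve` stub and the `.test` names are constructed so that it runs offline.

```python
import secrets

# Constructed zone data standing in for live DNS answers (not real records).
ZONE = {
    "www.example.test": {"198.51.100.5"},
    "mail.example.test": {"198.51.100.7"},
    "api.dev.example.test": {"198.51.100.9"},  # real record below a wildcard
}
# "*.dev.example.test" answers every otherwise unknown name with this address.
WILDCARDS = {"dev.example.test": {"203.0.113.10"}}

CANDIDATES = ["www.example.test", "ftp.example.test", "staging.dev.example.test",
              "api.dev.example.test", "mail.example.test"]


def fake_resolve(name):
    """Hypothetical resolver stub: exact records first, then wildcard parents."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in WILDCARDS:
            return WILDCARDS[parent]
    return set()  # NXDOMAIN


def wildcard_ips(parent, resolve, probes=3):
    """Resolve random labels under `parent`; any answer means a wildcard exists."""
    ips = set()
    for _ in range(probes):
        ips |= resolve(f"{secrets.token_hex(8)}.{parent}")
    return ips


def filter_candidates(candidates, resolve):
    """Keep names whose answers differ from their parent's wildcard answers."""
    valid, cache = [], {}
    for name in candidates:
        answers = resolve(name)
        if not answers:
            continue  # the name does not exist
        parent = name.split(".", 1)[1]
        if parent not in cache:
            cache[parent] = wildcard_ips(parent, resolve)
        if answers <= cache[parent]:
            continue  # indistinguishable from wildcard noise
        valid.append(name)
    return valid
```

Without the wildcard check, `staging.dev.example.test` would be reported as a valid subdomain even though no such record exists.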

After collecting all available subdomains (subdomain enumeration), the next step is to filter the valid subdomains based on their HTTP method and response content. The httpx tool is able to gather data about a web server, including the HTTP methods it supports and the information in its HTTP headers.

httpx can be used during reconnaissance to learn more about a web server. This data can be used to find the server’s weak points and vulnerabilities. It provides a number of options and capabilities that can be helpful for filtering legitimate subdomains, seeing response headers, figuring out HTTP methods, and displaying the IP of the subdomain. We can also use httpx with subfinder to get fast results.


subfinder -d | httpx -status-code -tech-detect -title

-status-code displays the HTTP status code that is returned

-tech-detect allows you to identify the technologies & frameworks used

-title allows you to extract the title of a webpage from the HTML source code

Port scanning is a method that can be employed as part of reconnaissance to determine which network ports are open on a target system or network. It is a form of active reconnaissance. Network ports are used to recognize and distinguish between various forms of network traffic, and each port is connected to a particular service or application.

A port scan helps identify potential vulnerabilities or attack targets by gathering information about the running services and applications on a target system or network.

Naabu is a tool written in the Go programming language that quickly and accurately finds open ports on a target system or network. The target system is subjected to SYN/CONNECT scans, and the program identifies all ports that respond by returning information about the services and programs currently executing on the system.


naabu -host
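Seen from the defender's side, a SYN/CONNECT sweep shows up as one source touching many distinct ports on the same host within a short time. The following is an added example, not part of the original article or of naabu; the log format, the addresses and the thresholds are assumptions chosen for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall-style log format (constructed for this example).
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=SYN$")


def make_sample():
    """Build constructed log lines: one port sweep and one ordinary client."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{} SRC={} DST=198.51.100.5 DPT={} FLAGS=SYN"
    lines = []
    for i, port in enumerate(range(20, 40)):  # 20 ports in under two seconds
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(fmt.format(ts.isoformat(), "192.0.2.50", port))
    for i in range(20):  # normal client reusing ports 80 and 443
        ts = base + timedelta(seconds=3 * i)
        lines.append(fmt.format(ts.isoformat(), "192.0.2.77", 443 if i % 2 else 80))
    return lines


def detect_scans(lines, window=timedelta(seconds=10), min_ports=15):
    """Return {(src, dst): max distinct ports seen inside any window}."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, dst, port = m.groups()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
    flagged = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged
```

Counting distinct ports rather than raw connections keeps a busy but ordinary client, which reuses the same few ports, below the threshold.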

Template-based scanning is an active reconnaissance technique that uses predefined templates to identify vulnerabilities and misconfigurations in a target system or network. This method of reconnaissance allows users to customize the types of issues they look for and updates the templates as new vulnerabilities or misconfigurations are discovered.

nuclei is a tool developed by ProjectDiscovery that can be used to perform vulnerability scanning and reconnaissance. It is designed to be fast and efficient and can scan a target system or network for a wide range of vulnerabilities and misconfigurations.

Nuclei uses a library of editable templates that specifies the kinds of vulnerabilities and configuration errors it should search for. Both active and passive scanning methods can be used to examine a target system or network.


nuclei -u -t technologies

The -t option is used to specify the template for scanning.

The technologies template detects the technology of the target.


nuclei -u -t cves

The cves template performs the CVE scan on the target.

Crawling and spidering aid in identifying web server resources that may not be easily accessible through the application’s public interface, such as directories or files not linked to the application’s main pages.

GetAllUrls (GAU) is a tool used to enumerate, crawl and discover URLs and directories on a web server. GAU fetches known URLs from external sources, including AlienVault’s Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan.



Once you execute the command, gau will start crawling the target domain.

katana is a next-generation crawling and spidering framework.


katana -jc -u <>

-jc (JS crawl) is a handy function in katana while performing recon. It allows endpoint parsing and crawling in JS (JavaScript) files.

-u specifies the target domain.

Gau and Katana are fast and similar in scanning, but GAU focuses on URL discovery, while Katana offers more comprehensive options like in-depth JavaScript crawling and custom cookies for requests.

Directory enumeration is a method used to identify directories and files on a target system or network. It involves a systematic scan using a tool or script to identify potential targets, sensitive files, and information about the system’s layout and structure.

Dirsearch is a Python-based tool used to perform a brute-force search for directories and files on a target system or network by generating and testing many potential directory and file names.


dirsearch -u -i 200 -e php,jsp,js

-i option is used to specify the status code.

-e option is used to specify the file extension(s) that should be tested during the directory enumeration process.

Reconnaissance is an essential part of penetration testing and bug bounty hunting, as it is the process of gathering information about a target to identify potential attack vectors and vulnerabilities. This writeup provides an overview of the various reconnaissance techniques powered mainly by Project Discovery tools, as well as advice on how to effectively utilize them to maximize the chances of success.
