
Deep infrastructure reconnaissance reveals attack surfaces that casual observation misses. Understanding how organizations structure their internet presence—domains, subdomains, hosting, and exposed services—provides a map for systematic exploitation.
Organizations often own more domains than their primary presence suggests. Acquisitions bring legacy domains. Projects spawn dedicated infrastructure. Regional offices might have independent web presence. Mapping this domain landscape reveals attack surface.
WHOIS records provide ownership information, though privacy services increasingly obscure details. Historical WHOIS shows past ownership and contact information that might remain relevant.
Reverse WHOIS searches find domains sharing registrant information. An organization's registration email or organization name might appear across many domains, revealing infrastructure the primary domain doesn't reference.
DNS records of all types deserve examination. A records point to IP addresses. MX records reveal mail infrastructure. TXT records sometimes carry informative content. SPF and DKIM configuration, published as TXT records, reveals the email ecosystem: which hosts and third parties are authorized to send on the domain's behalf.
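The SPF point above is one a defender can act on directly: the same record that tells an outsider which mail providers a domain uses also shows whether the policy is too loose. The following is an added example, not part of the lesson, that picks the SPF policy out of a domain's TXT records, lists the networks and third-party senders it authorizes, and flags weak settings. The TXT records and domain names in it are constructed sample data, not real DNS answers.

```python
"""Summarize the mail-sending ecosystem an SPF TXT record authorizes.

Added example (not from the lesson). Given the TXT records returned for a
domain, find the SPF policy, enumerate what it authorizes, and flag settings
a defender would want to fix. The records below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample TXT records for a hypothetical domain (not real data).
SAMPLE_TXT_RECORDS = [
    "google-site-verification=abc123",
    "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example-mailer.invalid "
    "include:spf.protection.example.invalid a mx ~all",
]

# Terms that cost a DNS lookup against RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpfSummary:
    networks: list = field(default_factory=list)   # ip4:/ip6: literals
    includes: list = field(default_factory=list)   # third-party senders pulled in
    lookup_terms: int = 0                          # DNS-lookup-costing terms
    all_qualifier: str = ""                        # '+', '-', '~', '?' or '' if absent
    warnings: list = field(default_factory=list)


def find_spf_record(txt_records):
    """Return the SPF policy among a domain's TXT records, or None if absent."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        # RFC 7208: publishing more than one SPF record is a permanent error.
        raise ValueError("multiple SPF records published")
    return spf[0] if spf else None


def parse_spf(record):
    """Parse one SPF record into an SpfSummary with defender-oriented warnings."""
    summary = SpfSummary()
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        # term = optional qualifier, mechanism/modifier name, optional ':' or '=' value
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=](.*))?", term)
        if not m:
            summary.warnings.append(f"unparseable term: {term}")
            continue
        qualifier = m.group(1) or "+"
        name, value = m.group(2).lower(), m.group(3)
        if name in ("ip4", "ip6"):
            summary.networks.append(value)
        elif name == "include":
            summary.includes.append(value)
        elif name == "all":
            summary.all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            summary.lookup_terms += 1
        if name == "ptr":
            summary.warnings.append("ptr mechanism is deprecated and slow to evaluate")
    if summary.all_qualifier in ("+", "?"):
        summary.warnings.append(
            f"'{summary.all_qualifier}all' lets any host send as this domain")
    elif summary.all_qualifier == "":
        summary.warnings.append("no 'all' term; unlisted senders get a neutral result")
    if summary.lookup_terms > 10:
        summary.warnings.append("more than 10 DNS-lookup terms; receivers return permerror")
    return summary


if __name__ == "__main__":
    policy = find_spf_record(SAMPLE_TXT_RECORDS)
    result = parse_spf(policy)
    print("networks:", result.networks)
    print("third-party senders:", result.includes)
    print("lookup terms:", result.lookup_terms, "all:", result.all_qualifier)
    print("warnings:", result.warnings or "none")
```

The include list is the "email ecosystem" the lesson refers to; each entry is a provider that can send mail as the domain, so reviewing it is as useful to the domain owner as it is to an outside observer.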
Subdomains frequently host development environments, internal applications, or legacy systems with weaker security than primary domains. Systematic subdomain discovery reveals these opportunities.
Passive enumeration gathers subdomains without directly touching target infrastructure. Certificate transparency logs record SSL certificates issued for domains, including subdomains. Services like crt.sh provide searchable indexes.
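The certificate-transparency search the paragraph describes returns a list of certificates, not a clean list of hosts, so the useful step is extracting and de-duplicating the names. The following is an added example, not from the lesson, that does this over the JSON array a crt.sh query such as https://crt.sh/?q=%25.example.com&output=json returns, where each entry has a `common_name` and a newline-separated `name_value` of subject alternative names (that field layout is an assumption about crt.sh's output). The entries embedded here are constructed sample data, and the example also marks names seen only on expired certificates, which for a domain owner often point at forgotten infrastructure.

```python
"""Extract a domain's subdomains from certificate-transparency search results.

Added example (not from the lesson). Operates on the JSON shape returned by a
crt.sh query (entries with `common_name`, newline-separated `name_value`, and
`not_after`); the entries below are constructed sample data.
"""
import json
from datetime import datetime

DOMAIN = "example.com"

# Constructed sample: shape mirrors crt.sh JSON output, values are invented.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2025-01-01T00:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2025-06-01T00:00:00"},
    {"common_name": "staging-api.example.com",
     "name_value": "staging-api.example.com\nDev-Portal.Example.com",
     "not_after": "2022-03-01T00:00:00"},
    # A lookalike that merely starts with the domain must not be treated as in scope.
    {"common_name": "example.com.evil-lookalike.invalid",
     "name_value": "example.com.evil-lookalike.invalid",
     "not_after": "2025-01-01T00:00:00"},
])


def extract_subdomains(raw_json, domain, as_of):
    """Return in-scope names from CT entries: concrete hosts, wildcard names,
    and hosts whose every certificate had expired by the `as_of` date."""
    domain = domain.lower()
    suffix = "." + domain
    cutoff = datetime.fromisoformat(as_of)
    hosts, wildcards, latest_expiry = set(), set(), {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        names = {entry["common_name"]} | set(entry["name_value"].split("\n"))
        for name in names:
            name = name.strip().lower()
            # Keep only the apex or names under it; suffix match, not prefix match.
            if name != domain and not name.endswith(suffix):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            hosts.add(name)
            latest_expiry[name] = max(latest_expiry.get(name, expiry), expiry)
    stale = sorted(h for h in hosts if latest_expiry[h] < cutoff)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards), "stale": stale}


if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_CT_JSON, DOMAIN, "2024-01-01T00:00:00")
    for key, names in found.items():
        print(f"{key}: {names}")
```

Names in the `stale` list never appeared on a current certificate; whether they still resolve is exactly what the active confirmation step in the next paragraphs answers.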
Active enumeration directly probes for subdomains through DNS requests. Brute-forcing common subdomain names (www, mail, dev, staging, api) against target domains reveals what exists. Tools like Amass, Sublist3r, and subfinder automate this process.
Combining techniques maximizes discovery. Passive sources reveal unique names that brute-forcing would miss. Active testing confirms existence and provides current resolution data.
IP addresses and domains lead to service enumeration. What ports are open? What services run on them? What versions and configurations exist?
Port scanning identifies listening services. Nmap provides comprehensive scanning with service fingerprinting. Masscan offers speed for broad sweeps. Balancing thoroughness against stealth depends on engagement constraints.
Service fingerprinting identifies specific software and versions. Version information enables vulnerability research. Banner grabbing reveals configuration details. Even generic responses provide clues about underlying technology.
Web technology identification reveals application stacks. Wappalyzer, WhatWeb, and similar tools identify frameworks, CMS platforms, and libraries. This knowledge shapes subsequent testing focus.
Attack surfaces change continuously. Organizations deploy new systems, modify configurations, and sometimes accidentally expose sensitive services. Continuous reconnaissance catches these changes.
Automated scanning on schedule detects new subdomains, ports, and services. Alerting on changes ensures timely notification. This approach transforms reconnaissance from point-in-time to ongoing visibility.
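The scheduled scans the paragraph describes only become useful once successive results are compared and the differences turned into alerts. The following is an added example, not from the lesson, that diffs two attack-surface snapshots and produces severity-tagged alerts for new hosts and newly open ports. The snapshot format (hostname mapped to a list of open TCP ports) and both snapshots are constructed for the example; the high-risk port list is an assumed starting point a team would tune to its own environment.

```python
"""Diff two attack-surface snapshots and emit alerts for what changed.

Added example (not from the lesson). Snapshots use a constructed format:
hostname -> list of open TCP ports, as a scheduled job might store them after
enumerating subdomains and scanning them. Both snapshots are invented data.
"""

PREVIOUS = {
    "www.example.com": [80, 443],
    "api.example.com": [443],
    "old-cms.example.com": [80, 443],
}
CURRENT = {
    "www.example.com": [80, 443],
    "api.example.com": [443, 22],
    "staging-db.example.com": [5432, 6379],
}

# Services that rarely belong on an internet-facing host; escalate when they appear.
# Assumed starting list; tune to the environment being monitored.
HIGH_RISK_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 5432, 5900, 6379, 9200, 27017}


def diff_snapshots(previous, current):
    """Return a list of (severity, message) alerts describing changes.

    Order: new hosts, disappeared hosts, then per-host port changes."""
    alerts = []
    for host in sorted(set(current) - set(previous)):
        ports = sorted(current[host])
        severity = "high" if HIGH_RISK_PORTS & set(ports) else "medium"
        alerts.append((severity, f"new host {host} with open ports {ports}"))
    for host in sorted(set(previous) - set(current)):
        alerts.append(("info", f"host {host} no longer resolves or has no open ports"))
    for host in sorted(set(previous) & set(current)):
        opened = sorted(set(current[host]) - set(previous[host]))
        closed = sorted(set(previous[host]) - set(current[host]))
        for port in opened:
            severity = "high" if port in HIGH_RISK_PORTS else "medium"
            alerts.append((severity, f"{host}: port {port} newly open"))
        for port in closed:
            alerts.append(("info", f"{host}: port {port} closed"))
    return alerts


if __name__ == "__main__":
    for severity, message in diff_snapshots(PREVIOUS, CURRENT):
        print(f"[{severity}] {message}")
```

Persisting each run's snapshot and diffing against the last one is what turns a point-in-time scan into the ongoing visibility the lesson describes; the severity field is what lets a team route a newly exposed database port differently from a closed web port.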
- What is the technique of using advanced search queries called?
- Which operator finds specific files?
- Which operator limits a search to a domain?
- Which operator finds terms in the URL?