Break the Web (Week 1): Recon & Attack Surface
Web Application Reconnaissance: Step-by-Step Tutorial with Nmap, Subfinder & Recon Tools
🎯 Week 1: Recon & Attack Surface
Break the Web: Part 1 of 8
Welcome to Offensive Tuesday.
Hey,
Welcome to the first edition of our 8-week Break the Web series.
Today we're covering the most important phase of any hack: Reconnaissance.
Here's the deal: before you can exploit anything, you need to find it. And recon is how you find it.
Let's get into it.
What is Reconnaissance?
Recon is information gathering. You're collecting data about your target to identify potential entry points.
Think of it as research before the attack. The more you know, the better your attack plan.
There are two types:
- Passive Recon: You gather info without directly touching the target. No packets are sent to it, so nothing shows up in its logs. You're invisible to the target.
- Active Recon: You interact with the target directly. Sending probes, scanning ports, testing responses. This can be detected.
Both are useful. Most engagements use a combination.
What is an Attack Surface?
Your attack surface is everything that's exposed to the internet:
- Subdomains
- IP addresses
- Open ports
- Running services
- APIs
- Cloud assets
- Forgotten staging servers
- Employee email addresses
The bigger the attack surface, the more potential entry points. Your job during recon is to map this out completely.
The Recon Process (Step by Step)
Here's a practical workflow you can follow:
Step 1: Domain & Subdomain Discovery
Start with the target's main domain. Then find every subdomain connected to it.
Why? Subdomains often host:
- Internal tools
- Staging environments
- Forgotten servers
- Admin panels
These are usually less secure than the main site.
Tools to use:
Subfinder (Passive)
subfinder -d target.com -o subdomains.txt
Subfinder queries 80+ passive sources like Censys, Shodan, and VirusTotal. Fast and stealthy.
Amass (Passive + Active)
amass enum -d target.com -o amass-results.txt
Amass is the Swiss Army knife for subdomain enumeration. It combines OSINT sources, DNS brute-forcing, and certificate transparency logs.
For passive-only mode:
amass enum -passive -d target.com
Assetfinder
assetfinder --subs-only target.com
Quick and lightweight. Good for fast results.
Pro tip: Run multiple tools and merge results. Each tool has unique sources.
cat subfinder.txt amass.txt assetfinder.txt | sort -u > all-subs.txt
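The `sort -u` merge above is the right idea, but raw tool output mixes upper and lower case, trailing dots, wildcard entries and hosts that merely contain the target's name, and `sort -u` keeps all of those as separate lines. Here is an added Python example (not from the newsletter or from any of the tools above) that normalizes each list and keeps only hosts that sit inside the scope domain. The three sample outputs and the `target.com` scope are constructed for the demonstration; `merge_subdomains` and `merge_files` are my own helper names.

```python
"""Merge subdomain lists from several recon tools into one in-scope inventory.

Added example, not code from the newsletter. It assumes each tool wrote one
hostname per line (as the subfinder/amass/assetfinder commands above do) and
that the engagement scope is a single apex domain.
"""
import re
from pathlib import Path

# Constructed samples standing in for subfinder.txt, amass.txt and
# assetfinder.txt. They deliberately contain case differences, a trailing dot,
# a wildcard entry and two out-of-scope hosts that a plain `sort -u` keeps.
SUBFINDER_OUT = """\
www.target.com
api.target.com
Staging.Target.com
"""
AMASS_OUT = """\
www.target.com.
*.dev.target.com
mail.target.com
"""
ASSETFINDER_OUT = """\
api.target.com
cdn.target.com
target.com.evil-lookalike.net
notatarget.com
"""

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")


def normalize(hostname: str) -> str:
    """Lower-case, strip whitespace and a trailing dot, drop a leading wildcard label."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex domain itself or a subdomain of it.

    The comparison requires a label boundary, so 'target.com.evil-lookalike.net'
    and 'notatarget.com' are rejected even though both contain 'target.com'.
    """
    return host == apex or host.endswith("." + apex)


def merge_subdomains(apex: str, *tool_outputs: str) -> list[str]:
    """Return a sorted, de-duplicated list of in-scope hostnames."""
    apex = normalize(apex)
    found = set()
    for output in tool_outputs:
        for line in output.splitlines():
            host = normalize(line)
            if host and HOSTNAME_RE.match(host) and in_scope(host, apex):
                found.add(host)
    return sorted(found)


def merge_files(apex: str, *paths: str) -> list[str]:
    """Convenience wrapper: same merge, reading real tool output files."""
    return merge_subdomains(apex, *(Path(p).read_text() for p in paths))


if __name__ == "__main__":
    for host in merge_subdomains("target.com", SUBFINDER_OUT, AMASS_OUT, ASSETFINDER_OUT):
        print(host)
```

On real output, call `merge_files("target.com", "subfinder.txt", "amass.txt", "assetfinder.txt")`; the in-scope filter matters on both sides of the fence, because an out-of-scope host in your list is a scope violation for a tester and a false alarm for a defender maintaining an asset inventory.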
Step 2: DNS Enumeration
Once you have subdomains, dig deeper into DNS records.
DNS records reveal:
- IP addresses (A records)
- Mail servers (MX records)
- Text records with SPF/DKIM info (TXT records)
- Aliases (CNAME records)
Using dig:
dig target.com ANY
dig target.com MX
dig target.com TXT
Using DNSRecon:
dnsrecon -d target.com
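To make the record types above concrete, here is an added Python example (not the newsletter's code, and not part of dig or DNSRecon) that parses dig answer-section lines into a per-type map and then reviews the SPF policy carried in the TXT record, which is the check a defender runs against their own domain. `DIG_ANSWERS` is a constructed sample in dig's presentation format (name, TTL, class, type, rdata) with addresses from the 203.0.113.0/24 documentation range; the function names are my own.

```python
"""Parse dig answer-section lines into records and review the SPF policy.

Added example, not from the newsletter. It assumes the input lines are in
dig's default presentation format, as produced by `dig target.com MX` and
`dig target.com TXT` above, and it uses only the standard library.
"""
import re
from collections import defaultdict

# Constructed sample: answer sections of several dig queries for target.com.
DIG_ANSWERS = """\
target.com.        300  IN  A      203.0.113.10
target.com.        300  IN  MX     10 mail.target.com.
target.com.        300  IN  MX     20 mail2.target.com.
target.com.        300  IN  TXT    "v=spf1 include:_spf.example.net ~all"
target.com.        300  IN  TXT    "google-site-verification=abc123"
www.target.com.    300  IN  CNAME  target.com.
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$"
)


def parse_dig(text: str) -> dict[str, list[str]]:
    """Group rdata strings by record type, e.g. {'MX': ['10 mail.target.com.']}."""
    records: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig's comment lines
            continue
        m = RECORD_RE.match(line)
        if m:
            records[m["type"]].append(m["rdata"].strip())
    return dict(records)


def txt_strings(rdata: str) -> str:
    """Join the quoted segments of a TXT rdata into one string."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def review_spf(records: dict[str, list[str]]) -> list[str]:
    """Return findings about the SPF policy in the TXT records (empty = fine)."""
    spf = [s for s in (txt_strings(r) for r in records.get("TXT", []))
           if s.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: the domain's mail can be spoofed freely"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term in ("+all", "all"):
        findings.append("'+all' authorizes every sender: SPF provides no protection")
    elif all_term == "?all":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    elif all_term == "~all":
        findings.append("'~all' soft-fails: spoofed mail is marked, not rejected")
    elif all_term is None:
        findings.append("no 'all' mechanism: policy ends with an implicit neutral result")
    includes = [t for t in terms if t.startswith("include:")]
    if len(includes) > 5:
        findings.append("many include: terms risk exceeding the 10 DNS lookup limit")
    return findings


if __name__ == "__main__":
    recs = parse_dig(DIG_ANSWERS)
    for rtype, values in recs.items():
        print(rtype, values)
    for finding in review_spf(recs):
        print("SPF:", finding)
```

Feed it real data with `parse_dig(subprocess.run(["dig", "+noall", "+answer", "target.com", "TXT"], capture_output=True, text=True).stdout)`; the `+noall +answer` flags make dig print only the answer section, which is exactly what `RECORD_RE` expects.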
Step 3: IP & Port Discovery
Now you need to know what's running on those IPs.
Nmap is the gold standard.
Basic scan (top 1000 ports):
nmap target.com
Scan all ports:
nmap -p- target.com
Service version detection:
nmap -sV target.com
Aggressive scan (OS detection + scripts + version):
nmap -A target.com
Stealth SYN scan (requires root):
sudo nmap -sS target.com
UDP scan:
sudo nmap -sU target.com
Understanding port states:
- Open: A service is listening and accepting connections
- Closed: The port is reachable but no service is running on it
- Filtered: A firewall is blocking the probes, so Nmap can't tell whether anything is listening
Common ports to watch:
| Port | Service |
|---|---|
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
| 443 | HTTPS |
| 3306 | MySQL |
| 3389 | RDP |
| 8080 | HTTP Proxy |
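Reading scan results by eye stops scaling after a handful of hosts. The following added Python example (not from the newsletter and not part of Nmap) assumes the scan was saved with Nmap's `-oX` flag, turns the XML report into a service inventory, counts the port states described above, and flags open ports from the table that rarely belong on the public internet. `SAMPLE_XML` is a constructed report for the example's `target.com`; `WATCHLIST` and the function names are my own assumptions.

```python
"""Build a service inventory from an Nmap XML report and flag risky exposure.

Added example, not code from the newsletter or from Nmap. It assumes the scan
was saved with `nmap -sV -oX scan.xml target.com` and uses only the standard
library, so it runs offline on the constructed sample below.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Ports from the "Common ports to watch" table that rarely belong on the
# public internet, with the reason each one deserves a second look.
WATCHLIST = {
    21: "FTP sends credentials in clear text",
    23: "Telnet sends credentials in clear text",
    3306: "MySQL should not be reachable from the internet",
    3389: "RDP exposed to the internet is a common brute-force target",
}

# Constructed sample: the parts of an Nmap XML report this script reads
# (the address is from the 203.0.113.0/24 documentation range).
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml target.com">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass
class PortResult:
    host: str      # "hostname (ip)" when Nmap recorded a hostname, else just the ip
    port: int
    proto: str
    state: str     # open / closed / filtered, exactly as Nmap reports it
    service: str   # service name guessed by Nmap
    product: str   # product and version from -sV, empty if none


def parse_nmap_xml(xml_text: str) -> list[PortResult]:
    """Flatten every <port> element of every host into PortResult rows."""
    root = ET.fromstring(xml_text)
    rows: list[PortResult] = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        label = f"{hn.get('name')} ({addr})" if hn is not None else addr
        for port in host.iter("port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append(PortResult(label, int(port.get("portid")), port.get("protocol"),
                                   port.find("state").get("state"), name, product))
    return rows


def state_summary(rows: list[PortResult]) -> dict[str, int]:
    """Count ports per state (open, closed, filtered) across all hosts."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for r in rows:
        counts[r.state] = counts.get(r.state, 0) + 1
    return counts


def exposure_findings(rows: list[PortResult]) -> list[str]:
    """One finding per open watch-listed port; closed and filtered ports are ignored."""
    return [f"{r.host} {r.proto}/{r.port} ({r.service}): {WATCHLIST[r.port]}"
            for r in rows if r.state == "open" and r.port in WATCHLIST]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f"{r.host:28} {r.proto}/{r.port:<5} {r.state:8} {r.service:10} {r.product}")
    print(state_summary(rows))
    for finding in exposure_findings(rows):
        print("WATCH:", finding)
```

For a real report, replace `SAMPLE_XML` with `Path("scan.xml").read_text()`. The filtered 8080 in the sample is deliberately left out of the findings: a filtered port tells you a firewall answered, not that a service is exposed, which is the distinction the port-state list above is making.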
Step 4: OSINT (Emails, Names, Metadata)
Gather intel from public sources.
theHarvester collects emails, subdomains, and IPs:
theHarvester -d target.com -b all
Specify sources:
theHarvester -d target.com -b google,bing,linkedin
This finds:
- Employee email addresses
- Email naming conventions (e.g. a firstname.lastname@target.com pattern)
- Subdomains indexed by search engines
- Publicly exposed hosts
Step 5: Search Engine Recon (Google Dorking)
Google has already indexed a ton of useful info. You just need the right queries.
Google Dorks use special operators to find hidden content:
| Operator | What it does |
|---|---|
| site: | Search within a specific domain |
| filetype: | Find specific file types |
| inurl: | Search for words in URLs |
| intitle: | Search page titles |
| intext: | Search page content |
Examples:
Find login pages:
site:target.com inurl:login
Find PDF files:
site:target.com filetype:pdf
Find exposed directories:
site:target.com intitle:"index of"
Find config files:
site:target.com filetype:env OR filetype:config
Find admin panels:
site:target.com inurl:admin
⚠️ Warning: Only use Google Dorks on targets you have permission to test. Using this on unauthorized systems can get you in trouble.
Check out the Google Hacking Database (GHDB) at exploit-db.com for a massive list of dorks.
Step 6: Internet-Wide Search Engines
These tools have already scanned the entire internet. You just query their databases.
Shodan (shodan.io): Searches for internet-connected devices. Find open ports, services, and banners. Example queries:
hostname:target.com
org:"Target Company"
Censys (search.censys.io): Strong for SSL/TLS certificate analysis. Find assets by certificate data. Example query:
services.tls.certificates.leaf.names: target.com
Both tools are insanely useful for:
- Finding exposed databases
- Discovering cloud instances
- Identifying misconfigured services
- Mapping infrastructure without scanning
🛠️ Complete Tool List
Passive Recon
| Tool | Purpose |
|---|---|
| Subfinder | Subdomain discovery |
| Amass | Attack surface mapping |
| theHarvester | Email/subdomain OSINT |
| Shodan | Internet device search |
| Censys | Certificate & host search |
| Google Dorks | Search engine recon |
| Wayback Machine | Historical site data |
| Certificate transparency logs | Subdomain discovery from issued certificates |
Active Recon
| Tool | Purpose |
|---|---|
| Nmap | Port & service scanning |
| Masscan | Fast port scanning |
| DNSRecon | DNS enumeration |
| Gobuster | Directory brute-forcing |
| HTTPX | HTTP probing |
Learning Resources
Practice Labs:
- TryHackMe (tryhackme.com): Start with their "Nmap" and "Passive Recon" rooms
- Hack The Box (hackthebox.com): Good for realistic scenarios
- PentesterLab (pentesterlab.com)
Reading:
- Nmap Network Scanning (nmap.org/book)
- NahamSec: Recon & Attack Surface Management (YouTube)
- OWASP Testing Guide
Cheat Sheets:
- Nmap Cheat Sheet: highon.coffee/blog/nmap-cheat-sheet
- Google Dorking: exploit-db.com/google-hacking-database
✅ Week 1 Checklist
Before moving on, make sure you can:
- [ ] Enumerate subdomains using at least 2 tools
- [ ] Perform DNS lookups and understand record types
- [ ] Run Nmap scans and interpret results
- [ ] Use theHarvester to gather OSINT
- [ ] Write basic Google Dorks
- [ ] Search Shodan or Censys for target info
🎯 Key Takeaways
- Recon is the foundation. Skip this and you'll miss critical attack vectors.
- Passive first, active second. Stay under the radar as long as possible.
- Layer your tools. Each tool has different sources. Combine them for complete coverage.
- Document everything. Keep notes on what you find. You'll need it later.
- Subdomains are gold. Forgotten servers and staging environments are where vulnerabilities hide.
That's Week 1. 🔥
Tomorrow (Wednesday) we'll cover the defensive side: how to reduce your attack surface and detect reconnaissance attempts.
Next Tuesday: Authentication & Session Management. We're breaking logins.
See you then.
– Zwire
P.S. Got questions? Reply to this email. I read everything.