# Internal Recon Basics

### Scope Use Case

The scope of the engagement determines what your recon will look like. WebApps, white-boxing, netblocks, and wide-open ROEs each have their own recon flow.

![Simple Example](/files/OxqKBwIt1TOHuGjBQVjJ)

### The Recon Cycle

The important thing to understand when doing recon is that searches that came back empty before may return results later, once you have more intel to include. For example, maybe you do a Facebook search for John Smith and realize there are too many results. Later you get his office location, cell, and middle name. Then you can go back and find him with that extra info.

{% hint style="info" %}
OSINT will continue to give you more information as you cycle back. Keep doing this until you have what you need.
{% endhint %}

![](/files/-McqcRhhPzbpVhiHA0Qt)

It's best to use mind-mapping software to keep track. You can even match it to the [OSINTFramework](https://osintframework.com/).

### Recon Tips

#### <mark style="color:purple;">Infrastructure:</mark>

* <mark style="color:purple;">Network Maps</mark>
* <mark style="color:purple;">Network Blocks</mark>
* <mark style="color:purple;">IP Addresses / Virtual Hosts</mark>
* <mark style="color:purple;">Ports</mark>
* <mark style="color:purple;">Services</mark>
* <mark style="color:purple;">DNS/Domains/Sub-Domains/TLDs</mark>
* <mark style="color:purple;">OS's</mark>
* <mark style="color:purple;">Alive machines</mark>
* <mark style="color:purple;">Web Servers/CMS/Databases</mark>
* <mark style="color:purple;">Application logic</mark>

<mark style="color:blue;">**Business:**</mark>

* <mark style="color:blue;">Web presence</mark>
* <mark style="color:blue;">Physical locations</mark>
* <mark style="color:blue;">Employees/departments</mark>
* <mark style="color:blue;">Emails</mark>
* <mark style="color:blue;">Partners and third parties</mark>
* <mark style="color:blue;">Press / news releases</mark>
* <mark style="color:blue;">Documents</mark>
* <mark style="color:blue;">Financial information</mark>
* <mark style="color:blue;">Job postings</mark>

<mark style="color:green;">**Whaling/Spear phishing:**</mark>

* <mark style="color:green;">Workflows of the company</mark>
* <mark style="color:green;">Who talks to who</mark>
* <mark style="color:green;">Company email letterhead</mark>
* <mark style="color:green;">Terminology; talk the talk</mark>
* <mark style="color:green;">OS: Phone and Laptop</mark>
* <mark style="color:green;">Current Projects and Needs (Job postings, Social Media)</mark>
