Internal Recon Basics

Scope Use Case

The scope of engagement will determine what your recon will look like. WebApps, White-boxing, Netblocks, and Wide Open ROEs will all have their own recon flows.

The Recon Cycle

The important thing to understand when doing recon is that; searches that came back empty before may come back with results later as you get more intel to include. For example maybe you do a facebook search for John Smith and realize there are to many results. But later you get his office location, cell, and middle name. Then you can go back and find him with that extra info.

OSINT will continue to give you more information as you cycle back. Kepp doing this until you have what you need.

Its best to use mind mapping software to keep track. You can even match it to the OSINTFramework.

Recon Tips

Infrastructure:

Network Maps
Network Blocks
IP Addresses / Virtual Hosts
Ports
Services
DNS/Domains/Sub-Domains/TLDs
OS's
Alive machines
Web Servers/CMS/Databases
Application logic

Business:

Web presence
Physical locations
Employees/departments
Emails
Partners and third parties
Press / news releases
Documents
Financial information
Job postings

Whaling/Spear phishing:

WorkFlows of the company
Who talks to who
Company email letterhead
Terminology; talk the talk
OS: Phone and Laptop
Current Projects and Needs (Job postings, Social Media)

PreviousPentesting Pocket Book for hackers and developers.NextOSINT

Last updated 2 years ago

Was this helpful?