Read as

Last updated: April 29, 2026

Recon is the cheapest, highest-yield phase of any engagement. Tools that pay back the time investment.

Subdomain enumeration

# Passive (no traffic to target)
subfinder -d target.com -all -silent
amass enum -passive -d target.com
crt.sh search ("%.target.com")

# Active (more thorough)
amass enum -active -d target.com
ffuf -w subdomains.txt -u https://FUZZ.target.com

Search engines for hackers

Shodan — internet-connected device search; shodan search "Apache" country:IN
Censys — similar; certificate-focused
FOFA — China-origin alternative; large scope
ZoomEye — same niche

Email + people

theHarvester — email/subdomain via search engines
Hunter.io — corporate email patterns
linkedin2username — generate username candidates
dehashed.com — leaked credential search (paid)
HaveIBeenPwned — breach exposure (free)

Tech fingerprinting

Wappalyzer browser extension
httpx — fast tech detection on subdomain lists
nuclei — vulnerability templates

Cloud asset discovery

cloud_enum — AWS S3, Azure blobs, GCS buckets by naming pattern
ScoutSuite — assess cloud accounts you have access to

🧠

Check your understanding

Module Quiz · 6 questions

Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

Module 13 · OSINT & External Recon