Module 01 — Reconnaissance & OSINT
Type 1 · Concept Autopsy — pin down the passive/active boundary by mapping a target's external attack surface from public sources (CT logs, DNS, tech fingerprints) and writing the principle memo that draws the line. (Secondary: Tool-Build — the lab ships a reusable recon/attack-surface harness.)
Last reviewed: 2026-06
Offensive Security — the engagement starts here; the wider the attack surface you find, the more there is to test.
In 60 seconds
Recon is building the map of a target's externally-visible footprint — and the size of that map sets the size of your opportunity. The discipline that separates a pro from a tool-runner is the passive/active line: passive recon (CT logs, DNS, public records) never touches the target; active recon makes contact and can put you out of scope. The attack surface is almost always bigger than the target believes, because nobody keeps an accurate inventory — and the assets that fell off it are exactly where the critical bugs live.
Why this matters
You can't attack what you can't see. Recon — passive OSINT and active mapping — is where every real engagement and bug-bounty hunt begins, and the operators who find the most surface find the most bugs. Done carelessly it's also where you wander out of scope and into legal trouble, so disciplined, authorized recon is a skill in itself.
Objective
Map a target's external attack surface from public information — domains, hosts, technologies, and exposed services — without touching anything out of scope.
The core idea
You can't attack what you can't see, and the size of your map sets the size of your opportunity. Recon is building that map, and the discipline that separates a professional from someone running tools is the passive/active line. Passive recon (certificate-transparency logs, DNS, public records, leaked credentials, code repos) never touches the target: invisible, legal almost anywhere, and surprisingly rich. Active recon (resolving hosts, probing) makes contact and can put you out of scope, or into legal trouble. The picture to hold: you're reconstructing an organisation's externally visible footprint the way the organisation itself has lost track of it: forgotten subdomains, shadow IT, the dev box someone exposed "just for a minute" in 2023.
The mental model
The attack surface is almost always bigger than the target believes, because nobody keeps an accurate inventory of what they expose; recon is the hunt for the assets that fell off it. Certificate Transparency is the cheat code: every publicly trusted TLS certificate is logged, so every subdomain anyone ever got a cert for is discoverable without sending a single packet.
That last point is the whole game. The assets that fall off the inventory are exactly where the critical bugs live: the forgotten edge device — a FortiGate, a Jira instance, a VPN appliance — running a version vulnerable to something like FortiOS CVE-2024-21762 (a CVSS 9.8 pre-auth RCE in the SSL-VPN, on CISA's Known Exploited Vulnerabilities list). Recon that finds and fingerprints that box is the whole engagement; everything after is just walking through the door it left open.
The gotcha
Scope is what turns recon from a skill into a liability. "Passive" does not automatically mean "in scope" — and a subdomain you find passively may belong to someone else entirely. Confirm it resolves and that it's in your authorisation before you touch it.
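The CT-log discovery and the scope gotcha above, worked as an added example that is not the module's lab harness or any tool the page names: it parses constructed records shaped like crt.sh's JSON export (one object per certificate, SAN names newline-separated in `name_value`), normalises the names, and sorts each candidate into in-scope, wildcard-only or out-of-scope against a hypothetical authorisation, all without sending a packet. The scope check is a label-boundary suffix match, so a name such as `example.com.partner-hosting.net` is rejected even though it contains the apex string. The `Scope`, the sample records and the hostnames are all assumptions made for the example.

```python
"""Passive subdomain discovery from CT records, then a scope check, before
anything is resolved or probed. Added example; sample data is constructed."""
import json
from dataclasses import dataclass

# Constructed sample shaped like crt.sh's JSON output (not real log data).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2027-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com",             # wildcard: no concrete host yet
     "not_after": "2024-01-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Old-Jira.Example.com.\nvpn.example.com",  # mixed case, trailing dot
     "not_after": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.partner-hosting.net",  # looks related, is someone else's
     "not_after": "2027-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "corp.example.org",               # different apex entirely
     "not_after": "2027-03-01T00:00:00"},
])


@dataclass(frozen=True)
class Scope:
    """Hypothetical authorisation: apex domains you may test, hosts carved out of it."""
    apexes: frozenset
    excluded: frozenset


SCOPE = Scope(apexes=frozenset({"example.com"}),
              excluded=frozenset({"vpn.example.com"}))


def under(host: str, domain: str) -> bool:
    """Label-boundary suffix match: 'a.example.com' is under 'example.com';
    'example.com.partner-hosting.net' is not, despite containing the string."""
    return host == domain or host.endswith("." + domain)


def in_scope(host: str, scope: Scope) -> bool:
    if any(under(host, ex) for ex in scope.excluded):
        return False
    return any(under(host, apex) for apex in scope.apexes)


def normalise(raw: str):
    """Lowercase, drop the trailing dot, split off a leading wildcard label."""
    name = raw.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    return (name[2:] if wildcard else name), wildcard


def extract_hosts(ct_json: str) -> dict:
    """hostname -> {'wildcard_only': bool, 'latest_not_after': ISO str}.
    A concrete SAN outranks a wildcard for the same base name; the newest
    expiry seen is kept so long-dead certificates stand out."""
    hosts = {}
    for cert in json.loads(ct_json):
        for raw in cert["name_value"].split("\n"):
            host, wildcard = normalise(raw)
            if not host:
                continue
            rec = hosts.setdefault(host, {"wildcard_only": True, "latest_not_after": ""})
            rec["wildcard_only"] = rec["wildcard_only"] and wildcard
            rec["latest_not_after"] = max(rec["latest_not_after"], cert["not_after"])
    return hosts


def classify(ct_json: str, scope: Scope) -> dict:
    """Passive triage (sorted for stable output):
    in_scope      - candidates you may go on to resolve and probe under authorisation
    wildcard_only - base names seen only as '*.name'; the hosts beneath are still unknown
    out_of_scope  - names CT handed you that are not yours to touch"""
    buckets = {"in_scope": [], "wildcard_only": [], "out_of_scope": []}
    for host, rec in sorted(extract_hosts(ct_json).items()):
        if not in_scope(host, scope):
            buckets["out_of_scope"].append(host)
        elif rec["wildcard_only"]:
            buckets["wildcard_only"].append(host)
        else:
            buckets["in_scope"].append(host)
    return buckets


def forgotten(ct_json: str, scope: Scope, as_of: str) -> list:
    """In-scope hosts whose newest certificate expired before `as_of`
    (ISO timestamps compare correctly as strings): the 'fell off the
    inventory' leads to verify first."""
    hosts = extract_hosts(ct_json)
    return [h for h in classify(ct_json, scope)["in_scope"]
            if hosts[h]["latest_not_after"] < as_of]


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_CT_JSON, SCOPE), indent=2))
    print("forgotten:", forgotten(SAMPLE_CT_JSON, SCOPE, "2026-06-01T00:00:00"))
```

Everything in this block stays on the passive side of the line; the `forgotten()` output is the queue of leads whose resolution and probing is where the active line is crossed, and only under the authorisation `SCOPE` encodes.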
AI caveat
A model will happily synthesise a tidy attack-surface map that includes a hallucinated subdomain or one outside your authorisation. Treat AI output as leads to verify — does it resolve? is it in scope? — never as confirmed assets. Anyone can run amass; the value is the operator who confirms, contextualises, and stays in bounds.
Learn (~3 hrs)
Methodology
- The Bug Hunter's Methodology v4 — Recon Edition (Jason Haddix, ~50 min) — the canonical talk on how real hunters map an attack surface; watch once, then keep as a reference.
- MITRE ATT&CK — Reconnaissance (TA0043) — the taxonomy of recon techniques you'll map findings to.
Sources & tooling
- OSINT Framework — a navigable map of open-source intelligence sources.
- OWASP Web Security Testing Guide — read the Information Gathering chapter for web-specific recon.
- CISA Known Exploited Vulnerabilities catalog — the list of CVEs being actively exploited (e.g. FortiOS CVE-2024-21762); cross-reference what your recon fingerprints against it to find what's worth attacking.
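The KEV cross-reference mentioned above, as an added example that is not the page's, the lab's or CISA's code: it takes fingerprints of the kind a recon harness emits (host, product, version) and reports the ones whose product is in a KEV-style list and whose version falls in an affected range. The KEV record mirrors the field names of the catalog's JSON export but is a constructed sample, the fingerprints and hostnames are constructed, and because KEV records which CVEs are exploited rather than affected version ranges, the `AFFECTED_RANGES` table is an assumption written for illustration that must be confirmed against the vendor advisory before anything is acted on.

```python
"""Cross-referencing fingerprinted versions against a KEV-style list.
Added example; the KEV entry, ranges and fingerprints below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """What a recon harness emits after banner/header fingerprinting (constructed)."""
    host: str
    product: str
    version: str


# Constructed sample in the KEV JSON field layout (dates and names as sample data).
KEV_SAMPLE = [
    {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS Out-of-Bound Write Vulnerability",
     "dateAdded": "2024-02-09", "knownRansomwareCampaignUse": "Unknown"},
]

# ASSUMED inclusive affected ranges, keyed by CVE. KEV does not carry these;
# the vendor advisory is the authority. Illustrative only.
AFFECTED_RANGES = {
    "CVE-2024-21762": {"product": "FortiOS",
                       "ranges": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"),
                                  ("7.0.0", "7.0.13"), ("6.4.0", "6.4.14")]},
}

# Constructed fingerprints: two hits, one patched build, one product absent from KEV_SAMPLE.
FINGERPRINTS = [
    Fingerprint("vpn.example.com", "FortiOS", "7.4.2"),
    Fingerprint("vpn2.example.com", "FortiOS", "7.4.3"),
    Fingerprint("edge.example.com", "FortiOS", "7.0.13"),
    Fingerprint("old-jira.example.com", "Atlassian Jira", "8.5.0"),
]


def version_key(v: str) -> tuple:
    """Numeric sort key so '7.4.10' > '7.4.2'; non-numeric build tags count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", part)) else 0
                 for part in v.split("."))


def version_in_range(v: str, lo: str, hi: str) -> bool:
    return version_key(lo) <= version_key(v) <= version_key(hi)


def cross_reference(fingerprints, kev, affected) -> list:
    """One record per (host, CVE) where the product is in KEV and the version
    sits inside an affected range; sorted by KEV date then host so the
    longest-exploited exposures come first. Output is a lead list, not a
    confirmed finding: the version is a banner claim until verified."""
    kev_by_id = {entry["cveID"]: entry for entry in kev}
    hits = []
    for fp in fingerprints:
        for cve, info in affected.items():
            if cve not in kev_by_id or info["product"] != fp.product:
                continue
            if any(version_in_range(fp.version, lo, hi) for lo, hi in info["ranges"]):
                hits.append({"host": fp.host, "product": fp.product,
                             "version": fp.version, "cve": cve,
                             "kev_date_added": kev_by_id[cve]["dateAdded"],
                             "name": kev_by_id[cve]["vulnerabilityName"]})
    return sorted(hits, key=lambda h: (h["kev_date_added"], h["host"]))


if __name__ == "__main__":
    for hit in cross_reference(FINGERPRINTS, KEV_SAMPLE, AFFECTED_RANGES):
        print(f'{hit["host"]}: {hit["product"]} {hit["version"]} -> {hit["cve"]} '
              f'(KEV since {hit["kev_date_added"]})')
```

The matching is deliberately strict on both axes: a product with no KEV entry in the list produces nothing, and a version one patch above the range produces nothing, which is the behaviour you want when the output feeds a scope-limited test plan rather than a guess.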
Key concepts
- Passive vs active reconnaissance (and why the line matters legally)
- Subdomain enumeration (DNS, certificate transparency)
- Technology fingerprinting (and matching versions to known-exploited CVEs, e.g. FortiOS CVE-2024-21762)
- OSINT: people, emails, leaked credentials, metadata
- Defining and staying inside scope
AI acceleration
A model will synthesise scattered recon output into a tidy attack-surface map fast — and just as fast hallucinate a subdomain that doesn't resolve. Treat its output as leads to verify, never as confirmed assets, and never let it talk you out of scope.
Check yourself
- Where exactly is the line between passive and active recon, and why does it matter legally?
- How does Certificate Transparency let you enumerate subdomains without sending the target a packet?
- You find a live host via OSINT that resolves cleanly — what must you confirm before probing it?