Organized notes for Open Source Intelligence and passive reconnaissance. Last Updated: 2026-03-27
Passive reconnaissance gathers information about a target without directly interacting with its systems. It is the first phase of any engagement and can reveal a surprising amount of actionable intelligence.
```bash
# Passive DNS lookup
dig any domain.com
dig mx domain.com
dig txt domain.com
dig ns domain.com

# WHOIS
whois domain.com

# Subdomain enumeration
subfinder -d domain.com -silent
amass enum -passive -d domain.com

# Subdomain + live check pipeline
echo domain.com | subfinder -silent | httpx -silent -sc -title -td -ip -cname -cl -lc -server -efqdn -fr

# DNS recon
dnsrecon -d domain.com

# Certificate transparency log search
# https://crt.sh/?q=%25.domain.com
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u
```
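The `curl | jq | sort -u` line works, but crt.sh packs several SANs into one `name_value` (newline-separated), returns wildcard entries, and matches anything containing the query string, so a small normalizer is worth keeping. The block below is an added example, not part of the original notes and not crt.sh's own code: it parses a constructed sample of the same JSON shape into a sorted in-scope host list and maps each host to its issuing CAs, which is also how you watch your own domains for certificates you did not request. `SAMPLE_CRTSH_JSON`, `hostnames_from_crtsh`, `issuers_by_host` and the script name `ct_hosts.py` are names chosen here.

```python
"""Normalize crt.sh JSON output into clean, in-scope hostnames (added example)."""
from __future__ import annotations

import json
import sys

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json (not real CT data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},          # two SANs on one cert
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com"},                  # wildcard entry
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "VPN.Example.COM"},                        # mixed case
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil-lookalike.net"},         # contains the query but is out of scope
])


def normalize(name: str) -> str:
    """Lowercase, trim whitespace, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, domain: str) -> bool:
    """True for the apex itself or any subdomain. The suffix match is on a label
    boundary, so example.com.evil-lookalike.net and notexample.com are rejected."""
    return name == domain or name.endswith("." + domain)


def iter_names(raw_json: str):
    """Yield (hostname, issuer) pairs; one certificate may list many SANs."""
    for entry in json.loads(raw_json):
        issuer = entry.get("issuer_name", "")
        for name in entry.get("name_value", "").split("\n"):
            name = normalize(name)
            if name:
                yield name, issuer


def hostnames_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Sorted, unique, in-scope hostnames from crt.sh JSON text."""
    return sorted({name for name, _ in iter_names(raw_json) if in_scope(name, domain)})


def issuers_by_host(raw_json: str, domain: str) -> dict[str, set[str]]:
    """Map each in-scope host to the set of CAs that issued for it. On your own
    domains, an issuer you do not use is a signal worth investigating."""
    result: dict[str, set[str]] = {}
    for name, issuer in iter_names(raw_json):
        if in_scope(name, domain):
            result.setdefault(name, set()).add(issuer)
    return result


if __name__ == "__main__":
    # Real data: curl -s "https://crt.sh/?q=%25.example.com&output=json" | python3 ct_hosts.py example.com
    # With no piped input the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = SAMPLE_CRTSH_JSON if sys.stdin.isatty() else sys.stdin.read()
    issuers = issuers_by_host(data, target)
    for host in hostnames_from_crtsh(data, target):
        print(host, "<-", "; ".join(sorted(issuers[host])))
```

Pipe the `curl` output from the block above into the script with the apex domain as the argument; the `in_scope` check is what keeps look-alike domains that merely contain the query string out of the list.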
```bash
# theHarvester
theHarvester -d domain.com -l 500 -b google,bing,linkedin

# hunter.io
# https://hunter.io — email pattern discovery and verification

# phonebook.cz
# https://phonebook.cz — email, domain, and URL search
```
```text
# Find exposed files
site:domain.com filetype:pdf
site:domain.com filetype:doc OR filetype:docx OR filetype:xls
site:domain.com filetype:sql OR filetype:bak OR filetype:log
site:domain.com filetype:env OR filetype:config OR filetype:ini

# Find login pages
site:domain.com inurl:login OR inurl:admin OR inurl:portal

# Find exposed directories
site:domain.com intitle:"Index of"

# Find error messages
site:domain.com "error" OR "warning" OR "syntax error"

# Find configuration files
site:domain.com ext:xml OR ext:conf OR ext:cnf OR ext:reg OR ext:inf

# Search for passwords
site:domain.com intext:"password" filetype:log
site:domain.com "password" OR "passwd" filetype:txt

# Find Git exposure
site:domain.com inurl:.git
```
```bash
# ExifTool — extract metadata from documents
exiftool document.pdf
exiftool -a -u *.pdf

# Extract usernames from metadata
exiftool *.pdf | grep -i "author\|creator\|producer"

# FOCA (Windows tool) for bulk metadata extraction
```
⚠️ CPTS Exam Tip: Download PDFs from target websites and extract metadata — they often contain usernames, software versions, and internal paths.
```text
# GitHub search operators
# In browser: github.com/search
"domain.com" password
"domain.com" api_key
"domain.com" secret
"domain.com" token
org:target-org password
```

```bash
# Tools
# GitLeaks: https://github.com/gitleaks/gitleaks
gitleaks detect -v --source /path/to/repo

# TruffleHog
trufflehog github --org=target-org
```
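gitleaks and TruffleHog both work the same way underneath: pattern rules for fixed-format credentials, plus an entropy test for generic `key = "..."` assignments so that placeholders are not reported. The block below is an added example of that mechanism, written here and not taken from either tool or from the original notes. It scans a constructed config snippet in which `AKIAIOSFODNN7EXAMPLE` is Amazon's documented example key (not a live credential) and every other value is made up; the rule names and the 3.5 bits/char threshold are choices made for this example, as is the script name `secret_check.py`. It is the kind of check to run as a pre-commit hook before anything reaches a repository.

```python
"""Minimal pattern-plus-entropy secret scanner (added example, not gitleaks or TruffleHog code)."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Constructed sample config. AKIAIOSFODNN7EXAMPLE is AWS's documented example key, not a real one.
SAMPLE_FILE = """\
# app settings (constructed for the demo)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "changeme"
api_key = "Zk9f3Qw7xLp2VbN8tRs4Hj6"
token = "placeholder"
"""


@dataclass
class Finding:
    rule: str
    line_no: int
    secret: str
    entropy: float


# (rule name, regex with the candidate secret in group 1, minimum entropy in bits/char).
# Fixed-format credentials are reported on the pattern alone; the generic rule also needs entropy.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 0.0),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 0.0),
    ("generic-assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
     3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking tokens score above ~4; a word like 'changeme' scores 2.75."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    """Show only a short prefix so the scanner's own output does not leak the value."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def scan_text(text: str) -> list[Finding]:
    """Apply every rule to every line; return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(1)
                ent = shannon_entropy(candidate)
                if ent >= min_entropy:
                    findings.append(Finding(rule, line_no, candidate, round(ent, 2)))
    return findings


if __name__ == "__main__":
    # Usage: python3 secret_check.py [file ...]   (no arguments scans the constructed sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] or [("<sample>", SAMPLE_FILE)]
    exit_code = 0
    for path, text in sources:
        for f in scan_text(text):
            print(f"{path}:{f.line_no}: {f.rule} ({f.entropy} bits/char) {mask(f.secret)}")
            exit_code = 1
    sys.exit(exit_code)  # non-zero exit lets a pre-commit hook block the commit
```

On the sample, the AWS key and the high-entropy `api_key` are reported while `changeme` and `placeholder` are dropped by the entropy threshold; that trade-off (fewer false positives, but a low-entropy real password slips through) is exactly the one the real tools tune with their rule sets.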
```bash
# Shodan CLI
shodan search "hostname:domain.com"
shodan host <IP>

# Shodan web searches
# https://www.shodan.io/search?query=hostname%3Adomain.com
# https://www.shodan.io/search?query=org%3A%22Target+Corp%22

# Censys
# https://search.censys.io/
```
🔴 Warning: Only use breach data in authorized engagements. Verify legal authorization.
```bash
# Check if emails appear in breaches
# https://haveibeenpwned.com/
# https://dehashed.com/

# Check historical snapshots
# https://web.archive.org/web/*/domain.com

# Waybackurls tool
waybackurls domain.com | sort -u > wayback_urls.txt

# Check for old pages that may still work
cat wayback_urls.txt | httpx -silent -sc -mc 200
```
| Tool | URL | Purpose |
|---|---|---|
| web-check | https://web-check.as93.net/ | Comprehensive website analysis |
| Shodan | https://www.shodan.io/ | Internet-connected device search |
| Censys | https://search.censys.io/ | Internet-wide scan data |
| crt.sh | https://crt.sh/ | Certificate transparency logs |
| DNSdumpster | https://dnsdumpster.com/ | DNS reconnaissance |
| BuiltWith | https://builtwith.com/ | Technology profiling |
| Wayback Machine | https://web.archive.org/ | Historical website snapshots |
| Hunter.io | https://hunter.io/ | Email pattern discovery |
| HaveIBeenPwned | https://haveibeenpwned.com/ | Breach checking |