
Web Reconnaissance & Enumeration Cheatsheet

Quick reference for web reconnaissance and enumeration.

Introduction

Reconnaissance and enumeration are the foundation of web application pentesting. Without thorough recon, we miss targets, waste time on irrelevant paths, and fail to map the complete attack surface.

This cheatsheet covers essential techniques and tools for web reconnaissance and enumeration.

Important:

  • This cheatsheet provides baseline actions - manual analysis and verification are essential
  • Tool versions may affect command syntax and output format - adjust accordingly
  • Reconnaissance is not a one-size-fits-all process - adapt techniques to your specific target
  • Think outside the box when standard methods fail
  • This article is under active development and will be continuously updated

Project Setup

# Create project structure
mkdir -p 2026/target.com && cd 2026/target.com
mkdir subdomains ports dirs ssl

Root Domain Discovery

cd subdomains

# Find ASN by organization name
amass intel -org "Organization Name" -o asn.txt

# Alternative: https://bgp.he.net/ (manual, faster)

# Find domains by ASN
amass intel -asn "AS12345" -o asn-subnet.txt

# Alternative: https://ipinfo.io/AS12345 (requires login)

# Find ASN from domain
dig +short target.com
curl https://ipinfo.io/{ip}/json

# WHOIS lookup
whois target.com

# Historical WHOIS: https://whois-history.whoisxmlapi.com/

Subdomain Enumeration

domain='target.com'

# OSINT discovery - subfinder
subfinder -d "$domain" -o domain-ip-subfinder.txt -active -ip
awk -F"," '{print $1}' domain-ip-subfinder.txt > domain-subfinder.txt
awk -F"," '{print $2}' domain-ip-subfinder.txt > ip-subfinder.txt

# OSINT discovery - amass
amass enum -d "$domain" -active -oA domain-ip-amass
sed 's/\x1B\[[0-9;]*[mK]//g' domain-ip-amass.txt | grep -Eo "([a-zA-Z0-9_-]+\.)+${domain}" | sort -u > domain-amass.txt
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' domain-ip-amass.txt | sort -u > ip-amass.txt

# Brute-force discovery
gobuster dns --domain "$domain" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -o domain-ip-brute.txt --resolver 1.1.1.1 --delay 100ms --timeout 5s

# Pull hostnames out by pattern rather than by column, so gobuster's output prefix and colour codes do not matter
sed 's/\x1B\[[0-9;]*[mK]//g' domain-ip-brute.txt | grep -Eo "([a-zA-Z0-9_-]+\.)+${domain}" | sort -u > domain-brute.txt

# Merge results
cat domain-amass.txt domain-brute.txt domain-subfinder.txt | sort -u > all-subdomains.txt
# gobuster dns as run above does not record IPs, so there is no ip-brute.txt to merge
cat ip-amass.txt ip-subfinder.txt | sort -u > all-ip.txt

# Generate permutations
dnsgen all-subdomains.txt > permutations-temp.txt
cat all-subdomains.txt permutations-temp.txt | sort -u > permutations.txt
rm permutations-temp.txt

# Validate with DNS
dnsx -l permutations.txt -o valid-subdomains.txt -stats -silent -r 1.1.1.1
echo "$domain" >> valid-subdomains.txt
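The merge step above only works if every tool's raw output has been reduced to clean hostnames and addresses first, and a plain grep for the domain string also accepts look-alike names that are outside scope. The script below is an added example, not part of the original cheatsheet: it strips ANSI colour codes, extracts hostnames and keeps only those that are the scope domain or end in ".target.com" (so target.com.evil.net and nottarget.com are dropped), and extracts IPv4 addresses while rejecting any with an octet above 255. The sample tool output embedded in it is constructed to imitate amass, gobuster and subfinder lines; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): normalise raw subdomain-tool
# output into a clean, in-scope host list before merging.
# All input below is CONSTRUCTED to imitate amass / gobuster / subfinder output,
# including ANSI colour codes and two out-of-scope look-alike names.

SCOPE_DOMAIN='target.com'

# Constructed sample: colour-coded amass relation line, gobuster "Found:" line,
# subfinder "host,ip" line, a duplicate, two look-alikes that a plain
# grep "target.com" would wrongly accept, a bare IP, and an invalid IP.
SAMPLE_OUTPUT="$(printf '%b' \
  '\033[32mwww.target.com\033[0m (FQDN) --> a_record --> 203.0.113.10 (IPAddress)\n' \
  'Found: api.target.com\n' \
  'dev.target.com,203.0.113.11\n' \
  'www.target.com\n' \
  'target.com.evil.net\n' \
  'login.nottarget.com\n' \
  '203.0.113.10\n' \
  'build 999.1.1.1\n')"

# Remove ANSI colour/cursor escape sequences (portable form of the cheatsheet's sed).
strip_ansi() {
  esc="$(printf '\033')"
  sed "s/${esc}\[[0-9;]*[mK]//g"
}

# Keep only hostnames that are the scope domain or a subdomain of it.
# Suffix matching on ".target.com" rejects target.com.evil.net and nottarget.com.
extract_subdomains() {
  domain="$1"
  strip_ansi \
    | tr ',' '\n' \
    | grep -oE '([A-Za-z0-9_-]+\.)+[A-Za-z0-9_-]+' \
    | awk -v d="$domain" '
        { h = tolower($0) }
        h == d || substr(h, length(h) - length(d)) == "." d
      ' \
    | sort -u
}

# Extract dotted-quad IPv4 addresses and drop any with an octet above 255.
extract_ipv4() {
  strip_ansi \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -u
}

# Wrappers over the constructed sample so the results can be checked.
demo_subdomains() { printf '%s\n' "$SAMPLE_OUTPUT" | extract_subdomains "$SCOPE_DOMAIN"; }
demo_ips()        { printf '%s\n' "$SAMPLE_OUTPUT" | extract_ipv4; }

echo "In-scope subdomains:"; demo_subdomains
echo "IPv4 addresses:";      demo_ips
```

In practice the two functions replace the per-tool sed/awk/grep one-liners: pipe each raw output file through `extract_subdomains "$domain"` or `extract_ipv4` and concatenate the results. Running on the sample yields api.target.com, dev.target.com and www.target.com, and the addresses 203.0.113.10 and 203.0.113.11.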

Port Scanning

cd ../ports

# Passive scanning (Shodan via nrich)
cat ../subdomains/all-ip.txt | xargs -I{} -n1 sh -c 'echo {} | nrich -; sleep 2' > shodan-ips.txt

# Active scanning - naabu
naabu -l ../subdomains/all-ip.txt -top-ports 100 -o naabu-ips.txt

# Active scanning - nmap
nmap -p- -oN {target}-allports.nmap {target} -vv
nmap -sV -sC --script vuln -p{ports} -oN {target}.nmap {target} -vv

Live Host Discovery

# Probe subdomains
cat ../subdomains/valid-subdomains.txt | httpx -o http.txt -title -status-code -tech-detect

# Probe IPs
cat ../subdomains/all-ip.txt | httpx -o http-ip.txt -title -status-code -tech-detect

# Merge and screenshot
cat http-ip.txt http.txt | sort -u > http-all.txt
awk '{print $1}' http-all.txt > http-all-clean.txt
gowitness scan file -f http-all-clean.txt

WAF Detection

cd ../dirs
wafw00f https://target.com/ | tee waf.txt

Finding origin IP behind WAF:

  • Check DNS history: SecurityTrails
  • Compare screenshots from Live Host Discovery
  • Virtual host enumeration with ffuf + gowitness

If found, test access:

# Replace 203.0.113.50 with actual origin IP
echo "203.0.113.50 target.com" | sudo tee -a /etc/hosts
curl -i http://target.com

Content Discovery

# Passive discovery
echo "https://target.com" | gau > gau.txt
echo "https://target.com" | waybackurls > waybackurls.txt
cat gau.txt waybackurls.txt | sort -u > osint-url.txt

# Active discovery - dirsearch
dirsearch -u "https://target.com/" -o dirsearch.txt
dirsearch -r -u "https://target.com/" -o dirsearch-recursive.txt

# Active discovery - gobuster
gobuster dir -u https://target.com/ -w /usr/share/dirb/wordlists/common.txt -o gobuster-common.txt
gobuster dir -u https://target.com/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -o gobuster-raftdir.txt

# Crawling - katana
katana -d 4 -jc -u https://target.com -o katana.txt

# Extract parameters
cat osint-url.txt | grep "="
grep -oP '(?<=\?).*' osint-url.txt | tr '&' '\n' | cut -d= -f1 | sort -u > parameters.txt

# Parameter discovery
paramspider -d target.com
arjun -u https://target.com
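The parameter-extraction one-liner above has three rough edges: `grep "="` also matches a `=` inside a path, a `#fragment` after the query string becomes part of the last parameter's value, and a trailing `&` produces an empty name. The script below is an added example, not part of the original cheatsheet, that handles those cases and also counts how many URLs use each parameter so the most widely used ones can be reviewed first. The URL list embedded in it is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): pull distinct query-parameter
# names out of a URL list such as osint-url.txt. The URL list is CONSTRUCTED.
# Cases covered: '=' inside a path (no query string), a '#fragment' after the
# query, a trailing '&', and the same parameter appearing in several URLs.

SAMPLE_URLS='https://target.com/search?q=test&page=2
https://target.com/search?q=other&sort=asc#results
https://target.com/about
https://target.com/docs/key=value/page
https://target.com/api/v1/items?id=5&page=3&'

# Emit one parameter name per line, one per occurrence, for URLs that carry a
# query string: drop the fragment, strip everything up to the first '?',
# split on '&', keep the part before '=', and discard empty names.
query_param_names() {
  grep -F '?' \
    | sed -e 's/#.*$//' -e 's/^[^?]*?//' \
    | tr '&' '\n' \
    | cut -d= -f1 \
    | grep -v '^$'
}

# Distinct parameter names, sorted (what parameters.txt should contain).
extract_param_names() {
  query_param_names | sort -u
}

# "name count" per parameter, most used first, to prioritise manual review.
count_param_usage() {
  query_param_names | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Wrappers over the constructed sample so the results can be checked.
demo_names()  { printf '%s\n' "$SAMPLE_URLS" | extract_param_names; }
demo_counts() { printf '%s\n' "$SAMPLE_URLS" | count_param_usage; }

echo "Distinct parameter names:"; demo_names
echo "Usage counts:";             demo_counts
```

Against the sample the distinct names are id, page, q and sort; the path-only URL with key=value is ignored, the fragment does not leak into sort's value, and the trailing `&` yields nothing. To use it on real output, replace the sample with `extract_param_names < osint-url.txt > parameters.txt`.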

Browser Extensions

Browser extensions can assist with reconnaissance directly from your browser while browsing the target application.

Technology Detection:

  • Wappalyzer - Identifies web technologies, frameworks, CMS, and server software

Endpoint Discovery:

Credential Leak Detection:

These extensions complement automated tools by providing real-time analysis during manual browsing.

SSL/TLS Analysis

cd ../ssl
nmap --script "ssl*" -p443 -oN ssl.nmap target.com
testssl.sh target.com | tee testssl.txt

OSINT

GitHub

"target.com"
"target.com" password
"target.com" api_key
"target.com" secret
"target.com" path:**/.env
"target.com" path:**/config
"target.com" language:python password

Shodan

hostname:"target.com"
ssl.cert.subject.cn:"target.com"
http.title:"target.com"
org:"Organization Name"
net:"203.0.113.0/24"

Google Dorking

site:target.com
site:*.target.com

# Login pages
site:target.com inurl:login
site:target.com inurl:admin
site:target.com intitle:admin

# Sensitive files
site:target.com filetype:pdf
site:target.com filetype:sql
site:target.com filetype:log
site:target.com filetype:env
site:target.com filetype:config

# Sensitive directories
site:target.com inurl:backup
site:target.com inurl:api
site:target.com inurl:test
site:target.com inurl:dev

# Credentials
site:target.com intext:password
site:target.com intext:username

# Error messages
site:target.com intext:"sql syntax"
site:target.com intext:"stack trace"

# Technology info
site:target.com inurl:phpinfo
site:target.com intext:"powered by"

Bing

site:target.com
site:target.com filetype:pdf
site:target.com instreamset:(url title):login

Wayback Machine

https://web.archive.org/web/*/target.com
https://web.archive.org/web/*/subdomain.target.com

Censys

"target.com"
host.services.dns.names: "target.com"
host.services.http.response.html_title: "App Name"
host.services.port = 443 and host.services.dns.names: "target.com"
host.services.software.product: "nginx"

Pastebin

site:pastebin.com "target.com"
site:ghostbin.com "target.com"

Social Media

"target.com" site:x.com
"target.com" site:reddit.com

Conclusion

This cheatsheet covers essential reconnaissance techniques for web applications. Always combine automated tools with manual analysis for comprehensive results.

Reconnaissance is not a one-size-fits-all process - adapt techniques based on target context and be creative in your approach. Think outside the box when standard methods don’t yield results.

This article is still under development and will be updated with new techniques and tools.

This post is licensed under CC BY 4.0 by the author.