Recon Methods Part 2 – OSINT Host Discovery Continued

By Red Siege | February 19, 2020

In part 1, we discussed how to start with a target’s name and research a company’s history through Wikipedia, gain information about external hosts with DNSDumpster, and continue host discovery with Hurricane Electric’s BGP Toolkit. We will continue our recon by searching Shodan, using SSL certificate search engines, SpyOnWeb,, and viewing job listings. As an example, we will take a look at a company that recently restructured. Although this information is publicly available, we have chosen to redact the name of the company and identifiable information from the results.

Links to posts in this series:

Recon Methods Part 1 – OSINT Host Discovery

Recon Methods Part 3 – OSINT Employee Discovery

Recon Methods Part 4 – Automated OSINT

Recon Methods Part 5 – Traffic on the Target


We’ll continue our recon with the Shodan. Shodan is a search engine for devices on the internet. When a device is found, they record details about the available services, headers returned during interactions, and geolocation of the physical host. We can use this information when profiling the attack surface of our target. Shodan offers a web interface and a command line tool. The web interface offers a concise rundown of the available services and recorded headers/SSL session information while interacting with the host, ASN and ISP information for the IP address, and the geolocation of the IP address.

Shodan also offers a command line interface (CLI). The Shodan CLI is easier to use when needing to perform searches against a target with large numbers of hosts/IP addresses. While the web interface will have the same results, we would have to go through each result one by one. The Shodan CLI can return all of the results in JSON format for further parsing.

SSL Certificate Search

Another host discovery method we use are SSL certificate
search engines such as and Censys. Both search engines provide results based
on SSL certificates observed while scanning the internet. We use the domains
shown in the results from both to help find additional hosts. Censys also
offers API access which can be used programmatically to pull results. An example
of and Censys results can be seen below.


SpyOnWeb is a great tool for finding alternate domains for
an IP address or URL. SpyOnWeb accepts IP addresses or URLs and returns
information about what is hosted. An example can be seen below after searching
for The application found another domain hosted on the same IP
address which can be researched for additional attack surface., also known
as the WayBack Machine, is constantly archiving websites and making them searchable.
Once we find a backup of a website, we use the tool Wayback Machine
to pull an offline copy. We can then browse the site without
generating traffic on the target’s host. If the backup is recent enough, we can
also use the backup during social engineering attacks by hosting the files on a
server we control and coercing the target’s employees into interacting with the
fake site.

Job Listings

A good way to find which software and security suites a company employs is to search through job postings. We look for keywords such as ‘IT’, ‘helpdesk’, ‘cybersecurity analyst’, ‘developer’, or ‘programmer’. Job postings often contain software suites, frameworks, and security platforms as requirements for the applicants. Using this information, we often know what kinds of hurdles we’ll have to overcome before we ever send the first packet or phishing email to the target. We usually search Google, Glassdoor, Indeed, Monster, and Zip Recruiter for the job postings. 


Using the methods outlined here, we have continued gathering actionable information on our target without ever interacting with their external hosts. We’ve gained insight into additional domains and IP addresses belonging to the target, reachable services on each of the hosts, interacted with the target’s web presence offline, and potentially found information about the infrastructure in use through job postings. In the next part, we’ll start tracking down employee email addresses through LinkedIn,, and public breach data.

Dumping LSASS Like it’s 2019

By Red Siege | March 4, 2024

By Alex Reid, Current Red Siege Intern   A long-time tactic of threat actors and offensive security professionals alike, tampering with LSASS.exe in order to recover credentials remains a highly […]

Learn More
Dumping LSASS Like it’s 2019

Better Living Through OpenSSH Config Files

By Red Siege | February 15, 2024

By: Justin Palk, Senior Security Consultant   SSH is an incredibly valuable tool for penetration testing. It provides us with a secure channel for administering machines, remotely executing tools, transferring […]

Learn More
Better Living Through OpenSSH Config Files

GraphStrike: Anatomy of Offensive Tool Development

By Red Siege | January 22, 2024

By: Alex Reid, Current Red Siege Intern Introduction This blog post accompanies the release of an open source tool called GraphStrike which can be found here. Those familiar with my […]

Learn More
GraphStrike: Anatomy of Offensive Tool Development

Find Out What’s Next

Stay in the loop with our upcoming events.