Recon Methods Part 2 – OSINT Host Discovery Continued

By Red Siege | February 19, 2020

In part 1, we discussed how to start with a target’s name and research a company’s history through Wikipedia, gain information about external hosts with DNSDumpster, and continue host discovery with Hurricane Electric’s BGP Toolkit. We will continue our recon by searching Shodan, using SSL certificate search engines, SpyOnWeb,, and viewing job listings. As an example, we will take a look at a company that recently restructured. Although this information is publicly available, we have chosen to redact the name of the company and identifiable information from the results.

Links to posts in this series:

Recon Methods Part 1 – OSINT Host Discovery

Recon Methods Part 3 – OSINT Employee Discovery

Recon Methods Part 4 – Automated OSINT

Recon Methods Part 5 – Traffic on the Target


We’ll continue our recon with Shodan. Shodan is a search engine for devices on the internet. When a device is found, Shodan records details about the available services, the headers returned during interactions, and the geolocation of the physical host. We can use this information when profiling the attack surface of our target. Shodan offers a web interface and a command line tool. The web interface gives a concise rundown of the available services, the headers and SSL session information recorded while interacting with the host, the ASN and ISP information for the IP address, and the geolocation of the IP address.

Shodan also offers a command line interface (CLI). The Shodan CLI is easier to use when searching a target with a large number of hosts or IP addresses. The web interface returns the same results, but we would have to step through each result one by one, whereas the Shodan CLI can return all of the results in JSON format for further parsing.
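The parsing step above is where the CLI pays off. The following is an added example (not Red Siege's code and not part of the Shodan CLI itself) that reads Shodan-style banner records, one JSON object per line, and folds them into a per-IP service inventory a defender can review against their own asset list. The banner field names (ip_str, port, transport, hostnames, org, product) are the public Shodan field names; the records in the block are constructed, not real results.

```python
"""Summarise Shodan CLI JSON-lines output into a per-host service inventory.

Added example, not Red Siege's code. Input is one JSON object per line; the
records below are constructed, not real Shodan data.
"""
import json

# Constructed sample banners: two services on one IP, one on another,
# plus a junk line to show that parsing tolerates bad input.
SAMPLE_LINES = [
    json.dumps({"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
                "hostnames": ["www.example.com"], "org": "Example Corp",
                "product": "nginx"}),
    json.dumps({"ip_str": "203.0.113.10", "port": 22, "transport": "tcp",
                "hostnames": ["www.example.com"], "org": "Example Corp",
                "product": "OpenSSH"}),
    json.dumps({"ip_str": "203.0.113.20", "port": 3389, "transport": "tcp",
                "hostnames": [], "org": "Example Corp"}),
    "not json at all",
]


def parse_banners(lines):
    """Yield banner dicts, skipping blank lines and lines that are not JSON objects."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "ip_str" in rec and "port" in rec:
            yield rec


def build_inventory(lines):
    """Return {ip: {"hostnames": [...], "org": str, "services": [(port, transport, product), ...]}}."""
    inv = {}
    for rec in parse_banners(lines):
        host = inv.setdefault(rec["ip_str"],
                              {"hostnames": set(), "org": rec.get("org", ""), "services": set()})
        host["hostnames"].update(rec.get("hostnames", []))
        host["services"].add((rec["port"], rec.get("transport", "tcp"),
                              rec.get("product", "unknown")))
    # Freeze the sets into sorted lists so output is stable and comparable.
    return {ip: {"hostnames": sorted(h["hostnames"]), "org": h["org"],
                 "services": sorted(h["services"])}
            for ip, h in inv.items()}


def flag_exposed(inventory, watch_ports=(21, 22, 23, 445, 3389, 5900)):
    """Return (ip, port) pairs on remote-access or file-sharing ports worth reviewing first."""
    return sorted((ip, port)
                  for ip, h in inventory.items()
                  for port, _, _ in h["services"]
                  if port in watch_ports)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LINES)
    for ip, h in sorted(inv.items()):
        print(ip, h["org"], ",".join(h["hostnames"]) or "-", h["services"])
    print("review first:", flag_exposed(inv))
```

Feeding a real export into `build_inventory` (e.g. `open("banners.json")`) produces the same structure; comparing it against the organisation's own asset register is the quickest way to spot hosts and services that nobody knew were exposed.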

SSL Certificate Search

Another host discovery method we use is SSL certificate search engines such as and Censys. Both search engines provide results based on SSL certificates observed while scanning the internet. We use the domains shown in the results from both to help find additional hosts. Censys also offers API access, which can be used programmatically to pull results. An example of and Censys results can be seen below.
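Certificate search results are only useful once the names in them are reduced to hosts that actually belong to the target. The block below is an added example, not Red Siege's code and not the Censys API client; it assumes each search hit carries a `names` list (the certificate's subject and subject alternative names), which is an assumption about the result shape, and the records are constructed. It keeps names that are the target apex or a subdomain of it, drops look-alike domains and case duplicates, and reports wildcard entries separately, since a wildcard proves a zone exists but names no concrete host.

```python
"""Reduce certificate-search hits to a de-duplicated list of in-scope hosts.

Added example, not Red Siege's or Censys's code. Each hit is assumed to have
a "names" list (subject plus SANs); the records below are constructed.
"""

SAMPLE_RESULTS = [  # constructed, not real search output
    {"names": ["www.example.com", "example.com", "mail.example.com"]},
    {"names": ["*.dev.example.com", "vpn.example.com"]},
    {"names": ["notexample.com", "example.com.evil.test"]},   # look-alikes, out of scope
    {"names": ["VPN.Example.com.", "old-portal.example.com"]},  # case/trailing-dot variant
]


def normalise(name):
    """Lower-case a DNS name and strip a trailing dot so variants compare equal."""
    return name.strip().lower().rstrip(".")


def in_scope(name, apex):
    """True when name is apex itself or a subdomain of apex.

    The "." prefix check is what rejects notexample.com and example.com.evil.test.
    """
    name, apex = normalise(name), normalise(apex)
    return name == apex or name.endswith("." + apex)


def hosts_from_certs(results, apex):
    """Return (concrete_hosts, wildcard_patterns) for apex, each sorted and de-duplicated."""
    concrete, wildcards = set(), set()
    for rec in results:
        for raw in rec.get("names", []):
            name = normalise(raw)
            if not in_scope(name, apex):
                continue
            if name.startswith("*."):
                wildcards.add(name)
            else:
                concrete.add(name)
    return sorted(concrete), sorted(wildcards)


def wildcard_zones(wildcards):
    """Zones implied by wildcard certificates, e.g. *.dev.example.com -> dev.example.com."""
    return sorted(w[2:] for w in wildcards)


if __name__ == "__main__":
    hosts, wild = hosts_from_certs(SAMPLE_RESULTS, "example.com")
    print("hosts:", hosts)
    print("wildcards:", wild, "zones:", wildcard_zones(wild))
```

The same scoping rule applies whichever search engine produced the hits; it is the suffix check, not the engine, that keeps third-party look-alike domains out of the host list.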


SpyOnWeb is a great tool for finding alternate domains for an IP address or URL. SpyOnWeb accepts IP addresses or URLs and returns information about what is hosted there. An example can be seen below after searching for The application found another domain hosted on the same IP address, which can be researched for additional attack surface.

, also known as the WayBack Machine, is constantly archiving websites and making them searchable. Once we find a backup of a website, we use the tool Wayback Machine to pull an offline copy. We can then browse the site without generating traffic on the target’s host. If the backup is recent enough, we can also use the backup during social engineering attacks by hosting the files on a server we control and coercing the target’s employees into interacting with the fake site.
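Before pulling a copy, it helps to know which captures the archive actually holds. The block below is an added example (not Red Siege's code and not the downloader tool mentioned above) that builds a query against the Wayback Machine's public CDX API, which returns a JSON header row followed by one row per capture, and then picks the most recent capture of each archived URL and forms the archive URL that serves it. The response in the block is constructed so it runs offline; `cdx_query_url` only builds the URL and never contacts the archive.

```python
"""List Wayback Machine captures for a site and form offline-retrieval URLs.

Added example, not Red Siege's code. Uses the CDX API's JSON output shape
(header row, then rows). The response below is constructed; nothing here
performs a network request.
"""
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(site, since=None, status="200"):
    """Build the CDX API URL listing successful captures of every URL under site."""
    params = {"url": site + "/*", "output": "json", "filter": f"statuscode:{status}"}
    if since:
        params["from"] = since  # e.g. "2019" or "20190101"
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


# Constructed CDX JSON response: header row, then one row per capture.
SAMPLE_CDX = [
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20190105120000", "http://example.com/", "text/html", "200", "AAAA", "1200"],
    ["com,example)/", "20200110093000", "https://example.com/", "text/html", "200", "BBBB", "1300"],
    ["com,example)/about", "20191220080000", "https://example.com/about", "text/html", "200", "CCCC", "900"],
    ["com,example)/old.js", "20170301000000", "https://example.com/old.js", "application/javascript", "200", "DDDD", "4000"],
]


def latest_snapshots(rows):
    """Map each archived URL (by urlkey) to its most recent capture, as a dict of fields."""
    header, *records = rows
    latest = {}
    for rec in records:
        row = dict(zip(header, rec))
        key = row["urlkey"]
        # Timestamps are fixed-width YYYYMMDDhhmmss, so string comparison orders them.
        if key not in latest or row["timestamp"] > latest[key]["timestamp"]:
            latest[key] = row
    return latest


def archive_url(row):
    """URL that serves this capture from the archive instead of from the live host."""
    return f"https://web.archive.org/web/{row['timestamp']}/{row['original']}"


def stale_captures(latest, before):
    """Archived URLs whose newest capture predates `before` (YYYYMMDD...), i.e. too old to trust."""
    return sorted(k for k, row in latest.items() if row["timestamp"] < before)


if __name__ == "__main__":
    print(cdx_query_url("example.com", since="2019"))
    latest = latest_snapshots(SAMPLE_CDX)
    for key, row in sorted(latest.items()):
        print(row["timestamp"], archive_url(row))
    print("stale:", stale_captures(latest, "20190101"))
```

The "recent enough" judgement in the text is what `stale_captures` makes explicit: a capture older than the cut-off is flagged rather than trusted as a faithful copy of the current site.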

Job Listings

A good way to find which software and security suites a company employs is to search through job postings. We look for keywords such as ‘IT’, ‘helpdesk’, ‘cybersecurity analyst’, ‘developer’, or ‘programmer’. Job postings often list software suites, frameworks, and security platforms as requirements for applicants. Using this information, we often know what kinds of hurdles we’ll have to overcome before we ever send the first packet or phishing email to the target. We usually search Google, Glassdoor, Indeed, Monster, and ZipRecruiter for the job postings.


Using the methods outlined here, we have continued gathering actionable information on our target without ever interacting with their external hosts. We’ve gained insight into additional domains and IP addresses belonging to the target and the reachable services on each host, interacted with the target’s web presence offline, and potentially found information about the infrastructure in use through job postings. In the next part, we’ll start tracking down employee email addresses through LinkedIn,, and public breach data.
