Gather publicly available information about a target organization to map its external attack surface, including subdomains, emails, and exposed assets.
Core Workflow
Domain Enumeration
Discover subdomains and related assets using
amass
and
subfinder
.
Tech Profiling
Identify technologies used on discovered assets using
httpx
and
whatweb
.
Information Gathering
Search for emails, leaks, and social media presence using
theharvester
and search engines.
Asset Correlation
Correlate IP addresses, domains, and technologies to find weak spots.
Vulnerability Intel
Check discovered software versions against CVE databases.
References
references/tools.md
references/workflows.md