Prox Offensive Information Security
Free resource

Free DIY Recon Toolkit

A purpose index of the external reconnaissance tools and the 5-step methodology we use — for authorized assessments, education, and defensive research.

Authorized use only

The tools and techniques listed here are for authorized security assessments, education, and defensive research only. Never use them on systems without explicit written permission from the asset owner. Unauthorized security testing is illegal.

  • Unauthorized testing
  • Intrusive exploitation
  • Accessing sensitive data
  • Anything outside written scope / permission

Reconnaissance methodology

A simple 5-step flow for external recon.

1. OSINT: passive information gathering
2. Network Mapping: identify hosts and ports
3. Enumeration: service fingerprinting
4. Discovery: identify exposures
5. Analysis: prioritize findings

Tools reference

A purpose index — no runnable syntax, just what each tool is for.

nmap (Network): port scanning and service fingerprinting
  Use non-intrusive scanning and stay within authorized scope.

rustscan (Network): fast port scanning to support deeper enumeration
  Use responsibly — avoid high-impact scan settings.

amass (DNS): subdomain enumeration and asset discovery
  Combine passive sources with validated results.

dnsx (DNS): DNS probing and validation of discovered hosts
  Validate and deduplicate results.

theHarvester (OSINT): OSINT collection for emails, subdomains, and metadata
  Prefer passive sources where possible.

crt.sh (OSINT): certificate transparency search for subdomains and domains
  Good starting point for passive discovery.

shodan (OSINT): internet-facing device and service exposure discovery
  Useful for exposure validation and context.

whois (OSINT): domain registration and ownership context
  May help with asset ownership questions.

SpiderFoot (OSINT): automated OSINT collection and correlation
  Review results carefully for false positives.

recon-ng (OSINT): modular recon framework for data gathering
  Great for structured collection.

nessus (Vuln Scanning): vulnerability scanning and reporting support
  Validate findings and avoid intrusive checks.

testssl.sh (TLS): SSL/TLS configuration analysis
  Useful for identifying weak ciphers and misconfigurations.

Key considerations

Before you start

  • Obtain written authorization for all targets
  • Define scope boundaries clearly
  • Document your source IPs for the client SOC
  • Establish communication channels for critical findings
  • Agree on report format and delivery timeline

During the assessment

  • Stay within authorized scope
  • Log activities for evidence
  • Validate findings before reporting
  • Report critical issues immediately
  • Avoid intrusive or destructive testing

Want prioritized findings without the DIY?

The External Exposure Audit Sprint delivers prioritized findings with evidence and a remediation roadmap in 3–5 business days.