--- title: External Reconnaissance Toolkit type: toolkit scope: authorized-only url: https://proxoffensive.com/toolkit --- # External Reconnaissance Toolkit ## Authorized Use Only The tools and techniques listed here are for **authorized security assessments**, educational purposes, and defensive research only. Never use these tools on systems without explicit written permission from the asset owner. Unauthorized security testing is illegal. ## Reconnaissance Methodology A simple 5-step flow for external recon: 1. **OSINT** — Passive information gathering 2. **Network Mapping** — Identify hosts and ports 3. **Enumeration** — Service fingerprinting 4. **Discovery** — Identify exposures 5. **Analysis** — Prioritize findings ## Tools Reference (Purpose-Only) This is a **purpose index** (no runnable syntax). - **nmap** — Network and port scanning - **rustscan** — Fast port scanning - **amass** — Subdomain enumeration - **dnsx** — DNS probing and validation - **theHarvester** — OSINT for emails and subdomains - **crt.sh** — Certificate transparency search - **shodan** — Internet-facing device search - **whois** — Domain registration info - **SpiderFoot** — Automated OSINT collection - **recon-ng** — Modular recon framework - **nessus** — Vulnerability scanning - **testssl.sh** — SSL/TLS configuration analysis ## Key Considerations ### Before You Start - Obtain written authorization for all targets - Define scope boundaries clearly - Document your source IPs for the client SOC - Establish communication channels for critical findings - Agree on report format and delivery timeline ### During Assessment - Stay within authorized scope - Log activities for evidence - Validate findings before reporting - Report critical issues immediately - Avoid intrusive or destructive testing ## Want Prioritized Findings Without the DIY? The **External Exposure Audit Sprint** delivers prioritized findings with evidence and a remediation roadmap in 3–5 business days. - Learn about the sprint: https://proxoffensive.com/services/external-exposure - View sample report: https://proxoffensive.com/sample-report.pdf - Download the toolkit PDF: https://proxoffensive.com/Prox_Offensive_Recon_Toolkit_v0.1.pdf ## Contact contact@proxoffensive.com All assessments require explicit written authorization.