Live Reconnaissance Simulators
Mission Brief
Theory is over. Run six live OSINT tools against approved public targets (your choice — try iana.org, example.com, github.com) and turn each raw output into one actionable finding for the Glasshouse report.
Story · The terminal opens
Your senior consultant slides a laptop across. 'Real APIs. Real targets. Public only — iana.org, example.com, github.com, your own domain. No production scanning. Go.'
Six tools. Six readouts. Six lessons in what hides in plain sight.
Trainer · Core Concepts
WHOIS / RDAP · Look for: registrar (who controls the domain), creation date (older = more trust + more legacy infra), expiry (impending = renewal-notice social-engineering pretext), nameservers (often reveal hosting/DNS provider), and status flags (clientTransferProhibited is good hygiene; RDAP spells the same lock 'client transfer prohibited').
DNS · A/AAAA → addresses of candidate live hosts. MX → mail provider. NS → DNS provider. TXT at the apex → SPF (authorised sending hosts) and site-verification tokens (which SaaS they use!). TXT at _dmarc.<domain> → DMARC (anti-spoof posture; p=none is monitor-only). CAA → which CAs may issue certs.
Certificate Transparency · Every publicly logged cert for the domain is here (browsers have required logging since 2018; older certs and private-CA certs are absent). Look for: unusual subdomains (dev-*, internal-*, *-staging), wildcard certs (broad attack surface), short-lived ACME certs (modern infra), and surprise sibling domains in the same cert's SANs (M&A footprint).
Wayback Machine · First-seen date tells the domain's web history. Look for removed paths (/admin, /portal, /old-app) that may still resolve on the live host. 200-status snapshots of pages that now 404 are an OSINT goldmine: the archived content is still readable.
HTTP headers · Server header → fingerprint. HSTS/CSP/XFO/XCTO/Referrer-Policy/Permissions-Policy → 6-point security score. <3 = immature. 6 = mature defensive engineering. Score the value, not the presence: HSTS with max-age=0, a CSP that allows 'unsafe-inline', or an X-Frame-Options value other than DENY/SAMEORIGIN earns no point.
robots.txt · NOT a security control — it's a sign-posted map of what the operator wanted hidden. Every Disallow path is a candidate for manual review. Sitemaps reveal content inventories.
Micro Labs
Lab 22 · Live WHOIS / RDAP
Run an RDAP lookup against a public target. Identify the registrar and creation date.
Query RDAP via rdap.org. Approved public targets only.
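Added example for the RDAP notes under Core Concepts and Lab 22; it is not the page's simulator code. SAMPLE_RDAP is a constructed record in the shape rdap.org returns for a domain (RFC 9083 object), the domain and registrar names are hypothetical, and the `today` argument is injectable so the expiry arithmetic is reproducible offline.

```python
# Added example (not the page's simulator code): read an RDAP JSON document
# the way Lab 22 asks. SAMPLE_RDAP is a CONSTRUCTED record in the shape
# rdap.org returns (RFC 9083 domain object); domain and registrar are hypothetical.
import json
from datetime import datetime, timezone

SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-TARGET.TEST",
    # RDAP status strings follow RFC 8056 ("client transfer prohibited");
    # legacy WHOIS shows the EPP spelling (clientTransferProhibited).
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1999-03-02T05:00:00Z"},
        {"eventAction": "expiration",   "eventDate": "2026-03-02T05:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-02-10T09:21:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.HOSTING-PROVIDER.TEST"},
        {"objectClassName": "nameserver", "ldhName": "NS2.HOSTING-PROVIDER.TEST"},
    ],
})


def rdap_url(domain):
    """rdap.org bootstraps to the registry's RDAP server for the TLD."""
    return f"https://rdap.org/domain/{domain}"


def _iso(s):
    # RDAP dates are RFC 3339; Python < 3.11 does not accept a trailing 'Z'.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _vcard_fn(entity):
    """Formatted name ('fn') from a jCard entity, or None if absent."""
    for prop in entity.get("vcardArray", [None, []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def summarise_rdap(raw_json, today=None):
    """Pull registrar, dates, nameservers and lock status out of an RDAP reply.
    `today` (ISO string or None) is injectable so expiry maths is deterministic."""
    doc = json.loads(raw_json)
    now = _iso(today) if today else datetime.now(timezone.utc)
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar = next((_vcard_fn(e) for e in doc.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    # Normalise both spellings so the check works on RDAP and on pasted WHOIS.
    status = {s.replace(" ", "").lower() for s in doc.get("status", [])}
    locked = "clienttransferprohibited" in status
    expires = events.get("expiration")
    days_left = (_iso(expires) - now).days if expires else None
    flags = []
    if days_left is not None and days_left <= 60:
        flags.append("expires-within-60-days")   # renewal-notice pretext risk
    if not locked:
        flags.append("no-transfer-lock")          # domain hijack risk
    return {
        "domain": doc.get("ldhName", "").lower(),
        "registrar": registrar,
        "created": events.get("registration"),
        "expires": expires,
        "days_to_expiry": days_left,
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "transfer_locked": locked,
        "flags": flags,
    }


if __name__ == "__main__":
    print(json.dumps(summarise_rdap(SAMPLE_RDAP), indent=2))
```

For a live run against an approved target, fetch rdap_url(domain) with Accept: application/rdap+json and pass the body to summarise_rdap; the registrar sits in an entity with the "registrar" role, not in a top-level field, which is why the jCard walk is needed.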
Lab 23 · Live DNS (DoH)
Pull MX or TXT records to read the target's email posture.
Use Cloudflare DoH (JSON API, Accept: application/dns-json). Query TXT at the apex for SPF + SaaS verification tokens, and TXT at _dmarc.<domain> for DMARC.
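Added example for the DNS notes under Core Concepts and Lab 23; it is not the page's simulator code. The two responses are constructed in the JSON shape Cloudflare's DoH endpoint returns for TXT queries, the domain, mail provider and tokens are hypothetical, and the DMARC record is deliberately p=none to show the monitor-only reading.

```python
# Added example (not the page's simulator code): decode TXT answers from
# Cloudflare's JSON DoH API and read SPF / DMARC / SaaS tokens out of them,
# as Lab 23 asks. Both responses are CONSTRUCTED for a hypothetical domain;
# the request shape is real: GET https://cloudflare-dns.com/dns-query?name=<n>&type=TXT
# with the header Accept: application/dns-json.
import json
import re
from urllib.parse import urlencode

SAMPLE_APEX_TXT = json.dumps({"Status": 0, "Answer": [
    {"name": "example-target.test", "type": 16, "TTL": 300,
     "data": "\"v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 ~all\""},
    {"name": "example-target.test", "type": 16, "TTL": 300,
     "data": "\"google-site-verification=abc123\""},
    {"name": "example-target.test", "type": 16, "TTL": 300,
     "data": "\"MS=ms12345678\""},
]})
# DMARC is NOT at the apex: it lives at _dmarc.<domain>, so it is a second query.
SAMPLE_DMARC_TXT = json.dumps({"Status": 0, "Answer": [
    {"name": "_dmarc.example-target.test", "type": 16, "TTL": 300,
     "data": "\"v=DMARC1; p=none; rua=mailto:dmarc@example-target.test\""},
]})


def doh_url(name, rtype="TXT"):
    return "https://cloudflare-dns.com/dns-query?" + urlencode({"name": name, "type": rtype})


def txt_strings(doh_json):
    """Return each TXT RR as one decoded string. DoH renders RDATA as quoted
    <character-string>s; records over 255 bytes arrive as several quoted
    chunks that must be concatenated, or a long SPF record gets truncated."""
    out = []
    for rr in json.loads(doh_json).get("Answer", []):
        if rr.get("type") == 16:                       # 16 = TXT
            out.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rr["data"])))
    return out


def assess_mail_posture(apex_txt_json, dmarc_txt_json):
    apex, dmarc = txt_strings(apex_txt_json), txt_strings(dmarc_txt_json)
    spf = next((s for s in apex if s.lower().startswith("v=spf1")), None)
    dm = next((s for s in dmarc if s.upper().startswith("V=DMARC1")), None)
    policy = None
    if dm:
        tags = dict(kv.strip().split("=", 1) for kv in dm.split(";") if "=" in kv)
        policy = tags.get("p", "").strip().lower() or None
    # p=none only asks receivers to report; quarantine/reject actually enforce.
    enforcement = {"none": "monitor-only", "quarantine": "partial", "reject": "enforced"}
    spf_terms = spf.split()[1:] if spf else []
    return {
        "spf": spf,
        "spf_sources": [t for t in spf_terms if not t.lower().endswith("all")],
        "spf_all": next((t for t in spf_terms if t.lower().endswith("all")), None),
        "dmarc_policy": policy,
        "dmarc_enforcement": enforcement.get(policy, "missing"),
        # Anything else with '=' is usually a SaaS ownership proof: name the vendor.
        "saas_tokens": [s for s in apex if "=" in s and not s.lower().startswith("v=")],
    }


if __name__ == "__main__":
    print(doh_url("example-target.test"), doh_url("_dmarc.example-target.test"))
    print(json.dumps(assess_mail_posture(SAMPLE_APEX_TXT, SAMPLE_DMARC_TXT), indent=2))
```

The finding for the report comes from dmarc_enforcement and spf_sources together: "monitor-only" DMARC plus a permissive ~all means spoofed mail from this domain is reported, not blocked, and each include: names a third-party sender worth listing.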
Lab 24 · CT-log subdomain enumeration
Pull every subdomain with a publicly logged TLS cert for the target via crt.sh.
Search Certificate Transparency. Look for non-obvious hosts (dev-*, internal-*, *-staging).
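Added example for the Certificate Transparency notes under Core Concepts and Lab 24; it is not the page's simulator code. SAMPLE_CRTSH is constructed in the shape crt.sh returns for a `%.<domain>` query with `output=json`; the domains, issuers and dates are hypothetical, and the INTERESTING label list is an assumption extended slightly beyond the page's dev-/internal-/staging examples.

```python
# Added example (not the page's simulator code): reduce crt.sh output to a
# subdomain inventory for Lab 24. SAMPLE_CRTSH is CONSTRUCTED in the shape of
# https://crt.sh/?q=%25.<domain>&output=json (one row per logged cert;
# name_value lists the SANs newline-separated). Domains are hypothetical.
import json
from datetime import datetime

SAMPLE_CRTSH = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example-target.test\nwww.example-target.test",
     "not_before": "2025-05-01T00:00:00", "not_after": "2025-07-30T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example-target.test\nwww.example-target.test",   # renewal: same hosts again
     "not_before": "2025-07-01T00:00:00", "not_after": "2025-09-29T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example Commercial CA, CN=Example CA 2020",
     "name_value": "*.example-target.test",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "dev-api.example-target.test\nstaging-portal.example-target.test",
     "not_before": "2025-06-10T00:00:00", "not_after": "2025-09-08T00:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     # SANs that mix the target with another domain: M&A / shared-ops hint.
     "name_value": "acquired-brand.test\nmail.acquired-brand.test\nsso.example-target.test",
     "not_before": "2025-06-10T00:00:00", "not_after": "2025-09-08T00:00:00"},
])

# Labels that usually mean non-production or administrative surface (assumed list).
INTERESTING = ("dev-", "internal-", "staging", "uat", "admin", "vpn", "old-")


def ct_inventory(raw_json, domain):
    """Group every logged name by host; flag wildcards, non-prod labels,
    short-lived (ACME-style, <=90 day) certs and sibling domains.
    Caveats: CT only holds certs that were logged (browser-mandated since 2018),
    and crt.sh may list a precertificate and its final cert as separate rows,
    so cert counts are upper bounds."""
    domain = domain.lower()
    suffix = "." + domain
    hosts = {}
    for row in json.loads(raw_json):
        days = (datetime.fromisoformat(row["not_after"])
                - datetime.fromisoformat(row["not_before"])).days
        for name in row["name_value"].lower().split("\n"):
            name = name.strip()
            if not name:
                continue
            h = hosts.setdefault(name, {"certs": 0, "min_validity_days": days, "issuers": set()})
            h["certs"] += 1
            h["min_validity_days"] = min(h["min_validity_days"], days)
            h["issuers"].add(row["issuer_name"])
    in_scope = sorted(n for n in hosts if n == domain or n.endswith(suffix))

    def label(n):                     # host part left of the target domain
        return n[:-len(suffix)] if n.endswith(suffix) else ""

    return {
        "subdomains": in_scope,
        "cert_count": {n: hosts[n]["certs"] for n in in_scope},
        "wildcards": [n for n in in_scope if n.startswith("*.")],
        "interesting": [n for n in in_scope if any(k in label(n) for k in INTERESTING)],
        "short_lived": [n for n in in_scope if hosts[n]["min_validity_days"] <= 90],
        "sibling_domains": sorted(n for n in hosts if n not in in_scope),
        "issuers": sorted({i for n in in_scope for i in hosts[n]["issuers"]}),
    }


if __name__ == "__main__":
    print(json.dumps(ct_inventory(SAMPLE_CRTSH, "example-target.test"), indent=2))
```

sibling_domains is the "surprise sibling" signal from the notes: those names appeared in a certificate that also covers the target, which is how a query scoped to one domain still surfaces an acquired brand.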
Lab 25 · Wayback Machine history
Pull the snapshot history of a target to find first-seen date and removed content.
Use the Internet Archive CDX API.
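Added example for the Wayback notes under Core Concepts and Lab 25; it is not the page's simulator code. SAMPLE_CDX is constructed in the default space-separated text format of the CDX API (urlkey, timestamp, original, mimetype, statuscode, digest, length); the domain and its capture history are hypothetical.

```python
# Added example (not the page's simulator code): read Wayback CDX output for
# Lab 25. SAMPLE_CDX is CONSTRUCTED in the default text format of
# http://web.archive.org/cdx/search/cdx?url=<domain>/*  (fields:
# urlkey timestamp original mimetype statuscode digest length).
# The hypothetical domain's history is invented.
from urllib.parse import urlencode

SAMPLE_CDX = """\
test,example-target)/ 20030115093012 http://example-target.test:80/ text/html 200 AAAA 1234
test,example-target)/admin 20120404120000 http://example-target.test/admin text/html 200 BBBB 2201
test,example-target)/admin 20230101000000 https://example-target.test/admin text/html 404 CCCC 512
test,example-target)/portal/login 20150909090909 http://example-target.test/portal/login text/html 200 DDDD 3310
test,example-target)/old-app 20160202020202 http://example-target.test/old-app/ text/html 302 EEEE 0
test,example-target)/old-app 20160202020203 http://example-target.test/old-app/ text/html 200 FFFF 8080
test,example-target)/ 20250601000000 https://example-target.test/ text/html 200 GGGG 5000
"""


def cdx_url(domain):
    """Every captured URL under the domain, in the default text format."""
    return "http://web.archive.org/cdx/search/cdx?" + urlencode({"url": f"{domain}/*"})


def _date(ts):
    return f"{ts[:4]}-{ts[4:6]}-{ts[6:8]}"


def parse_cdx(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        # urlkey is the SURT form: "test,example-target)/admin" -> path "/admin".
        # Keying on it folds http/https, :80 and trailing-slash variants together.
        rows.append({"path": f[0].split(")", 1)[1] or "/", "ts": f[1],
                     "original": f[2], "status": f[4]})
    return rows


def wayback_summary(text):
    rows = parse_cdx(text)
    by_path = {}
    for r in sorted(rows, key=lambda r: r["ts"]):       # chronological
        p = by_path.setdefault(r["path"], {"first": r["ts"], "last_ok": None, "latest_status": None})
        if r["status"] == "200":
            p["last_ok"] = r["ts"]
        p["latest_status"] = r["status"]                  # last write wins = newest capture
    historical = [{"path": path, "first_seen": _date(p["first"]), "last_ok": _date(p["last_ok"]),
                   "latest_status": p["latest_status"]}
                  for path, p in sorted(by_path.items()) if path != "/" and p["last_ok"]]
    return {
        "first_seen": _date(min(r["ts"] for r in rows)),
        "captures": len(rows),
        # Paths that once served 200: probe each on the live host (approved targets only).
        "historical_paths": historical,
        # Newest capture is no longer 200: removed from the site, but the old
        # snapshot body is still readable in the archive.
        "gone_in_archive": [h["path"] for h in historical if h["latest_status"] != "200"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(wayback_summary(SAMPLE_CDX), indent=2))
```

The archive cannot tell you whether /admin still resolves today; historical_paths is the list to check by hand, and gone_in_archive is where the "200 then 404" goldmine lives.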
Lab 26 · HTTP security header audit
Score the target's defensive web headers out of 6.
Fetch the homepage. Read HSTS / CSP / XFO / XCTO / Referrer-Policy / Permissions-Policy.
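Added example for the header notes under Core Concepts and Lab 26; it is not the page's simulator code. WEAK and STRONG are constructed response-header sets for two hypothetical hosts, and the scoring thresholds (for example what counts as a weak CSP) are this example's own judgement calls, chosen to make the "present is not the same as effective" point.

```python
# Added example (not the page's simulator code): the six-point header score
# from Lab 26, scoring the VALUE of each header rather than its presence.
# WEAK and STRONG are CONSTRUCTED response-header sets for hypothetical hosts.
import re
import urllib.request

WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=0",                     # max-age=0 clears HSTS
    "X-Frame-Options": "ALLOWALL",                                 # not a valid directive
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}
STRONG = {
    "Server": "cloudflare",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

NAMES = {  # course short name -> header (lower-case; HTTP header names are case-insensitive)
    "HSTS": "strict-transport-security", "CSP": "content-security-policy",
    "XFO": "x-frame-options", "XCTO": "x-content-type-options",
    "Referrer": "referrer-policy", "Permissions": "permissions-policy",
}


def fetch_headers(url):
    """Live fetch for an approved public target (not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-lab/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


def audit_headers(headers):
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get(NAMES["HSTS"], "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else None
    csp = h.get(NAMES["CSP"], "")
    ok = {
        "HSTS": bool(max_age),                                   # None or 0 -> no point
        # A CSP that allows inline/eval or a wildcard default is decoration.
        "CSP": bool(csp) and not re.search(r"'unsafe-(inline|eval)'|default-src\s+\*", csp, re.I),
        # frame-ancestors in CSP supersedes XFO, so accept either.
        "XFO": h.get(NAMES["XFO"], "").upper() in ("DENY", "SAMEORIGIN")
               or "frame-ancestors" in csp.lower(),
        "XCTO": h.get(NAMES["XCTO"], "").lower() == "nosniff",
        "Referrer": bool(h.get(NAMES["Referrer"])) and h[NAMES["Referrer"]].lower() != "unsafe-url",
        "Permissions": bool(h.get(NAMES["Permissions"])),
    }
    score = sum(ok.values())
    return {
        "server": h.get("server"),
        "score": score,
        "maturity": "mature" if score == 6 else "immature" if score < 3 else "partial",
        "passed": [k for k, v in ok.items() if v],
        "present_but_weak": [k for k, v in ok.items() if not v and h.get(NAMES[k])],
        "missing": [k for k, v in ok.items() if not v and not h.get(NAMES[k])],
        "hsts_max_age": max_age,
        # 'preload' in the header only means eligible; being ON the preload list
        # is a separate fact (check hstspreload.org).
        "hsts_preload_token": "preload" in hsts.lower(),
    }


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_headers(hdrs))
```

present_but_weak is the column to put in the report: a header that is set but ineffective usually means someone copied a snippet without understanding it, which is itself a finding about maturity.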
Lab 27 · robots.txt + sitemap recon
Parse the target's robots.txt and surface every Disallow path + sitemap reference.
Read /robots.txt — Disallow entries are recon hints, not security.
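Added example for the robots.txt notes under Core Concepts and Lab 27; it is not the page's simulator code. SAMPLE_ROBOTS is a constructed file for a hypothetical domain; it includes a second user-agent group, a wildcard rule and a relative Sitemap line because those are the cases a naive line-by-line grep gets wrong.

```python
# Added example (not the page's simulator code): a robots.txt parser for
# Lab 27 that surfaces Disallow paths and sitemap references as recon
# leads. SAMPLE_ROBOTS is CONSTRUCTED for a hypothetical domain.
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# Constructed sample: what an operator would rather crawlers skipped
User-agent: *
Disallow: /admin/
Disallow: /internal-api/
Disallow: /old-portal
Disallow: /*.bak$
Allow: /public/
Crawl-delay: 10

User-agent: Googlebot
Disallow: /staging/

Sitemap: https://example-target.test/sitemap.xml
Sitemap: /sitemap-products.xml
"""


def parse_robots(text):
    """Return (groups, sitemaps). A group is {'agents': [...], 'disallow': [...], 'allow': [...]};
    consecutive User-agent lines share one group, and a User-agent after rules starts a new one."""
    groups, sitemaps, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # strip comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if current is None or current["disallow"] or current["allow"]:
                current = {"agents": [], "disallow": [], "allow": []}
                groups.append(current)
            current["agents"].append(value)
        elif field in ("disallow", "allow") and current is not None and value:
            current[field].append(value)              # an empty Disallow means "allow all"
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def robots_recon(text, base):
    """Turn a robots.txt into a review list: each hidden path, who it is hidden
    from, and absolute URLs to check by hand. Wildcard rules ('*', '$') are
    patterns, not paths, and are reported separately."""
    groups, sitemaps = parse_robots(text)
    hidden = {}
    for g in groups:
        for path in g["disallow"]:
            hidden.setdefault(path, set()).update(g["agents"])
    paths = sorted(hidden)
    concrete = [p for p in paths if "*" not in p and "$" not in p]
    return {
        "disallow": [{"path": p, "hidden_from": sorted(hidden[p])} for p in paths],
        "patterns": [p for p in paths if p not in concrete],
        "candidate_urls": [urljoin(base, p) for p in concrete],
        "sitemaps": [urljoin(base, s) for s in sitemaps],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(robots_recon(SAMPLE_ROBOTS, "https://example-target.test/"), indent=2))
```

A path hidden only from Googlebot is worth a separate line in the report: the operator cared enough to single out one crawler, which says something about what lives there. Fetch the candidate URLs by hand, on approved targets only.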
Knowledge Check
Challenge · Six-tool footprint sprint
Pick one approved public target. Run all six simulators. Produce a six-bullet footprint with one finding per category (ownership, DNS, certs, history, headers, robots).
CEH v13 Exam Focus
- Reading RDAP / WHOIS output fields
- Interpreting DNS record types and DMARC policies
- Using CT logs for subdomain discovery
- HTTP security header taxonomy
- robots.txt as recon (not security)
- RDAP fields to read: REG-DATE-NS-STATUS (registrar, creation/expiry dates, nameservers, status)
- DMARC policies: none → quarantine → reject (least to most enforcing)
- 6 headers to score: HSTS, CSP, XFO, XCTO, Referrer-Policy, Permissions-Policy
- ⚠ Treating robots.txt as a defence
- ⚠ Assuming privacy-WHOIS hides everything (CT logs still leak hosts)
- ⚠ Reading p=none as 'protected' (it's monitor-only)
- ⚠ Confusing 'HSTS present' with 'HSTS preloaded'
- ▸ RDAP > legacy WHOIS (structured JSON)
- ▸ DoH = DNS-over-HTTPS (RFC 8484)
- ▸ CT logs = append-only, public, permanent
- ▸ CDX = Wayback's query interface
- ▸ robots.txt = recon goldmine
