Offensive Recon – Perimeter Attack Methodologies

Course Description

Reconnaissance the very first phase of any Risk Assessment Exercise, is often underestimated by many security professionals. Every security analyst’s arsenal should include Open Source Intelligence and active reconnaissance for an effective assessment and to measure the security posture against real world adversaries. This training not only talks about extracting data but also focuses on the significance of this data and how it could be directly enriched and used offensively for attacking and compromising Modern Day Infrastructures.

The training program covers a wide range of tools, techniques and methodologies for performing real-world reconnaissance in order to launch targeted attacks against modern organizations and infrastructures. The course will cover topics like:

  • Scoping the Attack Surface
  • Asset Discovery
  • Enriching Collected Data
  • Cloud Recon
  • Attacking and Exploiting
  • Practical Social Engineering

This 2 day training takes a practical approach to indulge the participants into Real World Scenarios, Simulated Lab Environment, Hands-On exercises and Case Studies in order to get proficient in tools, techniques and methodologies for Reconnaissance and Attacking. During the course each participant will be provided access to our Cloud Based Private Lab mimicking the modern age infrastructure, decoy accounts/profiles and organization’s social presence.

By the end of the training, participants will be able to:

  • Map the perimeter of an organization including their digital assets and human resources.
  • Identify weak entry points, plan and prioritize attack paths to gain internal access

REMARK : This is a 2-day course, starting on Thursday the 23rd of April

Course contents

Day 1

  • Target Scoping and Mapping the Attack Surface :
    • ASN ID, IP Lookups, Allocated IP Range Extraction, Domain IP History
    • Subdomain Enumeration
    • Certificate Transparency, Brute Forcing, LDNS Walking, Internet Scan Repositories
    • Processing and Querying Mass Internet Scan Data
    • Organization’s Social Media Profiling
    • Identifying Organizations Associations (Acquisitions, Mergers, Vendors, etc.)
    • Hunting Code Repositories, Dark Web, Paste Sites and Leaked Data
    • Cloud Recon
    • Server Instances, Cloud Storage Objects,
    • Art of Making Notes
  • Data Enrichment:
    • Generating Username/Password Patterns
    • Bucket/Spaces Pattern Generation
    • Tech Stack Profiling
    • Port Scanning (Active/Passive)
    • Capturing Screenshots of Exposed Services
    • Identifying SSO/Login/Admin/VPN Portal(s)
    • Explore Breached Password Databases
    • Metadata Extraction
    • Automating CSE for Dork Matching

Day 2

  • Attacking and Exploiting :
    • Targeted Credential Spraying on Assets
    • Credential Stuffing
    • Compromising Business Communication Infrastructure (BCI)
    • Exploring the Compromised Assets
    • Attacking Network Services using collated data
    • Stealing information from Buckets/Blobs
    • Collecting and Leveraging Cloud Secrets
    • Compromising Cloud Server Instances
    • Discovering and Exploiting Hidden Injection Points
  • User Profiling :
    • Discovering User Digital Footprint
    • Searching Historical/Deleted User Data
    • Identifying User Relationships
    • Identifying Human Vulnerabilities
  • Practical Social Engineering :
    • Watering Hole Attack
    • Sock Puppet Creation
    • Email Spoofing
    • Setup and Manage Targeted Phishing Campaigns

What to expect ?

  • Fair understanding of how to Recon / Investigate an organisation / person from security perspective.
  • Slide deck and a handy Cheat Sheet of reconnaissance resources.
  • Lots of hands on Exercises and Custom Tools

Target audience

  • Penetration Testers
  • OSINT Analysts
  • Social Engineers
  • Red-Teamers
  • Bug Bounty Hunters
  • Risk Management Professionals


Delegates should have a basic understanding of Pentesting and be familiar with the command-line interface.

Technical Requirements

  • You should have a laptop with admin access on it.
    • 4 GB RAM and 20 GB of free HDD space is required.
    • It should support Wifi Connection for internet.
  • Any OS is fine (Windows/Mac/Linux).
  • Everything else will be provided in the Student kit.

Trainer Biography

Sudhanshu Chauhan is Director and Co-Founder of RedHunt Labs, focusing on Open Source Intelligence (OSINT), Asset Discovery and Perimeter Security.

Sudhanshu is a review board member at BlackHat Asia. He is the developer of RedHunt OS and one of the core contributors to DataSploit. He is an active contributor to MITRE ATT&CK knowledge base and has co-authored ‘Hacking Web Intelligence’, a book on OSINT and web reconnaissance concepts and techniques. He has been a speaker at various conferences such as Ground Zero Summit, CyberHackathon Bar-Ilan University, BlackHat Arsenal, etc and has been a trainer for ‘Tactical OSINT’ and ‘Web Hacking – Black Belt Edition’ at conferences such as BlackHat, AppSec, c0c0n, RootCon, etc. He is the co-founder of Recon Village which runs at DEFCON

Social Media

Personal Twitter : @Sudhanshu_C
Company: @redhuntlabs

Shubham Mittal is Director at RedHunt Labs and leads the research around Attack Surface Intelligence and Attack Automation for Enterprises.

He is a Review Board Member for BlackHat Asia, INSEC World (HongKong), RootConf and PyCon India Security Track. He is also the co-founder of Recon Village, an OSINT focused mini-con at DEFCON and co-author of the OSINT Framework – DataSploit. He has trained and presented to various government organizations, security companies and security conferences like BlackHat, RootConf, DEFCON, HackMiami, NullCon, c0c0n etc.

He has extensive experience in Offensive as well as Defensive security, Open Source Intelligence and Perimeter Security. He is also an active participant at Null – Open Security Community.